Who we are: Edmiston acts as the data controller when handling your personal data in relation to brokerage services.

What we collect: We may collect personal contact details, financial information, professional and background data, and due diligence documentation where legally required.

Why we use your data: Your data is processed to fulfil our contractual obligations to you, comply with legal and regulatory duties (such as anti-money laundering requirements), and to pursue our legitimate business interests—always in a balanced and proportionate way.

How we protect it: We implement robust organisational and technical safeguards to keep your data secure, limit access to authorised personnel only, and regularly review our security measures.

With whom we share it: Your data may be shared with our group companies and selected service providers (e.g. financial institutions, IT providers), under strict confidentiality and data protection obligations.

International transfers: Where data is transferred outside the UK or EU (e.g. to Monaco or the US), we ensure appropriate safeguards are in place, including the use of Standard Contractual Clauses.

How long we keep it: We retain your data only as long as necessary for the purposes for which it was collected, in accordance with defined retention schedules and applicable laws.

Your rights: You have rights to access, correct, delete or restrict your data, as well as to object to certain uses. Details are provided in Section 9.

This overview is provided for clarity and convenience only. For full details on how we process personal data and your rights, please refer to the sections below. This notice should be read together with our Cookie Policy, which describes our use of cookies.

1. Data controller

Edmiston & Company Limited acts as a data controller for brokerage-related data processing, determining the purposes and means of processing. It is incorporated in the Isle of Man under the number 079243C, and has its registered address at Dorchester House, Belmont Hill, Douglas, Isle of Man, IM1 4RE.

2. Data protection principles

We will comply with data protection laws. This says that the personal information we hold about you will be:

• Used lawfully, fairly and in a transparent way;
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
• Relevant to the purposes we have told you about and limited only to those purposes;
• Accurate and kept up to date;
• Kept only as long as necessary for the purposes we have told you about;
• Kept securely.

3. The personal data we collect, and the purpose for which such data is collected

While this Website Privacy Notice focuses on data collected via our website, certain categories of personal data (including due diligence and AML/KYC information) are collected after initial contact, as part of our brokerage and regulatory obligations, and are described here for transparency.

We may also collect personal information via the cookies used on our website. Please refer to our Cookie Policy for more information.

Via our website, we may process:

• Name, address, phone number, personal email, nationality, country of residence;
• Gender, financial background, source of wealth;
• Yachts owned, yachts chartered, interests in yachts; and
• Related exchanges.

We will process this data in particular to:

• Enter into pre-contractual discussions with you or possibly enter into a contract with your, or to manage payments due, as per the contracts we may enter into with you (Article 6.b) GDPR); or to
• Perform our diligence and make a decision about the establishment of a relationship or thereafter about its termination, which is a legal obligation (Article 6.c) GDPR).

This data may finally be processed for Edmiston’s legitimate interest (Article 6.f) GDPR), for the following purposes:

• To effectively engage and communicate with clients and prospective customers;
• To market our services, via our website;
• For the general management of our activity, including accounting and auditing; and
• To manage potential legal disputes.

After our initial contact, this data may also be processed with your consent to market our services to you via our newsletters (Article 6.a) GDPR).

Then, as part of our brokerage and regulatory obligations, we may collect, store, and process the following types of personal data on our clients, and/or on companies or persons that own or control our clients as applicable, for the purposes specified below:

3.1. Financial information

We may process:

• Bank account details, tax status, tax registration number; and
• Related exchanges.

We will process this data in particular to:

• Manage payments due, as per the contracts we will enter into with you (Article 6.b) GDPR); or
• For the general management of our activity, including accounting and auditing, which is in Edmiston legitimate interest (Article 6.f) GDPR).

3.2. Due Diligence Information

We may process:

• Information about criminal convictions, offences, investigations concerning criminal convictions and offences, actual or alleged involvement into illicit activities;
• Date of birth, marital status, dependants;
• Identity documents, photos from identity documents or publicly available sources, bank statements, evidence of residency;
• Companies or other entities owned or controlled, and
• Related exchanges.

We will process this data in particular to:

• Perform our diligence and make a decision about the establishment of a relationship or its termination, which is a legal obligation (Article 6.c) GDPR); or
• For the general management of our activity, including accounting and auditing, which is in Edmiston legitimate interest (Article 6.f) GDPR).

3.3. Special Category Data and Criminal Convictions Data

In the course of our anti-money laundering and sanctions compliance obligations, we may process certain categories of personal data that benefit from enhanced protection under data protection laws, namely:

• Special category data within the meaning of Article 9 of the GDPR (such as information revealing political opinions), where this information appears in sanctions lists, politically exposed persons (PEP) screening results, adverse media checks, publicly available sources or information you or your representatives may provide to us.
• Criminal convictions and offences data within the meaning of Article 10 of the GDPR, where this information arises from due diligence searches, sanctions screening, publicly available sources or information you or your representatives may provide to us.

We process this data on the following legal bases:

• For special category data: Article 9(2)(g) of the GDPR: processing necessary for reasons of substantial public interest, namely the prevention of money laundering and terrorist financing, on the basis of applicable AML/CTF legislation (including, as applicable, Monaco Law No. 1.362 of 3 August 2009 as amended);
• For criminal convictions data: processing carried out under the control of official authority or authorised by law, in accordance with our regulatory obligations.

In compliance with applicable laws, we maintain an Appropriate Policy Document setting out our procedures for ensuring compliance with the data protection principles when processing such data, as well as our retention and erasure policies. This document is available from the DPO on request.

3.4. Use of data for other purposes

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you, and we will explain the legal basis which allows us to do so.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

4. How we collect personal data

We collect personal data from:

• You directly, through website enquiries or through direct contact to our brokers;
• Third-party brokers, introducers or other business contacts, such as your representatives or captains of yachts you may own;
• Screening providers and adverse media databases;
• Publicly available source or news outlets.

We will collect additional personal information in the course of the brokerage services we will provide to you.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, we may not be able to communicate effectively, and we may be prohibited at law from establishing or maintaining a contractual relationship with you.

You are responsible for ensuring that any personal information you provide to us, including on behalf of other individuals (e.g., company owners or representatives), is accurate, complete, and that you are authorised to share it with Edmiston for the purposes described in this Privacy Notice.

5. Who we share your data with?

We may share client personal data with the following third parties, where necessary for the purposes specified in Section 3:

• Our IT service providers and data hosting providers, including notably Deep Blue Soft Monaco SARL;
• Our banking institutions, including notably CFM Indosuez Wealth Management, Monaco, Emirates NBD, United Arab Emirates, or Centtrip, United Kingdom;
• Edmiston Group Companies (Edmiston & Company SAM in Monaco, Edmiston & Company Limited in England, or Edmiston & Company Inc. in the US);
• Government Agencies where required by law, e.g. the Monaco Autorité Monégasque de Sécurité Financière (“AMSF”), or the UK National Crime Agency,

All third parties receiving client data are required to solely process such data under our documented instructions, and to implement appropriate security measures and comply with data protection laws. We do not allow third parties to use your personal data for their own purposes.

However, while we carefully select our third-party service providers and require them to comply with applicable data protection laws and security standards, we cannot be held liable for any act or omission by such third parties beyond our control, unless required by applicable law.

6. Transferring information abroad

In the course of providing our brokerage services, we may transfer the personal information we collect about you to recipients located outside the European Economic Area, the United Kingdom or Monaco, including to our affiliates, service providers and banking partners in:

• The United Kingdom: where transfers originate from the European Economic Area (EEA), they are covered by the European Commission’s adequacy decision of 28 June 2021 in respect of the United Kingdom, which recognises that the UK provides an adequate level of protection for personal data;
• Monaco: Monaco is not the subject of an adequacy decision from the European Commission. Transfers to Edmiston & Company SAM are therefore made on the basis of the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914), or, where the transfer originates from the United Kingdom, on the basis of the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU SCCs. Processing in Monaco is also subject to Monaco’s data protection law (Law No. 1.565 of 3 December 2024, as amended), under the oversight of the Autorité de Protection des Données Personnelles (APDP — www.apdp.mc);
• The United States: As the United States is not the subject of a general adequacy decision, transfers to Edmiston & Company Inc. are made on the basis of the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914), or, where the transfer originates from the United Kingdom, on the basis of the UK IDTA or Addendum; or
• The United Arab Emirates: where personal data is shared with our banking partner Emirates NBD for the purpose of executing payment transactions, transfers are made on the basis of Standard Contractual Clauses or, where applicable, the UK IDTA or Addendum. Where strictly necessary for the performance of a contract concluded in your interest, transfers may alternatively rely on Article 49(1)(b) or (c) of the GDPR.

Copies of the safeguards in place for any of the transfers described above are available from the DPO on request (see Section 10).

7. Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available in Edmiston’s Cyber Security Framework and Policies Repository.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and/or any applicable regulator of a suspected breach where we are legally required to do so.

8. Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once we no longer provide or market services to you, we will retain and securely destroy your personal information in accordance with applicable laws and regulations, as detailed in our Data Retention Policy.

Beyond the active retention periods during which the relevant Edmiston personnel may access the data for the purpose for which it was collected (the “Active Retention Periods”), Edmiston may need to hold Personal Data for longer periods to comply with applicable laws or regulations or to be able to able to support Edmiston’s compliance in the case of an audit from a relevant authority. These additional periods are generally referred to below as the “Archival Periods”. During the Archival Periods, only personal data directly needed to comply with applicable laws, regulations or to support Edmiston’s compliance may be retained. Such data is kept separately to data under an Active Retention Period, and access to such data shall be restricted and monitored.

We may retain personal contact details and personal background information for ten years from the date of our last contact with you.

The retention periods of financial information are:

• Active Retention Period: two years from the last contact with you;
• Archival Period: three further years thereafter.

The retention periods of due diligence information are:

• Active Retention Period: three years from the last contact with you;
• Archival Period: seven further years thereafter.

At the term of the applicable retention period, any employee paper-based files will be shredded and the remnants placed in confidential waste bins. All electronic records will be deleted from Edmiston’s IT system, unless a technical limitation requires a delay, in which case the data will be securely archived and access strictly restricted.

9. Your rights

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Under certain circumstances, by law you have the right to:

• Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
• Object to processing of your personal information where we are relying on a legitimate interest (see Section 3) and there is something about your particular situation which makes you want to object to processing on this ground;
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
• Request the transfer of your personal information to another party; and
• Withdraw your consent at any time, where we are relying on consent to process your personal information (for example, in relation to direct marketing communications and newsletters). Withdrawing your consent will not affect the lawfulness of any processing carried out before you withdrew your consent. It will also not affect the processing of your personal information carried out in reliance on lawful processing grounds other than consent. To withdraw your consent to receive marketing communications, you may use the unsubscribe link included in each communication, or contact the DPO directly.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.

We will respond to your request without undue delay, and in any event within one month of receipt of the request. Where the request is complex, or where we receive a number of requests from you, this period may be extended by up to a further two months. In such cases, we will inform you of the extension and the reasons for it within one month of receiving your request.

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

10. The Data Protection Officer

dmiston is not required at law to appoint a DPO. However, Edmiston made the choice to appoint a DPO to ensure its compliance with all applicable data privacy regulations on a continuing basis, and for Edmiston’s employees, vendors, clients and partners to be ensured that Edmiston treats all privacy data with the utmost care, maintaining confidence in our organization. The DPO oversees our compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal information, please contact the DPO.

The person currently holding this position can be reached at data.privacy@edmiston.com.

11. Right to file a complaint

If you believe that your personal data has been processed unlawfully, you have the right to file a complaint with the Isle of Man Information Commissioner or with the data protection authority in your country of residence or place of work. We encourage you to contact us first so we can address your concerns.

Isle of Man Information Commissioner:
Ask@inforights.im
+44 1624 693260
www.inforights.im

12. Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Date of last update : May 2026

If you have any questions about this Privacy Notice, please contact our DPO.