Privacy Policy

Who we are

XCap Ecosystem Ltd, trading as Ownera (“We”, “Ownera”, “our”) are committed to protecting and respecting your privacy. We will only process your personal data where permitted by applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (as amended). 

Ownera as a Controller

When we provide services to clients, to the extent we process any personal data about clients’ customers we act as a data processor. Clients should review our FAQs for further information. This privacy policy applies when Ownera acts as a Controller when conducting our business, for example when we recruit staff or respond to enquiries. It also applies to our shareholders.

When we are a Controller, this means that we are responsible for deciding how we hold and use personal information about you. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand how we will treat your personal data and your rights.

When do we collect your personal data? 

We use different methods to collect personal data from and about you including through: 

  • Your direct interactions with us: You may give us your personal data by filling in online forms or by corresponding with us by post, email or otherwise. This includes personal data you provide when you: 

    • Request our services; 

    • Request our newsletter be sent to you;

    • Give us feedback or otherwise contact us; or

    • Apply for a job vacancy.

  • Automated technologies or interactions: As you interact with our website, we will automatically collect technical information. Please see the ‘Information we collect from you and our purposes and lawful bases for using it’ section below for further details on the technical information we collect. We may collect some of this personal data using cookies and other similar technologies. Please see the ‘Analytics’ section below and our Cookies Policy for further details.

  • Third parties and other available sources: We may receive personal data about you from other sources, such as conference organisers. Where you apply for a job vacancy we may also receive personal data about you from those who provide references and background check providers (including criminal convictions).

Information we process and our purposes and lawful bases for using it

UK GDPR requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases, depending on the activities we are carrying out: 

  • Necessary for the entry into/ Performance of a contract with you: Where we need to perform a contract we are about to enter into or have entered into with you, we will need to collect and process your personal information. Failure to provide the requested personal information or objecting to this type of processing/ exercising your deletion rights, will result in us being unable to perform the contract we have or are trying to enter with you. 

  • Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. 

  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose. 

In the case of special categories of personal data (such as information about your health), extra protections apply under UK GDPR and the Data Protection Act 2018. We therefore may only process such information in the following circumstances:

  • Where appropriate, where we have your explicit consent;

  • Where it is necessary for the purposes of performing or exercising obligations or rights in relation to employment law.

We have set out below how we use the various types of your personal data, our purposes for processing it and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where applicable.

  • Personal Data

    • Name

    • Address

    • E-mail address

    • Company name

    • Phone number

    • Your preferences

    ____

    Purpose

    To carry out our obligations arising from any contracts entered into between you (or your employer) and us and to provide you with the information, products and services that you (or your employer) request from us. 

    Legal Basis

    Performance of contract; legitimate interest in providing our products and services to you.

    ____

    Purpose

    To provide you with information about other products and services we offer that are similar to those that you have already purchased or enquired about. 

    Legal Basis

    Legitimate interest to develop our products/services and grow our business.

    ____

    Purpose

    To notify you about changes to our products or services. 

    Legal Basis

    Performance of contract; legitimate interest to develop our products/services and grow our business.

    ____

    Purpose

    To provide you with our newsletter. 

    Legal Basis

    Consent.

    ____

    Purpose

    Notifying you about changes to our terms or privacy policy.

    Legal Basis

    Performance of contract; Necessary to comply with a legal obligation under UK GDPR.

    ____

    Purpose

    Dealing with your requests, feedback, complaints and queries.

    Legal Basis

    Performance of a contract; Legitimate interest for the purpose of managing our relationship with you.  Necessary to comply with a legal obligation under UK GDPR.

    ____

    Purpose

    To register you for an event.

    Legal Basis

    Consent.

    ____

  • Personal Data

    • Name

    • Address

    • E-mail address

    • Company name

    • Phone number

    • Shareholder reference number

    • Bank account and payment details

    • ID documents such as passport

    • Financial information about your shareholding and shareholder records

    Purpose

    To administer the shareholding, maintain the shareholder register, dividend payments, voting, elections, annual report correspondence, identifying relevant products and services, perform KYC and AML checks, dealing with disputes and retaining records relating to shareholdings.

    Legal Basis

    Performance of a contract; Necessary for compliance with our legal obligations and regulatory requirements; Legitimate interest for the purpose of administration of our business.

  • Personal Data

    • Name 

    • Contact information 

    • Information provided in your CV and during the application process including employment history, education history and qualifications

    • Information provided to us during your interview

    • Information obtained from references

    ___

    Purpose

    • To process any job application. 

    • Identifying further education, training and development areas.

    Legal Basis

    • Performance of a contract.

    • Legitimate interests: to conduct recruitment.

    ___

    Purpose

    • To assess your skills, qualifications and suitability for the role that you have applied for. 

    • To carry out background and referencing checks, where applicable.

    Legal Basis

    Legitimate interest; necessary to ensure individuals applying for a position have the required skills, qualifications, experience, education and suitability to perform the role. 

    ___

    Purpose

    Communicate with you about the recruitment process.

    Legal Basis

    Legitimate interest: to keep in touch with prospective candidates.

    ___

    Purpose

    • Keep records related to our hiring processes.

    • Business management and planning.

    Legal Basis

    Legitimate interest: necessary for the purpose of department organisation, identifying skill gaps for recruitment and to ensure the correct individuals are in the right role.

    ___

    Purpose

    Comply with legal or regulatory requirements as an employer.

    Legal Basis

    Necessary to comply with a legal obligation.

    ___

    We may process special category data that you provide to us during the recruitment process including:

    Personal Data

    Information about your race or ethnicity, religious or philosophical beliefs, trade union membership, sexual orientation and political opinions.

    Purpose

    For monitoring and reporting, such as equal opportunities, diversity, equity and inclusion.

    Legal Basis

    Necessary for performing or exercising obligations or rights in relation to employment law.

    ___

    Personal Data

    Information about your health, including any medical condition, and health.

    Purpose

    Ascertaining whether we need to make reasonable adjustments for your interview or in the workplace.

    Legal Basis

    Necessary for performing or exercising obligations or rights in relation to employment law.

    ___

    Personal Data

    Information about criminal convictions and offences, where required depending on the role you are applying for.

    Purpose

    To assess a candidate's suitability for a vacancy, including their professional integrity and accountability.

    Legal Basis

    • Consent.

    • Necessary to prevent and detect crime.

Where we intend to process the personal data you have provided for a purpose other than that for which the personal data was collected, we shall provide you with information on that other purpose and with any relevant further information prior to that further processing.

Analytics 

As set out in our Cookies Policy, we use Google Analytics on our website. This means that we may use cookies to collect online identifiers about your use of our website, including cookie identifiers, internet protocol addresses and device identifiers, which we may use for the purpose of better understanding your use of our website.

Google may transfer the personal data collected by it on our behalf outside of the United Kingdom. See here for further information on Google Analytics.

Marketing

From time to time, we may send you information regarding that which we perceive may be of interest to you or your business. You may receive this information by letter, telephone or email. If at any time you prefer not to receive further communications from us in any or all forms (except in connection with information, products or services that you specifically request) you will have the ability to opt-out from such communications by means of a link provided in e-mails that are sent to you by us.

Disclosure of your information

We may share your information with third parties including:

  1. Third party service providers, for example, our recruitment applicant tracking system provider, background checks providers, AML and KYC providers, professional advisors including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services

  2. Analytics and search engine providers that assist us in the improvement and optimisation of our sites. 

  3. Any party which acquires XCap Ecosystem Ltd or substantially all of its assets, in which case personal data held by it about its customers will be one of the transferred assets.

  4. Any other party as required by law, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of XCap Ecosystem Ltd, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Where we store your personal data

The data that we collect from you may be transferred to, stored and processed in any destination where Ownera or its affiliates, subsidiaries or facilities used by third party service providers have a presence; in some cases, your data may be transferred or accessed by support staff in the US. We will only transfer your data to a country outside the UK or the European Economic Area where that country ensures an adequate level of data protection within the meaning of the UK or we use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK. To obtain more information about these contractual safeguards, please contact our DPO, details provided in the ‘Contact’ section below. 

Keeping your data secure 

We have implemented appropriate technical and organisational measures to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed, taking into account the nature, scope, context and purpose of the processing and the risks involved in processing. Our measures to ensure the security of data in transit include end-to-end encryption, strict access controls, and a layered set of security safeguards designed to prevent unauthorised access or tampering. These controls are supported by 24/7/365 monitoring and alerting to ensure continuous visibility and rapid response to potential security events.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of a site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

How long we will store your personal data

The personal data that we collect from you will be stored only for so long as is necessary to fulfil the purpose for which the data was collected, or to comply with applicable legal, tax or regulatory requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Your rights

If you reside in the UK, or are applying for a job or services based in the UK, you have the following rights:

  • to access your data (subject to the provisions of Article 15 of the UK GDPR). This is commonly known as making a “data subject access request” and enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  • to request that inaccurate data be rectified (subject to the provisions of Article 16 of the UK GDPR). This enables you to have any incomplete or inaccurate information we hold about you corrected. 

  • to request that your personal data be erased (subject to the provisions of Article 17 of the UK GDPR). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 

  • to restrict the processing of your data (subject to the provisions of Article 18 of the UK GDPR). This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it. 

  • to request that your data is transferred to another Controller (subject to the provisions of Article 20 of the UK GDPR).

  • to object to processing of personal data (subject to the provisions of Article 21 of the UK GDPR). This means where we are relying on legitimate interest (or those of a third party), you can object to our processing of your personal data on this ground. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. You also have the right to object where we are processing your personal information for direct marketing purposes. 

  • withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 

Should you wish to exercise any of your rights under the UK GDPR please contact our Data Protection Officer (DPO) at the contact details/ address detailed in the ‘Contact’ section below. 

Complaints 

You also have the right to make a complaint if you feel that your personal data has not been handled correctly by us, you have been impacted by a data breach, or you are unhappy with our response to any rights requests you have made to us. 

In the first instance, you should contact us using the contact details set out in the ‘Contact’ section below. We will acknowledge any complaints within 30 days of receipt, take appropriate steps to investigate, and respond without undue delay with details of the outcome of your complaint.

After receiving our response, if you wish to escalate the matter you have the right to lodge a complaint with the Information Commissioner’s Office, the UK regulator for data protection issues, whose contact details are available at www.ico.org.uk. 

You can contact the ICO by calling 0303 123 1113. Or go online to ico.org.uk/concerns (please note we can’t be responsible for the content of external websites). 

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

Contact

We have appointed a data protection officer (DPO). If you have any questions, comments and requests regarding this privacy policy or our data protection practices please contact: 

  • Email address: DataProtection@Ownera.io

  • Postal Address: XCap Ecosystem Ltd, 33 Queen St, London, EC4R 1AP.

Ownera as a Processor

We also act as a Processor on behalf of our clients, who are Controllers, solely for the purpose of performing our services. Our services ensure that tokenised transactions can take place, by imposing standard configurations that allow the Ownera router to orchestrate the matching of authentication certificates which facilitate the transfer of encrypted pseudonymous personal data and assets, as directed by our clients with their counterparties. The transactions originated by these firms are encrypted and orchestrated through Ownera’s hosted routing service in a way that does not give Ownera access to any personal data or underlying transaction information when delivering hosted Application Orchestration Router or SuperApp services. Please see our FAQs for further information on how we process and protect personal data on behalf of our clients. 

Cookies Policy

Our sites use cookies to distinguish you from other users of a site. This helps us to provide you with a good experience when you browse our sites and also allows us to improve our sites.

Cookies are small text files which a website may put on your computer or mobile device when you first visit a site or page. We use cookies on our sites to improve their performance and enhance your user experience.

If you do not want to receive cookies, you may choose to opt-out by changing your browser settings. Most browsers allow you to turn off cookies. Switching off cookies may restrict your use of a site and/or delay or adversely affect the way in which it operates.

Listed below are the cookies being used on the Ownera.io website and their source and supposed usage:

First Party Cookies

Cookies that are set by the website and can only be used by the website.

Ownera.io 

  • To persist user session so they stay logged in on the website (Session only)

  • To store currently logged in user details to pre-fill form data

  • To authorise the interface with XCap Ecosystem Ltd servers as part of user registration and onboarding

  • To save user’s account preferences 

Third Party Cookies

Cookies that are not set by the website owner and are primarily used for analytical data of that service or feature.

Google 

  • To track current active users

  • To get visits based on geolocation

  • To get most visited pages and duration of user session per visit

  • To get devices commonly used to access the site

  • To get traffic based on time of day

  • To know how users get referred to the website 

FAQs

  • Ownera’s clients are regulated financial services firms or fintech firms which we intend to hold to the same standards as we would for a regulated firm. The router provides direct peer-to-peer communication between these firms. The transactions originated by these firms are encrypted and orchestrated through Ownera’s hosted routing service in a way that does not give Ownera access to any personal data or underlying transaction information when delivering hosted Application Orchestration Router or SuperApp services.

    Personal data may form part of the originating or receiving firms’ transmissions. However, any such personal data is in the form of a pseudonymous certificate, which is generally only decipherable by the originating and receiving firm, or by Ownera only when investigating anomalies or incidents.

  • Ownera acts as a data processor, on behalf of its clients who are data controllers. Ownera's services ensure that tokenised transactions can take place, by imposing standard configurations that allow the Ownera router to orchestrate the matching of authentication certificates which facilitate the transfer of encrypted pseudonymous personal data and assets, as directed by our clients with their counterparties.

    In the current business model, Ownera’s clients are regulated financial services firms or fintech firms, and these firms are the data controller. Ownera will never be a controller of customer personal data when performing hosted routing services and associated applications.

  • Ownera processes authentication certificates that include encrypted pseudonymous personal data. This is performed on behalf of its clients solely for the purpose of ensuring application layer interoperability and compatibility with the routing services. Ownera will not process pseudonymous personal data for any other purpose.

  • The pseudonymous personal data that Ownera processes is saved on Amazon Web Servers (AWS). Ownera’s AWS server locations are in Europe - Germany (Frankfurt) hosts the primary site and Ireland is our disaster recovery / resilience site. Clients may select other AWS locations for their deployments.

  • Ownera’s commitment to security and trust is upheld by the security measures that are in place:

    Benefits of Blockchain:

    • Our router system is not connected to the internet but is a peer to peer network between trusted parties. The blockchain is operated through a decentralised network, which significantly reduces the risk of cyber attacks by making it extremely difficult for any unauthorised access to occur. This decision, and the requirement that all parties accessing the network must first undergo a validation process, provides an enhanced level of security and integrity. These measures mean that working with us provides an additional layer of security compared to traditional systems. Blockchain has become a trusted solution for securing sensitive data, and we are committed to maintaining the highest standards of protection for your information.

    Certifications:

    • Ownera is Information Security Management ISO 27001 certified, and ISO 27017 Cloud Services certified demonstrating adherence to global standards. 

    Employee training:

    • Every member of the Ownera team undergoes training in security and privacy to ensure that they are well equipped to manage data and information. Training is monitored internally and required of not only general employees but also external contractors. Training obligations must be fulfilled upon onboarding and on a regular basis thereafter. 

    Technical measures:

    • Ownera uses a set of Cloud-native tools to pre-emptively identify and neutralise security risks and configuration mistakes. Ownera’s security strategy ranges from external security services to internal technical controls that ensure trust.

    • All data is backed up and backup processes are audited annually as part of our internal disaster recovery readiness processes.

    Policies:

    • We have in place a suite of policies for disaster recovery, business continuity and incident response. These policies are regularly reviewed by senior management and practiced continuously to ensure we always act decisively to protect your security interests.

  • Trust and transparency form the foundation of our security and privacy principles. Ownera will only access or share the pseudonymous personal data we process where essential to enable the effective provision of our services:

    Ownera data access and sharing:

    Ownera Employees: Only those Ownera employees and contractors who need to provide the services will have access to pseudonymous personal data, which may include employees of the technical and customer services teams.  Ownera implements access controls to ensure that only those with a need-to-know have access to pseudonymous personal data.

    Intra-Group Sharing: Although Ownera is a UK-based company, the technology team is based in Israel, and there are support staff in the U.S., Romania, Bulgaria, and the Ukraine. Only those employees from outside the UK that require access to pseudonymous personal data for the effective provision of our service will have access to it. 

    Data sharing with third parties: 

    • We rely on Netskope, a third-party supplier of VPN capabilities to allow for our effective cross-jurisdictional operation between the UK and other countries. Some personal data may be made available to Netskope during this process. We have appropriate contractual and security measures in place to ensure any personal data shared with Netskope are as limited as possible and fully protected. 

    • As set out in the "Where is personal data stored" question, AWS provide Ownera with hosting services, meaning AWS is Ownera's sub-processor.  

    • The nature of the Ownera hosted routing services means that the limited pseudonymous personal data that we access as a data processor will be shared by Ownera, as directed by our clients with their counterparties. Depending on the nature of the client-instructed transaction, parties required to complete the transaction may include buy side and sell side organisations, payment initiation service providers, custodians, wallet providers, etc.

  • Yes. 

    Personal data processed by Ownera hosted routers and APIs results in a transfer of pseudonymous personal data to Israel, which is recognised by the UK Government and European Commission as an 'adequate territory'. This means that Israel provides an equivalent level of protection for personal data as the UK/EU and data transfers to Israel do not require additional safeguards to be put in place. 

    There may be very limited transfers to the US where contractors may remotely access personal data to provide client services and prospective client services. Their engagement is likely to be primarily related to our clients in the US, but they may on occasion participate in work related to UK or EEA clients. In the event we transfer personal data to the US, we will use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK.

    There are also technology staff in the Ukraine. The staff in Ukraine work only on the development of software, and they do not have access to any data in production. In the event that an exception is required for unusual situations where those individuals have the domain knowledge to investigate a specific client issue, this will require case by case approvals and special and limited access rights. Staff in Ukraine are also contractually required to follow all policies, processes and controls applying to staff in all Ownera GDPR-equivalent jurisdictions; thereby ensuring that they meet the same data protection standards.

  • As a data processor, Ownera can only retain the pseudonymised personal data as agreed with its clients, who are the data controllers, or otherwise as required by law. 

    Given that the Ownera routing service ensures transactions can take place on the blockchain, we maintain and retain a detailed record of each transaction event for our clients. This practice is part of our commitment to ensuring complete transparency and the ability to audit transactions at any time, giving peace of mind about the integrity and traceability of investments.

  • If you have any comments or questions about our data protection and privacy practices please contact us at DataProtection@Ownera.io.