Introduction and scope
Amberstone Capital Ltd (“Amberstone”, “we”, “us” or “our”) is committed to protecting personal data and processing it responsibly and transparently.
This Privacy Notice explains how we collect, use, disclose and safeguard personal data in connection with our business and website.
This Privacy Notice applies exclusively to professional and institutional contexts, including:
- Professional Clients and institutional counterparties;
- Directors, officers, employees, authorised signatories, ultimate beneficial owners and representatives of our clients and counterparties; and
- Service providers, advisers and other business contacts.
This website and our services are not directed at retail clients or members of the general public, and we do not knowingly process personal data relating to retail investors.
About Amberstone Capital Ltd.
The Site is operated by Amberstone Capital Ltd (“Amberstone”, “we”, “us” or “our”).
Amberstone is incorporated in the Abu Dhabi Global Market (“ADGM”), authorised and regulated by the Financial Services Regulatory Authority (“FSRA”), holding Financial Services Permission No. 240101, and having its registered office at Ste 203, 14, Al Sarab Tower, ADGM Square, Al Maryah Island, Abu Dhabi, United Arab Emirates.
Amberstone is authorised to conduct regulated activities: engaging in Islamic Financial Business, Managing Assets, and Managing a Collective Investment Fund.
Contact:
Email: info@amberstone.capital
Telephone: +971 (02) 812 4036
Our role in processing personal data
For the purposes of applicable data protection laws, including the ADGM Data Protection Regulations 2021, Amberstone generally acts as a Data Controller, meaning that we determine the purposes and means of processing personal data.
In limited circumstances, we may act as a Data Processor when processing personal data strictly on behalf of another data controller and in accordance with their instructions.
Categories of personal data we process
We process personal data that is relevant, necessary and proportionate to our business as an ADGM-regulated asset manager, including:
- Identification and verification data (e.g. name, nationality, date of birth, identification documents)
- Professional and corporate information (e.g. employer, position, authority, ownership or control information)
- Contact details (e.g. business address, email address, telephone number)
- Regulatory and compliance information (e.g. KYC, AML, sanctions screening and due diligence data)
- Transactional and relationship information (e.g. contracts, instructions, correspondence)
- Website technical data (e.g. IP address, browser type, basic usage data).
We do not intentionally collect or process personal data unrelated to our professional and institutional business activities.
Purposes and lawful bases for processing
We process personal data for the following purposes and lawful bases:
- Regulatory and legal compliance (including FSRA, AML, KYC, sanctions and reporting obligations)
- Performance of contracts (including client, counterparty and service provider relationships)
- Legitimate business interests (including governance, risk management, security and business communications)
- Consent, where required by law and expressly obtained.
Special categories of personal data
We do not seek to process special categories of personal data (such as health data or biometric data). Where such data is processed incidentally or exceptionally, it will be handled strictly in accordance with applicable law and appropriate safeguards.
Sources of personal data
We may collect personal data:
- Directly from you or from your organisation;
- From professional advisers, counterparties or service providers;
- From publicly available sources or regulatory databases;
- Through our website (limited technical data).
Data sharing and disclosures
We may share personal data, on a need-to-know basis, with:
- Regulators, supervisory authorities and law enforcement bodies;
- Professional advisers, auditors and consultants;
- IT, compliance and administrative service providers;
- Group entities or successors in the event of a corporate transaction.
All recipients are required to process personal data in accordance with applicable data protection laws and appropriate confidentiality obligations.
International data transfers
Personal data may be transferred outside the ADGM where necessary for business or regulatory purposes.
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with ADGM Data Protection Regulations, including adequacy decisions or contractual protections.
Data security and retention
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse.
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including regulatory, legal and record-keeping requirements.
Your rights
Subject to applicable law, you may have the right to:
- Access your personal data;
- Request correction or erasure;
- Restrict or object to processing;
- Request data portability.
Requests may be made by contacting us using the details above. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the ADGM Commissioner of Data Protection.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in law, regulation or our business practices. The latest version will always be available on our website.
Amberstone Capital
means Amberstone Capital Limited.
ADGM
means the Abu Dhabi Global Market.
ADGM Commissioner of Data Protection
means the ADGM Commissioner of Data Protection appointed by the ADGM board who heads the Office of Data Protection at ADGM.
ADGM Data Protection Regulations
means ADGM Data Protection Regulations 2021 enacted by the board of directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of the Law No.4 of 2013 concerning the Abu Dhabi Global Market.
ADGM Know Your Customer (KYC)
means mandatory requirements to ensure updated information about Amberstone Capital’s Customers, to perform identity verification and prevention of illegal transactions through the business relationship with Amberstone Capital, such as money-laundering and identity theft.
Applicable Law
means any enactment or subordinate legislation applicable in (i) ADGM; or (ii) under Abu Dhabi or Federal Law having application in ADGM, as it applies to Data Controllers and Data Processors that are within the scope of these Regulations.
Automated Processing
means Processing that is conducted using an electronic application or system that operates automatically, either independently without any human intervention or under the supervision and limited intervention of a human.
Binding Corporate Rules
means the internal rules, also referred to as BCRs, which define the policy across entities regarding intra-organizational Personal Data transfers outside the ADGM.
Biometric Data
means Personal Data that results from the use of specific technology related to the physical, physiological or behavioral characteristics of the Data Subject that allow or confirm the unique identification of the Data Subject. This includes facial imaging or fingerprints.
Consent
means the approval in which the Data Subject authorizes a Third Party to process his / her Personal Data, provided that this Consent is specific, clear, and unambiguous through a statement or a clear positive action stating that the Data Subject accepts the Processing of his or her Personal Data.
Data Controller
means the entity or the natural person that has Personal Data and, by virtue of their activity, determines the method, approach, criteria, and purpose of Processing this Personal Data, whether alone or jointly with other persons or entities.
Customer
means consumers of products and services from Amberstone Capital.
Data Protection Officer
means the entity who is tasked with overseeing Amberstone Capital’s data protection programme and ensuring in an independent manner that all Personal Data processing at Amberstone Capital is in compliance with Applicable Laws including the ADGM Data Protection Regulations.
Data Subject
means an identified or identifiable natural person that Personal Data pertains or applies to.
Employee
means full time staff of Amberstone Capital.
Explicit Consent
means an indication that the Data Subject has given an active, clear and unambiguous agreement for their Personal Data to be used in a specific way, including, for example, by signing a document or sending an email.
Personal Data
means any data related to a specific natural person or a natural person that can be identified directly or indirectly by linking identification elements, such as the person’s name, voice, photo, identification number, electronic identification, geographical location, or one or more of the person’s physical, physiological, economical, cultural or social attributes.
Personal Data Breach
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing
means any operation or set of operations performed on Personal Data through electronic means, including collecting, storing, recording, organizing, adapting, modifying, circulating, transferring, retrieving, exchanging, sharing, using, describing, and disclosing Personal Data by broadcasting, transfer, distributing, making available, coordinating, merging, restricting, obfuscating, deleting, destroying, or modeling the data.
Data Processor
means the entity or natural person that processes Personal Data on behalf of the Data Controller under the Data Controller’s direction and instructions.
Profiling
means the use of Personal Data to evaluate certain aspects related to the Data Subject.
Recipient
means the entity to whom Personal Data is transferred.
Special Categories of Personal Data
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, Biometric Data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; and Personal Data relating to criminal convictions and offences or related security measures.
Third Parties
means an entity who processes Personal Data on behalf of Amberstone Capital or any of the joint Controllers of Amberstone Capital.
UAE
means the United Arab Emirates.