Introduction
Cairnfort ("we," "us," or "our") is committed to protecting your privacy and handling your personal information with transparency, integrity, and respect. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you engage our fraud and asset recovery services, visit our website, or interact with our case management platform.
We operate under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation. As a data controller, we are responsible for deciding how and why your personal data is processed.
Please read this policy carefully. By using our services or submitting a case, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
This policy should be read alongside our Terms of Service and any specific agreements or engagement letters we issue to you at the start of a recovery case.
Definitions
Data We Collect
We collect information necessary to provide fraud recovery services, verify your identity, and communicate effectively about your case. The categories of data we collect include:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, date of birth, government-issued ID, passport or driving licence | Identity verification, AML compliance, KYC obligations |
| Contact Data | Email address, phone number, postal address, country of residence | Case communication, document delivery, notifications |
| Financial Data | Bank account details, transaction records, wallet addresses, loss amounts, payment receipts | Case investigation, fund tracing, payment processing |
| Case Data | Fraud details, scammer communications, exchange records, evidence files | Recovery case processing, legal proceedings, reporting |
| Technical Data | IP address, browser type, device identifiers, session tokens | Platform security, fraud prevention, service improvement |
| Usage Data | Pages visited, features used, timestamps of logins and case actions | Service improvement, audit trails, support |
| Communications | Messages with our team, support tickets, chat history with assigned agents | Service delivery, dispute resolution, quality assurance |
We do not collect data from children under 18 years of age. If you are under 18, do not submit a case or use our services without a parent or guardian acting on your behalf.
How We Use Your Data
We use your personal data only for legitimate, specified purposes. Your information is used to:
- Deliver Recovery Services: Investigate your fraud case, trace misappropriated funds, liaise with relevant exchanges, financial institutions, and law enforcement agencies on your behalf.
- Verify Your Identity: Conduct mandatory Know Your Customer (KYC) checks and Anti-Money Laundering (AML) screening as required by UK law and our regulatory obligations.
- Communicate About Your Case: Send updates on case progress, payment confirmations, document requests, and notifications from your assigned recovery agent.
- Support Legal Action: Prepare evidence packages, coordinate with solicitors, and support civil or criminal proceedings where applicable.
- Ensure Platform Security: Protect our systems and your account from unauthorised access, fraud, and technical vulnerabilities.
- Improve Our Services: Analyse anonymised data to enhance our recovery methodologies, platform features, and client experience.
- Meet Legal Obligations: Comply with court orders, regulatory requirements, tax obligations, and mandatory reporting duties.
Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
| Legal Basis | When It Applies |
|---|---|
| Contract Performance | Processing necessary to deliver the recovery services you have engaged us to provide, including case management, fund tracing, and reporting. |
| Legal Obligation | Compliance with AML regulations, KYC requirements, court orders, and regulatory reporting obligations imposed on our business. |
| Legitimate Interests | Fraud prevention, platform security, service improvement, and maintaining accurate business records, provided these do not override your rights. |
| Consent | Where we send optional communications, use non-essential cookies, or process sensitive data where consent is specifically required by law. |
| Vital Interests | In rare circumstances where processing is necessary to protect your life or safety, or that of another person. |
Data Sharing & Disclosure
We do not share your personal data with third parties except in the following circumstances, all of which are necessary for delivering our services or meeting our legal obligations:
- Law Enforcement & Regulators: We may disclose information to the police, National Crime Agency (NCA), Financial Conduct Authority (FCA), Action Fraud, Interpol, or overseas equivalents when required by law or court order, or when necessary to support your recovery case.
- Financial Institutions & Exchanges: Banks, payment processors, and cryptocurrency exchanges may receive case-specific information when we submit recovery or recall requests on your behalf.
- Legal Professionals: Solicitors, barristers, and legal counsel engaged in connection with your case will access relevant personal and case data under strict confidentiality obligations.
- Service Providers: IT infrastructure providers, email delivery services, and platform hosting companies may process data on our behalf under binding data processing agreements.
All third parties are contractually required to maintain the confidentiality and security of your data, and to process it only for the purposes we specify.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to any legal or regulatory retention requirements.
| Data Type | Retention Period | Reason |
|---|---|---|
| Case Files & Evidence | 7 years from case closure | Legal proceedings, statute of limitations, regulatory requirements |
| Identity Documents (KYC) | 5 years from last service date | AML Regulations 2017, HMRC obligations |
| Financial Records & Payments | 6 years | Companies Act 2006, HMRC tax records |
| Communications & Chat Logs | 3 years from case closure | Dispute resolution, quality assurance |
| Account & Login Data | Duration of account + 2 years | Security audit trail, account recovery |
| Technical Logs | 12 months | Security monitoring, fraud prevention |
When data is no longer required, we securely delete or anonymise it in accordance with industry best practices and applicable law.
Your Rights
Under UK GDPR, you have the following rights regarding your personal data. These rights are not absolute and may be subject to legal exemptions in certain circumstances, particularly where processing is required for legal proceedings or regulatory compliance.
- Right of Access: You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
- Right to Rectification: If your data is inaccurate or incomplete, you have the right to have it corrected without undue delay.
- Right to Erasure: In certain circumstances you may request deletion of your data. This right is limited where we have legal obligations to retain records.
- Right to Restriction: You may request that we restrict processing while a dispute about accuracy or lawfulness is resolved.
- Right to Data Portability: Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests. We will cease unless we have compelling legitimate grounds that override your interests.
- Rights Related to Automated Decisions: We do not make solely automated decisions that have significant legal effects on you. A human is always involved in case and payment decisions.
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 13. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Cookies & Tracking
Our website and platform use cookies and similar technologies to ensure functionality, improve security, and understand how our services are used.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Session management, authentication tokens, CSRF protection, platform security | Session / 24 hours |
| Functional Cookies | User preferences, dashboard settings, language selection | 30 days |
| Analytics Cookies | Anonymised usage statistics to improve our platform (with your consent) | 12 months |
| Security Cookies | Bot detection, login attempt monitoring, fraud prevention | Session / 7 days |
You may manage or disable non-essential cookies through your browser settings. Disabling essential cookies will affect the functionality of our platform and your ability to access case management features.
Security Measures
We implement robust technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. Our security measures include:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Database credentials and sensitive configurations are stored using industry-standard secret management practices.
- Access Controls: Role-based access controls ensure that only authorised staff and agents access case data relevant to their specific role. All access is logged and audited.
- Two-Factor Authentication: All staff accounts and client dashboards support two-factor authentication (2FA) to prevent unauthorised account access.
- Incident Response: We have documented procedures for identifying, containing, and reporting data breaches. Where a breach affects your rights, we will notify you within 72 hours as required by law.
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.
International Data Transfers
Recovery cases may require us to share your data with organisations outside the United Kingdom, particularly when tracing funds through international financial systems or coordinating with overseas law enforcement.
Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an adequacy decision from the UK Information Commissioner's Office
- Standard Contractual Clauses (UK International Data Transfer Agreements) with receiving parties
- Transfers required or authorised by UK law, including law enforcement mutual assistance arrangements
You may request details of specific safeguards in place for international transfers relevant to your case by contacting our Data Protection Officer.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. When we make material changes, we will:
- Notify registered clients by email at least 14 days before changes take effect
- Post a prominent notice on our platform dashboard for active users
- Update the "Last Updated" date at the top of this policy and maintain version history
Continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy. We recommend reviewing this page periodically.
Contact & Data Protection Officer
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern, please contact our Data Protection Officer: