BEGIN A CONVERSATION
BEGIN A CONVERSATION
Privacy Notice
June 2026
01

Purpose

This privacy notice (“Privacy Notice”) is intended to ensure transparency in how Personal Information is managed within Okami Capital Management Ltd (the “Company”). It outlines the principles and practices governing the collection, use, disclosure, and protection of Personal Information across the Company, as well as the measures in place to uphold accountability and to comply with applicable privacy and data legislation and regulations.

This Privacy Notice also explains the rights of Data Subjects and the mechanisms available to them to exercise such rights, in accordance with applicable Data Protection Laws.

02

Applicability

The Privacy Notice applies to Personal Data of any natural person that is Processed by or on behalf of the Company, whether in physical or electronic form.

It applies to all products, services, business activities, and operations of the Company, including where the Company acts directly or indirectly through intermediaries, partners, correspondents, agents, or service providers, whether located in Mauritius or in foreign jurisdictions. This includes circumstances where Personal Data is processed in connection with a direct relationship or an indirect relationship facilitated through another entity. It also applies to cases where an individual engages with the Company as an authorised signatory, representative, or authorised person of a non-individual entity.

The applicable terms and conditions of any product or service of the Company may contain additional provisions that operate alongside this Privacy Notice. The Privacy Notice does not restrict or limit any consent previously given or that may be given in the future for the benefit of the Company. Concerned individuals are therefore expected to read the specific terms and conditions relevant to the products or services they use, together with this Privacy Notice.

03

Definition and Interpretation

3.1. The headings contained in this Privacy Notice are for convenience and reference purposes only.

3.2. The use of the masculine shall include the feminine and vice versa and the use of the singular shall include the plural.

3.3. For the purposes of the Privacy Notice, the following definitions shall apply:

  1. “Consent” means any freely given specific, informed and unambiguous indication of the wishes of a Data Subject, either by a statement or a clear affirmative action, by which he signifies his agreement to Personal Data relating to him, being Processed;
  2. “Controller” means a natural or legal person, public authority, agency or other body which determines the purposes of Processing Personal Data;
  3. “Customer” means any individual with which the Company has a business relationship;
  4. “Data Protection Laws” means the Data Protection Act 2017 of the Republic of Mauritius, any regulations, and other subsidiary enactments issued thereunder including any applicable guidelines or practice (or similar documents) by the Local Data Protection Office or other local and international public authorities ( including, where applicable, the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”));
  5. “Data Subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
  6. “Group Data Protection Officer” means the officer at the Company responsible for monitoring compliance with Data Protection Laws, advising on data protection obligations and acting as the primary contact point for supervisory authorities and Data Subjects;
  7. “Legitimate Interest” means a lawful business or commercial interest pursued by the Company which is not overridden by the fundamental rights and freedoms of the Data Subject;
  8. “Local Data Protection Office” means the office as provided for in the Data Protection Laws having the details specified in paragraph 18;
  9. “Company” means Okami Capital Management Ltd together with its subsidiaries, associates and affiliates in Mauritius or in foreign countries;
  10. “Personal Data” or “Personal Information” means any information relating to a data subject, including:
    • Customer identification data e.g. name, e-mail, postal address, telephone number, country of residence, passport scan and number, national identity card scan and number, tax identification number;
    • personal characteristics e.g. date of birth, marital status;
    • employment and occupation e.g. employer, function, title, place of work;
    • academic/study information;
    • family information;
    • banking/non-banking and financial data e.g. financial identification, financial situation (including loans, assets, expenses, etc.), risk profile, investment objectives and preferences;
    • investment appetite and risk profile;
    • electronic identification data e.g. IP addresses, cookies;
    • data received in the context of the performance of an agreement e.g. account positions and transactions, power of attorneys;
    • tax related data; and/or
    • images, sounds and communications e.g. surveillance camera footage, telephone recordings, exchange of letters/emails with the data subject.
  11. “Processing” means an operation performed on Personal Data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The word “Processed” shall be construed accordingly;
  12. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
  13. “Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person;
  14. “Third Party” means a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, Processor, and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.
04

Collection of Personal Data

The Company may, for a Legitimate Interest, use, hold and process, process, by automated or non-automated means, and, where applicable, in jurisdictions inside or outside Mauritius, subject to appropriate safeguards under Data Protection Law, Personal Data and may collect it from various sources, including from a Customer, any person linked with the Customer, his business and services, people working on behalf of the Customer, a regulatory body or in circumstances such as:

  1. on application for a product or service with the Company;
  2. during phone calls, including recorded calls and notes that the Company may make;
  3. through the use of the Company website, mobile applications;
  4. in emails, letters;
  5. in insurance claims and other documents;
  6. in financial and risk reviews and interviews;
  7. in customer surveys; and/or
  8. through participation in competitions, lottery or promotions.

 

05

Legal Basis for Processing Personal Information

The Company will collect and process various categories of Personal Information under the following circumstances (subject to appropriate retention periods set out in section 11 below) in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality:

  1. for the execution of agreements, contracts signed with Customers, and services linked thereto, or in the context of pre-contractual measures requested by Customers;
  2. to fulfil the Company’s legal and/or regulatory obligations; and/or
  3. for the Legitimate Interests set forth in paragraph 6.1.
06

Legitimate Interests for Processing Personal Data

6.1 Subject to the relevant Data Protection Laws, the Company will process Personal Data for the following Legitimate Interests:

  1. setting up, administering, managing and updating Customers files;
  2. managing Customers accounts and payment/settlement transactions;
  3. executing contracts signed by Customers and execution of Customers instructions;
  4. management and provision of investment products and generally for conducting the business relationship with Customers;
  5. application for advisory, investment and related products;
  6. improving and personalising the Company’s services on an ongoing basis and the development of investment strategies;
  7. testing of new investment strategies and communicating them and other services to Customers;
  8. ensuring the security of people and property;
  9. research, modelling and statistics;
  10. administering and managing risks;
  11. fraud prevention, detection, investigation, and reporting of financial crimes, including compliance with AML/CFT obligations;
  12. advertisement and marketing activities;
  13. meeting the Company’s legal and regulatory obligations;
  14. management of the Company’s financial position, business capability, planning, adding and testing systems and processes, managing communications, corporate governance, and audit;
  15. responding to all legitimate requests from public, legal or supervisory authorities for access to Personal Data;
  16. establishment, exercise and defence of legal claims;
  17. exercise of the Company’s rights set out in agreements or contracts; and/or
  18. debt recovery.


6.2 The Processing of Personal Data by the Company may give rise to decision-making, including Profiling, which shall be effected within the legal and regulatory limits set out in the Data Protection Laws. Data Subjects shall not be subject to a decision based solely on automated Processing, including Profiling, which produces legal or similarly significant effects, except where permitted by law and subject to appropriate safeguards.

07

Offer of Personalised Solutions

In its endeavour to provide Customers with optimised services that are constantly evolving in order to better meet the Customer needs, as well as to maintain and develop its business relationship, the Company may:

  1. publish, share or send to Customers, through any channel:
    • regulatory, informative or commercial materials linked to the contract signed with the Customer and the services subscribed, as well as products held by the Customer;
    • financial and economic literature;
    • value-adding publications on different topics; and/or
    • invitation to events, talks or workshops that may be of interest to the Customer.
  2. contact the Customer for sharing general product information as regards financial literacy and awareness;
  3. use Profiling to process Customer Personal Information with a view to:
    • Search for and identify, within its Customer database, characteristics shared by persons, who are likely to be interested with a specific new or existing service or product;
    • Search for and identify, within its Customer database, relatively homogenous groups of persons in terms of products held and/or banking/non-banking behaviour in order to improve the Company’s understanding of its Customer base and the personalisation of its investment services.
08

Sharing of Personal Data with Third Parties

8.1. the Company may transfer Personal Data to the following categories of persons:

  1. agents, advisers and services providers of the Company;
  2. persons appointed by Customers;
  3. supervisory authorities of the Company and other public authorities for fraud prevention, regulatory or legal purposes; and
  4. credit institutions, credit reference agencies, financial sector professionals, and any other external service provider with which the Company interacts or whose services are necessary in the context of providing services to Customers.


8.2. In transferring Personal Data, the Company shall ensure that the Third Parties with which it interacts are legally required to process Personal Data with the same or equivalent degree of care and confidentiality as required under the applicable Data Protection Laws. The Third Parties shall at least have the obligation to maintain appropriate technical and organisational security measures to protect the Personal Data against:

  1. accidental destruction, loss, and alteration; and
  2. unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.


8.3. the Company does not rent, sell, or otherwise commercially trade Personal Data to any Third Party.

8.4. Where Personal Data is transferred outside Mauritius, the Company shall ensure that such transfers are subject to appropriate safeguards in accordance with applicable Data Protection Laws, including adequacy decisions, contractual safeguards, or other legally recognised transfer mechanisms.

These Third Parties may act as Controllers or Processors and have a duty to comply with legal and/or contractual obligations regarding the protection of Personal Data, including professional secrecy and the applicable confidentiality obligations.

09

Recording of Communications

The Company may record and keep records of conversations and meetings including telephone conversations and correspondences relating to any service provided, activity carried out or transaction executed by the Company on behalf of Customers. Personal Data collected in the course of telephone recording activities will be Processed and kept strictly in accordance with the applicable Data Protection Laws and shall serve, where appropriate, as proof of instructions.

10

Data Subject Rights

10.1. Subject to the relevant Data Protection Laws, the Data Subjects’ rights regarding the Processing of Personal Data include the right to request:

  1. access to the Personal Data Processed by the Company;
  2. confirmation of whether or not Personal Data is or has been Processed;
  3. rectification of Personal Data that is inaccurate or incomplete;
  4. erasure of his/her Personal Data on legitimate grounds;
  5. the restrictive use of the Processing of Personal Data on legitimate grounds;
  6. information from recordings concerning the conversations and meetings including telephone conversations and correspondence relating to any service provided, activity carried out or transaction executed, with the exact date and time of the recording;
  7. transmission of Personal Data to a Third Party in an easily readable format (this right applies exclusively to European Customers who are subject to the General Data Protection Regulation 2016); and
  8. objection to the use of Personal Data that the Company collects, retains and processes on legitimate grounds.


10.2. Data Subjects may submit a request to exercise the rights set forth above through a registered letter sent to the Company Data Protection Team situated at the Company Head Office, Office 118, Rue De La Democratie, Ebene Junction, Republic of Mauritius, or by such other channels as may be communicated by the Company from time to time.

11

Retention Period of Personal Data

The Company retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including meeting any contractual, operational, or service-related requirements. Once the relevant purpose has been achieved, the data is securely deleted or anonymised, unless a longer retention period is required or permitted by law. Certain regulatory or legal obligations may require the Company to retain Personal Data for a specified duration e.g. retention requirements from the Bank of Mauritius or other competent authorities.

The Company ensures that all retention periods comply with applicable legal and regulatory frameworks and are guided by internal data retention policies. Further details on applicable retention periods may be obtained upon request from the Company Data Protection Team.

12

Termination of Customer Relationship

  1. the Company may, subject to applicable legal and regulatory obligations, be unable to continue its relationship with a Customer in the following cases: the Customer exercises his right to erasure of his/ her Personal Data; or
  2. the Customer objects to the use of his/her Personal Data that the Company collects, retains and processes on legitimate grounds.
13

Security Measures and Governance

The Company implements appropriate technical and organisational measures to safeguard personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are aligned with industry-recognised frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0. These measures are proportionate to the nature, scope, context and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects.

By default, the Company applies privacy and security by design principles when developing or modifying systems and processes. Security controls include access management based on the principle of least privilege, encryption where applicable, secure system configurations, regular monitoring, and regular vulnerability assessments with formal review and remediation.

The Company conducts mandatory data protection and information security training for all staff and relevant contractors at least once per year and provides targeted or refresher training whenever necessary.

These measures are reviewed and updated periodically to reflect evolving threats, industry standards, and applicable legal and regulatory obligations.

The Company Data Protection Team, as required under the Data Protection Act 2017, reports to executive and board committees, to ensure appropriate oversight and governance of data protection compliance.

14

Cookies Management

The Company uses both essential (mandatory) cookies and optional cookies on its website. Customers can choose to accept all cookies, accept only the non-mandatory cookies of their choice, or decline all optional cookies while continuing to use the website with essential cookies only.
15

Handling of Personal Data Breaches

Upon identification of a Personal Data breach the Company shall take immediate actions to assess, contain, mitigate and resolve the incident. Where required by applicable Data Protection Laws, the Company will notify the relevant supervisory authority and affected individuals without undue delay. The Company also keeps records of all data breaches in accordance with its legal obligations and internal policies.

16

Audit and Compliance Reviews

The Company may be subject to audits or inspections carried out by regulatory authorities to verify compliance with applicable Data Protection Laws. In addition to regular internal audits, the Company also engages independent external auditors to, at least annually, review its data protection practices, security controls, and internal processes. These audits help ensure that Personal Data is handled lawfully, securely, and in accordance with industry standards. Findings from such audits are assessed, and the Company implements corrective actions where necessary to continuously improve its data protection framework.

17

Complaints

Under the prevailing Data Protection Laws, a Data Subject has the right to lodge a complaint regarding the Processing of Personal Data with the Company by:

  1. sending an email to: info@okami-capital.com, or
  2. sending a registered letter to Okami Capital Management Ltd Data Protection Team at the Company Head Office, Office 118, Rue De La Democratie, Ebene Junction, Republic of Mauritius.
18

Local Data Protection Office in Mauritius

Data subjects have the right to lodge a complaint with the Data Protection Commissioner (see more at https://dataprotection.gov.mu) if they believe that their Personal Data has been Processed in a manner that infringes applicable Data Protection Laws.

19

Amendments

The Company reserves its right to amend at any time partly or wholly the provisions of the present Privacy Notice and such amendments shall be notified by posting on the Company website www.okami-capital.com or any other appropriate means it deems appropriate. Such amendments shall take effect on the date of posting on the Company’s website, unless otherwise required by applicable law.

Begin a conversation.
SPEAK TO ONE OF OUR ADVISORS

If you are a high-net-worth individual, a family office, or an institution seeking a more disciplined, more transparent, and more considered approach to investment management and private brokerage, we would welcome the opportunity to speak with you.

Enquiries are handled with complete discretion. All consultations are obligation-free.

CONTACT

info@okami-capital.com