Logo

Privacy Notice

AMENDMENT NOTE (DPO Review — June 2026): This version supersedes the April 2026 draft. Amendments from June 2026 are shown in bold and marked [JUNE 2026 AMENDMENT]. They reflect the current operational reality: website contact and enquiry forms feed the HubSpot CRM solely for the purpose of managing enquiries and client relationships. No marketing use of website form data is active at this stage. The sections on marketing consent (checkboxes, separate consents, consent timestamps) from the April 2026 draft have been revised or removed accordingly and will be reinstated once marketing forms are deployed.

This Privacy Notice (hereinafter referred to as “Notice”) was published by Aisa International SAS. This Notice is effective as of June 2026 and valid until adjusted.

This document explains how the Company uses the personal data that it collects from its Customers and potential Customers, in compliance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as “GDPR”) and applicable French data protection law.

The Company acts as data controller in respect of all personal data processed under this Notice.

What information do we collect?

We process information about you when you become our client in the field of financial planning or financial advice, mortgage, investment and insurance products. Not all services are available in all countries; we will explain to you what services are available in your country.

Categories of personal data processed by the Company:

  • Identification details
  • Contact details
  • Information on sources and the total amount of income
  • Data serving for assessment of needs and suitability
  • Health data and retirement age

Furthermore, the Company performs Customer due diligence inspections in relation to anti-money laundering and terrorism financing legislation. In the context of applicable capital markets regulation, the Company keeps records of certain communications with Customers and potential Customers.

We can also collect information when you voluntarily complete client surveys and provide feedback to us through our online system Money-Trove (hereinafter referred to as “Trove”).

[JUNE 2026 AMENDMENT] We also collect personal data when you complete a contact or enquiry form on our website. The data collected via those forms (first name, last name, email address, phone number, country of residence, and message content) is processed solely for the purpose of responding to your enquiry and managing the resulting relationship within our customer relationship management system. At present, website contact form data is not used for marketing communications. Should this change, this Notice will be updated and, where required, your specific consent will be sought before any marketing use commences.

Information about connected individuals

We may need to gather personal information about your close family members and dependants in order to provide our service to you effectively. In such cases, it will be your responsibility to ensure that you have the consent of the people concerned to pass their information on to us. We will provide a copy of this privacy notice for them if we are also providing services to them or, where appropriate, ask you to pass the privacy information to them.

Why do we need to collect and use your personal data?

Processing your personal data by the Company is based on the following legal grounds:

  • Performance of the contract concluded between the Company and you as a client.
  • Meeting the Company’s legal obligations as a personal data controller.
  • Company’s legitimate interests (e.g., protection of legal interests, optimisation of web services).
  • Your consent (e.g., marketing communications, special category data such as health data).
  • [JUNE 2026 AMENDMENT] Processing of personal data submitted via website contact and enquiry forms is carried out on the legal basis of the Company’s legitimate interest in responding to enquiries from potential clients and members of the public (Article 6(1)(f) GDPR), and, where a contractual relationship subsequently arises, on the basis of the performance of that contract (Article 6(1)(b) GDPR).
  • Transfers of your data to HubSpot Inc. (United States) as described below are carried out on the legal basis of Standard Contractual Clauses adopted by the European Commission, ensuring an adequate level of protection for your personal data.

How do we use information about you?

We always gather such amount of your personal details as are essential to achieve the intended purpose of their processing. The purposes include:

  • Handling communication with clients, potential clients and the public;
  • Evaluation of client requirements for our services;
  • Concluding and performing contracts with clients;
  • Anti-money laundering and terrorism financing prevention;
  • Meeting obligations to protect consumers;
  • Meeting the Company’s obligations as a legal and economic entity;
  • Handling claims, requirements and complaints;
  • Client data records in case of disputes;
  • Optimising instruments used in providing our services;
  • Sending information about the Company’s services and activities;
  • Monitoring Customer feedback to improve services;
  • [JUNE 2026 AMENDMENT] Receiving, recording and managing enquiries submitted through the website contact forms, and maintaining a record of those enquiries and any follow-up correspondence within our customer relationship management platform (HubSpot). At present, contacts created through website forms are held in the CRM solely for the purpose of managing the enquiry and any resulting client relationship, and are not enrolled into marketing communications unless separate consent is obtained at a later stage.

How we collect your consent (website forms)

[JUNE 2026 AMENDMENT — SECTION REVISED] When you submit a contact or enquiry form on our website, you will be asked to confirm that you have read this Privacy Notice by ticking a checkbox. This step is required to submit the form. The checkbox is not pre-ticked.

The wording displayed next to the checkbox is: “I confirm that I have read and understood Aisa International’s Privacy Notice [link to Privacy Notice] and I consent to the processing of my personal data for the purpose of responding to my enquiry.”

At present, no separate marketing consent checkbox is shown on the website contact or enquiry forms, as those forms are not used for marketing purposes. When marketing forms are introduced in the future, a separate, clearly labelled and unticked marketing consent checkbox will be added, and this Notice will be updated accordingly.

Where the Company relies on consent as the lawful basis for processing, you have the right to withdraw that consent at any time without detriment, by contacting us at the details below or by using the unsubscribe link in any marketing email.

Who might we share your information with?

In order to provide our services effectively, we may share your personal details with the following parties:

  • Our tied agents with whom we have a contractual relationship and who are directly involved in the mediation and provision of our services;
  • Suppliers of products and services that we mediate for you;
  • Providers of compliance, accounting or legal services;
  • Providers of IT services and tools used to provide our services;
  • Authorities or institutions that supervise our activities, such as the Autorité des marchés financiers (AMF) and the Commission Nationale de l’Informatique et des Libertés (CNIL);
  • [JUNE 2026 AMENDMENT] HubSpot Inc., 25 First Street, Cambridge, MA 02141, United States, which provides the Company’s customer relationship management (CRM) platform. Personal data submitted via the website contact and enquiry forms (including name, email address, phone number, country of residence and message content) is stored and processed within HubSpot on the Company’s behalf, acting as a data processor, solely for the purpose of managing enquiries and client relationships. Personal data is transferred to HubSpot’s servers, which may be located in the United States, on the basis of Standard Contractual Clauses (Module Two: controller to processor) approved by the European Commission under Commission Implementing Decision (EU) 2021/914. HubSpot’s current data processing addendum and SCCs are available at https://legal.hubspot.com/dpa. The Company has assessed the transfer and is satisfied that appropriate safeguards are in place.

Furthermore, we may share your personal data with affiliated entities within the AISA group of companies for internal administrative purposes (risk and conflict-of-interest assessment, reporting, handling claims) or for the purpose of sending important information about Aisa International SAS.

Your personal data are not transferred to third countries except as described above in relation to HubSpot (United States, covered by Standard Contractual Clauses) and, where applicable, where a client has requested services to be provided in or in connection with a country outside the European Economic Area, in which case the transfer is made on the basis of an appropriate safeguard or, where permitted, because the transfer is necessary for the performance of the contract at the client’s request.

We do not share your personal data with any parties outside Aisa International SAS for marketing purposes.

Where third parties are involved in processing your personal data as processors, we ensure that appropriate data processing agreements are in place, in compliance with Article 28 GDPR.

All data transferred to third parties is encrypted and password protected. All data in Trove is safely encrypted and access to the system is two-factor authenticated.

How long do we keep hold of your information?

The Company keeps your personal data for the time required for its purpose and respects the time limits set by legal regulations:

  • Personal data gathered to perform contracts: maximum 6 years after the relationship ends.
  • E-mail communications: generally deleted after 1 year, except those relating to personal advisory.
  • Data processed on the basis of consent: 3 years from the date consent was given.
  • Accounting data (e.g., billing details): 10 years from the end of the relevant financial year.
  • [JUNE 2026 AMENDMENT] Website contact form data and the corresponding CRM records in HubSpot: retained for as long as necessary to respond to and manage the enquiry, and, where a contractual relationship subsequently arises, for the duration of that relationship plus the applicable retention period above. Where no contractual relationship results from the enquiry, records will be retained for no longer than 12 months from the date of the last correspondence, after which they will be deleted or anonymised.
  • Consent records (acknowledgement of Privacy Notice, timestamps): retained for the duration of the relevant processing activity plus 1 year, to allow the Company to demonstrate compliance with its transparency obligations.

You have the right to request the deletion of your personal data. We will assess your request and will accommodate it where no legal regulation or other legal reason prevents deletion.

How can you access the information we hold about you?

You have the right to request a copy of the personal information that we hold about you. If you would like a copy of some or all of your personal information, please contact us using the details below. Where appropriate, we will provide this information in a digital format.

When your data is processed by automated means, you have the right to ask us to transfer your personal data to another controller designated by you.

The Company is committed to ensuring that your personal data is accurate and up to date. Please contact us to correct or remove any information that you think is incorrect.

Your rights related to personal data protection

In addition to the rights described above, you have the following rights under Articles 15 to 22 of the GDPR:

  • Right of access: to obtain confirmation of whether your personal data is being processed and to receive further information about such processing;
  • Right to rectification: if you believe your data is incomplete or incorrect;
  • Right to erasure (“right to be forgotten”): where the data is no longer necessary or other legal conditions are met;
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object to processing based on legitimate interests;
  • Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • Right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects.

Automated decision-making and profiling

If you use Trove, your personal information is entered into the system and automated tools and mechanisms are used for processing. If you are unsure about the outcome of the automated process, you may contact us to discuss or challenge the outcome and require a remedy.

We take measures to ensure the security of your data, including encryption, separate private databases with full security and regular anti-intrusion checks.

We do not use special category data (e.g., health data) in an automated process unless it is strictly necessary to deliver our service and we have obtained your explicit consent.

Marketing

We would like to send you information about our products and services which may be of interest to you. [JUNE 2026 AMENDMENT] We will only send you marketing communications where you have actively given your separate, freely given and specific consent to receive them, via a clearly labelled and unticked opt-in checkbox. At present, no marketing communications are sent to contacts created solely through the website contact or enquiry forms. Marketing forms and campaigns are subject to separate consent collection, which will be introduced at a later stage and accompanied by an update to this Notice. If you have agreed to receive marketing information, you may opt out at any time, without any sanctions, by contacting us at the details below or by clicking the unsubscribe link in any marketing message. You can also withdraw your agreement to share your information with other Aisa International SAS entities.

Cookies

[JUNE 2026 AMENDMENT] Our website uses cookies and similar tracking technologies. Cookies are small files placed on your device when you visit our website. We use the following categories of cookies:

  • Strictly necessary cookies: required for the website and its forms to function correctly. These do not require your consent.
  • Analytical and performance cookies: used to understand how visitors interact with our website (for example, pages visited and time spent). These are only placed on your device after you have given your consent.
  • Marketing and advertising cookies: used to show you relevant content or advertisements. These are only placed on your device after you have given your explicit consent.

When you first visit our website, a cookie consent banner will appear. You may accept all cookies, refuse all non-essential cookies, or manage your preferences by category. Refusing non-essential cookies does not affect your ability to submit an enquiry form. You may change your preferences at any time via the Cookie Settings link on our website. Your cookie choices are stored and respected for up to six months, after which you will be asked again.

For a full list of the cookies used on our website, their purpose and their duration, please refer to our Cookie Policy [link to Cookie Policy].

Right to lodge a complaint with a supervisory authority

If you believe that your data protection rights have not been respected, you can file a complaint with your national data protection authority. In France:

Commission Nationale de l’Informatique et des Libertés (CNIL)
3 Place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07
Tel: +33 (0)1 53 73 22 22 | www.cnil.fr

Changes to our Privacy Notice

We periodically review this Privacy Notice. When a change is necessary, we will notify you on our website. This notice was last updated in June 2026.

How to contact us

Please contact us if you have any questions about this Notice or the data we hold about you:

Aisa International SAS
57 Avenue du Maréchal Juin, Biarritz, 64200, France
Email of the Data Protection Officer: rovattip@aisainternational.fr

Your right to be forgotten: Please contact us if you wish to request the deletion of your data from our database.