Legal
Privacy Policy.
How Citius Trust handles personal data on this website, what we collect, why we collect it, and the rights every data subject has under the EU General Data Protection Regulation and Cyprus data protection law.
Data controller
Citius Trust Limited is the data controller for personal data processed in connection with this website. The registered office is at 42-44 Griva Digeni Avenue, 2nd Floor, 1096 Nicosia, Cyprus. The contact email for any data protection matter is dpo@citiustrust.com.
Lawful basis for processing
We process personal data on the following lawful bases under Article 6 of the General Data Protection Regulation (Regulation EU 2016/679, the GDPR):
- Legitimate interest, for measuring website performance and improving the content we publish (Article 6(1)(f)).
- Consent, for any analytics cookie that is set in a user's browser and for any future newsletter or marketing communication (Article 6(1)(a)).
- Contract, for personal data processed in the course of a client engagement once a mandate has been agreed (Article 6(1)(b)).
- Legal obligation, for records we are required to retain under Cyprus tax, accounting, anti-money-laundering, and ICPAC professional rules (Article 6(1)(c)).
What we collect
The website itself is a static publication. The categories of personal data that may be processed in connection with it are limited:
- Email address and any details a user voluntarily provides when sending an email to info@citiustrust.com from a link on the site.
- Cookies and analytics identifiers set by Google Analytics 4 (property G-17Q95C3SZ9), only after a user has granted analytics consent in the cookie banner. Until consent is granted, no analytics cookies are set and no events are recorded.
- Server-side access logs maintained by our content delivery network (Cloudflare) and our hosting provider, recording IP address, request timestamp, and the URL requested. These logs are processed for security and operational purposes.
- Personal data provided by clients during an advisory engagement is processed under the engagement contract and is governed by the engagement letter, not by this website privacy policy.
Retention periods
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Email correspondence sent to info@citiustrust.com is retained for as long as the matter is open and for a reasonable period after closure to allow follow-up. Where the correspondence relates to a regulated client engagement, the records are retained for the period required by Cyprus professional rules, typically seven years.
- Google Analytics 4 user-level data is configured for a 14-month retention period, after which Google deletes it from the property.
- Cloudflare access logs are retained per Cloudflare's standard retention policy, which the user can review at https://www.cloudflare.com/privacypolicy/.
Recipients and processors
We do not sell personal data. We share personal data only with the processors and recipients necessary to deliver the website and any services arising from it:
- Google LLC (and Google Ireland Limited as the EEA establishment), as processor of website analytics data through Google Analytics 4.
- Cloudflare, Inc., as our content delivery network and security provider.
- Our hosting provider, currently GoDaddy.com, LLC.
- Professional advisers and regulators where disclosure is required by law or by ICPAC professional rules.
Your rights as a data subject
Under Articles 15 to 22 of the GDPR you have the following rights in respect of personal data we hold about you:
- Right of access, to request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification, to request correction of inaccurate or incomplete personal data.
- Right to erasure, also known as the right to be forgotten, in the circumstances set out in Article 17.
- Right to restriction of processing, in the circumstances set out in Article 18.
- Right to data portability, to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object to processing based on our legitimate interest, including the right to object at any time to direct marketing.
- Right to withdraw consent at any time, where the lawful basis for processing was consent. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
How to exercise your rights
To exercise any of the rights above, please email dpo@citiustrust.com. We will respond within one calendar month of receiving your request, in line with Article 12(3) of the GDPR. Where the request is complex or numerous, we may extend that period by a further two months and will inform you of the extension and the reasons for it within the first month.
You also have the right to lodge a complaint with the supervisory authority. The Cyprus supervisory authority is the Office of the Commissioner for Personal Data Protection. Contact details and the complaint procedure are available at https://www.dataprotection.gov.cy.
International transfers
Where personal data is transferred outside the European Economic Area, the transfer is made under safeguards approved by the European Commission. Google LLC and Cloudflare, Inc. are recipients in the United States; transfers to them are made under Standard Contractual Clauses adopted by the European Commission and, where applicable, under the EU-US Data Privacy Framework.
Updates to this policy
We may update this privacy policy from time to time. The version on this page is the current version. The effective date below records when the policy was last revised. Material changes will be notified through the website or, where appropriate, by direct communication.
Effective date: 25 April 2026