Privacy Policy — Aegis DPO Platform

01

Who we are

The Aegis DPO Platform is a product of DPMAS — Data Privacy & Management Advisory Services, a data protection consultancy registered and operating in Barbados.

For the purposes of the Barbados Data Protection Act 2019, DPMAS is the data controller for all personal data collected through this website and the Aegis DPO Platform.

Registered address: Bridgetown, Saint Michael, Barbados
Email: [email protected]

02

What data we collect

We collect only what is necessary for the purposes described in this policy. The data we collect depends on how you interact with our site.

Source	Data collected
Early access application form	Full name, email address, organisation name, job title / role, jurisdiction, current data protection challenges, modules of interest
Contact / general enquiry form	Full name, email address, organisation (optional), message content
Gated demo request	Full name, email address
Site analytics	Anonymised page visit data, referral source, browser type, approximate geographic region. No personally identifiable information.
Cookies	See Section 8 and our Cookie Policy for full details.

We do not collect: payment card data, government ID numbers, sensitive personal data as defined under s.3 of the Barbados DPA 2019, or any data from children under 18.

03

How we use your data

We use the personal data we collect for the following purposes:

To process and respond to early access applications and assess suitability for the early access cohort
To communicate with you about your application, platform onboarding, and updates relevant to early access participants
To respond to general enquiries and contact form submissions
To provide access to gated platform demo content following identity verification
To understand which platform modules are most requested (using aggregated, anonymised application data)
To fulfil any legal or regulatory obligations applicable to DPMAS as a data controller

We do not use your data for automated decision-making or profiling as defined under the Barbados DPA 2019. We do not sell, rent, or otherwise commercialise your personal data.

04

Legal basis for processing

Under the Barbados Data Protection Act 2019, we rely on the following legal bases under ss.6–12 for each processing activity:

Consent (s.7): Where you have submitted a form voluntarily and are informed of how your data will be used. You may withdraw consent at any time.
Legitimate interests (s.9): For internal analytics and platform improvement activities, where our interests do not override your rights and freedoms.
Legal obligation (s.10): Where we are required to retain or disclose data to comply with applicable law.

Note on single vs. multi-basis: Consistent with our own platform's compliance guidance, we identify and document a primary legal basis for each processing activity. We do not rely on consent as a fallback where a more appropriate basis applies.

05

Who we share your data with

We do not share your personal data with third parties except in the following limited circumstances:

Formspree: Form submissions from this site are processed via Formspree, Inc., which routes submissions to our email inbox. Formspree acts as a data processor on our behalf. You can review their privacy practices at formspree.io.
Google Fonts: This site loads fonts from Google Fonts, which may result in your IP address being transmitted to Google servers. No other Google services are used on this site.
Legal or regulatory requirement: Where disclosure is required by the Barbados Data Protection Act 2019, a court order, or another applicable law, we will comply. We will notify you where we are legally permitted to do so.

We do not use advertising networks, tracking pixels, or social media integration that would share your data with third parties without your knowledge.

06

How long we keep your data

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law.

Data type	Retention period
Early access applications (successful)	Duration of the early access programme + 12 months
Early access applications (unsuccessful)	6 months from decision date, then deleted
General enquiry / contact submissions	12 months from last correspondence, then deleted
Demo access requests	6 months from submission, then deleted
Anonymised analytics data	24 months on a rolling basis

At the end of the applicable retention period, data is securely deleted or anonymised. We do not archive personal data beyond what is operationally or legally necessary.

07

Your rights under the DPA 2019

As a data subject under the Barbados Data Protection Act 2019, you have the following rights. You may exercise any of these rights by contacting us at [email protected]. We will respond within 30 days of verifying your identity — consistent with the deadline under s.23 of the DPA 2019, which runs from the date of identity verification, not the date of receipt.

Right of access (s.22) You may request a copy of the personal data we hold about you and information about how it is processed.

Right to rectification (s.24) You may ask us to correct inaccurate or incomplete personal data we hold about you.

Right to erasure You may request deletion of your personal data where there is no compelling reason for us to continue processing it.

Right to restrict processing You may ask us to limit how we use your data while a dispute over accuracy or lawfulness is resolved.

Right to object You may object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your rights.

Right to withdraw consent Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Barbados.

08

Cookies

This site uses a minimal number of cookies, limited to those necessary for the site to function correctly. We do not use advertising cookies or third-party tracking cookies.

Full details of the cookies this site uses, their purpose, and how to manage them are set out in our Cookie Policy.

09

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction — consistent with our obligations under s.25 of the Barbados DPA 2019 and consistent with the security standards we apply in our DPO consulting practice.

Form submissions are transmitted over encrypted HTTPS connections. Data received via Formspree is routed directly to our secured email system and is not stored by third parties beyond what is described in Section 5.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach (s.26, DPA 2019), and will notify affected individuals without undue delay where required.

10

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Aegis platform, or applicable law. Where changes are material, we will update the "Last updated" date at the top of this page and, where appropriate, notify early access participants directly.

We encourage you to review this policy periodically. Continued use of this site following any update constitutes acceptance of the revised policy.

11

Contact us

For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a privacy concern, please contact us:

DPMAS — Data Privacy & Management Advisory Services
Email: [email protected]
Bridgetown, Saint Michael, Barbados

We aim to respond to all privacy-related enquiries within five business days. Data subject access requests will be handled within 30 days of identity verification, in line with s.23 of the Barbados DPA 2019.