— Legal —

Privacy Policy

How Ariyor collects, uses, and protects your personal data, in compliance with the EU General Data Protection Regulation (GDPR).

Last Updated

27 April 2026 · Effective immediately

1. Who we are

Ariyor S.A. ("Ariyor", "we", "us") is a precious-metals custodian registered in Luxembourg, with its registered office at 21 Rue Glesener, L-1631 Luxembourg. We are the data controller responsible for personal data we collect through ariyorlux.com and the My Ariyor member dashboard.

For any questions about this policy or your personal data, contact our Data Protection Officer at dpo@ariyorlux.com or by post at the address above.

2. What data we collect

We collect only the data necessary to operate as a precious-metals custodian and meet our regulatory obligations under EU anti-money-laundering law.

From all visitors to ariyorlux.com

Technical data: IP address, browser type, device type, pages visited, referring URL, timestamps. Used solely to ensure the website operates correctly and to detect abuse.
Cookie preferences: Stored locally in your browser. See our Cookie Policy.

From contact-form submissions

Your name, email address, telephone number (if provided), and the content of your message.
Used solely to respond to your enquiry. Retained for 24 months unless you become a member, after which retention follows the member-data rules below.

From applicants and members

Identity data: Full legal name, date of birth, nationality, government-issued ID, photograph from ID document.
Contact data: Postal address, email, telephone numbers.
Financial data: Source of funds declaration, bank account details for transactions, holdings records.
Compliance data: KYC/AML checks, sanctions-list screening results, transaction history.
Communication data: Records of correspondence with our private desk, dashboard chat history, voice-call recordings (where applicable, with prior notice).

3. Why we process your data

We process your personal data only when we have a lawful basis to do so under Article 6 of the GDPR.

Performance of contract (Art. 6(1)(b)): To open and operate your member account, execute transactions, and provide custody services.
Legal obligation (Art. 6(1)(c)): To comply with EU AML directives (Directive 2015/849 as amended), tax reporting requirements, and Luxembourg law.
Legitimate interest (Art. 6(1)(f)): To prevent fraud, secure our infrastructure, and improve our services. We balance these interests against your rights and you may object at any time.
Consent (Art. 6(1)(a)): For optional communications such as newsletters or research updates. You may withdraw consent at any time.

4. Who we share your data with

We do not sell your personal data, ever. We share it only when necessary to provide our services or comply with the law.

Regulatory authorities: The Luxembourg CSSF, tax authorities, and law-enforcement agencies, when legally compelled.
Banking partners: Banks that process your settlement payments. Only the data needed to execute the transaction is shared.
Insurance providers: Lloyd's of London syndicates that insure vault contents. Personal identification is not shared; only aggregated holding values.
External assayers and auditors: Independent firms that conduct quarterly vault audits. They see holdings ledgers but not personal identity data.
IT and infrastructure providers: Hosting and security service providers under strict EU data-processing agreements. All servers are located within the EU.

We never share your data with marketing companies, advertising platforms, data brokers, or analytics firms outside the EU.

5. How long we keep your data

Member data: For the duration of our relationship plus 10 years thereafter, as required by Luxembourg AML law.
Transaction records: 10 years after the transaction, as required by EU AML and tax law.
Contact-form submissions: 24 months from submission, then deleted.
Website analytics: 13 months in aggregated form, then deleted.

6. Your rights under GDPR

You have the following rights regarding your personal data, exercisable at any time by writing to dpo@ariyorlux.com:

Right of access: Request a copy of all data we hold on you.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your data, subject to AML retention obligations.
Right to restrict processing: Limit how we use your data while a query is investigated.
Right to data portability: Receive your data in a machine-readable format.
Right to object: Object to processing based on legitimate interest.
Right to lodge a complaint: With the Luxembourg supervisory authority (CNPD) at cnpd.public.lu.

We respond to all requests within one calendar month. There is no fee for exercising these rights, except where requests are manifestly excessive or repetitive.

7. Security measures

We protect your data with measures appropriate to its sensitivity:

End-to-end encryption of all data in transit (TLS 1.3)
Encryption at rest for all stored personal and financial data
Multi-factor authentication for member accounts (production launch)
Regular security audits by independent third parties
Strict access controls; only personnel who need data to perform their role have access
Data-breach notification procedures meeting GDPR's 72-hour requirement

8. International transfers

Your data is stored on EU-based servers and not transferred outside the European Economic Area, except where required by court order or in the limited cases of regulated banking partners that operate internationally. In any such case, transfers occur only under EU Standard Contractual Clauses or equivalent safeguards.

9. Changes to this policy

We may update this policy when our practices change or when required by law. We will notify members of material changes via email at least 30 days before they take effect. The current version is always available at this URL.

10. Contact

Data Protection Officer
Ariyor S.A.
21 Rue Glesener, L-1631 Luxembourg
dpo@ariyorlux.com