This legal context and privacy policy sets out the regulatory framework, data protection obligations and compliance standards of Unique Villas Collection Ltd (Company No. 15759075).

UNIQUE VILLAS COLLECTION LTD

Registered in England and Wales

Company Number: 15759075

LEGAL NOTICE, TERMS OF USE, AML POLICY, PRIVACY POLICY & DATA PROTECTION

Effective date	1 January 2026
Replaces version	1 January 2025
Next review date	1 January 2027
Governing law	Laws of England and Wales
ICO Registration	ZB823986 (UNQ Villas Collection LTD)
AML Registration	Registered with HMRC under MLR 2017
Document contact	legal@uniquevillascollection.com

IMPORTANT NOTICE TO READERS This document constitutes the entire legal framework governing access to and use of the website at uniquevillascollection.com and the services provided by Unique Villas Collection Ltd. All persons accessing this website or engaging the Company’s services are bound by these terms. This document has been prepared to the standard required for a UK-registered company operating as a high-value lettings agent and private travel office under UK AML and data protection legislation. It should be reviewed annually and following any material change in applicable law. For legal queries, contact legal@uniquevillascollection.com.

TERMS OF USE

These Terms of Use (“Terms”) govern your access to and use of the website located at uniquevillascollection.com (the “Site”) and all content, services and functionality available through the Site. Please read these Terms carefully before using the Site.

1. Definitions

In these Terms, the following definitions apply:

“the Company”	Unique Villas Collection Ltd, registered in England and Wales, Company Number 15759075, whose registered address is on file with Companies House.
“the Site”	The website operated by the Company at uniquevillascollection.com and all associated subdomains.
“User” / “you”	Any person or entity accessing the Site, whether as a prospective client, existing principal, estate owner, or professional advisor.
“Principal”	A client who has entered into or is in the process of entering into a business relationship with the Company for estate management or private travel office services.
“Services”	Estate management, bespoke travel programme design, superyacht charter coordination, private aviation coordination and related concierge services provided by the Company.
“Content”	All text, images, data, documents, designs, marks and other material published on or accessible through the Site.

2. Acceptance of terms

2.1  By accessing or using the Site, you confirm that you have read, understood and agree to be bound by these Terms in their entirety. If you do not agree to any part of these Terms, you must immediately cease use of the Site.

2.2  These Terms constitute a legally binding agreement between you and the Company. They take effect from the moment you first access the Site and continue to apply on each subsequent visit.

2.3  The Company reserves the right to amend these Terms at any time. Amendments take effect upon publication to the Site. Continued use of the Site following publication of any amendment constitutes your acceptance of the revised Terms. The date of the most recent revision is stated at the top of this document.

2.4  These Terms should be read in conjunction with the Company’s Privacy Policy, AML Policy, Data Protection Policy and Cookie Policy, all of which form part of the legal framework governing your relationship with the Company.

3. Nature of the site and services

3.1  The Site operates across two distinct service tiers. The Company’s publicly accessible portfolio of Properties may be reserved directly through the Site’s booking process, subject to these Terms, the Company’s Booking and Cancellation Policy, and the completion of applicable identity and payment verification requirements. In addition, the Company operates a private travel office service for UHNW individuals and family offices, available by introduction or private enquiry, which provides access to the Company’s on and off-market portfolio, bespoke travel programme design, estate management services, and real estate advisory services. The existence of the direct booking facility does not limit, reduce or otherwise affect the terms applicable to private office engagements, which are governed by a separate Services Agreement.

3.2  Content published on the Site is for informational purposes only. In respect of direct online bookings, a binding contract arises upon the Company’s issue of a written Booking Confirmation and receipt of the required Deposit in cleared funds, in accordance with the Booking and Cancellation Policy. In respect of private office engagements, no binding contract arises from viewing the Site or submitting an enquiry; a contract arises only upon execution of a formal written Services Agreement. The Company reserves the right to decline any booking or enquiry at its absolute discretion, without being required to give reasons.

3.3  The Company acts as a founder-led private travel office providing estate management, bespoke travel programme design, super yacht charter coordination, private aviation coordination, concierge services, and real estate advisory services to UHNW individuals and family offices. Real estate advisory services include the identification and introduction of property acquisition opportunities, facilitation of property disposals, and the arrangement of long-term rental transactions, all provided in the capacity of introducer and advisor. In certain transactions the Company also acts as a disclosed intermediary agent. The precise capacity in which the Company acts in any given transaction will be set out in the relevant Services Agreement. All real estate activities are conducted in full compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

3.4  Nothing on the Site constitutes legal, financial, tax or investment advice. Users should seek independent professional advice in relation to any matter that may have legal or financial implications.

4. Intellectual property and proprietary rights

4.1  All Content on the Site, including but not limited to the Company’s branding, name, logo, trade marks, property descriptions, photography, written content and structural design of the Site, is the exclusive property of Unique Villas Collection Ltd or is used under licence. All rights are reserved.

4.2  The Company’s intellectual property is protected under the Copyright, Designs and Patents Act 1988, the Trade Marks Act 1994 and equivalent international legislation and conventions.

4.3  You may access and view Content on the Site for your personal, non-commercial use only. Any reproduction, distribution, adaptation, commercial exploitation, scraping, data extraction or systematic copying of any Content — in whole or in part — without the Company’s prior written consent is strictly prohibited.

4.4  Unauthorised use of the Company’s intellectual property will constitute infringement and may result in civil proceedings and, where applicable, criminal prosecution under applicable United Kingdom and international law. The Company reserves the right to seek injunctive relief, damages and an account of profits in respect of any infringement.

4.5  If you wish to reproduce any Content for any purpose, you must obtain prior written consent from the Company by writing to legal@uniquevillascollection.com.

5. User conduct and prohibited activities

5.1  In accessing and using the Site, you agree that you will not:

• use the Site for any unlawful purpose or in any manner that infringes the rights of any third party;
• attempt to gain unauthorised access to any part of the Site, its systems, servers or databases;
• transmit any unsolicited commercial communications, malware, viruses or any other harmful or disruptive code or material;
• use automated means (including bots, scrapers, crawlers or data mining tools) to access, extract or aggregate Content from the Site without the Company’s prior written consent;
• impersonate any person or misrepresent your identity or affiliation with any person or entity;
• post, transmit or upload any content that is false, defamatory, offensive, obscene or in breach of any applicable law;
• use the Site to facilitate fraud, money laundering, terrorist financing or any other criminal activity.

5.2  The Company reserves the right to take any action it deems appropriate in response to prohibited conduct, including restricting access to the Site, reporting conduct to relevant authorities and commencing legal proceedings.

6. Third-party service providers

6.1  The Company works with a network of vetted third-party service providers including estate operators, superyacht charter operators, private aviation operators, security providers and other concierge partners (“Partners”). The Company conducts due diligence on all Partners before engagement and maintains ongoing oversight of their performance.

6.2  Notwithstanding the foregoing, the Company acts as the contractual counterparty in its services agreements with Principals. As between the Company and the Principal, the Company accepts responsibility for the selection and oversight of Partners. The extent of the Company’s liability in respect of third-party operational failures is set out in Clause 8 below.

6.3  Certain hyperlinks or references on the Site may direct users to external websites operated by third parties. The Company is not responsible for the content, accuracy or availability of such third-party websites and the inclusion of any link does not constitute an endorsement by the Company.

7. Availability and accuracy of the site

7.1  The Company endeavours to ensure that the Site is available at all times and that its content is accurate and up to date. However, the Site is provided on an “as is” and “as available” basis. The Company does not warrant that the Site will be uninterrupted, error-free or free from viruses or other harmful components.

7.2  The Company reserves the right to modify, suspend or withdraw the Site, or any part of it, at any time and without notice, including for maintenance, security or operational reasons. The Company shall not be liable for any loss or inconvenience arising from such modifications, suspension or withdrawal.

7.3  Property availability, specifications and all other details published on the Site are subject to change at any time without notice and should not be relied upon as definitive or contractually binding.

8. Limitation of liability

8.1  To the fullest extent permitted by law, the Company excludes all liability for any loss or damage — whether direct, indirect, consequential, special or otherwise — arising from:

• your use of, or inability to use, the Site;
• reliance on any content or information published on the Site;
• any interruption, suspension or cessation of the Site;
• any viruses or other harmful material that may infect your device or systems as a result of using the Site;
• the acts or omissions of third-party service providers engaged in connection with the Company’s services.

8.2  Nothing in these Terms operates to exclude or limit the Company’s liability for:

• death or personal injury caused by the Company’s negligence;
• fraud or fraudulent misrepresentation;
• any matter for which it would be unlawful for the Company to exclude or restrict liability.

8.3  The Company’s total aggregate liability to any User in respect of any claim or series of related claims arising under or in connection with these Terms shall not, subject to Clause 8.2, exceed the greater of (a) the total fees paid by the Principal to the Company in the twelve-month period preceding the event giving rise to the claim, or (b) £10,000 (ten thousand pounds sterling).

9. Governing law and jurisdiction

9.1  These Terms, and any dispute, claim or matter arising out of or in connection with them (including non-contractual disputes or claims), shall be governed by and construed in accordance with the law of England and Wales.

9.2  Subject to Clause 9.3, the parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising under or in connection with these Terms.

9.3  Nothing in this Clause prevents the Company from seeking interim injunctive or other emergency relief in any court of competent jurisdiction.

10. Severability and entire agreement

10.1  If any provision of these Terms is found by a court of competent jurisdiction to be invalid, unlawful or unenforceable, that provision shall be deemed severed from these Terms and the remaining provisions shall continue in full force and effect.

10.2  These Terms, together with the Company’s Privacy Policy, AML Policy and any applicable services agreement, constitute the entire agreement between the Company and the User with respect to the subject matter hereof and supersede all prior representations, agreements and understandings, whether written or oral.

11. Contact

All legal enquiries relating to these Terms should be directed to:

Legal enquiries	legal@uniquevillascollection.com
General enquiries	info@uniquevillascollection.com
Website	uniquevillascollection.com
Registered company	Unique Villas Collection Ltd, Company No. 15759075

ANTI-MONEY LAUNDERING (AML) POLICY

This Anti-Money Laundering Policy (“AML Policy”) sets out the framework by which Unique Villas Collection Ltd complies with its obligations under United Kingdom anti-money laundering and counter-terrorist financing legislation. It applies to all persons acting on behalf of the Company.

1. Legislative framework

The Company’s AML obligations arise under the following legislation:

Primary legislation	The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”), as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and 2022
Criminal law	The Proceeds of Crime Act 2002 (POCA 2002)
Terrorism	The Terrorism Act 2000
Sanctions	The Sanctions and Anti-Money Laundering Act 2018 (SAMLA 2018)
Regulatory guidance	HMRC Guidance for Estate and Letting Agencies and High-Value Dealers; FATF Recommendations; OFSI Financial Sanctions guidance

The Company is registered with HM Revenue and Customs (HMRC) for AML supervision purposes as required by MLR 2017.

2. Relevant firm status and scope

2.1  The Company is a “relevant firm” for the purposes of MLR 2017 in its capacity as:

• a high-value letting agent facilitating rental transactions with a monthly rental value exceeding €10,000 (ten thousand euros) or equivalent; and
• a provider of trust or company services and high-value ancillary services to UHNW individuals and family offices.

2.2  This AML Policy applies in full to all business relationships and transactions falling within the scope of the Company’s activities as a relevant firm. It applies with equal force to all persons acting on behalf of the Company, including the founder, any employees, consultants, agents and sub-contractors.

2.3  The Company also cooperates with requirements applicable to transactions involving assets situated in the Hellenic Republic, including those arising under Greek Law 5026/2023 concerning source of funds declarations. Where transactions involve Greek-sited assets, the Company facilitates compliance with the relevant AADE (Ανεξάρτητη Αρχή Δημοσίων Εσόδων) requirements and cooperates with Greek notaries and legal advisors as required.

3. Money Laundering Reporting Officer (MLRO)

The Company has designated a Money Laundering Reporting Officer (MLRO) with responsibility for overseeing AML compliance and receiving and evaluating all internal suspicious activity reports.

MLRO name	Georgios Bistas
Title	Founder and Principal, Unique Villas Collection Ltd
Contact	legal@uniquevillascollection.com
Alternate contact	info@uniquevillascollection.com

The MLRO is responsible for: receiving internal suspicious activity reports; evaluating such reports; making external reports to the National Crime Agency (NCA) via the SAR portal where there are grounds to do so; maintaining the Company’s AML records; and ensuring this Policy remains current and effective.

4. Customer Due Diligence (CDD)

4.1  The Company applies Customer Due Diligence measures to all clients and beneficial owners before entering into a business relationship or executing any transaction. No business relationship will be established and no funds will be accepted until satisfactory CDD has been completed to the MLRO’s satisfaction.

4.2  Standard CDD comprises:

• Verification of the client’s identity by reference to a current, government-issued photo identity document (passport or national identity card);
• Verification of the client’s residential or registered address by reference to a utility bill, bank statement or equivalent document dated within three months;
• For clients that are corporate entities, partnerships or trusts: verification of the legal structure, registered address, director(s) and ultimate beneficial owner(s) (UBOs holding 25% or more of the entity), together with certified copies of constitutional documents;
• For clients acting on behalf of another person or entity: verification of the authority to act and verification of the identity of the underlying principal;
• Screening of all parties (clients, beneficial owners, connected persons) against the UK Office of Financial Sanctions Implementation (OFSI) consolidated list, HM Treasury’s UK Sanctions List, and internationally recognised PEP (Politically Exposed Person) databases;
• Assessment of the nature, purpose and intended duration of the business relationship.

4.3  CDD information and documentation will be retained for a minimum of five years from the date on which the business relationship ends or the transaction is completed, as required by Regulation 40 MLR 2017.

5. Enhanced Due Diligence (EDD)

5.1  The Company applies Enhanced Due Diligence in all situations presenting a higher risk of money laundering or terrorist financing, including:

• Clients or beneficial owners who are Politically Exposed Persons (PEPs) as defined in Regulation 35 MLR 2017, or their known close associates or immediate family members;
• Clients from, or transactions connected to, high-risk third countries as published from time to time by the FATF, the European Commission or HM Government;
• Transactions of unusual complexity, size or pattern, or which have no apparent legitimate commercial or economic purpose;
• Clients whose source of wealth or source of funds cannot be adequately verified by standard CDD measures;
• Any situation in which the MLRO determines that a higher risk is present having regard to all relevant circumstances.

5.2  EDD measures include, as appropriate:

• Obtaining additional documentation evidencing the client’s source of funds and source of wealth;
• Conducting enhanced background screening using reputable third-party intelligence sources;
• Obtaining written approval from the MLRO before establishing the business relationship;
• Applying enhanced ongoing monitoring to the relationship and its transactions;
• Where relevant, obtaining information on the reasons for and intended nature of the transaction.

6. Ongoing monitoring

The Company conducts ongoing monitoring of all business relationships throughout their duration. This includes: reviewing all transactions to ensure they are consistent with the Company’s knowledge of the client; identifying any transactions that appear unusual, inconsistent with the client’s profile or without apparent legitimate purpose; keeping CDD information current and accurate; and re-screening clients against sanctions and PEP databases at appropriate intervals and whenever there is reason to believe a client’s status may have changed.

7. Suspicious Activity Reporting (SAR)

7.1  Any person within the Company who knows or suspects, or has reasonable grounds to know or suspect, that another person is engaged in or has been engaged in money laundering or terrorist financing, or that property represents the proceeds of criminal conduct, must make an internal report to the MLRO as soon as practicable.

7.2  The MLRO will evaluate all internal reports and, where there are reasonable grounds for suspicion that cannot be resolved by further enquiry, will submit an external Suspicious Activity Report to the National Crime Agency (NCA) via the NCA’s online SAR portal.

7.3  TIPPING OFF — CRIMINAL OFFENCE: It is a criminal offence under section 333A of the Proceeds of Crime Act 2002 and section 21D of the Terrorism Act 2000 to disclose to any person that a SAR has been made, or to disclose information that might prejudice an investigation into suspected money laundering or terrorist financing. If you are in any doubt about whether a proposed disclosure constitutes tipping off, you must consult the MLRO before taking any action.

7.4  The Company maintains a register of all internal reports and their outcomes. This register is maintained in confidence and is available to HMRC and other competent authorities upon request.

8. Financial integrity and payment security

8.1  All financial transactions are processed through the Company’s regulated banking arrangements and accounting infrastructure. The Company utilises bank-grade encryption and Strong Customer Authentication (SCA) protocols in connection with all electronic payment processing.

8.2  The Company does not accept cash payments. All payments must be made by bank transfer, verified card transaction or other traceable payment method consistent with the Company’s AML obligations.

8.3  Where card payments are accepted, processing is conducted exclusively through PCI-DSS compliant merchant processors. The Company does not store, transmit or have access to full card numbers. All sensitive payment data is handled exclusively by the relevant regulated payment processor.

8.4  All payments are subject to identity verification and source of funds assessment as part of the Company’s CDD and EDD procedures. The Company reserves the right to decline any payment or transaction where it is not satisfied as to its provenance.

9. Training and awareness

All persons acting on behalf of the Company are made aware of this AML Policy, their personal obligations under UK AML legislation, the Company’s CDD and EDD procedures, and the procedure for making internal suspicious activity reports. This Policy is reviewed annually and updated to reflect changes in legislation, regulatory guidance and the Company’s risk assessment.

10. Consequences of non-compliance

Non-compliance with this AML Policy, or with the underlying legislative obligations, is a matter of the utmost seriousness. Breaches may result in termination of engagement without notice and, where there is evidence of criminal conduct, referral to HMRC, the NCA or other relevant law enforcement authorities. The Company will not, under any circumstances, knowingly permit any business relationship, payment or transaction to be used in connection with money laundering or terrorist financing.

PRIVACY POLICY

This Privacy Policy explains how Unique Villas Collection Ltd collects, uses, stores and protects personal data in its capacity as a Data Controller under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

1. Identity of the Data Controller

The Data Controller in respect of all personal data collected and processed by the Company is:

Company name	Unique Villas Collection Ltd
Company number	15759075 (England and Wales)
Trading name	Unique Villas Collection
ICO registration	ZB823986 (registered as UNQ Villas Collection LTD)
ICO registration dates	02 December 2024 – 01 December 2025 (renewed annually)
Data protection contact	legal@uniquevillascollection.com
General enquiries	info@uniquevillascollection.com

2. Personal data we collect and process

We collect and process only such personal data as is necessary for the specific, lawful purposes described in this Policy. Depending on the nature of your relationship with us, this may include the following categories of data:

Category	Examples	Source
Identity data	Full legal name, date of birth, nationality, passport or national identity card number, signature	Provided directly by you or your authorised representative
Contact data	Email address, telephone number, postal address, Signal handle	Provided directly by you or your representative
Financial data	Bank account details for payment processing; source of funds and source of wealth documentation required for AML compliance	Provided directly by you
Programme and lifestyle data	Travel preferences, dietary and nutritional requirements, medical considerations relevant to safe delivery of travel services, family composition, scheduling and itinerary information	Provided directly by you or your family office representative
Professional and organisational data	Family office structure, corporate entity details, UBO information, directorship details	Provided by you or your professional advisors
Technical data	IP address, browser type and version, device identifiers, pages visited on the Site and time spent on those pages	Collected automatically when you visit the Site
Communications data	Correspondence by email, Signal, telephone or other channel relating to the Company’s services or your enquiry	Generated through your communications with us

We do not collect special category personal data (as defined in Article 9 UK GDPR, including health, racial or ethnic origin, religious beliefs or biometric data) except where this is directly relevant to the safe delivery of a specific element of your travel programme — for example, serious medical conditions relevant to emergency planning. Special category data is collected only with your explicit consent and processed only to the extent strictly necessary.

3. Lawful bases for processing

We process your personal data only where we have a lawful basis for doing so under Article 6 UK GDPR (and Article 9 for special category data). The following table sets out the primary purposes for which we process personal data and the corresponding lawful basis:

Purpose of processing	Lawful basis (UK GDPR)
To provide estate management, private travel office and concierge services pursuant to a services agreement with you	Article 6(1)(b) — performance of a contract
To comply with UK AML, tax, regulatory and legal obligations including CDD, EDD and SAR requirements	Article 6(1)(c) — compliance with a legal obligation
To communicate with you in relation to your programme, enquiry or services agreement	Article 6(1)(f) — legitimate interests of the Company
To maintain records of our business relationship and transactions	Article 6(1)(c) legal obligation and Article 6(1)(f) legitimate interests
To protect the Company’s legal position in connection with actual or potential claims or disputes	Article 6(1)(f) — legitimate interests of the Company
To improve our services, systems and security measures	Article 6(1)(f) — legitimate interests of the Company
To send you service-related communications and updates relevant to your programme	Article 6(1)(f) — legitimate interests of the Company
To process special category data (e.g. relevant medical information, dietary data)	Article 9(2)(a) — explicit consent

Where we rely on legitimate interests as our lawful basis, we have assessed that our legitimate interests are not overridden by the data subject’s rights and freedoms, having regard to the nature of the data, the context of the processing and the reasonable expectations of the data subject.

4. How we share your personal data

4.1  We do not sell, rent, lease or otherwise transfer your personal data to any third party for their own commercial purposes. We share personal data only in the following limited circumstances:

• With vetted operational Partners (estate staff, superyacht operators, private aviation operators, security providers, medical providers) to the extent strictly necessary for the delivery of your programme. All such Partners are required to process your data in compliance with UK GDPR and are subject to data processing terms.
• With the Company’s professional advisors (solicitors, accountants, compliance consultants) under duties of professional confidentiality.
• With HMRC, the NCA, the ICO, OFSI or other competent regulatory or law enforcement authorities where the Company is under a legal obligation to make disclosure, or where disclosure is necessary for the prevention, detection or prosecution of crime.
• With any successor entity in the event of a sale, merger, restructuring or transfer of all or part of the Company’s business, provided that the acquiring entity assumes equivalent data protection obligations.

4.2  International transfers: Where personal data is transferred to recipients outside the United Kingdom — for example, to operational Partners in Greece, France, Monaco, Spain or Caribbean jurisdictions — the Company ensures that appropriate transfer safeguards are in place in accordance with Chapter V UK GDPR. These safeguards may include: an adequacy regulation made by the UK Secretary of State; a UK International Data Transfer Agreement (IDTA); or, where applicable, reliance on a derogation under Article 49 UK GDPR (for example, the explicit consent of the data subject or the necessity of the transfer for the performance of a contract).

5. How we protect your personal data

The Company implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

• Encryption of all data in transit using HTTPS/TLS protocols;
• Encrypted storage of personal data at rest on secure, access-controlled systems;
• Use of encrypted communications channels (including Signal and encrypted email) for sensitive principal communications;
• Restriction of access to personal data to authorised personnel only, on a strict need-to-know basis;
• Regular review and testing of security measures;
• Secure disposal of physical documents containing personal data by shredding;
• Maintenance of up-to-date operating systems and security software on all devices used for Company business.

6. Retention of personal data

We retain personal data only for as long as is necessary for the purpose for which it was collected and in accordance with our legal obligations. The following retention periods apply:

Data category	Retention period	Basis
AML, CDD and KYC records	5 years from end of business relationship	Legal obligation (Regulation 40 MLR 2017)
Contract documents and financial records	6 years from end of contract or last transaction	Legal obligation (Limitation Act 1980)
Programme and correspondence data	Duration of relationship + 2 years	Legitimate interests
Enquiry data (no relationship established)	12 months from last communication	Legitimate interests
Special category data (e.g. medical/dietary)	Duration of relevance + 12 months	Consent (withdrawn upon request)
Website technical/analytics data	26 months	Legitimate interests

Upon expiry of the applicable retention period, personal data is securely and permanently deleted or rendered irreversibly anonymous.

7. Your rights under UK GDPR

As a data subject, you have the following rights in respect of your personal data. You may exercise any of these rights at any time by writing to us at legal@uniquevillascollection.com. We will acknowledge your request within five working days and respond substantively within one calendar month (extendable by a further two months in complex cases, with prior notification).

Right	What it means in practice
Right of access (Article 15)	You may request a copy of all personal data we hold about you, together with information about how and why we process it. This is known as a Subject Access Request (SAR).
Right to rectification (Article 16)	You may request that we correct any inaccurate or incomplete personal data we hold about you.
Right to erasure (Article 17)	You may request the deletion of your personal data where there is no longer a compelling lawful basis for us to retain it. Note: we may decline an erasure request where the data is required for active AML compliance, ongoing legal claims or compliance with a legal obligation.
Right to restriction of processing (Article 18)	You may request that we restrict our processing of your personal data in certain defined circumstances (for example, while the accuracy of the data is contested).
Right to data portability (Article 20)	Where processing is based on your consent or on a contract and is carried out by automated means, you may request that we provide your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21)	You may object to processing based on legitimate interests at any time. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Rights related to automated decision-making (Article 22)	The Company does not carry out automated decision-making or profiling that produces legal or similarly significant effects.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that the Company has failed to handle your personal data in accordance with applicable data protection law. The ICO can be contacted at ico.org.uk, by telephone on 0303 123 1113, or by post at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

8. Cookies

The Site uses a minimal set of cookies. Strictly necessary cookies are required for the Site to function correctly and are deployed without requiring your consent. Analytics cookies — used to generate aggregate, anonymised data about Site usage — are activated only upon your explicit consent via the cookie banner. The Company does not use advertising, retargeting or third-party tracking cookies. Full details of all cookies used on the Site are set out in the Company’s Cookie Policy, available at uniquevillascollection.com/cookies.

9. Changes to this Privacy Policy

This Privacy Policy is reviewed annually and following any material change in UK data protection law or the Company’s processing activities. Where material changes are made, existing Principals will be notified directly. The current version of this Policy is always available at uniquevillascollection.com/privacy-policy. The version and effective date appear at the top of this document.

DATA PROTECTION POLICY

This Data Protection Policy sets out the internal governance framework by which Unique Villas Collection Ltd ensures that all personal data is collected, stored, used and disposed of in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Scope and application

This Policy applies to all personal data processed by the Company in connection with its business activities, including but not limited to data relating to Principals, prospective clients, estate owners, service providers and professional contacts. It applies to all persons acting on behalf of the Company, including the founder, employees, consultants and sub-contractors with access to Company data or systems.

2. The seven data protection principles

The Company is committed to ensuring that all personal data is processed in accordance with the seven principles of UK GDPR (Article 5). All personal data must be:

Principle	How we apply it
1. Lawfulness, fairness and transparency	We always identify and document a lawful basis before processing. Our Privacy Policy provides transparent information to data subjects about our processing activities.
2. Purpose limitation	Data is collected only for specified, explicit and legitimate purposes. We do not use data for purposes incompatible with those for which it was collected.
3. Data minimisation	We collect only the minimum personal data necessary for the purpose. Requests for data that goes beyond what is necessary will be declined internally.
4. Accuracy	We take reasonable steps to keep personal data accurate and up to date. We correct inaccuracies promptly when notified.
5. Storage limitation	Data is retained only for as long as necessary and in accordance with our Retention Schedule. It is then securely deleted or anonymised.
6. Integrity and confidentiality	We maintain appropriate technical and organisational measures to protect data against unauthorised access, loss, destruction or alteration.
7. Accountability	The Company maintains documentation of its processing activities, policies and procedures, and can demonstrate compliance with UK GDPR on request.

3. Roles and responsibilities

Data Controller	Unique Villas Collection Ltd — determines the purposes and means of processing personal data.
ICO Registration	ZB823986 — registered with the Information Commissioner’s Office as required under DPA 2018.
Data Protection Lead	Georgios Bistas, Founder — responsible for day-to-day compliance with this Policy and UK GDPR obligations.
All personnel	Every person acting on behalf of the Company must handle personal data in accordance with this Policy. Breaches must be reported to the Data Protection Lead immediately.

4. Technical and organisational security measures

The Company implements the following technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk:

• Access controls: personal data is accessible only to personnel who require it for the performance of their role. Access credentials are not shared and are revoked promptly upon termination of engagement.
• Encryption in transit: all data in transit between users and the Site is encrypted using HTTPS/TLS. Sensitive communications are conducted via encrypted channels including Signal and end-to-end encrypted email.
• Encryption at rest: personal data stored electronically is held on encrypted storage systems. Devices used for Company business are encrypted at rest and configured for remote wipe.
• Third-party processor controls: all third-party processors engaged by the Company are subject to written Data Processing Agreements (DPAs) confirming that they will process data only on the Company’s documented instructions and in compliance with UK GDPR.
• Physical security: physical documents containing personal data are held in locked, access-controlled premises and disposed of by secure cross-cut shredding.
• Software maintenance: operating systems, applications and security software on all Company devices are maintained with current security patches and updates.
• Incident response: the Company maintains a documented data breach response procedure (see Section 5 below).

5. Data breach response procedure

A personal data breach means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The following procedure applies to all suspected or confirmed breaches:

Step	Action required
1 — Immediate containment	Any person who discovers or suspects a breach must immediately notify the Data Protection Lead and take all reasonable steps to contain the breach (e.g. changing compromised credentials, isolating affected systems).
2 — Assessment	The Data Protection Lead assesses the breach within 24 hours: nature and scope; categories and approximate number of data subjects affected; likely consequences; and risk level.
3 — ICO notification	If the breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours of the Company becoming aware of it (Article 33 UK GDPR).
4 — Data subject notification	If the breach is likely to result in a high risk to individuals, those individuals must be notified without undue delay (Article 34 UK GDPR).
5 — Documentation	All breaches (reported or not) must be recorded in the Company’s internal Breach Register, including facts, effects, remedial actions taken and outcome.

6. Data subject rights — handling procedure

All requests to exercise data subject rights must be submitted in writing to legal@uniquevillascollection.com. The following procedure applies:

• All requests will be acknowledged within five working days of receipt.
• The identity of the person making the request will be verified before any data is disclosed or any action is taken.
• All requests will be fulfilled within one calendar month of receipt (extendable by a further two months in complex cases, with prior notification to the data subject).
• Requests will be fulfilled free of charge unless they are manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged or the request may be refused, with written reasons provided.

7. International data transfers

Where personal data is transferred to recipients outside the United Kingdom (for example, to operational partners in Greece, France, Spain, Monaco or the Caribbean), the Company ensures that one of the following safeguards is in place: a UK adequacy regulation; a UK International Data Transfer Agreement (IDTA); a UK Addendum to EU Standard Contractual Clauses; or, where applicable, an explicit consent derogation under Article 49 UK GDPR. The Company maintains a record of all international transfers and the safeguards applied to them.

8. Policy review and compliance

This Policy is reviewed annually by the Data Protection Lead, and following any material change in UK data protection legislation, ICO guidance or the Company’s processing activities. All persons acting on behalf of the Company are required to familiarise themselves with this Policy. Any concerns about data protection compliance must be raised with the Data Protection Lead without delay.

Policy owner	Georgios Bistas, Founder, Unique Villas Collection Ltd
ICO registration	ZB823986
ICO renewal due	01 December 2025 (renew annually at ico.org.uk)
Last reviewed	1 April 2025
Next scheduled review	1 April 2026
Contact	legal@uniquevillascollection.com

UNIQUE VILLAS COLLECTION LTD

Company No. 15759075  ·  ICO Reg. ZB823986  ·  legal@uniquevillascollection.com

uniquevillascollection.com  ·  Governed by the Laws of England and Wales