Legal

Privacy Notice

This notice sets out how Aspen Meridian Ltd collects, uses, retains, and discloses personal data in connection with this website and with correspondence directed to the company. It applies solely to data processing conducted at the level of the holding company and does not govern the practices of any operating company within the group.

1. Identity of the Data Controller

The Data Controller in respect of personal data processed pursuant to this Notice is Aspen Meridian Ltd, a private company limited by shares, incorporated in the Isle of Man pursuant to the Companies Acts 1931 to 2004 and registered with the Isle of Man Companies Registry. The company is registered as a Data Controller with the Isle of Man Information Commissioner's Office in accordance with its obligations under the Data Protection Act 2018 (Isle of Man) (the "Act").

Aspen Meridian Ltd
Registered Number: 139014C
Registered office: Aspen House, Malew Street, Castletown, Isle of Man, IM9 1AB
Correspondence: enquiries@aspenmeridian.com

References in this Notice to "Aspen Meridian", "the company", "we", "us", or "our" are to Aspen Meridian Ltd in its capacity as Data Controller. The "group" means Aspen Meridian Ltd and its subsidiary and operating companies from time to time.

2. Scope and Application

This Notice applies to personal data processed by Aspen Meridian Ltd in connection with:

  1. visits to and use of the website at www.aspenmeridian.com (the "Site"), including any subdomains or successor domains;
  2. correspondence received by or sent from Aspen Meridian Ltd by electronic or other means, including enquiries submitted by email or otherwise directed to the company's registered or correspondence addresses; and
  3. technical and operational data generated incidentally by the foregoing activities.

This Notice does not apply to, and does not supersede, any privacy notice, data protection policy, or terms of service published by any operating company within the group, including without limitation those published by locked.im or ManxPay. Where an individual's relationship is primarily with an operating company rather than with Aspen Meridian Ltd itself, the applicable notice is that published by the relevant operating company. Enquiries concerning data processed at the operating company level should be directed to those entities, whose contact and compliance details are contained within their own published documentation.

3. Categories of Personal Data Collected

Aspen Meridian collects and processes only such personal data as is necessary for the purposes identified in this Notice. Depending upon the nature of an individual's interaction with the Site or the company, such data may include:

  1. Correspondence data: the full name, electronic mail address, postal address, telephone number, and such other identifying or contact particulars as an individual includes in correspondence addressed to the company, together with the content, metadata, and any attachments of that correspondence;
  2. Technical and log data: Internet Protocol address, browser type and version, operating system, device type, referral source, pages accessed, access times and durations, and other data automatically generated by interaction with the Site and recorded in server logs or equivalent records;
  3. Cookie and analytics data: data generated by cookies, web beacons, and similar technologies deployed on the Site, to the extent described in Section 8 of this Notice; and
  4. Due diligence and counterparty data: where required in the context of a potential corporate, commercial, or investment relationship, personal data relating to directors, principals, beneficial owners, or other relevant natural persons, to the extent necessary to satisfy the company's legal and regulatory obligations or its own internal governance requirements.

Aspen Meridian does not, in the ordinary course of its operations, collect or process special categories of personal data (including, without limitation, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, data concerning health, or data concerning sex life or sexual orientation). Where such data is volunteered unsolicited in correspondence, it will not be processed beyond what is strictly necessary to handle the relevant communication, and will not be retained for any secondary purpose.

4. Purposes and Legal Bases for Processing

The Act requires that each processing activity be carried out on a lawful basis. Aspen Meridian processes personal data under the following bases and for the following purposes:

  1. Legitimate interests (Article 6(1)(f), UK GDPR as retained and adapted in Isle of Man law): the administration, operation, and security of the Site; the handling and archiving of corporate correspondence; the prevention of fraud, misuse, or abuse of the company's systems and communications channels; the protection of the company's legal rights and proprietary interests; and the conduct of proportionate due diligence on prospective counterparties. The company has assessed that these processing activities are necessary for the purposes of the legitimate interests pursued and that those interests are not overridden by the interests or fundamental rights and freedoms of affected data subjects.
  2. Performance of a contract or pre-contractual steps (Article 6(1)(b)): where an individual contacts the company with a view to entering into, or in connection with the performance of, any arrangement or agreement with Aspen Meridian, personal data may be processed to the extent necessary to take steps at the data subject's request or to perform obligations arising under the relevant arrangement.
  3. Compliance with a legal obligation (Article 6(1)(c)): where processing is required by or under any applicable law, regulation, court order, or the requirements of any competent regulatory or governmental authority, including obligations arising under Isle of Man law and any applicable anti-money laundering, counter-terrorist financing, or tax reporting requirements.
  4. Consent (Article 6(1)(a)): in the limited circumstances where Aspen Meridian relies upon consent as the lawful basis for processing — including in connection with certain categories of cookies as described in Section 8 — that consent will be sought in a form that is freely given, specific, informed, and unambiguous, and may be withdrawn at any time by contacting the company at the address set out in Section 1 of this Notice. Withdrawal of consent shall not affect the lawfulness of any processing carried out prior to such withdrawal.

5. Disclosure and Sharing of Personal Data

Aspen Meridian does not sell, rent, or otherwise transfer personal data to third parties for commercial or marketing purposes. Personal data may, however, be disclosed in the following circumstances:

  1. Service providers and processors: to carefully selected third-party service providers engaged to support the operation, maintenance, security, hosting, and administration of the Site or the company's communications infrastructure. Such parties are engaged pursuant to written agreements that impose obligations of confidentiality and restrict their use of personal data to the purposes for which it was disclosed;
  2. Professional advisers: to legal counsel, accountants, auditors, and other professional advisers retained in connection with the company's governance, corporate affairs, or any actual or prospective legal proceedings, subject in each case to applicable professional obligations of confidentiality;
  3. Group companies: to other members of the Aspen Meridian group where reasonably necessary for the administration of the group's affairs or the performance of shared infrastructure or administrative functions, and in each case subject to equivalent data protection standards; and
  4. Regulatory and legal disclosure: to any competent court, regulatory authority, governmental body, or law enforcement agency where such disclosure is required or permitted by applicable law, or where the company reasonably determines that disclosure is necessary to protect the rights, property, or safety of the company, its group members, or the public.

6. International Transfers of Personal Data

The Isle of Man maintains a data protection framework assessed as equivalent to that of the United Kingdom and, by extension, consistent with European data protection standards. Where personal data processed by or on behalf of Aspen Meridian is transferred to processors or sub-processors located outside the Isle of Man, Aspen Meridian will take reasonable and appropriate steps to ensure that such transfers are conducted in accordance with the Act, including, where required, by ensuring that adequate safeguards are in place — whether by means of standard contractual clauses, adequacy determinations by the Isle of Man Information Commissioner, or other mechanisms recognised as affording equivalent protection.

Individuals who wish to obtain further information regarding the safeguards applicable to any particular international transfer may direct enquiries to the address set out in Section 1 of this Notice.

7. Retention of Personal Data

Personal data is retained only for so long as is reasonably necessary, having regard to the purpose for which it was collected, any applicable statutory or regulatory retention requirements, the reasonable requirements of the company's administration and governance, and any limitation periods applicable to potential legal claims. In determining appropriate retention periods, the company applies the principle of proportionality and seeks to avoid the retention of personal data beyond the period for which a lawful basis continues to exist.

Correspondence received and not giving rise to any ongoing matter is typically retained for a period not exceeding two years from the date of receipt, unless a longer period is required by applicable law, is necessary in connection with any ongoing matter or legal proceedings, or is otherwise justified by reference to the purposes for which the data was collected. Technical and log data is retained for such period as is reasonably necessary for the operational, security, and legal purposes for which it was generated. On expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with the company's internal procedures.

8. Cookies and Similar Technologies

The Site may employ cookies, web beacons, pixels, and similar client-side tracking or functionality technologies. Cookies may be deployed for the following categories of purpose:

  1. Strictly necessary: cookies essential to the basic operation and security of the Site, including those required to maintain session integrity, prevent cross-site forgery, and ensure proper delivery of pages and content. These cookies do not require consent and cannot be disabled without impairing Site functionality;
  2. Performance and analytics: cookies and equivalent technologies used to collect aggregate, non-personally-identifying information regarding how visitors interact with the Site, including pages visited, duration, and referring sources, with a view to improving Site performance and user experience. Where any such tool involves the collection of personal data, it will be deployed only to the extent permitted by applicable law and disclosed in this Notice; and
  3. Functional: cookies that enable enhanced functionality, including the retention of user preferences where relevant.

Third-party analytics or performance services engaged by the company may set their own cookies, subject to the privacy policies of those services. Users may configure their browser settings to refuse, restrict, or delete cookies at any time, though doing so may affect the operation or presentation of certain elements of the Site. Where required by applicable law, consent to non-essential cookies will be sought prior to their deployment.

9. Rights of Data Subjects

Subject to applicable law, and to any limitations or exemptions that may apply in individual cases, data subjects whose personal data is processed by Aspen Meridian may be entitled to exercise the following rights under the Act:

  1. Right of access: to obtain confirmation as to whether personal data concerning them is being processed and, if so, to receive a copy of that data together with information about the purposes, categories, recipients, and envisaged retention period;
  2. Right to rectification: to require the correction of inaccurate or incomplete personal data held by the company;
  3. Right to erasure: to request the deletion of personal data where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and no other lawful basis exists, or in such other circumstances as are prescribed by the Act;
  4. Right to restrict processing: to request that processing be restricted pending the resolution of a contest as to accuracy or the outcome of an objection;
  5. Right to object: to object to processing carried out on the basis of the company's legitimate interests, including on grounds relating to the data subject's particular situation, in which case the company will cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or that the processing is necessary for the establishment, exercise, or defence of legal claims;
  6. Right to data portability: to receive personal data provided by the data subject in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where the processing is carried out by automated means and is based on consent or contract; and
  7. Right to withdraw consent: where processing is based on consent, to withdraw such consent at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal.

To exercise any of the foregoing rights, a data subject should submit a written request to the company at the address or electronic mail address set out in Section 1. The company will respond within the timescales required by the Act. The company may request such information as is reasonably necessary to verify the identity of the requester before acting upon any request.

Data subjects who consider that their rights under the Act have been infringed or that the company is not processing their personal data in accordance with applicable law have the right to lodge a complaint with the Isle of Man Information Commissioner's Office, whose contact details are available at www.inforights.im.

10. Security of Personal Data

Aspen Meridian implements technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Such measures are reviewed and updated from time to time in accordance with the nature of the data processed, the risks involved, and the standards expected of a prudent data controller operating in this sector. Where third-party processors are engaged, the company requires contractual commitments to maintain appropriate security standards.

Notwithstanding the foregoing, no method of transmission over the Internet or of electronic storage is wholly secure. The company therefore cannot guarantee the absolute security of information transmitted to or by it via the Site or by electronic correspondence, and any such transmission is at the sender's own risk.

11. Limitation of This Notice — Group Companies

This Notice applies solely to Aspen Meridian Ltd in its capacity as Data Controller for the activities described in Section 2 above. The group's operating companies — including, without limitation, locked.im and ManxPay — are each independent data controllers in respect of personal data processed through their respective products, platforms, and services. Each such entity maintains its own data protection registration, privacy notices, and subject access procedures, which are the definitive statements for data processing in those contexts. Nothing in this Notice constitutes a representation or warranty as to the practices of any operating company.

12. Amendments to This Notice

This Notice may be amended from time to time to reflect changes in the company's processing activities, applicable law, or regulatory guidance. Any revised version will be published on this page with an updated effective date. The company recommends that this Notice be reviewed periodically. Continued use of the Site following publication of a revised notice will not, in itself, constitute acceptance of the amended terms; where material changes are made, the company will take reasonable steps to bring such changes to the attention of affected persons.

This Notice was last reviewed and updated in April 2026. Previous versions are available upon request.

Aspen Meridian Ltd  ·  Registered Number: 139014C  ·  Isle of Man Data Protection Act 2018  ·  Data Controller Registration: Isle of Man Information Commissioner's Office

Last reviewed: April 2026

↑ You have been brought to the end of this notice

Please scroll up to read it in full before proceeding. The button below should only be clicked once you have done so — clicking it constitutes your confirmation that you have read and understood this Privacy Notice.