Controller. Goldstream Group Ltd, info@goldstream.co.uk.
What we collect. Identity data, contact data, order details, KYC evidence, payment references (no full card numbers), support messages, analytics.

Why (lawful bases).
• Perform a contract (fulfil orders, delivery or storage).
• Legitimate interests (security, fraud prevention, analytics, service improvement).
• Legal obligation (AML record keeping).
• Consent (marketing emails; cookies).

Sharing. Processors include Stripe (payments), AWS S3 (document storage), BullionVault or vault partners (allocation), Zoho (email), and other essential vendors. We require appropriate safeguards.
Retention. Order and KYC records kept for up to 6 years (or longer if legally required). Marketing consent until you opt out.

Your rights. Access, rectify, erase, restrict, object, portability, and withdraw consent. See Data Requests.
Security. Encryption in transit and at rest, access controls, staff training.

International transfers. Where data leaves the UK/EEA, we use UK Addendum/EU SCCs or equivalent safeguards.

Contact/DPO. info@goldstream.co.uk.