Privacy Notice

Welcome to the World Star Aviation Privacy Notice. This Privacy Notice covers all of our legal entities including World Star Aviation (UK) Limited which is incorporated in England & Wales and has the registration number of 09108519 and registered address of 1st Floor 32 Wigmore Street, London, England, W1U 2RP. At World Star Aviation, we provide a full, in-house asset and investment management service. This covers aircraft analysis and investment structuring, complete lease servicing, aircraft marketing and technical inspection.

Our Privacy Notice applies to all of our website users, employment applicants as well as prospective and existing investors and third parties that engage with us. We’ve created a brief glossary in Section 9 which explains the key data protection terms (including ones that we’ve used by capitalising the first letter in a word in this Privacy Notice).

This Privacy Notice is kept regularly under review and was last updated in September 2023.

1. Our status and approach

Data Protection Laws have created the concepts of a Data Controller and a Data Processor. World Star Aviation’s status is that of a Data Controller. We are supervised by the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England & Wales. Our registration reference with the ICO is ZB602385.

We have completed an assessment of our organisation under Data Protection Laws and have determined that we are not required to appoint a Data Protection Officer. Compliance with Data Protection Law is managed by all employees within our Legal & Compliance Team.

World Star Aviation believes that protecting the confidentiality and integrity of Personal Data is a critical responsibility that we must take seriously at all times. Our data protection compliance program includes a governance framework, data protection policies and procedures, technical security controls and training for employees.

Our data protection compliance program is built on the following principles.

• Personal Data must be Processed lawfully, fairly and in a transparent manner.
• Personal Data must be collected only for specified, explicit and legitimate purposes.
• Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
• Personal Data is accurate and where necessary, kept up to date.
• Personal Data should not be kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the Personal Data is Processed.
• Personal Data must be Processed in a manner that ensures its security using appropriate technical and organisational measures to protect it against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

2. Types of Personal Data that we Process

We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you. In general, we collect the following types:

• Identity Data (e.g., title, gender, first name, maiden name, last name, date and place of birth, tax residency, nationality, passport, national ID card, driver’s licence and employment status).
• Contact Data (e.g., phone number, email address, business address and billing address).
• Financial Data (e.g., invoices, bank account details, bank statements, utility bills, value added tax numbers, payment details and source of wealth).
• Profile Data (e.g., information about your professional background/organisation and agreements you have entered into with us and our business partners).
• Technical & Usage Data (e.g., your preference in respect of cookies, internet protocol addresses, browser type and version, time zone settings and information about how you use our website).
• Special Category Data (e.g., information about your mental and physical health).

3. Different types of Data Subjects

a) Website users

We collect Technical & Usage Data (for tracking purposes). We also collect Identity Data and Contact Data (if you decide to get in touch with us).

As you interact with our website, we automatically collect this Personal Data about you by using cookies and similar technologies. We also collect this Personal Data through our direct interactions with you such as when you contact us through our website.

Our legal grounds for Processing are:

• Consent (i.e., in that you are choosing to provide us with your details so that we can contact you).
• Legitimate Interests (i.e., it’s necessary for our Legitimate Interests in running and developing our business).

b) Applicants (prospective employees)

We collect Identity Data, Contact Data and Profile Data (for when you submit your application to join us). We collect some Special Category Personal Data about you (such as information about your health where we are required to put in place reasonable adjustment for your interview). We only collect this type of Personal Data when we have a legal ground in which to do so (i.e., you have given us your Consent and chosen to provide us with this Personal Data).

We collect this Personal Data through our direct interactions with you.

Our legal grounds for Processing are:

• Consent (i.e., in that you are choosing to provide us with your details so that we can contact you about a vacancy).
• Contract (i.e., in that we need this information to potentially enter into a contract with you).

c) Potential or existing investors, counterparties and other third-parties

We also collect Identity Data, Contact Data, Financial Data and Profile Data (for when you enter into a contract with us for us to deliver our services or during the course of our business of acquiring, financing, selling or leasing assets).

We collect this Personal Data through our direct interactions with you and other third parties, such as Lexis Nexis Accuity Online Compliance.

Our legal grounds for Processing are:

• Contract (i.e., in that we need this information to enter into or perform a contract with you).
• Legitimate Interests (i.e., its necessary for our Legitimate Interests in recovering funds due).
• Legal obligation (i.e., its necessary for us to comply with a legal obligation such as in respect to our financial, tax and legal affairs and in order to ensure compliance with applicable sanctions).

4. Sharing your Personal Data

We will only share your Personal Data when necessary and have outlined examples of the types of organisations with whom we would share it with:​

• Technology companies that provide us with support, hardware and software products (such as Microsoft) – for us to conduct our business operations.
• Professional advisers such as law firms, banks, payment providers and accountancy firms (such as KPMG and PwC) – which we need to engage with for the purposes of our business.
• Regulators and other governmental authorities (e.g., Companies House and HM Revenue & Customs) – which we need to engage with for the purposes of our business.
• Third parties to whom we may be in contact with to acquire, finance, sell, or lease assets, or to attempt to acquire, finance, sell or lease assets.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with our third parties (with the exception of regulators and governmental authorities) which include the appropriate data protection clauses.

5. Protecting your Personal Data

We have put in place appropriate technical and organisational security measures to prevent your Personal Data from being accidentally lost, falsified, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, contractors and other third parties who have a business need to know. We have put in place policies and procedures to deal with any suspected or actual Personal Data breaches.

6. Transferring Personal Data across bordersa

We ensure that Personal Data is transferred safely and securely at all times. Whenever your Personal Data is transferred outside of the United Kingdom (“UK”) and/or the European Economic Area (“EEA”), we ensure that it’s protected by putting in one of the following safeguards:

• We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data as endorsed by the ICO and identified and determined by the European Commission.
• We will only transfer your Personal Data where we have entered into specific contracts with an organisation outside of the UK and/or the EEA which states that they will ensure that your Personal Data has the same level of protection as if it were in the UK and/or the EEA.

If you want to find out the specific mechanism used when transferring your Personal Data out of the UK and/or the EEA, please contact us using the details below (see Section 10).

7. Retaining Personal Data

We will only keep your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

8. Data Subject rights

Under certain circumstances, you have specific rights in respect of the Personal Data that we Process about you. These rights include, for example:

• ​Right of access to information and copies of the Personal Data that we hold about you.
• Right to rectify (i.e., correct) your Personal Data where it is inaccurate or incomplete.
• Right to delete your Personal Data, but only in specific circumstances (e.g., where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected or Processed).
• Right to restrict Processing in specific circumstances (e.g., for example while we are reviewing the accuracy or completeness of your Personal Data or deciding on whether any request for erasure is valid).
• Right to object to Processing of your Personal Data in cases where Processing is based upon our Legitimate Interests.

If you wish to exercise any of the rights set out above, please contact us using the details below (see Section 10). You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity. This is a security measure also in your own interest to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than one month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

We also need to let you know that you have the right to make a complaint to the ICO which can be contacted on www.ico.org.uk. We request that if you are not satisfied in the way in which we Process your Personal Data that you kindly contact us in the first instance.

Please note that we have not listed all of the Data Subject rights in Section 8 and we have only listed those that are applicable due to the nature of our business and the Personal Data that we Process (e.g., the Data Subject right to data portability is not applicable as we do not carry out Processing by automated means).

9. Glossary

Consent refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.

Data Controller refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws.

Data Processor refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws and also its contractual obligations with Data Controllers.

Data Protection Laws refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to personal data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). The UK GDPR sits alongside the Data Protection Act 2018.

Data Subject refers to a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

European Economic Area (“EEA”) refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.

Legitimate Interest refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.

Personal Data refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Personal Data and pseudonymised Personal Data. Further examples of Personal Data are included in Section 2 in this Privacy Notice. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.

Process, Processing and Processed refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Special Category Personal Data refers to more sensitive information including that which reveals racial or ethnic origin, religious or similar beliefs, physical or mental health conditions and biometric or genetic data of an individual.

10. Communicating with us

We take our legal and compliance responsibilities seriously and hope that you have found our Privacy Notice to be informative and useful. Should you have any questions concerning it and our approach to data privacy, please do get in touch with us on:

• Address: 32 Wigmore Street, 1st Floor, London, United Kingdom, W1U 2RP
• Phone: +44 (0) 20-3966-7688
• Email: wsaadmin@worldstaraviation.com