Privacy Policy - Endevio
Our top priority is to keep your data and privacy safe. Investigate Endevio's clear and thorough privacy policy.
Introduction
Privacy Policy
Last updated: 2 May 2026
1. Introduction
1.1. This Privacy Policy explains how Agenglobal Ltd., trading as Endevio, collects, uses, stores, shares and protects personal data in connection with the Endevio website, enquiries, client onboarding, investment migration services, residence and citizenship advisory services, family office services, related advisory services, marketing, events and communications.
1.2. This Privacy Policy applies to personal data about clients, prospective clients, applicants, family members included in applications, dependants, beneficial owners, authorised representatives, introducers, intermediaries, professional advisers, suppliers, website users, marketing contacts and other persons whose personal data is processed in connection with Endevio.
1.3. This Privacy Policy is intended to comply with the General Data Protection Regulation (EU) 2016/679, the GDPR, and Malta’s Data Protection Act, Chapter 586 of the Laws of Malta.
2. Data controller
2.1. For personal data processed through the Endevio website and in connection with Endevio-branded services, the data controller is:
| Item | Details |
|---|---|
| Legal entity | Agenglobal Ltd. |
| Trading name | Endevio |
| Company number | C 110550 |
| Registered in Malta | 2 December 2024 |
| Registered address | Level 2, The Brewhouse, Mdina Road, Central Business District, Zone 2, Birkirkara CBD 2010, Malta |
| Brand website | endevio.com |
| Privacy contact | privacy@endevio.com |
2.2. Agenglobal Ltd. is licensed by Residency Malta Agency as an Agent under licence RES-AGEN.
2.3. Depending on the programme, jurisdiction and client requirements, Endevio may provide services directly, work with local legal counsel, professional advisers, intermediaries, introducers, licensed agents, government agencies or other approved service providers, or coordinate services with other entities within the Innovora Group.
3. The Innovora Group
3.1. Agenglobal Ltd. forms part of the Innovora Group.
| Group entity | Company number | Role |
|---|---|---|
| Agenglobal Ltd. | C 110550 | Operates the Endevio brand |
| Quivani Endevio Ltd. | C 107527 | Operates the Quivani brand |
| Innovora Ltd. | C 110524 | Parent and family office entity |
3.2. Each Group entity is generally an independent data controller for the personal data it processes for its own brand, business, website, clients and services.
3.3. For certain shared Group activities, Agenglobal Ltd., Quivani Endevio Ltd. and Innovora Ltd. may act as joint controllers where they jointly determine the purposes and means of processing. These shared activities may include group-level client relationship management, service coordination, compliance oversight, shared operational functions, security, analytics, reporting and business administration.
3.4. The essence of the joint controller arrangement is that each Group entity is responsible for complying with data protection law in relation to the personal data it processes, while the Group coordinates shared processing, access controls, security, rights handling and retention responsibilities. You may exercise your rights in relation to Group processing by contacting privacy@endevio.com.
3.5. Where one Group entity processes personal data only on behalf of another Group entity, the relevant entities will treat that processing as a controller-processor relationship and apply appropriate contractual protections.
4. Personal data we collect
4.1. The personal data we collect depends on the nature of your enquiry, engagement, application, family situation, jurisdiction, programme requirements and legal or regulatory obligations.
| Category | Examples |
|---|---|
| Identity data | Full name, previous names, date of birth, place of birth, nationality, citizenship, gender, marital status, passport details, national identity details, tax identification numbers and immigration status. |
| Contact data | Residential address, mailing address, email address, telephone number, messaging details, preferred contact method and country of residence. |
| Client and engagement data | Enquiry details, engagement letters, client instructions, eligibility assessments, matter records, application forms, file notes, status updates and service history. |
| Financial data | Income, assets, liabilities, bank statements, investment portfolios, business ownership, dividends, sale proceeds, inheritance information, tax records, payment history and billing information. |
| Source-of-funds and source-of-wealth data | Documents and explanations showing how funds and wealth were generated, including contracts, invoices, audited accounts, bank records, sale agreements, employment records, dividend records, trust records, inheritance documents and supporting evidence. |
| AML, KYC and due diligence data | Identity verification, sanctions screening, politically exposed person checks, adverse media checks, beneficial ownership information, risk assessments, due diligence reports, references, compliance notes and ongoing monitoring records. |
| Family member data | Data about spouses, partners, children, parents, grandparents, dependants and other family members included in, or relevant to, an application or advisory matter. |
| Biometric data | Passport photographs, facial images, liveness checks, biometric verification results, video identity verification data and similar information where required for identity verification, residence, citizenship, travel document or government application purposes. |
| Health data | Medical certificates, health insurance details and related information where required by a residence, citizenship, relocation or government application process. |
| Criminal convictions and offences data | Police conduct certificates, criminal record checks, declarations, litigation records, regulatory findings, adverse media and information about alleged or confirmed offences where relevant to due diligence, AML, risk assessment or application eligibility. |
| Professional and business data | Employment history, directorships, shareholdings, business activities, beneficial ownership, professional qualifications, public profile information and references. |
| Communications data | Emails, letters, messaging records, meeting notes, call notes, online meeting details, client portal messages, call recordings, video recordings and transcripts where recordings are made. |
| Website and device data | IP address, browser type, device identifiers, operating system, referring pages, pages viewed, form submissions, cookie identifiers and website usage data. |
| Marketing engagement data | Marketing preferences, newsletter subscriptions, event attendance, campaign engagement, email opens, clicks, website visits, advertising interactions and lead source information. |
5. How we collect personal data
5.1. We collect personal data from:
- you directly, including through website forms, calls, meetings, emails, messages, documents and client portals;
- family members, dependants, authorised representatives, advisers, introducers and intermediaries;
- Innovora Group entities, where relevant to service coordination, compliance or shared operations;
- public sources, including company registries, sanctions lists, court records, government records, media sources and professional directories;
- due diligence, AML, KYC, screening, identity verification and biometric verification providers, including Veriff or equivalent providers;
- banks, payment providers, law firms, accountants, tax advisers, trustees, fiduciaries, real estate providers and other professional advisers;
- government authorities, regulators, residence agencies, citizenship agencies, immigration authorities, embassies and consulates;
- CRM, website, analytics, advertising and marketing technology tools.
5.2. Where you provide personal data about another person, including a family member, dependant, beneficial owner, intermediary or representative, you must ensure that you are authorised to do so and that the person is informed of this Privacy Policy where appropriate.
6. Why we process personal data and our legal bases
6.1. We process personal data only where we have a lawful basis under the GDPR.
| Purpose | Examples | Main legal bases |
|---|---|---|
| Responding to enquiries | Answering questions, arranging meetings, assessing service fit and preparing proposals. | Legitimate interests, pre-contractual steps, consent where required for marketing. |
| Client onboarding | Identity checks, conflict checks, AML, KYC, source-of-funds and source-of-wealth verification. | Legal obligation, contract performance, legitimate interests. |
| Providing services | Advising on residence, citizenship, relocation, family office, structuring, investment migration and related matters. | Contract performance, legitimate interests, legal obligation. |
| Preparing and managing applications | Collecting documents, completing forms, liaising with authorities, submitting applications and monitoring progress. | Contract performance, legal obligation, legitimate interests, explicit consent where special category data is required. |
| AML, sanctions and regulatory compliance | Screening, ongoing monitoring, risk scoring, suspicious activity assessment and regulatory record keeping. | Legal obligation, legitimate interests. |
| Due diligence and risk assessment | Reviewing financial documents, verifying wealth history, obtaining third-party reports, assessing adverse media and evaluating client or application risk. | Legal obligation, contract performance, legitimate interests. |
| Intra-group coordination | Coordinating services between Agenglobal Ltd., Quivani Endevio Ltd. and Innovora Ltd., shared CRM, shared operations, group-level security and compliance. | Legitimate interests, and where applicable contract performance or legal obligation. |
| Security and fraud prevention | Protecting systems, client files, communications, documents, staff, premises and business operations. | Legitimate interests, legal obligation. |
| Billing, payments and accounting | Issuing invoices, processing payments, maintaining accounting records and debt recovery. | Contract performance, legal obligation, legitimate interests. |
| Legal claims and risk management | Establishing, exercising or defending legal rights, handling complaints, audit trails and dispute management. | Legitimate interests, legal obligation. |
| Call, video and meeting recordings | Proof of instructions, accurate notes and transcripts, service quality, training, compliance, identity verification and dispute management. | Contract performance, legitimate interests, legal obligation, consent where required. |
| Marketing communications | Sending newsletters, event invitations, updates and promotional communications. | Consent, legitimate interests where permitted by law. |
| Website analytics and optional cookies | Measuring website use, improving content, personalising online experience and online advertising. | Consent for optional cookies and similar technologies. |
| Business analytics | Aggregated reporting, service performance, group-level planning and market insights. | Legitimate interests, using anonymised or aggregated data where possible. |
6.2. Where we rely on contract performance, processing is necessary to take steps before entering into a contract with you or to perform our engagement with you.
6.3. Where we rely on legal obligation, processing is necessary because we are required to comply with laws, regulatory duties, programme rules, agency requirements, AML, KYC, sanctions, tax, accounting, immigration, residence, citizenship, corporate, reporting or decord-keeping obligations.
6.4. Where we rely on legitimate interests, we have assessed that the processing is necessary for a legitimate business, compliance, security or operational purpose and that your rights and interests do not override that purpose. Our legitimate interests include operating and securing our business, coordinating services within the Innovora Group, preventing fraud, managing risk, improving services, maintaining client relationships and protecting legal rights.
6.5. Where we rely on consent, you may withdraw consent at any time. Withdrawal of consent does not affect processing carried out before withdrawal. If you withdraw consent for processing that is necessary for a specific application, identity verification process or service, we may be unable to continue that application, verification or service.
7. Special category data, biometric data and health data
7.1. We may process special category data where necessary for a residence, citizenship, identity verification, relocation, family office, advisory or government application process.
7.2. Special category data may include biometric data used for unique identification, facial images, liveness checks, health data, medical certificates and other sensitive data required by a specific programme, authority or law.
7.3. Where biometric data or other special category data is processed, we rely on an Article 6 GDPR legal basis and an Article 9 GDPR condition. Depending on the circumstances, this may include:
- explicit consent;
- processing necessary for legal claims;
- processing necessary for reasons of substantial public interest where authorised by EU or Maltese law;
- processing required for compliance with legal or Degulatory obligations;
- processing necessary for the relevant application, verification or advisory service.
7.4. We may use third-party identity verification and biometric verification providers, including Veriff or equivalent providers. We may also use additional providers or internal verification tools where appropriate.
7.5. We apply additional safeguards to special category data, including restricted access, confidentiality controls, secure storage, data minimisation and retention controls.
8. Criminal convictions, offences and adverse media
8.1. We may process criminal convictions, offences data, police conduct certificates, regulatory findings, sanctions information, litigation data, adverse media and information relating to alleged or confirmed misconduct where necessary for:
- due diligence;
- AML, KYC and sanctions checks;
- source-of-funds and source-of-wealth verification;
- residence, citizenship or immigration application requirements;
- fraud prevention;
- client acceptance;
- risk assessment;
- regulatory or agency reporting;
- legal claims;
- protecting our business, clients and the Innovora Group.
8.2. Adverse media and reputational screening may include information about alleged offences, investigations, regulatory action, sanctions, litigation, fraud, corruption, financial crime, tax matters, insolvency, disqualification, public controversy or other integrity concerns.
8.3. We restrict access to this data and use it only where relevant and proportionate. Where due diligence or adverse findings create unacceptable legal, regulatory, ethical or commercial risk, we may decline to act or terminate an engagement.
9. Calls, video meetings, recordings and transcripts
9.1. We may record telephone calls, video calls, online meetings, consultations and identity verification sessions where this is appropriate and where participants are notified.
9.2. We may use recordings and transcripts for:
- proof of instructions, advice and decisions;
- accurate meeting notes and file records;
- transcription and action tracking;
- service quality;
- staff training;
- compliance and audit;
- identity verification;
- dispute management;
- legal claims.
9.3. Access to recordings and transcripts is restricted. Recordings are retained in accordance with the retention periods in this Privacy Policy.
10. Marketing, cookies and online tracking
10.1. We may send marketing communications about Endevio services, Innovora Group services, events, publications and updates where you have consented or where we are otherwise permitted to do so.
10.2. We may rely on legitimate interests for relationship management, professional outreach, business development and limited business-to-business communications where permitted by applicable law.
10.3. You can opt out of marketing at any time by using the unsubscribe link in our emails or by contacting privacy@endevio.com.
10.4. The Endevio website uses cookies, pixels, tags and similar technologies. Some are necessary for the website to function. Optional analytics, advertising and marketing cookies are used only where consent is required and has been obtained.
10.5. Details of individual cookies, pixels and similar technologies, including their purpose, provider and retention period, are set out in our Cookie Policy and consent management tool.
10.6. Website and marketing technology providers may include HubSpot, Google, Meta, LinkedIn, Microsoft, Cloudflare and similar providers.
11. Sharing personal data outside the Innovora Group
11.1. We may share personal data with third parties where necessary for the purposes described in this Privacy Policy, where required by law, where authorised by you, or where necessary to provide services.
| Recipient category | Examples | Purpose |
|---|---|---|
| Government authorities and programme agencies | Residency Malta Agency, Aġenzija Komunità Malta, immigration authorities, citizenship authorities, embassies, consulates and other competent authorities. | Application submission, application management, official requests, regulatory checks and reporting. |
| Regulators, law enforcement and public bodies | AML, tax, sanctions, financial intelligence, police, court, tribunal or regulatory authorities. | Legal obligations, investigations, reporting, audits, regulatory compliance and legal claims. |
| Professional advisers | Legal counsel, tax advisers, accountants, auditors, notaries, trustees, fiduciaries, insurers and real estate advisers. | Service delivery, structuring, transaction support, legal advice, tax advice and risk management. |
| Intermediaries and local advisers | Introducers, referral partners, licensed agents, local counsel, professional intermediaries and other advisers. | Coordinating services, jurisdiction-specific support, client referrals and application management. |
| Due diligence, AML and verification providers | Veriff or equivalent providers, identity verification providers, sanctions screening tools, adverse media providers and enhanced due diligence firms. | Client onboarding, ongoing monitoring, identity verification, AML, KYC and risk assessment. |
| Financial institutions and payment providers | Banks, card processors, payment processors and payment service providers. | Payments, refunds, banking arrangements, transaction checks and financial compliance. |
| IT, cloud and security vendors | Google Cloud, AWS, Cloudflare, Microsoft, hosting providers, cybersecurity providers, document management systems and client portals. | Secure operation of systems, document management, communications, backups and security. |
| CRM, analytics and marketing providers | HubSpot, Google, Meta, LinkedIn, Microsoft and similar providers. | CRM management, marketing communications, website analytics, advertising, conversion tracking and campaign reporting. |
| E-signature and document providers | DocuSign or equivalent providers, secure document transmission, certification, scanning, translation and storage providers. | Document execution, document management, translation, certification and delivery. |
| Courts, tribunals and dispute parties | Courts, arbitrators, mediators, opposing counsel and insurers. | Establishing, exercising or defending legal claims. |
11.2. Some third parties act as our processors and process personal data only on our documented instructions. Others act as independent controllers, including government authorities, regulators, certain professional advisers, banks, payment providers and some intermediaries.
11.3. We do not sell personal data.
12. Sharing personal data inside the Innovora Group
12.1. We may share personal data within the Innovora Group where necessary for service coordination, group-level analytics, security, compliance, shared systems, finance, client relationship management and operational support.
12.2. Intra-group sharing may involve Agenglobal Ltd., Quivani Endevio Ltd. and Innovora Ltd.
12.3. The purposes of intra-group sharing include:
- coordinating advisory and application services;
- identifying relevant services across Group brands;
- managing client relationships;
- maintaining shared CRM and operational systems;
- group-level compliance, AML, KYC and risk oversight;
- data security, fraud prevention and access control;
- internal reporting and analytics;
- finance, billing, governance and management;
- legal claims and dispute management.
12.4. We limit intra-group sharing to what is necessary and proportionate. Where possible, group-level reporting and analytics use aggregated or anonymised information.
13. International transfers
13.1. We serve international clients and families. Personal data may be transferred to, stored in or accessed from countries outside the European Economic Area.
13.2. International transfers may occur where:
- you, your family members, representatives or approved intermediaries are located outside the EEA;
- a residence, citizenship, immigration, investment, relocation or advisory matter involves a non-EEA jurisdiction;
- government authorities, professional advisers, intermediaries, banks or service providers are located outside the EEA;
- our cloud, CRM, analytics, identity verification, communications, marketing, security or document providers process data outside the EEA;
- Innovora Group staff, advisers or service partners access data from outside the EEA.
13.3. Where required, we use appropriate safeguards for international transfers. These may include:
- adequacy decisions;
- Standard Contractual Clauses approved by the European Commission;
- transfer risk assessments;
- encryption;
- access controls;
- data minimisation;
- confidentiality obligations;
- supplementary technical and organisational measures.
13.4. In limited cases, we may rely on specific GDPR derogations, for example where a transfer is necessary for performing a contract with you, necessary for a contract concluded in your interest, necessary for legal claims, required for important public interest reasons, or based on your explicit consent after you have been informed of relevant risks.
14. Automated tools and profiling
14.1. We may use automated tools to assist with identity verification, document verification, sanctions screening, adverse media checks, eligibility assessment, CRM management, marketing engagement, risk assessment, workflow management and analytics.
14.2. These tools support human review and decision-making. We do not make final decisions about you based solely on automated processing, including profiling, where the decision produces legal effects concerning you or similarly significantly affects you.
14.3. Where automated tools produce risk indicators, screening results or eligibility outputs, those outputs are reviewed in context and may be supplemented by manual checks, professional judgement and further documentation.
15. How long we keep personal data
15.1. We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including service delivery, legal obligations, regulatory compliance, AML requirements, accounting, tax, audit, complaints and legal claims.
| Data category | Standard retention period |
|---|---|
| General enquiries where no engagement follows | Up to 3 years from the last meaningful interaction, unless deletion is requested earlier and no legal reason requires retention. |
| Marketing contact data | Until consent is withdrawn, the contact opts out, or there has been no meaningful marketing engagement for 24 months, unless a longer period is needed to maintain suppression records. |
| Marketing suppression records | For as long as necessary to ensure we respect opt-outs and do not contact you again. |
| Client onboarding records | Duration of the engagement plus 5 years after the end of the business relationship, unless a longer period is required by law, regulator, agency requirement or legal claim. |
| AML, KYC, sanctions, source-of-funds and source-of-wealth records | 5 years from the end of the business relationship, the relevant occasional transaction, the final transaction in a linked series, or the date of a suspicious transaction report, as applicable, unless a competent authority or law requires a longer period. |
| Client matter files and application records | Duration of the engagement plus 5 years after closure, unless accounting, tax, regulatory, programme-specific, complaint, audit or legal claim reasons require a longer period. |
| Family member data included in applications | Same period as the related client matter file, unless deletion is required or appropriate earlier. |
| Biometric data, identity verification data and passport photographs | Duration of the relevant verification, application or engagement plus 5 years after closure, unless a shorter or longer period is required by law, regulator, agency requirement or legal claim. |
| Criminal record, police conduct and adverse media data | Duration of the relevant due diligence, application or engagement plus 5 years after closure, unless a shorter or longer period is required by law, regulator, agency requirement or legal claim. |
| Call and meeting recordings used only for training or quality purposes | Up to 12 months from the recording date. |
| Recordings forming part of client instructions, advice, identity verification, compliance files or dispute records | Duration of the engagement plus 5 years after closure, unless a longer period is required by law, regulator, agency requirement or legal claim. |
| Accounting, billing and payment records | 10 years from the end of the relevant financial year or the date required by applicable accounting or company law. |
| Supplier and professional adviser records | Duration of the relationship plus 7 years after termination, unless needed longer for accounting, tax, audit or legal claims. |
| Website analytics data | As stated in our Cookie Policy and consent management tool. |
| Security logs | Up to 12 months, unless needed longer for security investigations, legal claims or regulatory purposes. |
| Complaint and rights request records | Up to 6 years from closure of the complaint or request, unless needed longer for legal claims or regulatory purposes. |
15.2. Where different retention periods apply to the same record, we apply the retention period required by law or the period necessary for the most relevant lawful purpose.
15.3. When personal data is no longer required, we delete it, anonymise it or restrict access to it where deletion is not immediately possible.
16. Security
16.1. We use appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, misuse, alteration, disclosure or destruction.
16.2. These measures may include:
- access controls and role-based permissions;
- multi-factor authentication;
- encryption in transit and at rest where appropriate;
- secure document storage and transmission;
- confidentiality obligations for staff, contractors and advisers;
- vendor due diligence and contractual protections;
- system monitoring, logging and malware protection;
- backups and business continuity measures;
- secure disposal and deletion processes;
- staff training on confidentiality, AML and data protection;
- incident response and breach management procedures.
16.3. No method of transmission or storage is completely secure. We therefore cannot guarantee absolute security, but we take measures designed to protect personal data in a manner appropriate to the risk.
17. Your data protection rights
17.1. Subject to conditions and exceptions under the GDPR and applicable law, you have the following rights:
| Right | What it means |
|---|---|
| Access | You may ask for confirmation that we process your personal data and request a copy of that data. |
| Rectification | You may ask us to correct inaccurate or incomplete personal data. |
| Erasure | You may ask us to delete personal data where there is no lawful reason for us to keep it. |
| Restriction | You may ask us to restrict processing in certain circumstances. |
| Portability | You may ask to receive certain personal data in a structured, commonly used and machine-readable format where the GDPR conditions apply. |
| Objection | You may object to processing based on legitimate interests or direct marketing. |
| Withdrawal of consent | You may withdraw consent at any time where processing is based on consent. |
| Automated decision-making | You may exercise rights relating to certain solely automated decisions with legal or similarly significant effects. |
17.2. Some rights are not absolute. We may need to continue processing or retaining personal data where required for legal obligations, AML requirements, regulatory duties, official applications, legal claims, security, fraud prevention or other lawful reasons.
17.3. To exercise your rights, contact privacy@endevio.com.
17.4. We may ask for information to verify your identity. Where a request is made on behalf of another person, we may request evidence of authority to act for that person.
17.5. We will respond within the time required by the GDPR, normally within one month. Where a request is complex or there are multiple requests, we may extend the response period where permitted by law.
18. Children’s personal data
18.1. Our services are not directed at minors under 18.
18.2. We may process personal data relating to minors where a parent, grandparent, guardian or other authorised adult includes them in a family application, dependant application, residence or citizenship process, relocation matter or related family office engagement.
18.3. Where a parent, grandparent, guardian or other authorised adult provides data about a minor, we expect that person to have legal authority to do so and to provide appropriate information to the minor where required.
18.4. We process children’s personal data only where necessary for the relevant purpose and apply appropriate safeguards.
19. Data Protection Officer
19.1. The Data Protection Officer responsible for Endevio’s data processing activities may be contacted through:
privacy@endevio.com
19.2. You may also write to the Data Protection Officer at:
Agenglobal Ltd.
For the attention of the Data Protection Officer
Level 2, The Brewhouse
Mdina Road
Central Business District, Zone 2
Birkirkara CBD 2010
Malta
19.3. We do not publish the individual name of the Data Protection Officer.
20. Complaints
20.1. We encourage you to contact us first at privacy@endevio.com so that we can try to resolve your concern.
20.2. You also have the right to lodge a complaint with a supervisory authority.
20.3. In Malta, the supervisory authority is the Office of the Information and Data Protection Commissioner, the IDPC.
| Supervisory authority | Contact details |
|---|---|
| Office of the Information and Data Protection Commissioner | Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549, Malta |
| Telephone | +356 2328 7100 |
| idpc.info@idpc.org.mt | |
| Online complaints | The IDPC provides an online complaint form through its official website. |
21. Third-party websites and services
21.1. The Endevio website may contain links to third-party websites, platforms, social media pages or online services.
21.2. We are not responsible for the privacy practices, content or security of those third parties. You should review the privacy notice of any third-party website or service before providing personal data to it.
22. Updates to this Privacy Policy
22.1. We may update this Privacy Policy from time to time to reflect changes in our legal structure, services, processing activities, technologies, vendors, Group arrangements, legal obligations or regulatory guidance.
22.2. Where we make material changes, we will take appropriate steps to notify you. This may include posting a notice on the Endevio website, updating the “Last updated” date, sending an email notification, or providing notice through another appropriate communication channel.
22.3. The version published on the Endevio website is the current version.
Get in touch with us today
Our team of experts at Endevio can help you stay updated with the latest regulations.