Privacy Notice

commerce.mu — Republic of Mauritius

Last updated: 23 May 2026 · Effective from the date of publication

1. Data Controller

Software for Humanity Ltd, a company incorporated in the Republic of Mauritius (the "Company", "we", "us"), is the data controller responsible for personal data collected through commerce.mu. Contact: privacy@commerce.mu. Registered office: Sottise Road, Grand Baie 30550, Republic of Mauritius.

2. Scope

This Notice applies to personal data we collect when you visit commerce.mu, submit an enquiry form, contact us by messenger, email or telephone, or otherwise interact with our representatives in connection with our Mauritius Occupation Permit (Investor) advisory services.

3. Categories of Personal Data

We process:

• Identification and contact data — full name, email, phone number, messaging handles;
• Communications data — enquiry message content, call notes, correspondence history;
• Technical data — IP address, device and browser metadata, referral source;
• Analytics and cookie data — pseudonymous identifiers, pages viewed, traffic source and campaign parameters (UTM), interaction events; see our Cookie Policy and the detail below;
• Professional or investor-status information — where you choose to share it, as necessary for eligibility screening.

3.1 Web analytics

On page load, the website runs two web-analytics services that act as processors on our instructions: Yandex.Metrica (operated by Yandex LLC) and Google Analytics 4 (operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States). Both are loaded on the basis of our legitimate interest in measuring the performance of the website and of our advertising, not on the basis of consent.

Google Analytics 4 processes: a pseudonymous browser identifier (client_id) stored in the _ga and _ga_3FJ2DY4CC6 cookies; pages viewed; traffic source and campaign parameters (UTM); device and browser characteristics; and approximate location. IP addresses are processed in truncated form (anonymize_ip); Google Signals and advertising personalisation are disabled and no Google Ads linking is used. Values typed into form fields (name, phone, email, message) are excluded from session recording by the analytics tools' native masking features.

The processing relies on Article 6(1)(f) GDPR (legitimate interests). You have the right to object to this processing at any time and to opt out of Google Analytics collection across all websites by installing the Google Analytics Opt-out Browser Add-on or by the other means described in our Cookie Policy. The cross-border transfer of data to Google LLC (United States) is described in section 7 below.

The Site uses Google Tag Manager (operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States), a tag-management service that loads and executes the Site's analytics configuration. Google Tag Manager itself does not collect personal data, does not set analytics or advertising cookies, and does not build user profiles; it only manages which analytics tags run on the Site. The tags managed through the container are limited to the website-performance analytics described above (Google Analytics 4 and Yandex.Metrica); no advertising, remarketing, Google Ads conversion, Floodlight or Google Signals tags are deployed. Advertising storage is set to "denied" at the tag-manager level (Consent Mode: ad_storage / ad_user_data / ad_personalization = denied). Loading occurs on page load on the basis of our legitimate interest (Article 6(1)(f) GDPR), identically to Google Analytics 4. Data processed by Google Tag Manager (technical request data) is transferred to Google LLC (United States) — see section 7 below. Google's privacy policy: policies.google.com/privacy.

3.2 Our own analytics and operational notifications

When a page of the Site loads, a technical request is sent automatically to the Company's own server (the /api/event endpoint) for aggregated traffic measurement and assessment of the effectiveness of our advertising channels. The data sent comprises: the address of the page viewed, advertising-campaign parameters (UTM tags), device class (mobile / tablet / desktop), browser time zone and language settings. On the server side, a pseudonymised hash of the IP address (HMAC-SHA256 with a rotating key) and an approximate geolocation (country, city) are added to the record — the original IP address is not stored in the database.

When you click a button to open a messenger (WhatsApp, Telegram) or submit an enquiry form on the Site, the Company records that action in order to handle the contact you have initiated. A notification is sent to an authorised member of staff through an internal Telegram service bot (Telegram FZ-LLC) containing: the channel and location of the button or form, advertising-campaign parameters (UTM tags), browser, operating system and device type, a timestamp, your IP address and the information derived from it on the server side — approximate geolocation (country, city, carrier / internet service provider) and connection signals (use of a proxy, hosting provider or mobile network). The IP address is included in this service notification in its original form, because clicking a messenger button or submitting the form is an action by which you initiate contact with the Company, and prompt identification of the source of the enquiry is necessary to handle it. The legal basis is the taking of steps prior to entering into a contract at your request, together with the Company's legitimate interest in handling an enquiry you have initiated (Article 6(1)(b) and Article 6(1)(f) GDPR; and, for users in the Russian Federation, Article 6(1)(5) and Article 6(1)(7) of Federal Law No. 152-FZ). The IP address is used solely to generate the service notification and is not stored by the Company in its original form: the system of record is the database referred to in section 1, in which the IP address is recorded only as a pseudonymised hash (HMAC-SHA256 with a rotating key). This notification is an internal channel for promptly alerting an authorised member of staff.

Before you express your choice in the cookie banner: no session identifier is created, no cookies are set and no user identification is performed. The data is processed in aggregated form and used solely to count visits and attribute advertising sources. The legal basis is the Company's legitimate interest (Article 6(1)(f) GDPR), analogous to the processing of server access logs.

After you consent to analytics cookies: a session identifier is added to the data (stored in the browser's sessionStorage and not retained between sessions), allowing events within a single visit to be linked.

Records are retained for no longer than 90 days. Processing takes place on the Company's own server and the self-hosted analytics log is not disclosed to third parties (other than the internal Telegram alerting channel described above). Because this processing involves a transfer of your IP address and derived data to the Telegram messaging service, the cross-border-transfer safeguards in section 7 apply.

4. Purposes of Processing

We process personal data to:

• respond to investor enquiries;
• prepare and negotiate contractual documentation;
• conduct preliminary eligibility and suitability assessments;
• comply with anti-money-laundering, know-your-customer and sanctions screening obligations;
• maintain records required by Mauritian law and applicable financial regulations;
• improve our website and services.

5. Legal Basis

Under the EU/UK General Data Protection Regulation (where applicable), we rely on:

• Art. 6(1)(a) consent (cookies, marketing communications);
• Art. 6(1)(b) performance of, or steps prior to, a contract (enquiry handling, onboarding);
• Art. 6(1)(c) compliance with legal obligations (AML/KYC, record-keeping);
• Art. 6(1)(f) legitimate interests (security, fraud prevention, internal analytics).

Under the Mauritius Data Protection Act 2017, we rely on the lawful processing conditions set out in Section 28, in particular consent, contractual necessity and legal obligation.

6. Recipients

Personal data may be disclosed, on a need-to-know basis, to:

• our directors, employees and professional advisers (legal, tax, audit);
• regulators and government bodies including the Economic Development Board of Mauritius, the Financial Services Commission and the Mauritius Revenue Authority;
• banking partners and KYC/AML service providers;
• IT and CRM service providers acting as processors under written agreements;
• web-analytics providers — Yandex LLC (Yandex.Metrica) and Google LLC, United States (Google Analytics 4, and the Google Tag Manager tag-management service) — acting as processors on our instructions on the basis of our legitimate interest; for Google LLC the cross-border transfer described in section 7 applies.
• an authorised member of staff, via an internal Telegram service bot (Telegram FZ-LLC), for prompt handling of enquiries you initiate; the data shared is interaction metadata, your IP address and the approximate geolocation derived from it, with no special categories of personal data. The contents and legal basis of this disclosure are described in section 3.2 above.

7. International Transfers

The Company operates internationally. Some processors supporting our Russian-speaking sales desk are hosted in the Russian Federation; certain technical and analytics providers are hosted in the European Union and other jurisdictions. Where personal data is transferred outside Mauritius or the EEA, we put in place appropriate safeguards — contractual commitments equivalent to Standard Contractual Clauses, technical and organisational measures — consistent with Section 36 of the Mauritius DPA and Chapter V of the GDPR.

When Google Analytics 4 is used, the automatically collected data (the pseudonymous browser identifier and the technical and behavioural parameters described in section 3.1) is transferred to Google LLC, United States. The United States is not currently recognised by the Russian supervisory authority (Roskomnadzor) as a country providing adequate protection for the rights of data subjects, and benefits from no EU adequacy decision relied upon by us for this transfer.

The technical request data processed by Google Tag Manager (see section 3.1) is likewise transferred to Google LLC, United States on the same legal basis and in truncated / technical form, without the User's personal data.

The legal basis for this transfer is our legitimate interest in measuring the performance of the website and of our advertising (Article 6(1)(f) GDPR), which does not override your fundamental rights; only pseudonymised and technical data in truncated form (anonymize_ip) is transferred, and no special categories of personal data are involved. You may object to this processing at any time and stop the transfer to Google LLC by installing the Google Analytics Opt-out Browser Add-on or using the means described in our Cookie Policy. Contractual confidentiality safeguards are provided by the Google Ads Data Processing Terms.

8. Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, plus any further period required by law (for example, AML record-keeping obligations, typically seven years from the end of the business relationship). Enquiry data from prospects who do not proceed is deleted or anonymised within 24 months.

Web-analytics data is retained in anonymised form for up to 26 months for Yandex.Metrica; Google Analytics 4 user and event data is retained for 14 months, after which it is automatically deleted by Google.

9. Your Rights

Subject to the conditions set out in the GDPR (Articles 15–22) and the Mauritius DPA (Sections 37–42), you have the right to:

• access your data;
• request rectification or erasure;
• restrict or object to processing;
• receive your data in a portable format;
• withdraw any consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact privacy@commerce.mu. We will respond within one month.

10. Supervisory Authority

You may lodge a complaint with the Data Protection Commissioner of Mauritius (dataprotection.govmu.org). EU/EEA residents may additionally complain to the supervisory authority in their place of residence or alleged infringement. UK residents may complain to the Information Commissioner's Office (ICO).

11. Changes

We may update this Notice. The "Last updated" date above reflects the current version. Material changes will be notified on this page.