CedeOS

Legal

Privacy Policy

Last updated: June 2026

1. Introduction

Meridian Infrastructure Ltd, trading as CedeOS(“we”, “us”, “our”), is committed to protecting and respecting your privacy. This privacy policy explains how we collect, use, store, and protect personal information when you visit our website (cedeos.co), use our services, or interact with us in any capacity.

Meridian Infrastructure Ltd is a company registered in England and Wales.
Company Number: 17221205
Registered under the Companies Act 2006, Section 1115.
Trading as: CedeOS
Registered Office: England and Wales
Operational HQ: Dubai International Financial Centre (DIFC), Dubai, UAE

We are a “data controller” under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international data protection laws including the Protection of Personal Information Act (POPIA) of South Africa, the Kenya Data Protection Act 2019, and the Saudi Arabia Personal Data Protection Law (PDPL).

2. Data Protection Principles

We comply with data protection law across all jurisdictions in which we operate. Your personal information will be:

  1. Used lawfully, fairly, and in a transparent manner.
  2. Collected only for valid purposes that we have clearly explained and not used in any way incompatible with those purposes.
  3. Relevant and limited only to the purposes we have communicated.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the stated purposes.
  6. Kept securely with appropriate technical and organisational measures.

3. Information We Collect

We may collect, store, and use the following categories of personal information:

3.1 Information you provide directly

  • Name, job title, and company name
  • Email address and telephone number
  • Country and region of operation
  • Gross Written Premium (GWP) range and bordereaux volume (when provided via our demo request form)
  • Messages and correspondence you send us
  • Newsletter subscription preferences

3.2 Information collected automatically

  • IP address and approximate geographic location
  • Browser type, device type, and operating system
  • Pages visited, time spent, and navigation patterns on our website
  • Referring URL and search terms used to find our website
  • Cookie identifiers and analytics data (see Section 9)

3.3 Information from third parties

  • Publicly available business information (e.g., company registrations, published regulatory filings)
  • Information from event organisers when you attend industry conferences where we participate

4. How We Use Your Information

We use your personal information for the following purposes:

  • Service delivery: To provide, maintain, and improve our reinsurance operations platform and related services.
  • Communication: To respond to enquiries, send service updates, and provide information you have requested.
  • Marketing: To send industry insights, product updates, and event invitations (only with your consent, which you may withdraw at any time).
  • Analytics: To understand how our website is used and improve the user experience.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.
  • Security: To detect, prevent, and address technical issues, fraud, or security threats.
  • Contract performance: To perform contracts entered into with you or your organisation.

5. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent: Where you have given explicit consent (e.g., newsletter subscriptions, marketing communications).
  • Contractual necessity: Where processing is necessary for the performance of a contract or to take steps prior to entering a contract.
  • Legitimate interests: Where processing is necessary for our legitimate business interests, provided these do not override your fundamental rights. Our legitimate interests include: operating and improving our services, marketing our platform to relevant audiences, and maintaining website security.
  • Legal obligation: Where we are required to process data to comply with applicable law.

6. Data Sharing and Disclosure

We may share your personal information with:

  • Service providers: Third-party vendors who provide services on our behalf (hosting, email delivery, analytics, payment processing). These providers are contractually bound to process data only on our instructions and in accordance with applicable data protection law.
  • Affiliated entities: Other entities within our corporate group, subject to the same data protection obligations.
  • Legal requirements: Regulatory bodies, law enforcement, or government authorities where required by law or to protect our legal rights.
  • Business transfers: In connection with any merger, acquisition, or sale of company assets, where your data would remain subject to this privacy policy.

We do not sell your personal information to third parties. We do not allow third-party service providers to use your personal data for their own marketing purposes.

7. International Data Transfers

CedeOS operates across multiple jurisdictions. Your personal data may be transferred to, and processed in, countries outside of your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • UK/EEA transfers: We rely on UK Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.
  • African operations: Client operational data is processed regionally (af-south-1, South Africa). Personal data collected via our website may be processed in the EU/UK for service delivery.
  • Gulf operations: Client operational data is processed in me-central-1 (Saudi Arabia). Personal data handling complies with PDPL requirements.

We do not transfer client reinsurance operational data outside the applicable region. Website visitor data (analytics, form submissions) is processed via infrastructure in the EU and UK.

8. Data Retention

We retain personal information only for as long as necessary for the purposes described in this policy:

  • Contact form submissions: 3 years from last interaction, unless a contract is formed.
  • Newsletter subscribers: Until you unsubscribe or request deletion.
  • Demo/pilot requests: 3 years from submission date.
  • Client data (platform users): For the duration of the contractual relationship plus 7 years (regulatory retention requirements).
  • Website analytics: 26 months (anonymised after this period).
  • Audit trail data: 7 years minimum (regulatory requirement under IFRS 17 and applicable insurance regulations).

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. We obtain your consent before placing any non-essential cookies.

  • Necessary cookies: Enable core functionality — session management, security tokens, and language preferences. These cannot be disabled and do not require consent.
  • Analytics cookies: Help us understand website usage patterns — which pages are most useful, how visitors navigate, and where we can improve. Tools used: PostHog (product analytics) and Google Analytics 4 (traffic). Only placed with your explicit consent.
  • Marketing cookies: Used to measure the effectiveness of marketing campaigns and to show relevant content to people who have previously visited cedeos.co. Tools used: Google Ads conversion tracking and LinkedIn Insight Tag. Only placed with your explicit consent.

When you first visit our website, a cookie consent modal will appear. You must make a choice before proceeding — you cannot bypass this. You can update your preferences at any time by clearing your browser's local storage or contacting us at privacy@cedeos.co. You can also control cookies through your browser settings, though this may affect site functionality.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption in transit for all data transmission
  • Multi-factor authentication (MFA) for all internal system access
  • Role-based access control limiting data access to authorised personnel only
  • Regular security assessments and penetration testing
  • Incident response procedures with notification within 72 hours of becoming aware of a qualifying breach
  • Employee training on data protection obligations

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data where there is no legitimate reason for continued processing.
  • Restriction: Request that we suspend processing of your data in certain circumstances.
  • Portability: Request transfer of your data to another organisation in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Complaint: Lodge a complaint with a supervisory authority.

To exercise any of these rights, contact us at privacy@cedeos.co.

11.1 Jurisdiction-Specific Rights

United Kingdom: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

South Africa (POPIA): You have the right to lodge a complaint with the Information Regulator at inforegulator.org.za. You may also request confirmation of whether we hold personal information about you.

Kenya (Data Protection Act 2019): You have the right to lodge a complaint with the Office of the Data Protection Commissioner. You have the right to be informed of the use of automated decision-making.

Saudi Arabia (PDPL): You have the right to request destruction of personal data that is no longer necessary. You have the right to be informed before collection.

12. Automated Decision-Making

We do not make decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you. Our AI-powered platform processes reinsurance operational data (bordereaux, treaty information) — not personal data for automated individual decision-making.

13. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

14. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any website you visit.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by posting the updated policy on our website with a revised “Last updated” date. Continued use of our website after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact:

Data Protection Officer
Meridian Infrastructure Ltd (trading as CedeOS)
Email: privacy@cedeos.co
Company Number: 17221205 (England and Wales)

For complaints regarding data protection, you may also contact:
Information Commissioner's Office (ICO)
ico.org.uk | 0303 123 1113