Privacy Policy

1. Introduction

GRSS Limited is committed to safeguarding the privacy and security of the personal information in our care and respecting all applicable laws and requirements in the countries in which we operate.  This privacy policy (“policy”) explains how we collect your personal information, what we do with it, how we protect it and your rights in respect of it.

All references in this policy to ‘we’, ‘our’, ‘us’ or ‘GRSS’ are to GRSS Limited, a limited liability company established under English law and all affiliates or subsidiaries.

2. Relevant legislation

We are required in the jurisdictions in which we operate to comply with relevant legislation regarding the use of personal information including the UK General Data Protection Regulation and the EU General Data Protection Regulation (together for the purposes of this policy “GDPR”) and related privacy laws when we are the controller or processor of such information. For the purposes of our obligations under the GDPR, “personal information” means information relating to an identified or identifiable person who is a resident of the United Kingdom or European Union.

3. The role of GRSS

In relation to the roles and responsibilities established under relevant data privacy and security laws, GRSS acts as the data controller of any personal information that we process. As a data controller we are legally responsible for ensuring our systems, processes, suppliers and employees comply with data protection laws in relation to the personal information that we handle.  Our IT systems are located in the UK or EU.

Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers.  In all cases, your personal information is handled and protected in accordance with data protection law.

Written terms of business, forming part of each of our contracts to deliver Services, may supplement this policy by providing further details on our confidentiality obligations to our clients during and beyond the course of our engagement.

3. Who do we process personal information for

We collect and process the personal information of: 

  • Our clients 

  • Counterparties and other third parties of our clients connected to the matters on which we are working for our clients

  • Non-client contacts, such as those who use our website, attend our seminars or other events, subscribe to our newsletters, email services or other promotional services

  • Professional advisers, experts and consultants involved in the work that we carry out for our clients or engaged by us to support client work

  • Contractors, suppliers and other third parties connected to the operation of our services

4. Why do we process personal information

We will only collect and process information where it is necessary for the operation of our business. This will arise in the following situations: 

  • Where the processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract

  • Where the processing is necessary for our legitimate business interests in conducting and managing our business. When considering our legitimate interests, we must take account of what is reasonable for the running of our business, but which is not detrimental to you and would have minimal impact on your privacy. Examples of legitimate interest include:

To provide the products or perform the services requested by clients and individuals pursuant to a letter of engagement, statement of work, or similar

To provide the products or perform the services requested by clients and individuals using our website

Where permitted by applicable law, to advise you through e-mail, phone call, or post about other products or services similar to the products or services we have provided to you and that we think will be of interest to you

For complying with obligations provided by laws, current regulations and legislation (e.g. tax regulations, anti-money laundering regulations)

For hosting of events such as seminars or webinars. We may use your data to manage your registration to a GRSS event, including sharing data with event co-hosts and tracking and facilitating event attendance.

5. The personal information we collect

We may collect personal information directly from you, including through your use of the website, when you contact us or request information from us by email, telephone, post or social media, when you apply for an employment opportunity with GRSS, when you request a proposal from us in respect of the services we provide, when you engage us for services, when an entity with which you are associated as an employee or officer provides us with such information, or as a result of your attendance at one of our events. 

We may also collect personal information from publicly available sources including social media sites, and/or from third parties, such as companies operating public relations or business development databases. We may use this information in connection with our marketing activities.

The information we collect typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number. 

We also may obtain personal information indirectly from or on behalf of our clients. With respect to personal information that we receive from or on behalf of our clients in order to provide services, our client remains the data controller and GRSS acts as a processor of such personal information. 

6. Processing of personal data

Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorised GRSS employees and contractors, suppliers and other third parties connected to the operation of our services to have access to your information. Such individuals are appropriately designated and trained to process data only according to the instructions we provide them.

7. Data integrity

Users are responsible for the accuracy of any user information that they provide to GRSS. We will use reasonable efforts to maintain the accuracy and integrity of Information based on the input received from Users.

8. Who can we share personal information with

GRSS may share the information that we collect or that you provide to us with our affiliates. We also may share personal information with the following categories of third parties as necessary:

  • Sub-contractors we have engaged in connection with providing services to our clients. 

  • Our professional advisers, including our lawyers and auditors.

  • Our insurers and insurance brokers.

  • Third parties to whom we outsource certain services to assist with operating our business, such as IT managed service providers, software providers, information storage providers and other related service providers. We also require such vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.

  • Third parties to whom our clients have directed us to share information in connection with our services, such as our clients’ lawyers and auditors.

  • Third-party service providers that assist us with client data analytics.

  • Third-party postal or courier providers that assist us with delivering marketing and other documents to you.

9. Where we transfer personal information 

GRSS is located in the United Kingdom and Malta. Your personal information could be stored in either or both jurisdictions. GRSS does not transfer personal information outside the United Kingdom and European Union, except where we have been explicitly authorised by a client to transfer such information to a recipient outside these areas.

10. Personal data rights 

Under GDPR you are entitled to see any EU personal data held about you and you may ask us to make any necessary changes to ensure that it is accurate and kept up to date.

Under GDPR your rights with respect to EU personal data are:

  • Right to access – You have the right to request copies of your EU personal data that GRSS holds about you in our databases. We will provide you with all the details that we hold about you, both online and offline, upon request.

  • Right to erasure – Under certain conditions, you have the right to request that we erase your EU personal data.

  • Right to restrict processing or object – You also may restrict or object to the processing of your EU personal data, in some circumstances.

  • Right to rectify – You may ask us to correct or remove information you think is inaccurate or out of date.

  • Right to data portability – You have the right to have your EU personal data transmitted to another controller, where technically feasible and if it does not adversely affect the rights and freedoms of others.

  • Rights related to automated decision making and profiling – GRSS does not make decisions about you using automated decision making or profiling of your EU personal data.

  • Right to complain – you may have the right to lodge a complaint to an applicable supervisory authority or other regulator if you are not satisfied with our responses to your requests or how we manage your EU personal data.

11. Period of retention

GRSS retains personal information in compliance with our obligations under applicable law.  We may destroy personal information without notice or liability.

Your personal information is retained by us in accordance with applicable law and regulation.   Our data retention periods may vary depending on the location, nature and context of the personal information that we have in our care, and will take into account the following factors:

  • potential claims or litigation

  • guidance from official bodies such as relevant data protection supervisory authorities and regulatory bodies

  • how long we need to keep the data to fulfil the original purpose for which it was collected

  • the nature and sensitivity of personal data and

  • legal obligations to which we are subject

12. Confidentiality and information security

An organisation creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorised access, disclosure, alteration, and destruction. 

GRSS is committed to keeping your personal information secure. We have taken reasonably designed steps to protect personal information from unauthorised access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially. 

Our web site has commonly used security measures to protect against the loss, theft, misuse, and alteration of personal information and remains under the control of GRSS. You should be aware, however, that we have no control over the security of other websites that you might visit or use, even when a link to those websites is available on or through our web site. 

In the event of a breach of the confidentiality or security of your personal information, GRSS will notify you if reasonably necessary under applicable law so that you can take appropriate protective steps. We may notify you under such circumstances using the email address or addresses that we have on record for you.

13. Amendments to privacy policy

GRSS may occasionally update this policy, as noted by the “updated date” at the beginning of this policy. If GRSS updates this policy in a manner that allows it to collect, use, or disclose your personal information in a materially less restrictive manner than under a prior version of the policy, GRSS will provide you with prior notice of the pending update and seek your consent by posting notice on our website or by contacting you using the email address or addresses that GRSS has on record for you.

GRSS encourages you to periodically review this policy to stay informed about its collection, use, and disclosure of your Information. Your continued use of any web site constitutes your agreement to this policy and any updates.

14. Complaints and Dispute Resolution

If you have any questions, complaints, or disputes regarding how we handle or protect your personal Information, please bring them to our immediate attention (see “How to Contact GRSS” below).

The Data Protection Act 2018 and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority (‘DPA’), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of European DPAs can be found here: EU DPA contacts.

15. How to Contact GRSS

If you have any questions about the policy, please email [email protected].

Nicholai Cumbo
Surveillance Analyst

Nicholai previously held the position of Senior Risk Officer at ACA Mirabella, where he was responsible for on-boarding clients, managing relationships and reviewing clients’ investment processes, risk management processes, strategy complexity, and operational arrangements. He was also responsible for compiling and submitting data for Regulatory Reporting. 

After graduating with a B.Sc. in Mathematics and Physics, he transitioned to finance by completing a postgraduate certificate in the Mechanics of Risk Management. He followed this up by sitting for the FRM and became a Certified Financial Risk Manager.


Elizabeth Mallia
Surveillance Analyst

An awardee of the Marie Curie Actions scholarship, Elizabeth built up her data crunching and analytical skills in theoretical motor neuroscience where she investigated brain mechanisms in action initiation at the Institute of Neurology, University College London.

She transferred her skillset to financial services in 2017, where she formed part of a formidable risk team at the regulatory hosting platform, ACA Mirabella. There she held the position of Senior Risk Associate, where she concentrated on risk management for funds with model-based strategies, focusing primarily on insurance-linked security investments. As part of the same role, Elizabeth worked with a subsection of the team on consolidating and improving the surveillance framework for potential market abuse of the platform’s diverse clientele, promoting an evidence-based approach in the set-up of the framework. 

Having also previously had the opportunity to study and work at various neuro-research institutions, including Karolinska Institutet, Stockholm and Radboud UMC, Nijmegen, Elizabeth brings multi-faceted experience in breaking down complex problems to facilitate custom solutions.


Ryan Farrugia
Surveillance Analyst

Ryan most recently held the position of Senior Risk Associate at ACA Mirabella, where he was responsible for reviewing clients’ investment processes, risk management processes, strategy complexity, and operational arrangements. He was responsible for monitoring clients’ trading activities daily, including risk/trading limits. Ryan was also involved with the creation of the Governance Risk Compliance Operations Unit within the company. 

After graduating with a Bachelor’s Degree in Commerce, a Post Graduate Certificate in Finance, and a Master’s Degree in Investment and Finance, Ryan spent over two years at APS Bank in Risk Management and Finance.


Tim Jukes
Senior Surveillance Analyst

For the last five years, Tim held the position of Senior Compliance Consultant at ACA Mirabella overseeing a wide range of complex and large firms on the hosted platform. 

Tim began his career at Price Waterhouse in 1986, where he qualified as a Chartered Accountant. Following qualification, Tim transferred to Hong Kong, where he spent 5 years specialising in the audit of multinational trading and finance entities. Tim spent 18 months on secondment at the Hong Kong Securities and Futures Commission developing an inspection regime for asset managers and advisers. 

On returning to the UK, Tim spent 3 years at IMRO, a predecessor to the FCA, specialising in asset management supervision. Tim subsequently undertook several senior in-house compliance and finance roles across a range of start-up and large asset managers specialising in open-ended funds and, subsequently, private equity. Tim then moved into compliance consulting with Cordium and more recently spent 5 years working at ACA Mirabella overseeing a wide range of hosted clients.


Paul Springer
Senior Surveillance Analyst

Paul held the position of Senior Compliance Consultant at ACA Mirabella, where he was responsible for monitoring some of the largest and most complex clients served by Mirabella. He is a compliance professional with 25+ years of regulatory experience.

At ACA Mirabella, as well as implementing a compliance infrastructure at each client and conducting ongoing compliance reviews, Paul’s role encompassed oversight and review of clients’ electronic communications (employing Fingerprint) and their staff members’ personal compliance interactions (utilising Compliance ELF). 

Paul spent 5 years at the FCA (then the FSA) as the Manager of a Corporate Authorisation team, followed by approximately 20 years of compliance experience in the financial services industry. He has worked in-house and held the Compliance Officer and Money Laundering Reporting Officer roles for approximately 12 years, firstly at a broking firm which he joined at start-up, and then a hedge fund manager. Paul also spent over 3 years working at a leading compliance consultancy, providing compliance support to clients (including full-scope and sub-threshold AIFMs, investment managers and advisers).  He is a qualified Chartered Accountant.


George Camilleri
Head of Operations

George worked at ACA Mirabella for the past six years as Head of Risk Operations and managed the Malta-based Risk Team responsible for all the Firm’s risk monitoring and regulatory reporting. 

He holds an MSc in Financial Mathematics from the University of Leeds, focusing on quantitative risk management, and a BSc in Mathematics and Physics from the University of Malta. He has also taken several short courses, including the Oxford Private Markets Certificate at the Saïd Business School.

In his free time, George volunteers for non-governmental organisations within the cultural sector in Malta, having an interest in the arts, classical music, and opera.


Sarah Donnelly
Head of Sales

Sarah recently left ACA Mirabella, where she held the role of Head of Sales. In this role, she was focused on the company’s growth, from targeting new business opportunities to nurturing existing client relationships.

Sarah is working towards the CIPD Foundation Certificate in People Practice.


Joe Vittoria

Joe was most recently the CEO and Founder of the Mirabella Group. During the eight years that Joe grew the Mirabella business, it became the recognised leader in regulatory hosting in the UK. As its CEO and an experienced Compliance Officer, he was responsible for ensuring regulatory compliance of Mirabella and its appointed representative clients. During his tenure at Mirabella, the firm fully and successfully complied with its regulatory obligations, which included the FCA (UK), MFSA (Malta), and the NFA/CFTC (USA).

Mirabella conducted a thorough surveillance process across all its clients’ activities, which included over $19bn in assets under management, across over 50 investment mandates, managed by over 200 portfolio managers and traders. The investment strategies it hosted ranged from Private Equity and Real Estate to complex credit and derivative processes, with the majority in long/short equity.

Apart from his experience at Mirabella, Joe has acted as COO to other investment management firms, which included quant, debt and credit strategies. Before starting in the alternative investment management industry in 1998, Joe worked at Salomon Brothers which he joined in 1985, after graduating from Yale with a BA in Economics.