Cookie & Website Privacy Policy

Constance Group and its affiliated companies (Constance, we, us, our, the Company) are committed to maintaining the highest data privacy standards. We ensure that all personal data is handled in line with the Data Protection Act 2017 and relevant international regulations. Constance Group continually monitors its compliance practices and takes all necessary steps to meet legal and regulatory obligations.

This Policy provides you with clear and comprehensive information about the cookies we use and the purposes for using them.

Our Website uses cookies, in combination with pixels, local storage objects, and similar devices (collectively, “cookies” unless otherwise noted) to distinguish you from other users of the Website. You do not need to allow cookies to visit most of the Website. However, enabling cookies may allow for a more tailored browsing experience and is required for certain parts of the Website to work. In most cases, a cookie does not provide us with any of your personal information.

Constance Group recognizes the importance of privacy and respects your privacy, and is committed to protecting the privacy, confidentiality and security of the personal data you provide us when you use our website, when you contact our office, or when you otherwise interact with us. Constance uses the personal data for the intended purpose only.

1. What is a cookie?

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. When you visit our site, strictly necessary cookies will be placed on your device. You can change the cookie settings that will be placed when you visit our website by changing the settings on your browser.
First and third-party cookies: whether a cookie is ‘first’ or ‘third’ party refers to the domain placing the cookie. First-party cookies are those set by the website that is being visited by the user at the time (e.g. cookies placed by the Website).
Third-party cookies are cookies that are set by a domain other than that of the website being visited by the user. If a user visits a website and another entity sets a cookie through that website, this would be a third-party cookie.
Persistent cookies: these cookies remain on a user’s device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.
Session cookies: these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

2. How to delete and block our cookies?

You can change your cookie preferences by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies), you may not be able to access all or parts of our Website.
You can change your cookie settings by changing the settings on your browser.

3. What Personal Data We Collect and Why

When interacting with you through our website, we may collect the following personal data for the purposes of our business activities or for assisting you with your queries or concerns or for meeting our obligations:
• your name and surname;
• your contact details (phone and email addresses);
• any other personal data that you choose to provide to us.
When you choose to receive our communications (including communiques and Notice of dividends and AGMs), we ask that you provide us with your email address. The provision of this information is purely voluntary, and you may opt out of receiving our communications at any time by unsubscribing to these communications.

4. To whom do we disclose personal data?

We may disclose personal data to authorized personnel and carefully select third-party service providers who assist in the operation, maintenance, and enhancement of our business. Such disclosures may also be made to comply with applicable legal and regulatory obligations, including those set out under the Mauritius Data Protection Act 2017. Access to personal data is strictly limited to individuals with a legitimate need to know, and all recipients are contractually obligated to maintain confidentiality and implement appropriate technical and organizational measures to safeguard the information.

5. How long do we keep your information?

Your personal data will be stored for as long as required to fulfill our business purposes and for the period required by law (maximum 7 years). To the extent required by law, we will take reasonable steps to destroy personal data in a secure manner when we no longer need it for the purposes for which it was collected, and retention is no longer necessary for legal or business purposes.

6. Processing of personal data must be justified

We process personal data based on one or more of the following legal grounds: your consent, our contractual obligations, compliance with legal requirements, or our legitimate business interests. You have the right to access, correct, or delete your personal data, and to object to or restrict certain types of processing. You may also withdraw your consent at any time.

7. Safeguarding and Securing the Data

Constance Group is committed to securing your data and keeping it confidential. Constance Group has done all in its power to prevent data theft, unauthorized access, and disclosure by implementing the latest technologies and software, which help us safeguard all the information we collect online.

8. International Data Transfers

In certain circumstances, your personal data may be transferred to and processed in countries outside Mauritius. These transfers will only occur where necessary for the performance of our services, compliance with legal obligations, or engagement with trusted third-party providers. We ensure that such transfers are carried out in accordance with the Mauritius Data Protection Act 2017, and that appropriate safeguards — such as contractual clauses or equivalent legal mechanisms — are in place to protect your personal data and uphold your privacy rights.

9. Data Breach Notification

10. Links to other websites

Our website may contain links to other websites, apps, content, services or resources on the internet which are operated by our subsidiaries. If you access other websites, using the links provided, please be aware they may have their own privacy policy, and we do not accept any responsibility or liability for these policies or for any personal data which may be collected through these sites. Please check these policies before you submit any personal information to these other websites.

11. Amendments to this Policy

Amendment and approved by the Board of Directors on 10th November 2025.

Data Protection Policy

Constance Group and its affiliates (“Constance”, “Company”, “Controller” or “Processor”) are committed to upholding the highest data privacy standards. This Data Protection Policy (“Policy”) outlines how Personal Data is collected, stored, used, and processed—whether in physical or digital form—in compliance with the Data Protection Act 2017 (“DPA 2017”) and the EU General Data Protection Regulation (“GDPR”) (together, the “Data Protection Laws”). Constance ensures all personal data is handled in accordance with these laws and continually monitors and updates its compliance practices to meet legal and regulatory requirements.

1. DEFINITIONS

• Personal data means data relating to a natural living person who can be identified, directly or indirectly, from these data and include the full name, address, contact nos., photo, occupation, physical characteristics of the person as well as online identifiers.
• Data subject is a living individual to whom personal data relates.
▪ Data controller is a natural or legal person, or an organisation which alone or jointly with others, determines the purposes and the way personal data is processed. A data controller collects, processes and stores data about living individuals in a structured filing system, whether it is manual or electronic, or both.
• Data processor is a natural or legal person, or an organisation which processes data on behalf of the data controller. The data processor is usually a third-party external to the company.
• Processing means any operation or set of operations performed on personal data whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Data breach or incident means any event or action which may compromise the confidentiality, integrity and availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause harm to the data subject, whether physical, material or moral.
• Supervisory authority refers to any competent public body responsible for monitoring and enforcing compliance with privacy law.

2. CONTROLLER

3. POLICY STATEMENT

During business, Constance is required to collect, process and store personally identifiable information about individuals including directors, shareholders or third parties on behalf of the Company, in order to fulfill operational and legal obligations. Measures are taken to ensure protection of the privacy rights of individuals and their personal data are treated with the utmost care and confidentiality. Constance shall act in accordance with the data protection laws and apply appropriate technical and organisational measures to maintain the privacy and security of personal data that are processed and stored, whether on paper or in its information systems.

4. OBJECTIVE

4.1. This policy aims at guiding employees in the proper handling of personal data to:
4.1.1. ensure due respect to the privacy rights of individuals (employees and non-employees);
4.1.2. prevent / mitigate the risk of data breach under the applicable data privacy laws & regulations; and
4.1.3. ensure compliance with the applicable data protection laws and regulations.

Safeguarding and Securing the Data

Constance is committed to securing your data and keeping it confidential. Constance has done all in its power to prevent data theft, unauthorized access, and disclosure by implementing the latest technologies and software, which help us safeguard all the information we collect online.

5. SCOPE

5.1. Third parties who process personal data on behalf of Constance must act in accordance with the applicable data protection legislation, or, at least, comply with the data protection principles.
5.2. The third parties shall acknowledge their data protection obligations through signature of the Data Processing Agreement, as addendum to their contract with the Company.
5.3. Such obligations shall be extended to any sub-contractor engaged by the third party data processor.
5.4. Constance shares personal data with third parties only under the following circumstances:
• Where required by law, regulation, or legal proceedings;
• Where necessary for the performance of a contractual obligation;
• Where the explicit consent of the data subject has been obtained.
5.5. In all cases, Constance shall ensure that appropriate safeguards are in place to protect the rights and freedoms of data subjects.

6. DATA PROTECTION PRINCIPLES

6.1. Principle of lawfulness, fairness and transparency
Personal data shall be processed in a fair, lawful and transparent manner and in accordance with the rights of the data subject.
6.2. Principle of purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes.
6.3. Principle of adequacy and relevance & data minimization
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
6.4. Principle of accuracy
Personal data shall be accurate and, where necessary, kept up to date.
6.5. Principle of storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
6.6. Principle of integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6.7. Principle of accountability
The data controller is responsible for and must be able to demonstrate compliance with the above principles.

7. PROCEDURES APPLYING THE DATA PROTECTION PRINCIPLES

7.1. LAWFULNESS, FAIRNESS AND TRANSPARENCY
7.1.1. PROCESSING of personal data would be lawful when either the data subject has given explicit consent, or the processing is necessary:
• to meet contractual obligations entered into by the data subject to comply with the data controller’s legal obligations (compliance with laws and regulations);
• to protect the data subject’s vital interests;
• for tasks carried out in the public interest;
• for the purposes of legitimate interests pursued by the data controller.
7.2. Consent and conditions
7.2.1. If consent is required, it should be obtained prior to processing the data. The data controller should be able to demonstrate that consent was obtained.
i. Requests for consent shall be sent to data subjects in clear and plain language. A separate consent shall be requested for different purposes;
ii. Data subjects must have the possibility to withdraw their consent at any time, without detriment (e.g., link to unsubscribe);
iii. Consent is required for all secondary uses of data collected.
iv. Explicit consent is required whenever sensitive or special categories of data are to be processed (see definition on Annex 2)
v. Consent is required for processing the personal data of children under 16 years;
vi. Consent is not required for legitimate interests. In any case, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place, and provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.
7.3. Fairness
There must be a fair balance between the personal data which organisations process, the reasons why they process them, and what they have said, promised and described in the information provided to data subjects.
7.4. Transparency
For the sake of transparency and in line with data subjects' right to information, the Company has published on its website a cookie and privacy policy which describes the purposes and way the Company collects, processes and stores personal data, and informs data subjects of their rights with respect to their personal data held by it. Contact details are provided to facilitate queries, complaints and the exercise of the rights of persons concerned.

8. DATA COLLECTION

8.1. Approved standard forms shall be used for collecting personal data from individuals.
8.2. Only the minimum information necessary for the specified purpose(s) shall be collected;
8.3. All data collection forms (manual and electronic) shall include the Company name and address.
8.4. A printed copy of the Cookie & Website Privacy policy shall be made available upon request by data subject.
8.5. Where consent is required, it should be highlighted to the individuals concerned and, in case of non-consent, the consequences must be explained.
8.6. Once obtained, the consent must be duly registered and the evidence stored securely.

9. ACCURACY

Constance will take measures to maintain accuracy of data, especially on the electronic systems. Where necessary, the data must be kept up to date. All measures taken must be documented.

10. INTEGRITY AND CONFIDENTIALITY

10.1. The Company is committed to maintaining the integrity, confidentiality and security of personal data to prevent unauthorised access, accidental deletion and malicious hacking attempts.
10.2. It will take reasonable measures to ensure that the computers storing the information are kept in a secure environment with restricted physical access. Secured firewalls and other measures are used to restrict electronic access. If the data must be transferred to a third party, similar measures are put in place to protect personal data.

11. DATA RETENTION

Constance establishes the retention period for each category of data and will ensure that the data is destroyed as soon as reasonably practicable, where the purpose for which the data was collected has lapsed. Constance shall establish a defined retention period for each category of personal data it processes. Personal data shall be retained only for as long as is necessary to fulfill the purpose for which it was collected, or to comply with legal or regulatory obligations.
Once the retention period has expired, or when the data is no longer required, Constance shall ensure that such data is securely deleted or irreversibly anonymized as soon as reasonably practicable.

12. ACCOUNTABILITY & RECORD KEEPING

12.1. In line with the principle of ‘accountability’ (see Annex 1), Constance the Data Controller, shall maintain appropriate documentation and records including (but not limited to) the following:
• Policies and Standard Operating Procedures
• Copies of all processing activities
• Up-to-date inventories of personal data processed by each department / function
• Employee awareness training conducted
• Consent mechanisms and consents obtained
• Technical and organisational security measures
• Audits and assessments of present data privacy practices
• Data incidents/ breaches and reports made to Supervisory Authorities

13. TRANSFERS AND DISCLOSURES

13.1. Personal data shall be disclosed only on a business-related need-to-know basis within the organisation. Any other disclosure or transfer of personal data shall be done in accordance with the applicable data protection law. Data transfers may be subject to one or more of the following conditions:
• there is a lawful basis for the transfer or disclosure (legal obligation, performance of contract or to protect the vital interest of the data subject);
• the data subject is aware of or can expect that such transfer will be made
• the data subject has explicitly consented to the transfer;
• proper authorization has been received from the Supervisory Authority
In any case, Constance needs to ensure that appropriate safeguards are applied to protect the privacy rights of the individuals and ensure security and integrity of the data during the transfer;

14. INTERNATIONAL DATA TRANSFERS

Personal data may be transferred outside Mauritius only in accordance with Section 36 of the Data Protection Act 2017. The Company ensures that such transfers occur only where the recipient country or organisation offers an adequate level of data protection, or where appropriate safeguards are in place. Where required, explicit consent from the data subject shall be obtained prior to any such transfer. All international transfers shall be documented and subject to approval by the Data Protection Officer.

15. DATA SUBJECT RIGHTS

Data is to be processed in accordance with the rights of data subjects. Any complaints received or requests made by data subjects, claiming their rights under applicable privacy law, shall be forwarded to the Data Protection Officer (DPO) without undue delay, to enable prompt action. Response to such queries or complaints should be within one month from date of request. .

16. PRIVACY BY DESIGN & PRIVACY BY DEFAULT

16.1. “Privacy by design” means data protection through technology design. Constance is required to consider data protection issues at the design phase of any new system, service, product or process (e.g., pseudonymisation).
16.2. “Privacy by default” requires the implementation of appropriate technical and organizational measures to ensure that, by default, only data strictly necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

17. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Data Protection Laws impose a Data Protection Impact Assessment (DPIA) prior to the launch of any new project or process that is likely to involve a high risk to the personal information of individuals. A DPIA will help to identify risks, for a type of processing using new technologies. The process owner shall notify the DPO of the requirement for a DPIA and the latter will organize accordingly.

18. DATA BREACH

18.1. A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A data breach can result in harm caused to the data subject.
18.1.1. Constance must be vigilant and on the lookout for data incidents and potential data breaches.
18.1.2. It shall put in place a mechanism to ensure that any data incident identified is logged and reported to the DPO without undue delay. The incident log shall contain the following information:
• Details of the occurrence (time, IT system, process owner, individuals involved)
• All corrective measures taken following identification of the incident
• any complaints registered following the incident
18.2. Depending on the materiality of the breach, it may be necessary to report it to the appropriate supervisory authority within 72 hours of the occurrence. Such reports shall be processed by the DPO.

19. DATA PROTECTION OFFICER (DPO)

Constance is deemed a data controller under the laws. It collects, handles, processes and stores personal data of employees and non-employees which include directors, suppliers, contractors, job seeThe main role of the DPO is to monitor and facilitate the implementation of data protection regulations throughout the organization. The DPO shall act as an advisor and expert on all matters related to data privacy within the Company and shall be the single point of contact to external stakeholders (e.g., Data Protection Authorities and Data Subjects).

20. REFERENCE

While reading this Data Protection Policy & Procedures, reference shall be made to the IT Code of Practice which describes the ways in which integrity and confidentiality of data is maintained.

21. POLICY REVIEW

This Data Protection Policy shall be reviewed at least once every five (5) years, or earlier if there are significant changes in data protection laws, regulations, or the Company’s operations that may affect the way personal data is process.

Our Location

Send us a Message

Our Headquarters