EEA and UK Privacy Policy

This EEA and UK Privacy Notice (this “EEA and UK Privacy Notice”) applies to the extent that EEA and UK Data Protection Legislation (as defined below) applies to the processing of personal data by an Authorized Entity (as defined below). If this EEA and UK Privacy Notice applies, the data subject has certain rights with respect to such processing of their personal data, as outlined below.

For this EEA and UK Privacy Notice, “EEA and UK Data Protection Legislation” means all applicable legislation and regulations relating to the processing and/or protection of personal data, in each case as in force from time to time in the EU, the EEA and/or the UK, including: (i) Regulation (EU) 2016/ 679 (the “General Data Protection Regulation”); (ii) the General Data Protection Regulation as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union Withdrawal Act 2018; (iii) any other legislation which implements any other current or future legal act of the EEA or the UK concerning the protection and/or processing of personal data and any national implementing or successor legislation; and (iv) any amendment or re-enactment of any of the foregoing. The terms “controller,” “processor,” “data subject,” “personal data” and “processing” and any other applicable terms in this EEA and UK Privacy Notice shall be interpreted in accordance with the applicable EEA and UK Data Protection Legislation. Unless the context otherwise requires, as used herein the words “include,” “includes” and “including” shall be deemed to be followed by the phrase “without limitation.” All references to “investor(s)” in this EEA and UK Privacy Notice shall be to such actual or potential investor(s) (who may or may not be admitted to the applicable fund as a limited partner) and, as applicable, any of such investor(s)’ authorized representatives, partners, officers, directors, employees, shareholders, members, managers, ultimate beneficial owners and affiliates.

Please direct any questions arising out of this EEA and UK Privacy Notice to Invidia at privacy@invidiacap.com or (212) 970-6431.

Categories of personal data collected and lawful bases for processing

In connection with forming, offering and operating funds for investors, Invidia and its portfolio companies, their affiliates, and in each case, their administrators, service providers, legal and other advisors and agents (the “Authorized Entities”) collect, record, store, adapt and otherwise process and use personal data, either relating to investors or to any other data subjects, including from the following sources:

• information received in telephone conversations, in voicemails, in meetings, through written correspondence, via email, or on subscription agreements, investor questionnaires, applications or other forms (including any anti-money laundering, “know your client” identification, and verification documentation);
• information about transactions with any Authorized Entity or others;
• information captured on any Authorized Entity’s website, fund data room and/or investor reporting portal (as applicable), including registration information and any information provided through online forms and any information captured via “cookies” or similar technologies; and
• information from available public sources, including from:
  • publicly available and accessible directories and sources;
  • bankruptcy registers;
  • tax authorities, including those that are based outside the UK and the EEA if the applicable data subject is subject to tax in another jurisdiction;
  • governmental and competent regulatory authorities to whom any Authorized Entity has regulatory obligations;
  • credit agencies; and
  • fraud prevention and detection agencies and organizations.
• The Authorized Entities may process the following categories of personal data:
• names, dates of birth, birth place, gender, citizenship, place of residence and marital status;
• contact details and professional addresses (including physical addresses, email addresses and telephone numbers);
• account data and other information contained in any document provided by investors to the Authorized Entities (whether directly or indirectly);
• information regarding a data subject’s use of any Authorized Entities’ website, fund data room and investor reporting portal (e.g., cookies, browsing history and/or search history);
• risk tolerance, transaction history, investment experience and investment activity;
• association with other entities, including in particular association with publicly traded companies;
• information regarding an investor’s status under various laws and regulations, including their social security number, tax status, income and assets;
• accounts and transactions with other institutions;
• information regarding an investor’s interest in the applicable fund(s), including ownership percentage, capital investment, income and losses;
• details relating to immediate family members or senior political figures to whom investors may be connected;
• source of funds used to make the investment in the applicable fund(s); and
• anti-money laundering, identification (including passport and drivers’ license) and verification documentation.

Any Authorized Entity may, in certain circumstances, combine personal data it receives from an investor with other information that it collects from, or about such investor. This will include information collected in an online or offline context. In addition, personal data of investors could be processed and controlled irrespective of whether such investor is admitted to a fund as a stockholder.

One or more of the Authorized Entities are “controllers” of personal data collected in connection with the funds. In simple terms, this means such Authorized Entities: (i) “control” the personal data that they or other Authorized Entities collect from investors or other sources; and (ii) make certain decisions on how to use and protect such personal data.

There is a need to process personal data for the purposes set out in this EEA and UK Privacy Notice as a matter of contractual necessity under or in connection with the Subscription Agreement, the Partnership Agreement, and any other agreement entered into or being negotiated between the relevant Authorized Entity and investor or data subject (the “Invidia Documentation”), pursuant to applicable legal obligations and in the legitimate interests of the Authorized Entities (or those of a third-party), to operate their respective businesses. From time to time, an Authorized Entity may need to process the personal data on other legal bases, including the following: (i) with consent; (ii) to comply with a legal obligation; (iii) if it is necessary to protect the vital interests of an investor or other data subjects; or (iv) if it is necessary for a task carried out in the public interest.

A failure to provide the personal data requested to fulfill the purposes described in this EEA and UK Privacy Notice may result in the applicable Authorized Entities being unable to provide the services as contemplated by the Invidia Documentation.

Purpose of processing

The applicable Authorized Entities process the personal data for the following purposes (and in respect of paragraphs (iii), (iv), (vi), (viii), (ix) and (xi) in the legitimate interests of the Authorized Entities (or those of a third- party)):

1. The performance of its contractual and legal obligations (including applicable anti-money laundering, KYC and other related laws and regulations), including in connection with assessing suitability of investors in a fund, facilitating the admission of investors in a fund and facilitating the investment, borrowing and other activities of a fund.
2. The administrative processes (and related communication) carried out between the Authorized Entities as a matter of contractual necessity in preparing for the admission of investors to a fund.
3. Ongoing communication with investors, their representatives, advisors and agents (including the negotiation, preparation and signature of documentation) during the process of admitting investors to a fund.
4. The ongoing administrative, accounting, reporting and other processes and communications required to operate the business of the funds and Authorized Entities in accordance with the Invidia Documentation and any other applicable documentation between the parties.
5. To administer, manage and set up investor account(s) as a matter of contractual necessity and for the purposes of the Authorized Entities’ legitimate interests to allow investors to purchase holdings of shares and/or other interests in the funds.
6. To facilitate the execution, continuation or termination of the contractual relationship between investors and Invidia or the relevant Authorized Entities (as applicable).
7. To facilitate the transfer of funds, and administering and facilitating any other transaction, between investors and Invidia or the relevant Authorized Entities (and any other funds operated by Invidia or its affiliates) as a matter of contractual necessity and for the purposes of the Authorized Entities’ legitimate interests.
8. To enable any actual or proposed assignee or transferee, participant or sub-participant of Invidia or any Authorized Entity (and any other funds operated by Invidia or its affiliates) rights or obligations to evaluate proposed transactions.
9. To facilitate business asset and/or similar transactions involving Invidia’s partnership or Invidia-related vehicles or any Authorized Entity or Authorized Entity-related vehicles (and any other funds operated by Invidia or its affiliates).
10. Any legal, compliance, tax or regulatory rule or requirement as necessary pursuant to applicable legal obligations and/or for the purposes of the Authorized Entities’ legitimate interests.
11. Keeping investors informed about the business of Invidia generally, including offering opportunities to make investments other than to the funds in which such investors currently invest.
12. Any other purpose for which notice has been provided, or has been agreed to, in writing, as necessary pursuant to applicable legal obligations, as a matter of contractual necessity, for the purposes of the Authorized Entities’ legitimate interests and/or where the data subject has given consent to the processing of their personal data for the specific purpose.

The Authorized Entities monitor communications where the law requires them to do so. The Authorized Entities also monitor communications, where required to do so, to comply with regulatory rules and practices and, where permitted to do so, to protect their respective businesses and the security of their respective systems for the purposes of their legitimate interests.

Sharing and transfers of personal data

In addition to disclosing personal data amongst themselves, any Authorized Entity may disclose personal data, where permitted by EEA and UK Data Protection Legislation, to other service providers, investors, employees, agents, contractors, consultants, professional advisors, lenders, processors and persons employed and/or retained by them in order to fulfill the purposes described in this EEA and UK Privacy Notice. In addition, any Authorized Entity may share personal data with regulatory bodies having competent jurisdiction over them, as well as with the tax authorities, auditors and tax advisers (where necessary or advisable to comply with law).

Any Authorized Entity may transfer personal data cross-border, including to a Non-Equivalent Country (as defined below), in order to fulfil the purposes described in this EEA and UK Privacy Notice and in accordance with applicable law, including where such transfer is a matter of contractual necessity to enter into, perform and administer the Invidia Documentation, including the Subscription Agreement and/or Partnership Agreement, and to implement requested pre-contractual measures. For information on the safeguards applied to such transfers, please contact Invidia. For the purposes of this EEA and UK Privacy Notice, “Non-Equivalent Country” shall mean a country or territory other than: (i) a member state of the EEA; (ii) the UK; or (iii) a country or territory which has at the relevant time been determined by the European Commission, the Government of the UK, or any other relevant authority, to ensure an adequate level of protection for personal data in accordance with EU and UK Data Protection Legislation.

Retention and security of personal data

Invidia and the Authorized Entities consider the protection of personal data to be a sound business practice, and to that end, employ appropriate technical and organizational measures, including robust physical, electronic and procedural safeguards designed to protect personal data in their possession or under their control.

Personal data may be kept for as long as it is required for the applicable purposes described in this EEA and UK Privacy Policy, or where longer, such longer period as is required by applicable legal or regulatory obligations. Personal data will be retained throughout the life cycle of any investment in a fund managed by Invidia. However, some personal data will be retained after a data subject ceases to be an investor in such fund.

Data Subject Rights

It is acknowledged that, subject to applicable EEA and UK Data Protection Legislation, the data subjects to which personal data relates have the following rights under EEA and UK Data Protection Legislation:

• right to withdraw consent: if the lawful bases for the processing of personal data is the data subject’s consent, the data subject has the right to withdraw consent given in relation to, the processing of their personal data at any time. This will not affect the lawfulness of processing based on consent before its withdrawal;
• right of access: if the data subject requires, the Authorized Entities will confirm whether they are processing personal data and, if so, will provide the data subject with a copy of their personal data;
• right to rectification: if personal data of the data subject is inaccurate or incomplete, the data subject is entitled to ask for correction or completion of their personal data;
• right to erasure: the data subject has the right to require the deletion of their personal data, such as when personal data is no longer necessary for the purpose or the data subject withdraws consent (if applicable). Please note that the right to erasure is not absolute, and it may not always be possible to erase personal data on request, including where the personal data must be retained to comply with a legal obligation. In addition, erasure of the personal data requested to fulfil the purposes described in this EEA and UK Privacy Notice may result in the inability to provide the services as contemplated by the Invidia Documentation;
• right to object: the data subject has the right to (i) object at any time, on grounds relating to the data subject’s particular situation, to the processing of personal data when the processing is based on the legitimate interest basis in the circumstances described above, unless the controllers demonstrate compelling legitimate grounds for the processing, and (ii) object to the processing of personal data for direct marketing (if applicable).
• right to data portability: the data subject has the right to obtain personal data that the data subject consented to provide or that is necessary to perform the Invidia Documentation and that is processed by automated means, in a structure, commonly used machine-readable format;
• right not to be subject to automated decision-making: the data subject has the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the investor or similarly affects the data subject; and
• 
  right to lodge a complaint with a data protection authority: if the data subject has a concern about processing of personal data under this EEA and UK Privacy Notice, the data subject has the right to report it to the data protection authority that is authorized to hear those concerns.

A data subject may raise any request relating to the processing of their personal data with Invidia at the contact information provided above.