Incofin Privacy Policy

Scope

This Privacy Policy governs the collection, storage and use of personal information collected by Incofin Investment Management NV (“Incofin IM” or “Incofin”), either via the website www.incofin.com (“Website”) or during the use of the services provided by Incofin for data subjects acting as representatives of investors, representatives of investees, individual shareholders, employees, candidates, suppliers, or in any other way professionally linked to Incofin. This Privacy Policy will provide details about the personal information Incofin collects, how and why the personal information is used and the data subject’s rights.

Incofin Investment Management NV has its registered office at 2610 Antwerp, Sneeuwbeslaan 20, Belgium and is registered in the register of legal entities of Antwerp with company registration number 0815.870.958 and VAT number BE 0815.870.958. Incofin is a Belgian licensed Alternative Investment Fund Manager (“AIFM”), supervised by the Belgian Financial Services and Markets Authority (“FSMA”).

Personal data can be exchanged between all legal entities of Incofin IM insofar as that this is necessary. The entities of Incofin that receive your data will always process them with respect for this Privacy Policy.

As a data controller in the sense of article 4 GDPR of personal data, Incofin respects the right to privacy and will only process personal information which is provided in accordance with applicable data protection laws, which include:

1. the General Data Protection Regulation (Regulation 2016/679) (“GDPR“);
2. the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
3. any additional national and local legislation and other applicable privacy laws.

Incofin safeguards personal data as much as reasonably possible and in compliance with applicable data protection laws, in particular the General Data Protection Regulation 2016/679 of 27 April 2016 (‘GDPR’). This Privacy Policy was last updated on 20 September 2023

The personal information Incofin collects

When accessing and browsing the Website (including when you submit personal information to us through data entry fields on the Website) or during the use of our services, Incofin may collect the following information (“personal data”):

• Identification data: For Due Diligence, AML obligations and to provide our services, Incofin collects the following identification data including, but not limited: e-mail address and contact details when registering such information via our Website. Other possible information is the full name (first and last name), e-mail address, country of residence, telephone number, national register number, bank account number and any other information necessary for anti-money laundering and due diligence purposes.
• Financial data: For Due Diligence and AML obligations Incofin collects the following financial data including, but not limited to company information including but not limited to personal data containing business unit details, financial policies, bank account numbers, financial plans, budgets, fund details, pricing, business plans and other related financial information.
• Cookies: this covers data on when accessing the Website, any personalized settings, and browsing behaviour. Incofin collects this information through automated means when browsing the Website. For Analytical Cookies, in order to improve our Services, consent will be asked to the use such cookies through a Cookie Banner. All non-analytical Cookies are necessary to optimize navigation and the browsing experience. For more information see Incofin’s Cookie Policy.

IP addresses of Website visitors are also collected but are only used for statistical and reporting purposes as further described in Incofin’s Cookie Policy. IP addresses will not be linked to any personal information.

Incofin only collects the necessary personal data and does not process personal information in any way, other than specified in this Privacy Policy.

For which purposes and on which legal basis Incofin processes personal data

Incofin (or third-party data processors acting on Incofin’s behalf) may collect, store and use personal data listed above for the following purposes:

Purposes of the processing of personal data

Incofin processes personal data for the following purposes:

 

Legal basis for the processing of personal data

Incofin bases the processing of personal data on one or more of the following legal grounds:

• Consent: consent may be requested in connection with the use of personal data for certain purposes; If the processing is based on consent, data subjects have the right to withdraw consent this processing at any time, without this affecting the lawfulness of the processing based on the consent before its withdrawal. In case consent has been given to receive newsletters and advertising, this can be withdrawn by adjusting the account settings or using the « unsubscribe » link in this communication. In such a case consent can be withdrawn at any time;

• to be able to conclude an agreement: when in the process of becoming an investee of one of the funds managed or advised by us, Incofin may have to process certain data due to our statutory obligations in order to assess whether the investment can actually be provided;
• to be able to execute an agreement correctly: in case the data subject is a representative of an investee or an investor of one of the funds managed or advised by Incofin, Incofin must be able to supply information regarding the privacy rights and obligations in certain cases;
• for the realization of a legitimate interest: Incofin may process data in order to function as a company and to fulfill its corporate purpose. Incofin strives to maintain a fair balance between the need to process data and the preservation of the privacy rights and freedoms, including the protection of privacy;
• because of a legal obligation: Incofin may need to process certain personal data for antimoney laundering legal obligations or in order to abide social and/or tax legislation.

What are the privacy rights?

Access, rectification, erasure, portability and objection rights

When personal data is processed, data subjects have the following rights:

1. Right to access: the right to access the data that Incofin processes. This also includes the right to ask a copy and to ask for information about the data retention period and the purposes of the processing;
2. Right to update: the right to request us to update or correct any outdated or inaccurate personal data that Incofin holds;
3. Right to erasure: right to erasure and restriction of processing of personal data within the boundaries specified in the privacy legislation;
4. Right to transfer: Right to request that Incofin transfers personal data to a third party within the limits specified in the privacy legislation;
5. Right to restrict: restrict the processing of personal data if you were to object to the processing or to the accuracy of the processed data or if you wish to retain certain personal data in the context of a possible claim while Incofin no longer needs the data in the light of the purposes mentioned above;
6. Right to oppose: in case Incofin processes personal data for its legitimate interests, you have the right to oppose such processing; in this case Incofin may only proceed with the processing of personal data if compelling legitimate grounds apply and after careful consideration of your interests and the interests of Incofin;
7. Right to complain: You always have the right to file a complaint with the supervisory authority, namely the Belgian Data Protection Authority;
8. Right to object: if your personal data are processed for direct marketing you have the right to object to such processing and Incofin must further refrain from processing your personal data for these purposes. Incofin will then cease the processing unless there are compelling legitimate grounds. For example, you can object to the processing of your personal data after a non-successful application. In such case, Incofin will immediately erase your personal data and stop any further processing.

If you wish to exercise any of the above rights, please contact us:

• by postal mail: Incofin, Sneeuwbeslaan 20 postbus 2, 2610 Wilrijk
• via e-mail: privacy@incofin.com

This request must always be accompanied by either proof of identity or proof of a valid connection to the use of our products or services. If Incofin has a reason to doubt the identity or valid connection of the natural person making the request, Incofin is entitled to request additional information necessary to confirm the identity or connection to our products/services.

If Incofin has already anonymized your information, Incofin will inform you that it is unable to comply with the exercise of your rights except when you, with a view to exercising your rights, provide additional data that make it possible for Incofin to identify you.

Within 1 month after the submission of the request, you will be informed of the follow-up by the Privacy Officer.

No automated decision-making, including profiling, is used in the processing of Personal Data. Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects or that significantly affect the individuals involved. As a rule, Incofin does not make use of automated decision-making as described above.

 

Right to lodge a complaint

In the event of a conflict concerning the processing of your personal data, you can contact us:

• By mail: Incofin, Sneeuwbeslaan 20 postbus 2, 2610 Wilrijk

• By email at: privacy@incofin.com

You can also lodge a complaint to the Belgian Data Protection Authority For additional general information regarding the protection of Personal Data, please contact the Data Protection Authority (DPA) with address at 1000 Brussels, Drukpersstraat 35, tel: 02/274.48.00 or via e-mail contact@apd-gba.be (www.gegevensbeschermingsautoriteit.be).

If Incofin receives a request to exercise any of the above-mentioned right, Incofin might request additional information to verify the validity and valid connection to our services before acting on the request. This is to ensure that the data subject is the rightful person and to ensure the confidential treatment and protection of personal data.

How Incofin shares personal data

Except in the cases specified below Incofin will not disclose personal data to any third party. Incofin may only share personal data with affiliated companies or other companies who perform data processing activities on our behalf. Incofin will not sell or rent personal data.

These other companies are (among others):

• Hubspot: CRM portal (https://www.hubspot.com/)
• Microsoft via Cheops: IT administrator (https://azure.microsoft.com/)
• Mimecast: IT security (https://www.mimecast.com/)
• IBM Cloud: IT administrator (https://www.ibm.com/cloud)

Incofin may also disclose personal information to third parties where Incofin is required to do so (i) by applicable law, (ii) by a governmental body, (iii) by a law enforcement agency or (iv) in connection with an investigation of suspected or actual fraudulent or illegal activity.

In accordance with the principles set out below, Incofin will delete personal data once it is no longer required to fulfil the purposes outlined in this Privacy Policy, unless their retention would remain required for other fundamental purposes, including but not limited to complying with our legal obligations, handling claims and resolving disputes.

For the retention period of any cookies used on this Website we refer to our Cookie Policy.

In case Incofin would transfer personal data to third parties as part of the recruitment process, Incofin will inform the relevant individuals beforehand. In the context of the selection & recruitment process the following stakeholders might have access to personal data: HR, your envisaged hierarchic superior(s), the IT department and auditors on a strict ‘need-to-know’ basis for the purposes described above.

Incofin may change its corporate structure by changing the legal form via a merger or via acquisitions and sale. In such transactions, Personal Data will be transferred in accordance with this Privacy Policy and applicable data protection laws.

Anonymous data, on which the GDPR is not applicable, can always be passed on, whether or not for commercial purposes.

How long does Incofin keep your personal data?

Incofin will not store personal data beyond the time necessary for the performance of the purposes for which the data is processed.

The reference point for storing personal data is the legal retention period. Such a period is often up to 10 years after the end of an agreement or 5 years after the last processing for which the information was originally obtained. If the law does not prescribe a period, the archiving may be shorter. The storage may also be longer when Incofin must be able to use the data for proof purposes in a legal procedure.

The personal data will be retained for the following subsequent periods:

How does Incofin protect personal data?

Incofin has taken appropriate technical and organizational measures to safeguard and protect personal data, against unauthorized or unlawful processing and against accidental destruction, loss, access, misuses, damage and any other unlawful forms of processing of the personal data in our possession.

It is permitted to collect non-personal and anonymous data when the Website is visited and to anonymize personal data. These data do not allow to identify an individual person and these data may be shared with third parties, including for statistical purposes.

You also have an important role to play in securing your personal data, e.g. by keeping your PC up-to-date and keeping your login data confidential and secure.

Updates to our Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in our personal data practices.

Incofin will post a prominent notice on the Website as a notification of any significant changes to our Privacy Policy and indicate at the top of the notice the date at which it was last amended.

If one or more clauses from this Privacy Policy are declared partially or completely null and void or non-binding by judicial intervention, this will not affect the validity of the other clauses or the validity of the entire Privacy Policy. If the clause(s) in question wish to be amended or replaced, the amended or new clause must be as closely aligned as possible with the clause(s) declared void or non-binding.

The failure to demand strict compliance with the provisions of this Privacy Policy shall not be construed as any waiver or rejection thereof.

Any dispute or claim relating to the processing of personal data and the Privacy Policy or any data mentioned herein is governed by Belgian law and falls under the exclusive jurisdiction of the courts and tribunals of Brussels (Belgium).

How to contact Incofin

If you have any questions or comments about this Privacy Policy or about how Incofin collects, stores and uses your personal information, or if you would like to exercise your rights, or to update the information Incofin has about you or your preferences, please contact us here:

E-mail: privacy@incofin.com

Post: Incofin, Sneeuwbeslaan 20 postbus 2, 2610 Wilrijk

Transfers of personal data outside the EU

Personal data in the EU is protected by the General Data Protection Regulation, but other countries may not have necessary the same standards on privacy or protection of personal data.

It may be necessary that a Incofin affiliate requires access to personal data to process and/or store these Personal data. This affiliate may be located within or outside the EEA.

For these purposes, all Incofin affiliates have concluded an internal agreement including EU Standard Contractual Clauses in accordance with the data protection principles.

Incofin abides by the standard provisions regarding data protection (SCC’s) within the meaning of Article 46 (2) (c) and (d) GDPR in the name and on behalf of Incofin. For the record, in that case Incofin is the data exporter (as defined in the SCC’s) and any processor or Sub-processor is the data importer (as defined in the SCC’s).

Personal data will only be processed for internal use for the purposes described above. Incofin does not rent or sell Personal Data to third parties, yet only uses Personal data for its own purposes.

Inside Incofin Personal data is only made available to its staff on a ‘need to know’ basis.

Incofin uses processors to process Personal Data. Processors are natural or legal persons, governments, agencies or other bodies that process the personal data on behalf of Incofin.

Incofin may transfer the personal data to the following (categories of) recipients:

• Processors providing statistical research and analysis;
• Processors who provide hosting of this Website and related databases;
• Processors and data controllers who acts as subcontractors in the performance of the Services;
• Companies affiliated with Incofin.

Personal data may be processed outside the European Economic Area. Incofin will ensure that appropriate or appropriate safeguards are taken, such as a transfer based on an EU Adequacy Decision or based on EU Standard Contractual Clauses. Data subjects can obtain a copy of the guaranteed measures upon written request by sending a mail to privacy@incofin.com.