This privacy notice (this “Privacy Notice”) sets forth the privacy practices with respect to the personal data of existing, prospective, or former members or affiliates of CREO Syndicate and/or CREO Syndicate UK Limited (“CREO”, “our”, “we”, or “us”) (“Members”, “you”, or “your”). We recognize that the lawful and correct treatment of personal data is very important to successful operations and to maintaining our Members’ confidence in us. This Privacy Notice explains, among other things, what personal data we collect, how we use your personal data, and the steps we have put in place to protect the personal data you have entrusted to us in accordance with applicable data protection laws in the UK/European Economic Area (“EEA”). If you are a natural person, this will affect you directly. To the extent you are a corporate Member (including, for these purposes, legal arrangements such as trusts or exempted limited partnerships), we ask that you provide a copy of this Privacy Notice to any individuals whose personal data the corporate Member has provided or will provide to CREO in connection with the corporate Member’s investment. For EEA/UK data protection purposes, CREO Syndicate and CREO Syndicate UK Ltd. are controllers of your personal data.
This Privacy Notice may be updated at any time and we will notify you in writing of any material changes.
Personal Data That May Be Collected. The personal data that CREO collects about Members may include:
- Contact and Identification Information: such as name, residential and business address, telephone number(s), email address(es), nationality, passport number, driver’s license, place of birth, date of birth, job title, signature, and other identification documents for anti-money laundering purposes;
- Financial Information: such as tax identification number(s), country of tax residence(s), accredited investor status or equivalent;
- Investment History: such as credit history, correspondence records, source of wealth information, investment strategy and allocations (e.g., size, frequency, and asset classes), income details, membership sector interests;
- Special Categories of Personal Data: such as details regarding your ethnicity, race, and gender; and
- Any other information required by applicable laws.
Purposes For Processing And Legal Basis For Processing Personal Data. We may use your personal data for the following purposes:
Categories of Personal Data
Legal Basis under UK General Data Protection Regulation (UK GDPR)
Contact and Identification Information, Financial Information, Investment History
Managing and administering your investment with us, including assessing and processing applications, facilitating the transfer of funds and administering and facilitating any other transaction with us, servicing accounts, maintaining your accounts and communicating with you about your membership and related activities on an ongoing basis.
This use of your personal data is necessary for the performance of your contract with us (Article 6(1)(b), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
Managing and maintaining our relationships with you and for ongoing customer service
This use of your personal data is necessary for the performance of your contract with us (Article 6(1)(b), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
To enforce or defend our rights, or ourselves or through third parties to whom we delegate such responsibilities
This use of your personal data is necessary for the performance of your contract with us (Article 6(1)(b), UK GDPR)
This use of your personal data is necessary for the performance of your contract with us (Article 6(1)(b), UK GDPR)
nvestigating and resolving complaints and managing contentious regulatory matters, investigations and litigation
This use of your personal data is necessary in order for us to comply with our legal or regulatory obligations (Article 6(1)(c), UK GDPR)
This use of your personal data is necessary for our legitimate interests in managing our business including for legal, personnel, administrative and management purposes (Article 6(1)(f), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
To share information with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including screening transactions, reporting suspicious activity, and complying with production and court orders
This use of your personal data is necessary in order for us to comply with our legal or regulatory obligations (Article 6(1)(c), UK GDPR)
This use of your personal data is necessary for our legitimate interests in managing our business including for legal, personnel, administrative and management purposes and for the prevention and detection of crime provided our interests are not overridden by your interests (Article 6(1)(f), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
To comply with any of our applicable legal, tax or regulatory obligations, which derive from anti-money laundering and counter-terrorism legislation
This use of your personal data is necessary in order for us to comply with our legal or regulatory obligations (Article 6(1)(c), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
To report tax related information to tax authorities
This use of your personal data is necessary in order for us to comply with our legal or regulatory obligations (Article 6(1)(c), UK GDPR)
Contact and Identification Information, Financial Information, Investment History
The day to day running and management of our business, including to:
- monitor, maintain and improve the processes, information and data, technology and communications solutions and services used by us;
- perform general, financial and regulatory accounting and reporting;
- business analysis, training and related purposes in order to pursue our legitimate interests and to improve service delivery;
- protect our legal rights and interests including screening transactions for fraud prevention and anti-money laundering purposes; and
- share such personal data with third parties that acquire or are interested in acquiring all or part of our assets or shares, or that succeeds us in carrying on our business.
This use of your personal data is necessary for our legitimate interests in managing our business including for legal, personnel, administrative and management purposes and for the prevention and detection of crime provided our interests are not overridden by your interests (Article 6(1)(f), UK GDPR)
Contact and Identification Information
To contact you to tell you about products and services offered by us which we believe may interest you unless you advise us that you do not wish to receive marketing or market research communications from us
0If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send you those types of communications after receiving your consent. If you wish to stop receiving marketing or market research communications from us you can unsubscribe via the link at the bottom of the relevant marketing email or contact us using the contact details below (Article 6(1)(a), UK GDPR)
Special Categories of Personal Data
Special Categories of Personal Data
We may request you provide us with certain data relating to: (i) your ethnicity, race, and gender where we have your explicit consent to understand the diversity, ethnicity and inclusion trends within our ecosystem; or (ii) your organization’s diversity, ethnicity and inclusion practices with a view to enabling such equality to be promoted or maintained. We may share such data, in an aggregated form only, with certain third parties.
Where you are a corporate Member, this use of your personal data is necessary for our legitimate interests and for reasons of substantial public interest, specifically for equality of opportunity or treatment purposes (Articles 6(1)(f) and 9(2)(g), UK GDPR; Condition 8 of Part 2 of Schedule 1 of the UK Data Protection Act 2018)
Where you are a Member who is a natural person, we will only process your personal data with your explicit consent (Articles 6(1)(a) and 9(2)(g), UK GDPR)
Please note that where EEA/UK data protection laws apply you may have the right to object to the processing of your personal data where that processing is carried out for our legitimate interest or for direct marketing.
Consequences of Not Providing Your Personal Data. Where we require your personal data to comply with anti-money laundering or other legal requirements, failure to provide this information means we may not be able to process your membership with us and provide services to you. This may result in us terminating our relationship with you. We will tell you when we ask for your personal data whether it is a statutory or contractual requirement to give us the personal data and the consequences of not providing such personal data.
Security. We take the security of personal data very seriously and take steps to establish reasonable and appropriate physical, technical and organizational measures to ensure a level of security appropriate to the sensitivity of personal data processed. We take measures to safeguard your personal data, but we cannot guarantee its absolute security.
Recipients of Personal Data. We may disclose the categories of personal data listed above as permitted by law to the following entities:
- our affiliates, non-affiliated third parties and service providers engaged in connection with the oversight, safekeeping, administration, distribution or operation of our business, including payroll providers, agents, administrators, custodians, bankers, insurers, AML service providers, web designers and programmers, auditors, accountants and lawyers;
- fraud prevention agencies and law enforcement agencies;
- competent authorities (including tax or regulatory industries), courts and bodies as required by applicable law or requested by such entities or to affiliates for internal investigations for reporting purposes;
- any third party that acquires, or is interested in acquiring, all or part of our assets or shares, or that succeeds us in carrying on all or part of our business, whether by merger, acquisition, reorganization, or otherwise; and
- as required or permitted by law, including to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or we have a legitimate interest in making a disclosure, such as where necessary to protect our rights and property.
As stated above, we may also disclose certain personal data (including relating to your ethnicity, race, and gender) to certain third parties in an aggregated form only i.e., you will not be identifiable from the data disclosed.
In the U.S., Federal law regulating financial companies gives you the right to limit sharing of certain nonpublic personal information, including: sharing for affiliates’ everyday business purposes—information about your creditworthiness; affiliates from using your information to market to you; and sharing for nonaffiliates to market to you. At this time, we do not conduct any of these activities.
International Data Transfers. Certain affiliates, non-affiliates, service providers and other recipients as described in the section above, are located in jurisdictions outside the EEA/UK which may not be deemed to have ‘adequate’ data protection laws equivalent to those in the EEA/UK. Any such international transfers of personal data shall be in accordance with the requirements of applicable data protection laws (e.g., relying on a data transfer mechanism such as EU standard contractual clauses ("EU SCCs”) or UK international data transfer agreement). You can request further details regarding data transfer mechanisms by using the contact details set out below.
Retention Period. We will retain your personal data for as long as required for a particular business or relationship purpose or for as long as required for us to comply with applicable legal/regulatory obligations, whichever is longer. The criteria used to determine the retention periods include: (i) how long the personal data is needed to provide / receive the services and operate the business; (ii) the type of personal data collected; and (iii) whether we are subject to a legal, contractual or similar obligation to retain the personal data (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation or data that must be retained for the purposes of litigation or disputes).
Data Subject Rights. Where you are located in the EEA/UK, you may have various rights under EEA/UK data protection laws in relation to your personal data (subject to certain restrictions and limitations) including the right to request access to and rectification or erasure of your personal data, obtain restriction of processing or object to the processing of your personal data where it is based on our legitimate business interests or for direct marketing, ask not to be subject to automated decision making if the decision produces legal or other significant effects that affect you, and ask for a copy of your personal data to be provided to you, or, a third party in a digital format. You also have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You may also have the right to lodge a complaint about the processing of your personal data with your local data protection authority.
We will respond to your request in writing, or orally if requested, as soon as practicable and within the time frame prescribed under applicable data protection laws. We may request proof of identification to verify your request. For more details in relation to your rights, including how to exercise them, please contact us at privacy@creosyndicate.org.
How to Contact Us. If you have any questions regarding this Privacy Notice or about our use of your personal data, or to exercise your data subject rights, please contact us at privacy@creosyndicate.org.
