Privacy Policy

1. Introduction

Polyvalent Capital Management Limited, a private company limited by shares, incorporated and
registered under the laws of the Republic of Cyprus with registration number HE 424788 and
authorized as an Alternative Investment Fund Manager by the Cyprus Securities and Exchange
Commission in accordance with the provisions of the Alternative Investment Fund Managers
Law of 2013 (L.56(I)/2013) (the “AIFM Law”) with authorisation number AIFM46/56/2013
AIFM [_] (“us” or “we”), is strongly committed to privacy issues and wants to be transparent
about the data it collects and how data is used. In particular, the personal data which is
processed by us is that of natural persons who are our clients, our contractors and/or business
affiliates as well as personal data of any other individuals, including but not limited to
employees, directors, authorised representatives, beneficial owners and/or shareholders of our
clients (including the AIFs under management and the investors of the relevant AIFs), our
contractors and/or business affiliates, being legal entities (“you”).

During the course of our Business Relationship, we collect and process personal data. We are a
data controller in respect of such personal data. This means that we are responsible for
determining the purposes and means of the processing of such personal data.

For the purposes of this Privacy Notice, ‘Personal data’ means any information relating to an
identified or identifiable natural person and ‘Processing’ means any operation or set of
operations which is performed on personal data, whether or not by automated means, such as
collection, recording, storage, use, disclosure, erasure or destruction. ‘Business Relationship’
means our commercial and/or business and/or other relationship with you including, but not
limited to, for the provision of our services to you and the various transactions entered into
between us and you from time to time.

Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 (the “GDPR”), the Law providing for the The Protection of Natural
Persons against the Processing of their Personal Data and the Free Movement of such Data of

2018 (Law 125(I)/2018), as amended and other applicable data protection laws, as amended
from time to time, we are required to notify you of the information contained herein.

2. Our Principles

When we process your personal data, it is:

(i) Processed lawfully, fairly and in a transparent manner in relation to the data subject
(‘lawfulness, fairness and transparency’);

This means that we provide information to you in respect of the processing of your
personal data (transparency), that the processing matches the description given to you
(fairness), and that it is based on at least one of the lawful basis set out in the GDPR
(lawfulness).

(ii) Collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; (‘purpose limitation’);

This means that we specify exactly what personal data is collected, the purpose of use and
limit the processing of personal data to only what is necessary to meet the relevant
purpose.

(iii) Adequate, relevant and limited to what is necessary in relation to the purposes for which
they are processed (‘data minimisation’);

This means that we do not process any personal data over and above what is required.

(iv) Accurate and, where necessary, kept up to date; every reasonable step is taken to ensure
that personal data that are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay (‘accuracy’);

This means that we have in place processes for identifying and addressing out-of-date,
incorrect or unnecessary personal data.

(v) Kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the personal data are processed (‘storage limitation’);

This means that wherever possible, we process personal data in such a way that limits or
prevents identification of the data subject.

(vi) Processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures (‘integrity
and confidentiality’).

3. Categories of Personal Data

We process the following categories of personal data:

  • Contact information, such as first name, last name, address (including proof of address
    e.g. utility bill), telephone, fax number, e-mail address, country of residence;
  • Personal characteristics, such as gender, date of birth, country/place of birth, citizenship,
    nationality;
  • Government issued identifiers, such as passport, identification card, tax identification
    number, tax certificate, social insurance number, FATCA/CRS information;
  • Financial information (including but not limited to bank account number/details, data on
    transactions, experience in investments, investment objectives, income, source of wealth
    and source of funds);
  • Functions and powers of relevant authorised representative(s) (where applicable);
  • Education, employment and occupation information, such as CVs, professional
    memberships, job title and responsibilities, professional qualifications, the previous or
    current holding of a prominent public function (for PEPs);
  • Certificate of clear criminal record (where applicable); and
  • Publicly available information (where applicable).

Special Categories of Personal Data (sensitive data)

In certain cases we may collect and process special categories of personal data which is
information revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, data concerning health or data concerning sex life or sexual
orientation. We shall process such data subject to your documented consent and/or where the
processing is necessary for the establishment, exercise or defence of legal claims relevant to us.

If during the course of our Business Relationship there is a change in your personal data, you
must ensure that the above details (as and where applicable) are updated by contacting us as
soon as practically possible. From time to time, we may request from our clients (including the
AIFs under management and the investors of the relevant AIFs) to confirm the accuracy of
personal data. We take every reasonable step to ensure that personal data that is inaccurate,
having regard to the purposes, for which it is processed, is erased or rectified without delay.

If we request from you to be provided with certain personal data, we kindly request that such
information is provided at your earliest convenience. If you fail to provide us with the personal
data requested, we may not be able to perform or be prevented from complying with our
obligations under our Business Relationship and/or any agreement entered into and/or
exchanged between us and you.

4. Purposes of Processing

We will process your personal data (as and where applicable) for the purposes of (i) meeting our
obligations under our Business Relationship and/or any agreement entered into and/or
exchanged between us in relation to, inter alia, the performance of the following functions under
section 6(5) of the AIFM Law: (a) investment management (portfolio management and risk
management), (b) administration, (c) marketing and (d) activities related to the assets of
alternative investment funds; (ii) operation, management and control of the affairs of our
business and its purposes; (iii) general planning and organisation of our business; (iv)

maintaining our IT systems, including our human capital, administrative and management
systems, processes and policies; (v) maintaining and developing our business relationship with
you; (vi) maintaining and developing our business with our clients (vii) the carrying out of
surveys and direct marketing (including via our website); (viii) management, planning and
organisation at work; and (ix) complying with any requirement of law and/or regulation
(including but not limited to the AIFM Law, the Prevention and Suppression of Money
Laundering and Terrorist Financing Law of 2007 (L.188(I)/2007), the Common Reporting
Standard (the “CRS”), the Foreign Account Tax Compliance Act (the “FATCA”), the sanctions
or restrictive measures of the EU, the UN and the US, as amended from time to time and all the
relevant Directives and Circulars issued from time to time by the Cyprus Securities and
Exchange Commission) and/or of any competent authority or professional body (where
applicable) of which we are a member and/or are licensed under (e.g. the Cyprus Securities and
Exchange Commission).

5. Lawful Basis of Processing

We are committed to your privacy. As part of the values we stand for, we will always consider
your fundamental rights as a data subject. We process your personal data for the purposes
mentioned above on the lawful basis that (i) the processing is necessary for compliance with a
legal obligation to which we are subject (e.g. KYC requirements, reporting requirements under
our license issued by the Cyprus Securities and Exchange Commission and complying with, inter
alia, the FATCA rules and the CRS rules); (ii) the processing is necessary for the performance of
an agreement which you have entered into with us and in order to take steps at your request
prior to entering into the said agreement(s); (iii) you have given consent (if and where
applicable); and (iv) the processing is necessary for the purposes of the legitimate interests
pursued by us.

Such legitimate interests include, inter-alia, our business and/or commercial interests and the
management, operation and marketing of our business and/or our exercise or defence of legal
claims and/or the prevention of fraud and money laundering activities and/or to disclose
information to other data recipients such as our service providers, auditors and technology
providers and/or to comply with obligations or internal policy requirements of our business,
and/or to monitor and improve our relationships with you and/or to keep our internal records

and/or to monitor communication to/from you using our systems and/or to protect the integrity
of our IT systems.

Where we decide to rely on explicit consent to process your personal data, we will contact the
relevant data subject to request this accordingly. In case consent is relied solely upon to achieve
a lawful basis of processing of your personal data, you will have the right to withdraw this
consent at any time.

6. Disclosure of Personal Data

We disclose your personal data to the following categories of recipients:

  • other member companies and/or entities of and/or affiliated entities to the group of
    companies which we belong to;
  • our clients, contractors, business partners and/or other business affiliates;
  • our auditors, administrators, lawyers, tax advisors, valuators, consultants, accountants,
    investment advisors, credit reference and fraud prevention agencies and other
    professional advisors (as shall be engaged from time to time);
  • our IT and data reporting service providers and other companies who assist us with the
    effective operation of our business by providing technological expertise, file storage and
    record management, logistic services and solutions and other subcontractors;
  • persons acting on behalf of beneficial owners, shareholders and any other stakeholders of
    our clients, contractors and/or business affiliates, being legal entities, including but not
    limited to payment recipients, beneficiaries, account nominees, correspondent and agent
    banks;
  • banks and/or other financial institutions, payment services providers, and insurance
    companies; and
  • supervisory and other public and regulatory authorities and other competent authorities of
    which we are a member and/or are licensed under (i.e. the Cyprus Securities and
    Exchange Commission, the Unit for Combating Money Laundering (MOKAS), criminal
    prosecution authorities), upon request or where required, for the purposes described
    above.

When we transfer personal data to countries located outside of the EEA, we carry out such
transfers (i) to a recipient who is in a country which provides an adequate level of protection for
personal data or (ii) to a recipient who is in a country which does not provide an adequate level
of protection for personal data, under appropriate safeguards pursuant to the provisions of
applicable data protection laws (e.g. under an agreement in the form of standard data protection
clauses adopted by the European Commission), the form of which is available at
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-
contracts-transfer-personal-data-third-countries_en. In some (occasional) cases we may carry
out such transfers where (a) we have obtained the explicit consent from the relevant data subject
in respect of the proposed transfer, provided that the data subject has been informed of the
possible risks of such transfer (due to the absence of an adequacy decision and appropriate
safeguards); (b) the transfer is necessary for the performance of a contract entered into between
the data subject and us, or (c) the transfer is necessary for the performance of a contract
concluded in the interest of the data subject and entered into between us and another person or
(d) the transfer is necessary for the establishment, exercise or defence of legal claims.

7. Your Rights as a Data Subject

  • Right of access – you have the right to request a copy of the information that we hold
    about you.

    You have the right to confirmation as to whether or not we process your personal data and,
    where we do, access to the personal data, together with certain additional information.
    Such additional information includes, inter alia, details of the purposes of the processing,
    the categories of personal data concerned and the categories of recipients of the personal
    data. The right to obtain a copy of your data shall not adversely affect the rights and
    freedoms of others.
  • Right of rectification – you have a right to correct data that we hold about you that is
    inaccurate or incomplete.

    You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about
    you completed.
  • Right to be forgotten (right to erasure) – where certain criteria are met you can ask for
    the data we hold about you to be erased from our records.

    In some circumstances you have the right to obtain the erasure of your personal data without undue delay. Those circumstances include cases where (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent on which the processing is based solely on consent; (iii) you object to processing which is based on our legitimate interests and there are no overriding legitimate grounds for the processing; (iv) the processing is for direct marketing purposes; (v) the personal data have been unlawfully processed; and (vi) the personal data have to be erased for compliance with a legal obligation to which we are subject.

    The above shall not apply where processing is necessary (i) for exercising the right of
    freedom of expression and information; (ii) for compliance with a legal obligation which
    requires processing by a law to which we are subject; (iii) for reasons of public interest; or
    (iv) for the establishment, exercise or defence of legal claims.
  • Right to restriction of processing – where certain criteria are met you can ask to
    restrict the processing.

    In some circumstances you have the right to obtain from us the restriction of processing of
    your personal data. Those circumstances include cases where (i) you contest the accuracy
    of the personal data, for a period enabling us to verify the accuracy of the personal data;
    (ii) processing is unlawful but you oppose erasure and you request the restriction of their
    use instead; (iii) we no longer need the personal data for the purposes of our processing,
    but you require personal data for the establishment, exercise or defence of legal claims; and (iv) and you have objected to processing which is based on our legitimate interests,
    pending the verification of that objection.

    Where processing has been restricted on the basis of the above, we will continue to store
    your personal data. However, we will only otherwise process it (i) with your consent; (ii)
    for the establishment, exercise or defence of legal claims; (iii) for the protection of the
    rights of another natural or legal person; or (iv) for reasons of important public interest.
  • Right to object – you have the right to object to certain types of processing.

    You have the right to object on grounds relating to your particular situation, to the
    processing of personal data to the extent that such processing is based on being necessary
    (i) for the performance of a task carried out in the public interest or in the exercise of any
    official authority vested in us; or (ii) for the purposes of the legitimate interests pursued by
    us or by a third party. If you make such a request, we will cease to process the personal
    data unless we have compelling legitimate grounds for the processing, or the processing is
    for the establishment, exercise or defence of legal claims.
  • Right of portability – you have the right to have the data we hold about you transferred
    to another organisation.

    You have the right to receive personal data which you have provided to us in a structured,
    commonly used and machine-readable format and the right to transmit those data to
    another data controller. However, please note that this right to data portability only arises
    where (a) the processing is based on consent (as and where applicable) or is necessary for
    the performance of a contract to which you are a party; and (b) the processing is carried
    out by automated means (as and if applicable). In conforming to such requests, we will not
    adversely affect the rights and freedoms of others.
  • Right to withdraw consent – where the processing is based on your written consent
    you have the right to withdraw consent at any time, without affecting the lawfulness of
    processing based on consent before its withdrawal.

    To the extent that the legal basis for our processing of your personal information is
    consent (as and where applicable), you have the right to withdraw that consent at any
    time, such withdrawal will not affect the lawfulness of processing before the withdrawal.
  • The right to lodge a complaint to a supervisory authority

    You have a right to lodge a complaint with the Office of the Commissioner for the
    Protection of Personal Data in Cyprus at any time.

8. Retention of personal data

We shall process and store your personal data for as long as you have a Business Relationship
with us and for [six years] thereafter unless otherwise requested by a competent authority
and/or as required under applicable law. Your personal data may be retained for longer periods
for the purposes of our legitimate interests in case of any legal process commencing prior to the
completion of the [six-year] period.

9. Security

As part of our privacy policy, we process personal data which is adequate, relevant and limited
to what is necessary in relation to the purposes mentioned above. We implement appropriate
technical and organizational measures to ensure an adequate level of security appropriate to the
applicable risk. Such measures aim to prevent unauthorized or unlawful processing, accidental
loss, destruction or damage of personal data and include inter-alia, pseudonymization and
encryption of personal data.

10. Our Website

We use a number of cookies on our website [https://www.polyvalent.capital/] for analytics and
for remarketing features, which inter-alia allow us to better track usage of our website and to
reach users who have previously visited our website. In doing so, we may collect and/or process
personal data of visitors to our website, which is adequate, relevant and limited to what is
necessary.

11. Further Information

Further information and/or queries and/or requests regarding the processing of your personal
data and any of your rights (where applicable) in respect of your personal data, can be requested
by contacting us in writing as follows:

By e-mail: info@polyvalent.capital

By post: 2 Vasileos Pavlou Street, Office 301, 1096 Nicosia, Cyprus

Amendments

This Privacy Notice is kept under regular review and is updated from time to time. We will,
where appropriate, notify you about amendments as soon as practically possible.