Information we collect from you
Whether you are an individual investor or a director/shareholder of a company that we are thinking of investing in, or someone from within our network who wishes to have a relationship with us, we may collect and process different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from investments you are involved in and share information.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call us.
Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
How we collect your personal data
Personal data you give us. This may include Identity Data, Contact Data and Financial Data about you that you give us by filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. It includes personal data you provide when you register to receive Oxx’s news and updates, subscribe to any of our services, participate in discussion boards or other social media functions on our site and when you report a problem with our site.
Personal data we collect about you. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. We may also collect your Identity Data and Contact Data from publicly available sources, to send you communications which make suggestions and recommendations to you about services or investments that may be of interest to you. You will always be provided with the opportunity to opt-out of receiving these communications (see “Marketing” below).
Personal data we receive from other sources. This is personal data we receive about you if you use any of the other websites we operate or the other services we provide. In this case, we will have informed you when we collected that data if we intend to share that data internally and combine it with data collected on this site. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example: (i) business partners such as accountants and lawyers, located both inside and outside the EU; (ii) portfolio companies, investors and suppliers, located both inside and outside the EU; (iii) analytics providers such as Google based outside the EU; and (iv) publicly available sources such as Companies House and the Electoral Register based inside the EU).
Uses made of the personal data
We use personal data held about you in the following ways: We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we are about to enter into or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third party direct marketing communications to you via email or text message.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
Type of data
Lawful basis for processing including basis of legitimate interest
To register you when you sign up to join our network or apply for investment
To process any payments by you or us: (a) Manage payments, (b) Collect and recover money owed to us (c) Transfer funds
(a) Identity (b) Contact
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to develop our business)
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To research and develop potential investments and talent opportunities within our network
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications (f) Job history
(a) Performance of a contract with you (b) Necessary for our legitimate interests (for running our business, and carrying out due diligence in preparation for an investment)
To enable you to interact with us, through our website and social media platforms
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how individuals interact with us, to help develop and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity (b) Contact (c) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant website content to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
(a) Technical (b) Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about services or investments that may be of interest to you
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile
(a) Consent (where you are a consumer and you have opted in to receiving these suggestions and recommendations); or (b) Necessary for our legitimate interests (to develop our products/services and grow our business)
Carrying out checks required by law such as Know Your Client and requirements necessitated by our LPs
(a) Identity (b) Contact (c) Profile
Necessary to comply with a legal obligation
To invite you to events that we think may be of interest to you
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile
Necessary for our legitimate interests (to develop our products/services, grow our business, and educate our membership on relevant material)
As part of our investment evaluation process we are willing to execute a Non-Disclosure Agreement (NDA) in our standard form at your request. Our standard form NDA is based on the British Private Equity & Venture Capital Association standard model.
Oxx is likely to receive and store personal information as part of its investment evaluation process. If you are involved in a transaction that Oxx and/or the funds that it manages or advises enters into, or a potential transaction that Oxx considers, we may store personal information relating to you. This might include your CV, details of your previous employment history and professional activities, information relating to your financial status and dealings, nationality information (including copies of identity documents, such as a passport), references provided by third parties, and results of other due diligence carried out. We collect and store this information for the purposes of:
Evaluating a transaction and your role in it;
Managing an investment once made;
Maintaining records of investments;
Meeting regulatory and legal obligations e.g. KYC checks;
Safeguarding our legal rights and interests;
Seeking and receiving advice from our professional advisors, including accountants, lawyers and other consultants; and
Providing periodic business updates, as described below.
We store and process information in this way because it is necessary to:
perform a contract to which you are likely to be a party;
comply with a legal or regulatory obligation; and/or
protect our legitimate interests in running and promoting our business.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). If you are an individual, you will receive marketing communications from us because you have requested to receive them or previously entered into a contract with us and, in each case, you have not opted out of receiving marketing.
If we are contacting you as a business then we are entitled to contact you on the basis of our legitimate interests (to develop and grow our business) with marketing information provided that you have not previously opted out of receiving such communications. In some circumstances you may receive marketing communications from us if we have collected your Identity Data and Contact Data from a publicly available source, however you will always be provided with the opportunity to opt-out of receiving these communications.
We will get your express opt-in consent before we share your personal data with any company outside the Oxx group of companies for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by contacting the Compliance Officer at 20 North Audley Street, London, W1K 6WE or at any time.
Disclosure of your personal data
We may have to share your personal data with the parties set out below for the purposes set out above:
Any member of the Oxx Group, which includes any Oxx entity that directly or indirectly controls, is controlled by, or is under common control with another Oxx entity acting as both controllers and processors based inside and outside the EU.
Selected third parties including:
Business partners, including portfolio companies and investors, acting as processors or joint controllers based inside and outside the EU.
Suppliers and sub-contractors acting as processors based inside and outside the EU who provide IT and systems and administration services.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK, the US and other jurisdictions outside the EEA who provide consultancy, banking, legal, insurance and accounting services.
Regulators and other authorities, including HMRC acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.
Analytics and search engine providers based in jurisdictions both inside and outside of Europe that assist us in the improvement and optimisation of our site.
Please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or if you want further information on the Oxx Group or any third party with whom we share your personal data.
We will disclose your personal data to third parties:
In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.
If Oxx or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We share your personal data within the Oxx Group. This may involve transferring your data outside the European Economic Area (EEA). Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
Please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our Document Retention & Management Policy which you can request by contacting us.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. You have the right to ask us not to process your personal data for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting the Compliance Officer at 20 North Audley Street, London, W1K 6WE or email@example.com. Under certain circumstances, by law you have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal data to another party. If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us.
No fee usually required
You will not have to pay a fee to exercise any of your rights as set out above. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity to ensure that you do have a right to exercise any of your rights as set out above. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
We will not usually rely on your consent as the legal basis for processing your personal data. In the limited circumstances where we have requested you to consent to the processing of your personal data for a specific purpose, and you have provided such consent, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Third party sites
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
We use a fund administrator service provider, NCM Fund Services, to provide KYC checks. Information about how NCM Fund Services process your personal data can be found here (https://www.ncmfundservices.com/page/privacy-statement)
This version was last updated on 10th October 2019.