Oxx Ltd is authorised and regulated by the Financial Conduct Authority.
References to “Amadeus companies managed by Oxx” (or similar) refers to companies in which funds managed by Amadeus Capital Partners Limited have invested, and in respect of which Oxx provides consultancy, board representation, advisory and/or monitoring services to Amadeus Capital Partners Limited.
Information we collect from you
Whether you are an individual investor or a director/shareholder of a company that we are thinking of investing in, or someone from within our network who wishes to have a relationship with us, we may collect and process different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from investments you are involved in and share information.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call us.
Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
How we collect your personal data
Personal data you give us. This may include Identity Data, Contact Data and Financial Data about you that you give us by filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. It includes personal data you provide when you register to receive Oxx’s news and updates, subscribe to any of our services, participate in discussion boards or other social media functions on our site and when you report a problem with our site.
Personal data we collect about you. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. We may also collect your Identity Data and Contact Data from publicly available sources, to send you communications which make suggestions and recommendations to you about services or investments that may be of interest to you. You will always be provided with the opportunity to opt-out of receiving these communications (see “Marketing” below).
Personal data we receive from other sources. This is personal data we receive about you if you use any of the other websites we operate or the other services we provide. In this case, we will have informed you when we collected that data if we intend to share that data internally and combine it with data collected on this site. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example: (i) business partners such as accountants and lawyers, located both inside and outside the EU; (ii) portfolio companies, investors and suppliers, located both inside and outside the EU; (iii) analytics providers such as Google based outside the EU; and (iv) publicly available sources such as Companies House and the Electoral Register based inside the EU).
Uses made of the personal data
We use personal data held about you in the following ways: We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we are about to enter into or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third party direct marketing communications to you via email or text message.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
Type of data
Lawful basis for processing including basis of legitimate interest
To register you when you sign up to join our network or apply for investment
To process any payments by you or us: (a) Manage payments, (b) Collect and recover money owed to us (c) Transfer funds
(a) Identity (b) Contact
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to develop our business)
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To research and develop potential investments and talent opportunities within our network
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications (f) Job history
(a) Performance of a contract with you (b) Necessary for our legitimate interests (for running our business, and carrying out due diligence in preparation for an investment)
To enable you to interact with us, through our website and social media platforms
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how individuals interact with us, to help develop and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity (b) Contact (c) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant website content to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
(a) Technical (b) Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about services or investments that may be of interest to you
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile
(a) Consent (where you are a consumer and you have opted in to receiving these suggestions and recommendations); or (b) Necessary for our legitimate interests (to develop our products/services and grow our business)
Carrying out checks required by law such as Know Your Client and requirements necessitated by our LPs
(a) Identity (b) Contact (c) Profile
Necessary to comply with a legal obligation
To invite you to events that we think may be of interest to you
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile
Necessary for our legitimate interests (to develop our products/services, grow our business, and educate our membership on relevant material)
As part of our investment evaluation process we are willing to execute a Non-Disclosure Agreement (NDA) in our standard form at your request. Our standard form NDA is based on the British Private Equity & Venture Capital Association standard model.
Oxx is likely to receive and store personal information as part of its investment evaluation process. If you are involved in a transaction that Oxx and/or the funds that it manages or advises enters into, or a potential transaction that Oxx considers, we may store personal information relating to you. This might include your CV, details of your previous employment history and professional activities, information relating to your financial status and dealings, nationality information (including copies of identity documents, such as a passport), references provided by third parties, and results of other due diligence carried out. We collect and store this information for the purposes of:
Evaluating a transaction and your role in it;
Managing an investment once made;
Maintaining records of investments;
Meeting regulatory and legal obligations e.g. KYC checks;
Safeguarding our legal rights and interests;
Seeking and receiving advice from our professional advisors, including accountants, lawyers and other consultants; and
Providing periodic business updates, as described below.
We store and process information in this way because it is necessary to:
perform a contract to which you are likely to be a party;
comply with a legal or regulatory obligation; and/or
protect our legitimate interests in running and promoting our business.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). If you are an individual, you will receive marketing communications from us because you have requested to receive them or previously entered into a contract with us and, in each case, you have not opted out of receiving marketing.
If we are contacting you as a business then we are entitled to contact you on the basis of our legitimate interests (to develop and grow our business) with marketing information provided that you have not previously opted out of receiving such communications. In some circumstances you may receive marketing communications from us if we have collected your Identity Data and Contact Data from a publicly available source, however you will always be provided with the opportunity to opt-out of receiving these communications.
We will get your express opt-in consent before we share your personal data with any company outside the Oxx group of companies for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by contacting the Compliance Officer at 20 North Audley Street, London, W1K 6WE or at any time.
Disclosure of your personal data
We may have to share your personal data with the parties set out below for the purposes set out above:
Any member of the Oxx Group, which includes any Oxx entity that directly or indirectly controls, is controlled by, or is under common control with another Oxx entity acting as both controllers and processors based inside and outside the EU.
Selected third parties including:
Business partners, including portfolio companies and investors, acting as processors or joint controllers based inside and outside the EU.
Suppliers and sub-contractors acting as processors based inside and outside the EU who provide IT and systems and administration services.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK, the US and other jurisdictions outside the EEA who provide consultancy, banking, legal, insurance and accounting services.
Regulators and other authorities, including HMRC acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.
Analytics and search engine providers based in jurisdictions both inside and outside of Europe that assist us in the improvement and optimisation of our site.
Please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or if you want further information on the Oxx Group or any third party with whom we share your personal data.
We will disclose your personal data to third parties:
In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.
If Oxx or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We share your personal data within the Oxx Group. This may involve transferring your data outside the European Economic Area (EEA). Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
Please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our Document Retention & Management Policy which you can request by contacting us.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. You have the right to ask us not to process your personal data for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting the Compliance Officer at 20 North Audley Street, London, W1K 6WE or email@example.com. Under certain circumstances, by law you have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal data to another party. If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us.
No fee usually required
You will not have to pay a fee to exercise any of your rights as set out above. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity to ensure that you do have a right to exercise any of your rights as set out above. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
We will not usually rely on your consent as the legal basis for processing your personal data. In the limited circumstances where we have requested you to consent to the processing of your personal data for a specific purpose, and you have provided such consent, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Compliance Officer at 20 North Audley Street, London, W1K 6WE or firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Third party sites
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
We use a fund administrator service provider, NCM Fund Services, to provide KYC checks. Information about how NCM Fund Services process your personal data can be found here (https://www.ncmfundservices.com/page/privacy-statement)
This version was last updated on 10th October 2019.
Environmental, Social, Governance (“ESG”) Policy
As institutional investors, we have a duty to act in the best long-term interests of our beneficiaries. In this fiduciary role, we believe that environmental, social and corporate governance (ESG) issues can affect the performance of investment portfolios (to varying degrees across companies, sectors, regions, asset classes and through time). We also recognise that applying these principles may better align investors with broader objectives of society.
Oxx has opted to comply with the UN Principles of Responsible Investing, and conducts its own activities in a manner consistent with those principles, although no group entity is a signatory. Our policy incorporates Invest Europe / BVCA guidance.
Therefore, where consistent with our fiduciary responsibilities, we commit to the following:
to incorporate ESG issues into investment analysis and decision-making processes;
to be active owners and incorporate ESG issues into our ownership policies and practices;
to seek appropriate disclosure to Oxx on ESG issues by the entities in which it invests;
to promote acceptance and implementation of the principles within the investment industry;
to work together to enhance our effectiveness in implementing the principles; and
to report on our activities and progress towards implementing the principles.
In addition to opting to comply with the UN Principles of Responsible Investing, Oxx also commits to applying best practices to the operations of the firm in relation to environmental, social and governance issues. This includes offsetting the carbon dioxide emissions from flights taken by Oxx employees in the course of business for the firm.
2. ESG risk
Oxx is a technology investor and so ESG risk will generally be considered to be low. Investee companies are almost always intrinsically aligned with wider environmental and social objectives. Entrepreneurs are usually progressive on environmental and social matters.
Technology companies generally operate within an environment where worker entitlements, environmental laws, and rights based on age, race, or gender are well developed and policed, and have broad support. This is not always the case and care must be taken in assessing if a prospective investee company is in line with best practices in relation to worker diversity, inclusion and equality.
Care must also be taken where, for example, manufacturing is involved or where there may be subsidiaries or operations in less developed markets, where there may be greater ESG risks.
3. ESG issues
3.1 Environmental Issues
3.1.1 Material usage & recycling – what is the indirect impact of raw material manufacture required for the prospective investee company? How much of this material comes from recycled or sustainable sources?
3.1.2 Energy usage, energy savings and energy saving initiatives – what is the direct contribution to carbon emissions from the prospective investee company’s activities? Will this represent a significant constraint in a carbon-constrained world?
3.1.3 Water usage and sources – what is the direct impact on water resources of the prospective investee company’s activities? Will the business still be viable in a water-constrained world?
3.1.4 Emissions, effluents and wastes from both normal and abnormal (e.g. accident) conditions – what are the outputs of prospective investee company’s activities, and how can these be mitigated or minimised?
3.1.5 Mitigation of product and services impacts – does the prospective investee company (need to) take action to minimise the total environmental impact of its product? Could stakeholder perception of these impacts reduce the prospective investee company’s viability in the longer term?
3.1.6 Environmental protection, expenditure and investment – has the prospective investee company allowed sufficient provisions within the business model for current and future required environmental expenditure? Are provisions associated with legal compliance or a move towards best practice?
3.1.7 Compliance with environmental laws – is the prospective investee company in material compliance with relevant local, national and international environmental laws? Could non-compliance represent a significant risk of prosecution and/or business interruption?
3.1.8 Impacts of transportation of goods, raw materials and labour force – what is the carbon footprint associated with logistics, business travel and commuting?
3.1.9 Impacts on global and local environment and biodiversity, both positive and negative – how does the prospective investee company’s activity impact on global and local environment, including flora and fauna?
3.1.10mplications of climate change – what could the longer term considerations be for the prospective investee company in a carbon-constrained world? Does this potentially undermine the current business model?
3.2.1 Workforce profile and turnover (by number, region, contract, benefits etc.) – are statistics suggestive of a balanced work force with equal opportunities? Is this topic already well covered by the prospective investee company through compliance with relevant local legislation where it is in place (e.g. in Sweden)? Is employee retention supporting or hindering the business?
3.2.2 Health and safety compliance and performance – is the prospective investee company at risk of fines, penalties or regulatory intervention? Does the prospective investee company take appropriate steps to protect the health and safety of its employees?
3.2.3 Diversity of staff and equal opportunities (pay relative to gender, age and ethnic origin) – is this in line with recognised best practice and relevant local legislation where it is in place (e.g. in Sweden), taking into account the prospective investee company’s stage of maturity?
3.2.4 Non-discrimination – is there sufficient evidence that employees are treated fairly and equally? Is there any litigation underway or pending which could have a significant adverse impact on the prospective investee company (financial or otherwise)?
3.2.5 Wages relative to local norm – how well is the workforce remunerated relative to accepted (including legal) local standards?
3.2.6 Employee relations – is there a history of general disputes between the management and staff over e.g. pay, or working conditions and practices?
3.2.7 Security practices – are personnel in high risk areas provided with sufficient security and protection? Are security personnel sufficiently trained in understanding human rights of employees or others?
3.2.8 Human rights conformance and awareness – does the prospective investee company ensure that human rights of its employees are considered and protected?
3.2.9 Child labour rates, and measures to combat this; forced and compulsory labour rates, and measures to combat this – does the prospective investee company meet legal requirements or best practice in this area? Is there a risk of reputational damage or litigation which could impact the prospective investee company?
3.2.10 Obligations under local laws/regulations, based on number of violations and actions taken – is the prospective investee company considerate of local law obligations? Is there a risk of reputational damage associated with previous or current activities? Could there be significant market opportunities to improve this reputation?
3.3 Corporate Governance
3.3.1 Structure and functioning of the board of directors and management team – how is the composition of the board determined? Are there any independent directors? Are regular board meetings held and are these fully minuted?
3.3.2 Corruption-related incidents, anti-corruption policies and actions taken – does the prospective investee company take a firm stance on anti-corruption, and have there been any incidents which could result in penalties or negative publicity?
3.3.3 Overall business compliance with relevant laws and regulations – are there risks associated with fines or regulatory intervention? Has the prospective investee company allowed sufficient contingency within the business model for reasonably foreseeable legal requirements?
3.3.4 Financial controls, reporting and accounting – are the accounting records fully up to date and compliant and prepared in keeping with internationally recognised accounting standards?
3.3.5 Cyber security - does the board have sufficient awareness of the risks to their information systems from cyber-crime? Does the company have in place sufficient systems and procedures to safeguard the security, integrity and confidentiality of information held?
3.3.6 Anti-competitive behaviour – is there a risk of penalties, legal intervention or reputational damage?
3.3.7 Public policy positions, e.g. lobbying and political donations – could any of these public positions result in positive or negative reputational impact?
3.3.8 Overall business integrity – has any senior manager or board member been, or is, under investigation by law enforcement or regulatory authorities? Are there any other key concerns?
4. Prohibited Investments
In line with general principles Oxx will not invest in companies that:
are associated with material and / or systemic violations of the laws, rules or regulations laid down by the national authorities in the markets in which such enterprises operate;
which contribute to or is responsible for material and / or systemic violations of the human rights that are specified by the UN Declaration of Human Rights or labour rights as specified by the UN / International Labour Organisation, e.g. forced labour, child labour or other form of child exploitation;
the core business of which is engaged in activities resulting in material and / or systemic breaches of internationally recognised conventions, protocols or norms;
are associated with material and / or systemic corruption;
are domiciled in a country subject to trade embargoes imposed by the UN or the EU;
are involved in the manufacturing, production, distribution or sale of weapons and firearms;
is involved in the production, distribution, marketing or sale of tobacco, unless at a retail level and as an incidental and minor activity;
are involved in prostitution, the sex industry or the production, distribution or sale of pornography, unless at a retail level and as an incidental or minor activity;
are involved in usury;
are involved in gambling, unless as an incidental or minor activity.
5. Oxx ESG process
Oxx applies a process to both its ESG initial due diligence and ongoing monitoring of investments.
For investee companies, Oxx expects team members to consider whether there is anything about the company’s strategy or business model that is inherently inimical to good ESG practices. This includes anticipating potential ESG-related risks that may arise in future stages of growth. Usually, such concerns would be prejudicial to a positive investment decision.
Investment managers are expected explicitly to consider and report on ESG factors in all investment recommendations presented to the investment committee of any fund managed by a group company, both for initial, follow-on investments and on-going monitoring.
6. Guidance on due diligence
When conducting due diligence and monitoring, we should consider both current practices of the company that offend ESG principles, and how this may change in the future. We will also need to consider where the company is in its life-cycle when reviewing ESG - the ESG factors which affect an early stage company will be different to a larger growth company.
We will also distinguish between issues that are inherent to the company’s activity / business model, or so deeply ingrained in the controlling management / founders that there is effectively no solution and issues that can be resolved or mitigated in a timely way at some future point in the company’s development. Where issues can be resolved, we need to formulate an approach as to how to fix them, and either ensure this is concluded prior to our investment, or is implemented after our investment.
We should not completely disregard past problems that have been fixed as these may need monitoring for reoccurrence.
We should also weigh costs against benefits, especially where these are inextricable. For instance: most companies will have some carbon emissions. But even where the benefits outweigh the costs (which they usually do), workable ways of reducing those (ESG) costs further should still be considered.
In both the initial and ongoing assessments and reporting, we should consider if any potential risk or negative impact has beenidentified, and, if so, what has / is been done to resolve or mitigate this.
In summary, we should distinguish between:
current practices of the company that offend ESG principles, and
how this might change after the Company has scaled (if not already at scale). Consider the position with sales at $100m. What about $1bn?
And distinguish between:
issues that are inherent to the Company’s activity / business model, or so deeply ingrained in the controlling management / founders that there is effectively no solution, and
issues that can be resolved or mitigated in a timely way at some future point in the company’s development.
Problems in the first category clearly give rise to the question whether to invest at all.
7. Oxx carbon offsetting policy
For each flight taken by Oxx employees in the course of business for the firm an estimate will be made of the carbon dioxide emissions resulting from that flight using
At the end of each calendar year the total amount of carbon dioxide required to be offset will be calculated and each Oxx employee will select offsetting projects from https://www.goldstandard.org/take-action/offset-your-emissions to offset their share of the carbon dioxide emissions.
8. Review of ESG policy and procedures.
ESG policy and procedures will be reviewed on an annual basis.
Updated: January 2020