Last updated: Mon, 30 May 2022 16:49:34 GMT

Privacy

1. WHO WE ARE

This is the Privacy Notice for Growth Impact, L.P. Fund (the ' Fund'), an English private fund limited partnership established under the laws of England and Wales with registered number LP022519 and its principal place of business at 113-115 Fonthill Road, London, England, N4 3HH.

The partners to the Fund are Big Issue Invest Fund Management (' BIIFM') and UnLtd Social Investments Ltd (' UnLtd') and their affiliates (together, the ' Partners', 'we', 'our' or 'us'). The Partners jointly manage the operations and activities of the Fund through Growth Impact GP Ltd, a company whose shares are jointly held by BIIFM and UnLtd and incorporated under the laws of England and Wales, registered under number 14013384, whose registered office is at 113-115 Fonthill Road, London, United Kingdom, N4 3HH (the ' Company').

We have agreed that we will each take individual responsibility for compliance with applicable data protection laws in respect of the elements of the processing we undertake. This Privacy Notice is issued jointly on behalf of the Partners.

2. SCOPE OF THIS PRIVACY NOTICE

This Privacy Notice describes how we gather and use personal data that we collect:

For the purposes of applicable UK and EU data protection laws, (' the UK and EU Privacy Laws'), including Regulation (EU) 2016/679 (the ' EU GDPR'), the UK equivalent of the EU GDPR (the ' UK GDPR') and the Data Protection Act 2018, BIIFM and UnLtd will be joint controllers of any personal data collected in connection with the Fund and the Company.

3. HOW TO CONTACT US

If you have any questions regarding our use of your personal data in connection with the activities of the Fund, or this Privacy Notice, please contact the Partners via the 'contact us' page on the Website, or the Partners individually at enquiries.gif@bigissue.com in respect of BIIFM and at DPO@unltd.org.uk in respect of UnLtd stating it is a query about your personal data or this Privacy Notice.

4. THE PERSONAL DATA WE PROCESS AND HOW WE COLLECT IT

We collect your personal data in the following ways, and we only collect the personal data necessary to carry out our business for the purposes set out in the section 6 ('How we use your personal data') below:

Information you provide to us

We collect your personal data when you decide to interact with us (e.g., via the contact section of the Website, when you visit our offices, when you communicate with us over email or the telephone, when you apply for a job with us, etc.) including your name, email address, postal address, title, job title, telephone number, passport or other government-issued identification, financial information, CV information and/or demographic data including in respect of ethnicity, gender and sexual orientation, as appropriate.

Whilst we do not normally collect special category or sensitive personal data, in the event you provide us with any special category or sensitive personal data, we will seek your consent or we will rely on substantial public interest,in order to process that personal data in accordance with applicable UK and EU Privacy Laws.

We may also collect personal data about you such as your IP address through automated technology when you access and use our Website, such as cookies and similar technology.

Information provided by third parties or publicly available sources

We collect personal data from third parties, such as a CV sent to us by a recruiting firm, background information from a background check provider, personal data we viewed on social media (e.g., LinkedIn) or information obtained from publicly available lists of individuals subject to sanctions or trade restrictions.

If you represent one of our vendors, business partners or portfolio companies, we may also collect your personal data (i.e., basic identifying and contact information, including your name, title, work email address, work postal address, job title and/or work telephone number and/or demographic data including in respect of ethnicity, gender and sexual orientation, as appropriate) from the entity that you work where this is necessary to receive products or services from, or otherwise conduct business with, such third party.

We process information in relation to companies that we are evaluating in connection with a corporate transaction or potential investment. This information may include your personal data including name, title, email address, postal address, job title, telephone number, passport or other government-issued identification, financial information, job and benefits information and/or demographic data including in respect of ethnicity, gender and sexual orientation, as appropriate.

5. WHAT DATA WE COLLECT

The personal data that we may collect or process about you is:

Information we collect or generate about you

In running and maintaining our website we may collect and process information about your use of our site including details of your visits such as pages viewed, length of visits and the resources that you access. Such information includes traffic data, location data and other communication data. We will automatically collect technical information including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), page response times, download errors.

Information that you provide to us

This includes information about you that you give us by communicating with us, whether face-to-face, by phone, e-mail or otherwise. This information may include, but may not be limited to, your name, address, contact telephone number, email address and role description.

We may also collect your personal data as part of KYC/AML checks conducted when you agree to receive an investment, loan or a grant from us. Where you are the legal signatory of your organisation, have the authorisation to make payments from your organisation's bank account, are an individual with significant control, or hold a different key role in your organisation, the personal data we may collect will typically include: your full name, year of birth, gender, address, email and telephone number, as well as copies of personal documents and proofs of address.

Special Category Personal Data

We do not normally collect special category or sensitive personal data. In the event you provide us with any special category or sensitive personal data, we will take extra care to ensure your rights are protected, in accordance with applicable data protection laws.

We may also ask for equal opportunities monitoring information about the leadership of your organisation and will collect this data where provided. To the extent we collect sensitive personal data such as ethnicity, gender or sexual orientation, it will be collected for the purposes of equal opportunities monitoring or treatment and we rely on substantial public interest as described in the UK and EU Privacy Laws.

6. HOW WE WILL USE YOUR PERSONAL DATA

We rely on various legal bases under the UK and EU Privacy Laws in order to process your personal data (including basic contact and identifying information and IP addresses, and, where appropriate, more sensitive types of personal data such as passport information and financial information, etc.), including for our legitimate interests, contractual necessity and as required by law. We use the personal data we collect to operate our business, conduct business with you and perform essential or legitimate business operations.

Your personal data may be used by us for the following purposes:

Purpose Legal Basis
Providing you with services, products or information which you have requested. Contractual necessity; and/or our legitimate interest in operating our business and providing investment services.
Managing our relationship with you (e.g. ensuring we know how you prefer to be contacted), including to schedule and facilitate meetings (in-person and online) and to administer your participation in any of our events. Our legitimate interest in operating our business and providing investment services.
To verify your identity (including to conduct anti-money laundering checks and to enable you to access our offices) and to conduct conflicts checks. Legal requirement; and/or our legitimate interest in operating our business and providing services securely.
To protect against, identify and prevent, fraud, money-laundering, cyber attacks, theft of our property and other unlawful activity. Legal requirement; and/or our legitimate interest in operating our business and providing investment services securely.
Reporting to the appropriate legal and regulatory authorities, and complying with the law. Legal requirement; and/or our legitimate interest in operating our business and providing investment services securely.
To conduct due diligence activities in connection with an actual or prospective corporate transaction or investment which are evaluated by the Fund. Our legitimate interest in operating our business and providing our investment services; contractual necessity; and/or legal requirement.
For the purpose of promoting equal opportunity or treatment with an actual or prospective corporate transaction or investment which are evaluated by the Fund. Substantial public interest and our legitimate interest in operating our business and providing investment services.
Assessing risks to public funding where relevant, and fulfilling reporting requirements where provision of statistical information has been agreed with external funders. Our legitimate interest in operating our business and providing our investment services; contractual necessity; and/or legal requirement.
Understanding how we can improve our services, products or information delivery. Our legitimate interest in operating our business.
Conducting sectoral research. Our legitimate interest in operating our business.
Providing you with details of other services offered by the Fund, including through marketing communications. Our legitimate interest in operating our business.
Profiling - to enable us to communicate with you effectively, we may sometimes use your data for analysis purposes, based on information that you have provided to us; such as location, marketing sources, behaviour and interests. We use anonymised data in all our profiling activities. Our legitimate interest in operating our business.
Corporate transaction and investment reporting. Legal requirement
Litigation management and conducting internal audits and investigations Legal requirement; and/or our legitimate interest in operating our business.
To obtain advice from our professional advisors, including lawyers and accountants. Our legitimate interest in operating our business.
For any other purpose that has been notified, or has been agreed, in writing. Consent.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

7. SHARING YOUR PERSONAL DATA

In general, once received by us, your personal data is processed by us, and we do not pass personal data provided by you to third parties. Where we do share your personal data, we do so with the following recipients and categories of recipients:

Partners

Where any of the Partners use your personal data as an independent controller or for purposes different to those stated in this Privacy Notice, the relevant Partner will inform you through its own privacy notice or seek consent from you as required by UK and EU Privacy Laws.

External funders

Some of the Fund's services and programmes are delivered using external funds. Where this is the case, we may be required to provide statistical or narrative information to those funders. This will typically be information about your organisation and the services received from us but may include personal data. Where provided, personal data will be held by funders primarily for oversight, audit and assurance purposes to prevent fraud and ensure that funds have been spent in accordance with regulations and the purposes agreed with the funder.

Service providers

We may share your personal data with third parties in order to fulfil the purposes set out in this Privacy Notice. We will only share your personal data with service providers that have a need to know that personal data, where we have an appropriate data processing agreement (or similar protections) in place, and they will not be able to use your personal data for their own purposes (e.g. for their own marketing purposes).

We may also share your personal data with individuals who help us deliver or improve our work, products or services (such as external evaluators, awards panel members) or who have a legitimate interest in our work (such as committee members). We will ensure that any persons authorised to access your personal data have a need to know that personal data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Fraud prevention agencies

Your personal data may be shared with fraud prevention agencies for the purpose of determining, preventing or detecting crime, or for safeguarding purposes, who will use it to prevent fraud and money laundering and to verify your identity.

Agencies and authorities if required by law

We may disclose your personal data to any law enforcement agency, court, regulator, government authority, or in connection with any legal action if we are required to do so to meet a legal or regulatory obligation, where the request is proportionate, or otherwise to protect our rights or the rights of anyone else (for example, in response to valid and properly served legal process such as a warrant). We will attempt to notify you prior to disclosing your data unless (i) prohibited by applicable law from doing so, or (ii) there are clear indications of unlawful conduct in connection with your use of the Fund's services.

We may also disclose your personal data:

We will only share personal data to the extent they need that personal data to carry out their work and subject to appropriate security measures.

Related Entities

We may share your personal data with any of our current or future affiliates or members of the Fund.

Professional advisors and auditors

We may disclose your personal data to professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.

Replacement providers

We may also share your personal data in the following circumstances:

Otherwise, your personal data will only be disclosed or shared in special exceptional cases, where we are obligated or entitled to do so by statute or upon binding order from a public authority.

We will never pass on your personal data to third party organisations without your explicit and informed consent other than for the purposes as described above.

We do not sell or share your personal data to third parties for the purposes of marketing.

8. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

How long we hold your personal data for will vary. The retention period will be determined by various criteria including:

We only keep your personal data for as long as we need to, to be able to use it for the reasons given in this Privacy Notice. In general terms we remove identifiable personal data from our records, in accordance with the following:

9. ACCURACY

We will take all reasonable steps to keep personal data accurate, complete, current and relevant, if it is used on an ongoing basis and based on the most recent information available to us. If we are advised of a change in information, we will update your personal data accordingly. Please notify us of any changes to your personal data.

10. SECURITY AND RETENTION OF PERSONAL DATA

We are committed to taking all reasonable and appropriate steps to protect the personal data we collect from you from against improper use or disclosure, unauthorised access, unauthorised modification, and unlawful destruction or accidental loss and against all other unlawful forms of processing. We have taken and will take appropriate information security, technical, storage and organisational measures to achieve this, including measures to deal with any suspected data breach, and will notify you and any applicable regulator of a breach where we are legally required to do so. All service providers who are involved with the processing of your information are also obliged to respect the confidentiality of your personal data. We protect your personal data by storing it securely and we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know and who need to know that personal data.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet (including our Website) entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted over the internet (including our Website) and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

If you suspect any misuse, loss, or unauthorised access to your personal data please let us know immediately using the contact details set out in section 3 of this Privacy Notice. We will investigate the matter and update you on next steps.

We will keep your personal data only for as long as is reasonably necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required by law. We will not keep more personal data than we need for those purposes. For further information about how long we will keep your personal data, please contact us using the contact details set out in section 3 of this Privacy Notice.

11. WHERE WE TRANSFER YOUR PERSONAL DATA

The personal data that we collect from you may be transferred to, processed and stored at a destination outside the United Kingdom (' UK') or the European Economic Area (which means the 28 European Union member states, together with Norway, Iceland and Liechtenstein, ' EEA'), including by our third-party service providers. Your personal data may also be processed by staff operating outside the EEA or UK who work for us or for one of our service providers.

In the event that your personal data is transferred to, or stored in a country outside of the EEA or UK, such transfers will be made in accordance with the UK and EU Privacy Laws.

For further information about the safeguards used, please contact using the contact details set out in section 3 of this Privacy Notice.

12. CAPACITY

The Website is only intended for individuals who are at least 13 years of age. We do not knowingly encourage or solicit visitors to this Website who are under the age of 13 or knowingly collect personal data from anyone under the age of 13 without parental consent. If we learn we have collected or received personal data from an individual under the age of 13, we will delete that personal data.

13. COOKIES

Information regarding how you access this Website (e.g., browser type, access times, and Internet Protocol (IP) address) and your hardware and software may be collected through the use of cookies (a small text file placed on your hard drive) or other technologies or tools. This information is used to improve Website performance and for our business purposes. Where cookies are not necessary for us to provide the products or services you have requested or for the functioning of this Website, we will ask you to consent to their use. You may opt-in to accept cookies automatically by changing the settings on your browser. If you opt-out of certain cookies, you may not be able to access certain parts of this Website.

You may wish to visit www.aboutcookies.org, which contains comprehensive information about types of cookies, how they are used, and how you manage your cookie preferences.

14. YOUR RIGHTS

You have various rights in relation to the personal data which we hold about you as described below.

To get in touch with us about any of your rights under applicable data protection laws, please use the contact details set out in section 3 of this Privacy Notice. We will seek to deal with your request without undue delay, and in any event within any time limits provided for in applicable data protection law (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise. We may need to request specific information from you to help us confirm your identity.

### Right to be informed

You have the right to be informed about how we collect and use your personal data.

### Right to access your information

You have the right to ask for a copy of the personal data that we hold and process about you free of charge, however we may charge a reasonable fee, if we think that your request is excessive, to help us cover the costs of locating the information you have requested.

### Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

### Right to erasure

You have the right to request that we 'erase' your personal data in certain circumstances. Normally, this right exists where:

We would only be entitled to refuse to comply with your request for erasure in limited circumstances, including where prevented due to legal obligations, and we will always tell you our reason for doing so. When complying with a valid request for the erasure of personal data we will take all reasonably practicable steps to delete the relevant personal data.

### Right to restrict processing

You may request that we stop processing your personal data (other than storing it), if: (i) you contest the accuracy of it (until the accuracy is verified); (ii) you believe the processing is against the law; (iii) you believe that we no longer need your personal data for the purposes for which it was collected, but you still need your personal data to establish or defend a legal claim; or (iv) you object to the processing, and we are verifying whether our legitimate grounds to process your personal data, override your own rights. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

### Right to data portability

This only applies to personal data you have given us. If you wish to transfer the personal data that we hold and process about you on the legal ground of contractual necessity to another organisation (and certain conditions are satisfied), you may ask us to do so, and we will send it directly if we have the technical means. We must do this if the transfer is, as the regulation says, 'technically feasible'.

The right only applies if we are processing data based on your consent or for the purpose of performing a contract with you.

### Right to object

This right enables you to object to us processing your personal data where we do so for one of the following reasons:

### Withdrawal of consent

If you previously gave us your consent (by a clear affirmative action) to allow us to process your personal data for a particular purpose not specified in this Privacy Notice, but you no longer wish to consent to us doing so, you can contact us to let us know that you withdraw that consent.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

15. HOW TO COMPLAIN

You have the right to make a complaint to your local supervisory authority with regards to how your personal data has been processed by us under:

• the UK GDPR and/or Data Protection Act 2018, please contact the UK Information Commissioner's Office – https://ico.org.uk/global/contact-us; or

• the EU GDPR, please contact your local supervisory authority in particular in the EU Member State of your habitual residence, place of work, or place of the infringement, concern or complaint.

Please raise your concern with us first and we will do our best to help.

16. CHANGES TO THIS PRIVACY NOTICE

We reserve the right to amend this Privacy Notice from time to time by updating this Privacy Notice. If we decide to change our Privacy Notice, we will post those changes so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to collect personal data or use any collected personal data in a manner different from that stated at the time it was collected, we will notify applicable users. We will use information only in accordance with the Privacy Notice under which the personal information was collected.