Last Updated: 23 March 2021
The General Data Protection Regulation (“GDPR”) applies to the processing of personal data in the context of the activities of an establishment in the European Economic Area (“EEA”), as well as to firms outside the EEA that process personal data relating to the offering of services to individuals in the EEA. The UK General Data Protection Regulation (“UK GDPR”) applies to the same matters within the United Kingdom, as from the date 1 January 2020.
What information do we collect?
As described in detail below, we collect certain identifying information from or about you in connection with your use of, or any of your submissions to, the System (collectively, the “Collected Information”). Collected Information includes, without limitation, any information that may be used to identify an individual, including, but not limited to, a first and last name, a phone number or an email address. The purposes for which we may collect, store and use personal data about you and our ‘lawful basis’ for processing such data are set out in the table below. The law specifies certain ‘lawful bases’ for which we are allowed to use your personal data.
- To correspond with you, send you information or promotional materials that you have requested.
- Corresponding with third parties such as service providers, legal advisors, auditors and technology providers and regulatory authorities to comply with any legal obligation imposed on us or in order to pursue our legitimate business interests.
- To maintain our records.
- To operate the System and deliver the Services, including to provide certain services and improve the user experience, maintain System integrity and security, conduct research and analysis to maintain, protection, develop, and improve the System. This may include analysing your use of our System.
Lawful Basis for Processing
- Our legitimate interests in responding to your enquiry, sending you the information you have requested or otherwise communicating with you in the course of our business.
- Compliance with applicable legal obligations. Our legitimate interests in conducting our business in a proper manner.
- Our legitimate interests in conducting our business in a proper manner.
- Our legitimate interests in studying how our System and Services are used, keeping our website updated and relevant, to develop our business and inform our marketing strategy.
In addition to the uses above, please note that we may also process your information where we are required by law to do so or if we reasonably believe that it is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
How do we collect this information?
We typically collect personal data about you when you provide information to us when communicating or transacting with us in writing by filling in forms or by corresponding with us by post, phone, e-mail or otherwise. For instance, when you request information from us or otherwise correspond with us.
We may collect personal data about you from various third parties and public sources, such as analytics providers; search engines; providers of payment, delivery or other similar services; data brokers; recruitment agencies; aggregators; and other similar service providers or publically available sources.
We appreciate your questions and comments about the System and Services and welcome your messages at our “Contact Us” page, which you can find here: Contact Us. If you correspond with Henderson Park through the System or via email, the Collected Information may include the content of, and metadata regarding, any correspondence you may have with us. We may share your messages with those within our organization who are most capable of addressing the issues contained in your message. We may archive your message for a certain period of time or discard it.
With whom do we share information that we collect?
We do not sell, rent, or lease our user lists or the identity of individual users to third parties. However, Henderson Park may use and disclose certain aggregated, anonymized information, such as System usage data, to our trusted business partners. As this information has been anonymized it can no longer identify you and is no longer personal data.
Henderson Park does not disclose personal data about its clients to non-affiliated third parties, except as required or permitted by law, for its everyday business purposes (such as to process transactions or service a client account), or pursuant to joint marketing agreements that are subject to contractual and legal restrictions. Under certain circumstances, Henderson Park may also disclose Collected Information if we become subject to a subpoena or court order, or if we are otherwise legally required to disclose information. We may also use and disclose Collected Information to establish or exercise our legal rights, to enforce the Terms, to assert and defend against legal claims, or if we believe such disclosure is necessary to investigate, prevent, or take other action regarding actual or suspected illegal or fraudulent activities or potential threats to the physical safety or well-being of any person.
As Henderson Park grows and develops its business, it is possible that its corporate structure or organization might change or that it might merge or otherwise combine with, or that it or portions of its business might be acquired by, another company. In any such transactions, Collected Information may also be transferred.
We may need to share your personal data with:
- other entities within our group as part of our regular reporting activities in company performance, in the context of a business reorganisation or group restructuring exercise or for assistance in relation to marketing and business development;
- professional advisers including lawyers, bankers, auditors and insurers to the extent such information is relevant to their performance of their services;
- regulators; and
- any of our service providers where such information is relevant to their performance of such services.
How long will we retain your information?
We will retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements and our legitimate interests in maintaining such personal information in our records. In doing this we will have regard to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally, we will keep information relevant to our dealings with you for a minimum period of 7 years following the last date of activity or longer as required by applicable law or regulation.
In some circumstances your personal data may be anonymised so that it can no longer be associated with you, in which case it is no longer personal data.
Once we no longer require your personal data for the purposes for which it was collected, we will securely destroy your personal data in accordance with applicable laws and regulations.
What choices do you have?
When submitting information, corresponding, making requests for information, and otherwise interacting with Henderson Park and its representatives through or in connection with the System, you choose what information to supply or submit, whether you wish to receive further information, and how you may be contacted. You are not required or obliged to share such information and should only share information that you believe is necessary or appropriate. However, please note that our website may automatically collect certain technical data (further details on this are in the ‘How do we collect this information?’ section).
Your rights in relation to your information
Where GDPR and/or UK GDPR applies to the processing of your personal data, you have rights as an individual which you can exercise in relation to the information we hold about you under certain circumstances. These rights are to:
- request access to your personal data (commonly known as a “data subject access request”) and request certain information in relation to its processing;
- request rectification of your personal data;
- request the erasure of your personal data;
- request the restriction of processing of your personal data;
- object to the processing of your personal data;
- request the transfer of your personal data to another party.
If you want to exercise one of these rights please contact us at email@example.com.
You also have the right to make a complaint at any time to a supervisory authority for data protection issues.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
How do we protect information collected about you?
Social media platforms and websites
We may share your personal data within our group or with service providers located in other jurisdiction, which may involve transferring it outside of the United Kingdom and European Economic Area. Where this is done, we will ensure a similar degree of protection is afforded to it by implementing safeguards such as:
- Ensuring your personal data is only transferred to countries which have been deemed to be provide an adequate level of protection for personal data by the applicable regulator under GDPR or UK GDPR, as applicable.
- Ensuring our contracts with service providers including appropriate undertakings, such as the European Commission’s standard contractual clauses, to give personal data the same protection it has in Europe.
The System (including the Site and Services included therein) is intended for a general audience and is not intended for use or view by children. We do not knowingly collect information about children or sell products to children. Consistent with the US’s Children’s Online Privacy Protection Act, we will not knowingly collect any information from children.
Visiting the System from outside the United States
If you are visiting the System, or any part thereof, from outside of the United States of America, please be aware that your information may be transferred to, stored or processed in the United States as our website is hosted there and also in order for us to correspond with you or otherwise provide the information you have requested where our United States partnership is better placed to correspond with you.
The data protection and other laws of the United States and other countries might not be as comprehensive as those in your country, but please be assured that we take steps to protect your privacy. Where this is the case, we will (or will require a processor to) put in place appropriate safeguards such as the EEA-approved standard contractual clauses to ensure that your personal data is treated in a manner that is consistent with and respects the EEA laws on data protection. In particular, we have put in place standard contractual clauses to regulate the processing of personal data which is transferred from the UK and EU-based entities and the US-based entities of our Henderson Park. If you require further information about this you can request it from firstname.lastname@example.org.
Do Not Track Requests
Privacy Notice for California Residents
This provision supplements the information contained above and applies solely to investors who reside in the State of California. Henderson Park does not sell your information.
The term “Personal Information” as used herein any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records. This information may include the Investor’s name, address, telephone number, e-mail address, passport number, social security number, taxpayer identification number, bank account number, transaction history, and other Personal Information.
Personal Information Collected
- Personal identifiers, including your name, physical address, email address, phone numbers, customer number, account password, and IP address or other unique identifier;
- Financial information, such as financial account information;
- Internet or other electronic activity information, such as your device and browser type, your browsing and search history on our Site, and information regarding your interaction with our Site;
- Information about an Investor’s transactions with Henderson Park; and
- Inferences drawn from any of the information identified above.
Use of Personal Information
- Providing our services to you;
- Facilitating your use of the Site;
- Responding to requests for information;
- Customizing your experience of the Site;
- Marketing purposes; and
- Preventing fraud, activities that violate our Terms of Service or that are illegal, and to protect our rights and the rights and safety of our users or others.
Sharing Your Information
Henderson Park generally does not disclose any non-public Personal Information about Investors to any non-affiliated parties. In the 12 months prior to the date of this Policy, we may have disclosed each of the categories of Personal Information identified above to the following categories of entities:
- To service providers that help us operate our business. Henderson Park restricts access to non-public Personal Information to those personnel, agents or other parties that need to know that information in order to provide services to Henderson Park;
- To non-affiliated parties at the request of an investor or with an Investor’s consent (with respect to information relating to such Investor); and
- To data analytics providers. We may share your Personal Information with data analytics providers that help us manage how visitors use and interact with our Site, including the products we offer.
We may also share your Personal Information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We may also share your Personal Information with third parties to help detect and protect against fraud or data security vulnerabilities. And we may transfer your Personal Information to a third party in the event of a merger, reorganization of our entity or other restructuring. For the limited purposes outlined above, Henderson Park may internally disseminate non-public Personal Information concerning Investors. However, Henderson Park will use commercially reasonable efforts to ensure that such information is treated in accordance with the principles set forth above.
We have not sold your Personal Information in the last 12 months, and do not, and will not, sell your Personal Information.
California Consumer Privacy Act of 2018. The California Consumer Privacy Act of 2018 (the “CCPA”) grants California residents certain rights with respect to their Personal Information, including, as described below, the right to know about, delete, and if applicable, opt-out of the sale of their Personal Information. These rights are subject to certain limitations, however, such as that they do not all apply to Personal Information about employees, applicants, and contractors, or information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). These rights also do not apply to information subject to the Gramm-Leach-Bliley Act. Where we decline to grant a request pursuant to an applicable exception, we will provide you with an explanation.
Right to request disclosure of information we collect or share about you. You can submit a request to us for the following data regarding the Personal Information we have collected about you in the 12 months prior to our receipt of your request (a “request to know”):
- The categories of Personal Information we have collected;
- The categories of sources from which we collected the Personal Information;
- The business or commercial purposes for which we collected the Personal Information;
- The categories of third parties with which we shared the Personal Information;
- The categories of Personal Information we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Information; and
- The specific pieces of Personal Information we collected.
You have the right to request the deletion of Personal Information we have collected from you. Upon request, we will delete the Personal Information we have collected about you, except for situations where specific information is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law.
The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
How can you make a request to exercise your rights?
To exercise the rights described above, you may submit a request to us by either e-mailing us at email@example.com. The request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information and it must describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will not deny services, charge different prices, offer a different quality of service or otherwise discriminate against you for exercising these rights.
How we will handle a request to exercise your rights.
For requests to know or delete, we will first acknowledge receipt of the request within 10 business days of receipt of your request. We will provide a substantive response to your request within 45 days from receipt of your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfil, we’ll let you know.
When you make a request to know or delete your Personal Information, we will take steps to verify your identity. These steps may include asking you for Personal Information, such as your name, address, or other information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.
You are also entitled to submit a request for Personal Information that could be associated with a household as defined in the CCPA. To submit a request to know or delete household Personal Information, such requests must be jointly made by each member of the household, and we will individually verify all of the members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.
You may also designate an authorized agent to submit requests on your behalf. If you do so, you will be required to verify your identity by providing us with certain Personal Information as described above. Additionally, we will also require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request. We will deny the request if the agent is unable to meet submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met.