Epiris Privacy Notice and Cookies Notice

Last Updated: April 2024

Your personal data and privacy is important to us.

We are committed to safeguarding your personal data and protecting your privacy.

This privacy notice and cookies notice (“privacy notice”) explains how Epiris LLP collects, processes and safeguards personal data. It also tells you about your rights and choices with respect to your personal data, and how you can contact us in case of any questions. In particular, the privacy notice describes:

How this privacy notice applies to you
Who the controller of your personal data is
How to contact us
What personal data we collect
Where do we source your personal data, and how?
Who we share your personal data with?
Where do we transfer your personal data to?
What are the purposes and legal grounds for our processing of your personal data?
How we look after your personal data
How long we keep your personal data for
How we keep your personal data up to date
Your rights in respect of your personal data
Your FAQs answered
Children
Cookies

Section 1: How this privacy notice applies to you

This privacy notice applies to you as a:

visitor to our website located at http://www.epiris.co.uk and any other website that we operate (the “websites”); and/or
shareholder, director or senior member of staff (either an employee, independent contractor or any other non-employee classification) of a business into which we are considering making an investment.

The above individuals are collectively referred to in this privacy notice as “you”, or “your”.

Any notices or statements relating to data, data protection, fair processing, and/or privacy that we may issue at the time of collecting personal data about you will supplement this privacy notice. They are not intended to override it.

We may change this privacy notice from time to time to reflect changes in the law and/or our personal data handling activities and data protection practices. We encourage you to check this privacy notice for changes whenever you visit our website, as we may not always notify you of the changes.

Please note that our websites contain links to third party websites. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites or online services operated by third parties, and Epiris is not responsible for the data protection or privacy policies of those third parties.

Section 2: Who the controller of your personal data is

The websites are made available by Epiris LLP (“Epiris”, “we”, “us”, “our”).

We are the controller of any of your personal data pursuant to the EU General Data Protection Regulation 2016/679 (GDPR), the GDPR as incorporated into the laws of the United Kingdom and the UK Data Protection Act 2018 together with any other relevant applicable data laws and regulations.

Epiris is an English company (registration number: OC412384) and our registered office is at Forum St Pauls, 33 Gutter Lane, London EC2V 8AS.

Section 3: How to contact us

If you have any questions or concerns regarding the practices described in this privacy notice, please contact us by:

email at dataprotection@epiris.co.uk; or

post to FAO: Compliance Manager at Epiris LLP, Forum St Pauls, 33 Gutter Lane, London EC2V

If you do contact us, we will do our utmost best to address any concerns you may have about our processing of your personal data.

Section 4: What personal data we collect

Personal data means any information relating to an identified or identifiable individual. It does not therefore include data where the identity has been irreversibly removed (anonymous data).

We may collect, process, use, store, share, and transfer (generically referred to in this privacy notice as handling) the following different types of personal data about you depending on how we interact with you.

Website use

Contact information and communications – when you contact us via email, telephone, or by other means we will collect personal data including your name, home address, personal and work-related email addresses, telephone number and the content of your communications;
Personal details – including date of birth, gender, visa status, nationality, image, national insurance number, copy of your passport
Technical data – when you use our websites, we will automatically receive technical information, such as IP address, browser type and language, access times and referring website addresses. For more information please see Section 15 below;
Other data – any other personal data, which you may provide to us via our

Investment purpose

Contact information and communications – including name, home address, work-related email addresses, telephone number. When you contact us, we also collect the content of your communications;
Personal details – including date of birth, gender, visa status, nationality, image, national insurance number, copy of your passport;
Professional and educational information – including previous or concurrent positions held, qualifications, language skills, attendance at educational establishments;
Role details – such as status of your current position, performance ratings, details of any disciplinary actions, contract length, benefit plan participation details, leave, periods of absence, job history;
Financial details – such as salary information, benefit information, pension details, details of any shareholding you might have in any other business;
Referee data – such as the referee name, email address, telephone number, employment information and qualifications. If you provide us with personal data about a third party, please provide them with this privacy notice.
Assessment information – including information on (our evaluation of) your performance on assessment and personality tests you may take so we can better assess your suitability for involvement in a transaction.
AML information – such as information relating to anti-money laundering checks and other background information we are legally required to collect from you.

We will not collect any special categories of personal data about you.

Special categories of personal data include personal data that reveal your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

References throughout this privacy notice to your personal data are to all the types of personal data listed within this Section 4 that apply to you and any other types that we collect from you.

Section 5: Where do we source your personal data, and how?

We will primarily collect your personal data directly from you when you visit our websites.

In the case of the investment purpose, we will collect it from you directly or from the company into which we are considering making the investment.

We also obtain personal data from third parties, such as background checking organisations, identity verification organisations, and your referees. In addition, we collect personal data from publicly available sources (such as LinkedIn).

Some personal data is automatically collected when you use the websites, through cookies and similar technologies. Please read Section 15 for more information.

Section 6: Who do we share your personal data with?

We do not sell personal data. In accordance with applicable law, we may disclose your personal data to the following categories of entities:

Service providers, which help us operate the websites or our business including:

identity verification organisations;
background checking organisations;
any other third party service providers, (such as hosting, information technology and cybersecurity, email delivery, and website analytics services).

Your referees, to assess your suitability for involvement in a transaction.

Affiliates of Epiris LLP, including any entity that we may establish or purchase from time to time.

Our professional advisors, including our lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others, including law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.

Business transferees, including acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganisation, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Epiris or our affiliates (including in connection with a bankruptcy or similar proceedings).

Section 7: Where do we transfer your personal data to?

We generally store and handle your personal data on servers located in an EEA member state or in the UK. We may transfer your personal data to service providers or other third parties, in countries outside the UK or the EEA such as the US, which may not provide the same protections as the data protection laws where you are based. When we transfer your personal data to third countries, unless we can rely on a derogation provided under applicable data protection laws, we will ensure that relevant safeguards are in place to afford adequate protection for your personal data and we will comply with applicable data protection laws, by relying on an adequacy finding by the UK Government or by the European Commission or on pre-approved contractual protections for the transfer of your personal data. For more information about how we transfer personal data internationally, please contact us.

Section 8: What are the purposes and the legal grounds for our processing of your personal data?

Website use

Purpose/Activity	Types of personal data	Legal basis/grounds for handling
To operate, maintain, improve, monitor, and protect the websites, including troubleshooting, testing, and research to keep the website secure; and investigating and protecting against fraudulent, harmful, unauthorised, or illegal activity.	Contact information Technical data	The processing is necessary for the legitimate interest of operating and maintaining safe and functional websites.
To enable us to respond to an enquiry or other request you make when you contact us via our websites, and to provide you with support.	Contact information Personal details Technical data	The processing is necessary for the legitimate interest of responding to an enquiry or providing you with information that you have requested.
To better understand how you interact with our websites, including its functionality and features, and ensure that content is presented in the most effective manner and is personalised to you.	Technical data	The processing is necessary for the legitimate interest of being able to offer our website visitors the best experience we can.
For marketing purposes, in the form of newsletters, invitations to events, and competitions run by us.	Contact information Personal details	The processing is necessary for the legitimate interest of sending marketing to website visitors.
To comply with laws and regulations and to defend Epiris against legal claims or disputes, including to protect our, your, or others’ rights, privacy, safety, or property.	Contact information Personal details Technical data	The processing is necessary to comply with legal obligations or for the legitimate interest of defending Epiris against legal claims or disputes.

Investment purpose

Purpose/Activity	Types of personal data	Legal basis/grounds for handling
For the purposes of: assessing potential transactions; maintaining records of investments; administering any transaction that we enter into; assessing your suitability for involvement in a transaction, including by verifying your identity; providing periodic business updates; seeking and receiving advice from our professional advisers, including accountants, lawyers, and other consultants.	Contact information Personal details Professional and educational information Role details Financial details	The processing is necessary for the legitimate interest of assessing whether or not we will invest in the business you are connected to; or, the processing is necessary to (take steps to) enter into a contract with you.
For the purposes of complying with legal and regulatory requirements relating to counter-terrorist financing or KYC and anti-money laundering laws and regulations.	Contact information Personal details Professional and educational information Role details Financial details	The processing is necessary for compliance with a legal obligation to which we are subject.
To comply with laws and regulations and to defend Epiris against legal claims or disputes, including to protect our, your, or others’ rights, privacy, safety or property.	Contact information Personal details Professional and educational information Role details Financial details	The processing is necessary for compliance with a legal obligation to which we are subject.
Complying with our regulatory, tax, and legal obligations, including assessing and managing risk.	Contact information Personal details Professional and educational information Role details Financial details	The processing is necessary for compliance with a legal obligation.

Section 9: How we look after your personal data

We take appropriate technical, physical, and organisational measures designed to protect your personal data against unauthorised access, unlawful processing, accidental loss or damage, and unauthorised destruction. However, no security measures are failsafe and we cannot guarantee the security of your personal information.

In determining the appropriate security measures, we will take into account technological developments and assess the measures against the risk of harm that may result from any security breach.

Equipment and Information Security

To safeguard against unauthorised access to your personal data by third parties, all electronic copies of your personal data held by us is and will be maintained on systems that are protected by secure network policies and procedures, firewalls, network auditing, and intrusion detection systems.

The servers holding your personal data are backed up on a regular basis to avoid the consequences of any inadvertent erasure or destruction of such data. The servers are stored in facilities with comprehensive security and fire detection and response systems.

Access Security

We limit access to internal systems that hold your personal data to a select group of authorised users. Access to your personal data for investment purposes is limited to and provided to individuals for the purpose of assessing whether or not we will invest in the business to which you are related. Decisions regarding such access are made by our Compliance Officer.

If you suspect any misuse, loss of, or unauthorised access to your personal data, please let us know immediately by contacting us.

Section 10: How long we keep your personal data for

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

In the case of the investment purpose, for example, we will retain your personal data for the period it takes for us to make an assessment as to whether or not to invest in the business to which you are connected.

When determining any appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, you may ask us to delete your personal data. Please see the Section 12 below for further information.

Section 11: How we keep your personal data up to date

We take reasonable steps to ensure that your personal data is accurate, complete and up to date. We may contact you from time to time to check that the personal data is still correct.

Please let us know of any changes to your personal data as soon as you reasonably can so that we can uphold our commitment to accuracy, completeness and currency.

Section 12: Your rights in respect of your personal data

We set out below a list of the legal rights that you have under data protection laws in relation to our handling of your personal data. Note that they don’t apply in all circumstances:

Right to opt-out of marketing communications – We may send you marketing information by email. You may choose to stop receiving marketing communications by contacting us at dataprotection@epiris.co.uk or by following the unsubscribe language in such communications.

Right to be informed – about your personal data and details of the handling and processing of that personal data and information, including the safeguards used to protect any of your personal data in the event that we transfer it outside the EEA or the UK;

Right of access – to your personal data and to obtain information about how we handle and process it;

Right to have inaccuracies corrected – this is a right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;

Right of erasure – of your personal data, which is also known as the “right to be forgotten”;

Right to restrict handling and processing – of your personal data, which includes requesting us to suppress your personal data file;

Right to move, copy, or transfer– your personal data to another organisation, also known as “data portability”;

Right to object – to the handling and processing of your personal data for certain purposes;

Right to withdraw consent – you may withdraw any consent or permission that you have previously provided to us in relation to our handling and processing of your personal data; and

Right to complain – in all circumstances, you may complain to:
- us in relation to the handling of your personal data; or
- your local supervisory authority

Procedure to exercise your legal rights

Contact us – if you wish to exercise any of your legal rights please contact us at dataprotection@epiris.co.uk. In this instance, we’ll explain first whether or not the right you wish to exercise applies. We will then facilitate your request in accordance with the procedure below, if it does apply. Depending on where you reside, you may be entitled to empower an authorized agent to submit requests on your behalf. You are entitled to exercise the rights described above free from discrimination.

Fees – you will not have to pay a fee to access your personal data or to exercise any other rights that may apply. We may, however, charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Our request for further information – we may need to request certain information from you to help us confirm your identity before giving you the right to access your personal data (or to exercise any of your other rights that apply). This is a security measure to ensure that any personal data is not disclosed to any person who does not have the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. If applicable, we will also require authorized agents to confirm their identity and authority, in accordance with applicable laws.

Response time – we will respond to all legitimate requests as soon as we It should not take longer than a month to do so. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.

Section 13: Your FAQs answered

Who can I ask about this notice? – to ask us anything in relation to this privacy notice or any personal data that we may hold, please simply contact us at dataprotection@epiris.co.uk.

Can I request that you stop using my personal data? – you have legal rights in respect of your personal data. Please refer to Section 12 for more information on what legal rights you have and how you can exercise them.

What should you do if your personal data changes? – you should tell us by contacting us, so that we can update our records.

Do you have to provide your personal data to us? – no, you do not. However, should you choose not to this may affect our ability to invest in the company to which you are connected.

Section 14: Children

Our website and investment activities are not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us at dataprotection@epiris.co.uk.

Section 15: Cookies

Cookies are small files stored on your device to uniquely identify your browser or to store information or settings in the browser to allow us to distinguish you from other users of our websites for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, and helping us understand activity and patterns.

Our third-party service providers may also collect information about your usage and activity on the website using certain technologies which provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications. The use of these technologies by our third-party service providers, and/or partners is subject to their own privacy policies and is not covered by this privacy notice, except as required by law.

This privacy notice refers to all these technologies collectively as “cookies”.

You can decide if you want to accept cookies by changing the settings on your browser to either accept all cookies, reject all cookies or notify you when a cookie is set.

We can use both session-specific and persistent cookies.

Session-specific cookies are deleted when you leave the website. We use session cookies for the following purposes:

to hold the information given while using an interactive tool on the website;
to hold your details when you are logged into the site;
to hold your search criteria while you are doing a search of the website; and
to collect website usage and performance information - website usage information cookies contain no personal information and cannot be used to identify you.

Persistent cookies remain on your computer for a specified time. We use persistent cookies to collect website usage information for use as described above. These cookies do not directly identify you.

We use the following categories of cookies:

Removing and disabling cookies

You will be presented with a cookie banner to provide permissions prior to non-Essential cookies being set. In this case, we only set these non-Essential cookies with your consent. Further, if you do not wish to accept cookies on to your machine you can disable them via Cookie Settings, or by adjusting the settings on your browser. However this will affect the functionality of the websites you visit.