Privacy Notice

1. Who we are and how to contact us

This section gives you the legal name of the company that holds your information – known as the ​‘legal entity’ and tells you how to contact us.

You can find out more about us at www​.val​lalim​it​ed​.com

Valla’s Address is

Valla Limited, including its Affiliation Leader and the Participating Members

First Floor,

7 Esplanade,

St Helier,

Jersey,

JE2 3QA

Contact

Mathew Beale

Head of Compliance and MLRO and Information Security Officer

D/D: +44 (0)1534 883633 / M: +44 (0) 7797 747 490

E: Mathew.​Beale@​vallalimited.​com

Contacting us about data privacy

If you have any questions or want more details about any topics in this Privacy notice or how we use your personal and business information, you can contact Mathew Beale (see above) or email the Valla data privacy team at gdpr@​vallalimited.​com

2. Introduction

This Privacy Notice sets out how Valla deals with your personal data which we collect in the course of you and people and entities connected with you interacting with Valla entities.

Valla as an affiliation leader is made up of different legal entities know as participating members (collectively known as Valla Group) – see table below

Trust Company Business Affiliation for Valla Limited | JFSC Designation | JFSC NO | Valla Limited — | Affiliation Leader – | TCB0147 | | Valla Secretaries Limited – | Participating Member – | TCB0147.02 | | Valla Nominees 1 Limited – | Participating Member – | TCB0147.03 | | Valla Nominees 2 Limited – | Participating Member – | TCB0147.04 | | Valla Foundation Management Limited | Participating Member – | TCB0147.06 |

This privacy notice is issued on behalf of all the Valla entities (affiliation leader and participating members), so when we mention ​“we”, ​“us” or ​“our” in this privacy notice, we are referring to the relevant companies in the Valla Group responsible for controlling and or processing your data.

We will let you know which entity will be the controller/​processor for your personal data if you formally engage us to provide you with a service.

We take privacy and security of your information seriously and will only use such personal information as set out in this Privacy Notice and in ways which are reasonably ancillary to what is set out below.

The identity of the relevant Valla entity responsible for your personal data in such situations can be provided to you by email gdpr@​vallalimited.​com

References to ​“you” include all individuals whose personal data we collect, hold and process in the course of operating the various business within Valla.

Visitors to our website should review our Website Privacy Notice at www​.val​lalim​it​ed​.com

3. The personal information we process

a. Pursuant to sections 4 and 5 of this privacy notice, we may collect various types of personal data about you, including:

Your identification information (which may include your name, ID card and passport numbers, nationality, place and date of birth, gender, photograph and/​or IP address

Your data relating to claims, court cases and convictions,

Your data that identifies direct or indirect Politically Exposed Person (PEP) status,

Your tax status information (which may include your tax residency, tax ID and/​or tax status);

Your contact information (which may include a postal address and e‑mail address and your home and mobile telephone numbers);

Your family relationships (which may include your marital status, the identity of your spouse and the number of children that you have);

Your professional and employment information (which may include your level of education and professional qualifications, your employment, employer’s name and details of directorships and other offices which you may hold);

Your financial information, including sources of funds and wealth and details of your assets (which may include details of your assets, shareholdings and your beneficial interest in assets, and your credit history);

We may also collect and process personal data regarding people connected to us through professional (or other) associations or family relationships.

In addition to the above, we will collect other information as may be necessary for Valla to provide its services and to discharge its anti-money laundering and countering the financing of terrorism (AML/CFT) legal and regulatory obligations to Know its Client through the process of Customer Due Diligence (CDD) process.

4. Where we obtain your personal information

a. Pursuant to section 5 (why we collect your personal information) of this privacy notice we collect your personal information from the following sources:

Personal information which you give to us, including but not limited to:

Such other forms and documents as we may request that are completed in relation to the provision of any of our services;

Information gathered through client due diligence carried out as part of our compliance with regulatory requirements; or

Any personal information provided by way of correspondence with us by phone, e‑mail or otherwise;

Personal information we receive from third-party sources, such as:

Entities in which you or someone connected to you has an interest;

Your legal and/​or financial advisors;

Other financial institutions who hold and process your personal information;

Credit reference agencies and financial crime databases for the purposes of complying with our regulatory requirements; and

Personal information received in the course of dealing with advisors, regulators, official authorities and service providers by whom you are employed or engaged or for whom you act.

Held in a public register, e.g. information that is held in a central register of beneficial ownership in the country of establishment,

Persons that are subject to public disclosure rules, e.g. on exchanges or regulated markets (or consolidated subsidiaries of such persons), or subject to licensing by a statutory regulator

Information that is published in financial statements prepared under generally accepted accounting principles, or information available as a result of a listing of securities on a stock exchange;

Personal information publicly available,

In commercial databases and press reports.

From open internet sources via search engines (e.g. Google, Bing, etc.)

5. Why We Collect Your Personal Information

A. Lawful grounds for processing

a. We may hold and process your personal information on the following lawful grounds:

- The processing is necessary for our legitimate interests, provided your interests and fundamental rights do not override those interests;

- The processing is necessary to comply with our contractual duties;

- The processing is necessary to comply with our legal and regulatory obligations;-

- Where we have obtained your consent to processing your personal information for a specific purpose; and

- On rare occasions, where it is needed in the public interest.

B. Purposes of processing

a. Your personal information may be processed for the purposes set out below (“Purposes”).

b. The Purposes based on our legitimate interests are set out in the following paragraphs ​“b I to b iv” inclusive):

1. Facilitating the administration of our business and/​or our service providers;

2. Communicating with you as necessary in connection with our services;

3. Monitoring and recording telephone and electronic communications and transactions:

i. For quality, business analysis, training and related purposes to improve service delivery; and

ii. for investigation and fraud prevention purposes, for crime detection, prevention, investigation and prosecution of any unlawful act (or omission to act);

4. Disclosing your personal information to any Valla or financial institution in providing our services;

C. Other reasons for processing

a. To enforce or defend our legal and contractual rights or those of third-party service providers;

b. To comply with legal or regulatory obligations imposed on us, including but not limited to discharge its anti-money laundering and countering the financing of terrorism (AML/CFT) legal and regulatory obligations to Know its Client through the process of Customer Due Diligence (CDD) process.

c. Liaising with or reporting to any regulatory authority (including tax authorities) with whom we are either required to cooperate or report to, or with whom we decide or deem it appropriate to cooperate concerning tax matters.

6. Sharing Personal Information

a. To facilitate the running of our business and our services, we may share your personal information with our Group companies and third parties, including

- financial institutions

- investment managers

- lenders

- IT service providers

- auditors

- legal professionals

- Jersey government and regulatory bodies (e.g. JFSC)

b. Where we share your information with a third party, we require the recipients of that personal information to put in place adequate measures to protect it.

c. Where we transfer your personal information outside the European Economic Area, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. This can be done in a number of different ways, for instance:

- The country to which we send the personal information may be approved by the European Commissions providing adequate protection for personal data;

- By utilising a contract based on model contractual clauses which have been approved by the European Commission; or

- Where the recipient is located in the US, it may belong to the EU-US Privacy Shield scheme.

d. In other circumstances, the law may permit us to otherwise transfer your personal information outside the EEA.

- When transferring data between EU AND European Free Trade Association (EFTA). countries the necessary safeguards are deemed to be in place due to GDPR – The EU / EFTA countries are:

a. EU = Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

b. EFTA = Norway, Liechtenstein and Iceland

- Also, personal data can flow from the EU to a third country without any further safeguard being necessary where the EU has given equivalent status. The European Commission has so far recognised

- Andorra,

- Argentina,

- Canada (commercial organisations),

- Faroe Islands,

- Guernsey,

- Israel,

- Isle of Man,

- Japan,

- Jersey,

- New Zealand,

- Switzerland,

- Uruguay,

- The US (limited to the Privacy Shield framework) as providing adequate protection, and

- UK — the UK is guaranteed at least until 27 June 2025 unless extended.

If you would like further information about the safeguards we have in place to protect your personal information, please contact gdpr@​vallalimited.​com

7. Retention of personal information

a. Your personal information will be retained for as long as required:

- For the purposes for which the personal information was collected;

- In order to establish or defend legal rights or obligations or to satisfy any reporting or accounting obligations; and/​or

- As required by data protection laws and any other applicable laws or regulatory requirements.

8. Access to and control of personal information – your rights

a. You have the following rights (which may be exercisable depending on the circumstances) in respect of the personal information about you that we process:

- The right to access and to have portability of personal information;

- The right to rectify personal information;

- The right to restrict the use of personal information;

- The right to request that personal information is erased; and

- The right to object to processing of personal information.

b. You also have the right to lodge a complaint about the processing of your personal information either with us or with the applicable jurisdictional regulator for data protection matters:

- The Office of the Information Commissioner in Jersey (www.​oic​jer​sey​.org) in connection with Valla entities.

- Where we have relied on consent to process your personal information, you have the right to withdraw consent at any time. You also have the right to object to processing on the basis of legitimate interests (although this right is subject to certain exceptions).

- If you wish to exercise any of the rights set out in this paragraph, please contact gdpr@​vallalimited.​com

9. Communications and media

A. People who email us

a. Valla forces the use of TLS (an encrypted end-to-end tunnel) for the secure transmission of emails.

If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. Please contact us for further detail should you require it.

b. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software.

c. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

B. Concerning the sending of emails

Valla uses an encryption tool (galaxkey​.com), for all of its confidential messages.

Please contact us at gdpr@​vallalimited.​com for further information.

C. Visitors to our website

a. We are committed to protecting and respecting your privacy on-line. We are aware of the concern which exists over the use of personal information provided over the internet and therefore, we do not collect personal data through our website.

b. We do not control and are not responsible for the privacy policy of any website or organisation to which our website provides links. By including references, hyperlinks or other connections to such third party websites, we do not imply any endorsement of them or any association with their owners or operators.

D. Questions

a. If you have any questions about this data protection Privacy Notice or how we handle your personal information (e.g. our retention procedures or the security measures we have in place), or if you would like to make a complaint, please contact the Data Protection Officer at gdpr@​vallalimited.​com

E. Changes to this privacy notice

a. We keep our privacy notice under regular review.

b. This privacy notice was last updated on 25 April 2023.