WEBSITE PRIVACY POLICY

1. 1. 1. 1.BACKGROUND
         1. 1.At Christofferson Robb & Company¹ (“CRC” / “we” / “us”) we respect the privacy of our clients and we are committed to keeping all your Personal Data secure. This Privacy Policy governs the handling of Personal Data by CRC in the course of carrying on commercial activities.
         2. 2.In this Privacy Policy, “Personal Data” means any data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, CRC (or its representatives or service providers). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of CRC or any other person in respect of an individual.
      2. 2.THE PRODUCTS AND SERVICES WE PROVIDE
         1. 1.This Privacy Policy relates to the following categories of information that we may collect about you:
            1. 1.information we receive through our websites (“CRC Websites”); and
            2. 2.information we receive in connection with our provision of investment products and services (“CRC Products and Services”).
      3. 3.THE TYPES OF PERSONAL DATA WE COLLECT
         1.  

1.Many of the services offered by CRC require us to obtain Personal Data about you in order to perform the services we have been engaged to provide. In relation to each of the services described at paragraph 2.1 above, we will collect and process the following Personal Data about you:

1. 1. 1. 1. 1.Information that you provide to CRC. This includes information about you that you provide to us. The kind of Personal Data we might ask for may include, by way of a non-exhaustive list:
            1. 1.basic Personal Data (such as first name; family name; position in the company; company name; job title; employment details; company email address; business phone number; business address; city; postcode; country);
            2. 2.sensitive Personal Data, which may be included in information we handle about your nationality, place of birth, health related information, disability status, or details of political affiliations.
         2. 1.  

2.Information that we may collect or generate about you. This includes (by way of non-exhaustive list):

1. 1. 1. 1. 1. 1.a file with your contact history to be used for client relationship purposes so that we may effectively provide services to you in connection with our provision of investment products and services;
            2. 2.information about our clients’ transaction history with us or the funds that we manage; and
            3. 3.information obtained through our traffic and security reports that include information on the internet usage of CRC’s websites (for example, what webpages were visited by each user and any documents downloaded).

1. 1. 1. 3.Information we may obtain from other sources. This includes (by way of non-exhaustive list):
         1. 1.information from publicly available sources, including third party agencies such as credit reference agencies, fraud prevention agencies, law enforcement agencies, public databases, registers and records; and other publicly accessible sources;
         2. 2.information obtained from professional advisers and other agents and/or representatives, including the service providers of the funds we act as investment manager for or any third parties you might ask us to deal with on your behalf;
         3. 3.information obtained from sanctions checking and background screening providers; and
         4. 4.technical information we collect through cookies about the services that you use and how you use them. For more information on the cookies used by CRC please see our Cookies Policy .
2. 1. 4.HOW WE USE YOUR INFORMATION

1. 1. 1. 1.1Your Personal Data may be stored and processed by us in the following ways and for the following purposes:

1. 1. 1. 1. 1.for ongoing review and improvement of the information provided on CRC Websites to ensure they are user friendly and to prevent any potential disruptions or cyber attacks;
         2. 2.to allow you to access and use the CRC Products and Services;
         3. 3.to assess the eligibility of you or the organisation you represent to invest in funds that CRC manages;
         4. 4.to communicate with you in order to provide you with services or information about CRC and CRC Products and Services;
         5. 5.to understand your needs and interests;
         6. 6.for the management and administration of our business;
         7. 7.in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; or
         8. 8.in accordance with section 4.2 below.

1. 1. 1. 1.2However we use Personal Data, we make sure that the usage complies with law and the law allows us and requires us to use Personal Data for a variety of reasons. These include:

1. 1. 1. 1. 9.we need to do so in order to perform our contractual obligations with our clients;
         2. 10.we have obtained your consent;
         3. 11.we have legal and regulatory obligations that we have to discharge;
         4. 12.we may need to do so in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
         5. 13.the use of your Personal Data as described is necessary for our legitimate business interests, such as:
            1. 1.allowing us to effectively and efficiently manage and administer the operation of our business;
            2. 2.maintaining compliance with internal policies and procedures;
            3. 3.monitoring the use of our copyrighted materials; and
            4. 4.enabling quick and easy access to information on CRC Products and Services.

1. 1. 2.DISCLOSURE OF YOUR INFORMATION TO THIRD PARTIES
      1. 2.1We may share your Personal Data within CRC for the purposes described above.
      2. 2.2We may also share your Personal Data outside of the CRC group for the following purposes:

1. 1. 1. 1. 14.with third party agents and contractors for the purposes of providing services to us (for example, CRC’s accountants, professional advisors and IT and communications providers). These third parties will be subject to appropriate data protection obligations and they will only use your Personal Data as described in this Privacy Policy;
         2. 15.to the extent required by law or regulation, for example if we are under a duty to disclose your Personal Data in order to comply with any legal obligation (including, without limitation, in order to comply with tax reporting requirements and disclosures to regulators), or to establish, exercise or defend its legal rights;
         3. 16.if we sell our business or assets, in which case we may need to disclose your Personal Data to the prospective buyer for due diligence purposes; and
         4. 17.if we are acquired by a third party, in which case the Personal Data held by us about you will be disclosed to the third party buyer.

1. 1. 3.INTERNATIONAL TRANSFERS OF PERSONAL DATA
      1. (A)CRC is a global business. Our clients and our operations are spread around the world. As a result we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country.
      2. (B)Where we transfer your Personal Data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside of Europe, for example, this may be done in one of the following ways:

1. 1. 1. 1. 18.the country that we send the data to might be approved by the European Commission as offering an adequate level of protection for Personal Data;
         2. 19.the recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your Personal Data;
         3. 20.where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme; or
         4. 21.in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.

1. 1. 1. (C)You can obtain more details of the protection given to your Personal Data when it is transferred outside Europe (including a copy of the standard data protection clauses which we have entered into with recipients of your personal data) by contacting us as described in paragraph 9 below.
   2. 4.HOW LONG WE KEEP YOUR PERSONAL DATA
      1. (A)How long we will hold your Personal Data for will vary and will be determined by the following criteria:

1. 1. 1. 1. 22.the purpose for which we are using it – CRC will need to keep the data for as long as is necessary for that purpose; and
         2. 23.legal obligations – laws or regulation may set a minimum period for which we have to keep your Personal Data.

1. 1. 5.YOUR RIGHTS
      1. (A)In all the above cases in which we collect, use or store your Personal Data, you have the following rights and, in most cases, you can exercise them free of charge:

1. 1. 1. 1. 24.the right to obtain information regarding the processing of your Personal Data and access to the Personal Data which we hold about you;
         2. 25.the right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation;
         3. 26.in some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to Personal Data which you have provided directly to CRC;
         4. 27.the right to request that we rectify your Personal Data if it is inaccurate or incomplete;
         5. 28.the right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data but we are legally entitled to retain it;
         6. 29.the right to object to, or request that we restrict, our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your Personal Data but we are legally entitled to refuse that request; and
         7. 30.the right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us.

1. 1. 1. (B)You can exercise your rights by contacting us using the details listed in section 9 below.
   2. 6.QUESTIONS AND CONCERNS

If you have any questions or concerns about CRC’s handling of your Personal Data, or about this Privacy Policy, please send your query to it@christoffersonrobb.com. We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive, you may escalate concerns to the applicable privacy regulator in your jurisdiction. Upon request, CRC will provide you with the contact information for that regulator.

1 ‘Christofferson Robb & Company’ refers to Christofferson, Robb & Company LLC and Christofferson, Robb & Company (UK) LLP, acting together or separately as the context requires.

General Data Protection Regulation

Privacy Notice

Christofferson Robb & Company (UK) LLP is a company registered in England and Wales with company number OC303662. Christofferson, Robb & Company, LLC is a company incorporated in the State of Delaware.

These companies are referred to below as ‘CRC.’

For the purposes of the General Data Protection Regulation (‘GDPR’), CRC will normally be the ‘controller’ of personal data that we have received. On occasion CRC may act in the capacity of a Data Processor where we have entered into a contract for the provision of Services.

Please read the following information carefully to understand CRC’s practices in relation to the treatment of your personal data.

 

CRC’s data privacy principles

CRC will:

• Process all personal data in a lawful, fair and transparent manner;
• Only collect personal data where it is necessary for …

–       CRC to provide a service to you / the company you represent (hereinafter referred to as “you,” appropriate to the context);

–       You / the company you represent to provide a service to CRC;

–       CRC to keep you informed of its products and services; or

–       CRC to comply with its legal and regulatory obligations.

• Collect personal data that is adequate, relevant and limited to what is necessary in relation to the specific purpose for which your data will be processed;

• Take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up-to-date;
• Maintain personal data in a form that permits identification no longer than is necessary for the purposes for which the personal data has been collected for processing, in accordance with CRC’s record retention procedures;
• Hold and process personal data in a manner that ensures appropriate security;
• Share personal data with other entities within CRC where necessary for the provision of services. Where such entities are outside of the EEA, personal data will be treated as is required under GDPR;
• Only share personal data outside of CRC where it is necessary to provide the agreed service or where it is necessary for CRC to comply with its legal requirements;
• Only use a service provider based outside of the EEA for the processing of personal data where this is strictly necessary to facilitate our services to you. In all cases, we will ensure service providers are fully compliant with GDPR ahead of transferring any personal data.

Personal data collected by CRC

The type of personal data (e.g., name, contact details, address etc.) that we may collect will depend upon the relationship between CRC and you. The data so collected may be provided directly by you or, where appropriate, provided by third parties e.g., references, credit checks, etc.

As a client, a contact, a service provider or employee (or prospective employee) of CRC we will require some personal information to verify your identity and have the applicable relationship with you. Some of this information may be required to satisfy legal obligations (e.g., HMRC) whereas other information may be required in connection with the provision of services to you. The information collected will vary depending on the service CRC provides to you or you provide to CRC, but typically includes:

• Personal information: Such as your name, date of birth, passport number or national insurance number;

• Contact information: Including your address, telephone number and email address.

Firm storage of personal data

CRC has comprehensive policies and procedures in place to ensure your personal data is kept safe and secure, with these including:

• Data encryption;

• Firewalls;
• Intrusion detection;
• 24/7 physical protection of the facilities where your data is stored;
• Background checks for personnel that access physical facilities; and
• Security procedures across all service operations.

Retention time for personal data

CRC will retain personal data for as long as is necessary for the purposes for which it was collected (or longer period if so required by law or legitimate interests) which will be at least for the period in which CRC has a business interest with you.
Any information that is outside the scope of this requirement will be retained whilst relevant and useful, and destroyed where this ceases to be the case or where the data subject specifically requests this.

 

CRC’s categorisation of you

GDPR requires CRC to inform you of the legal basis on which we maintain your personal data. As a general rule the following is applicable:

• Clients – Information is maintained on the basis of contractual obligation and/or legitimate interests (where relevant);

• Service providers – Information is maintained on the basis of contractual obligation;
• Database/marketing contacts – Information is maintained on the basis of legitimate interest; and
• Other contacts – we may on occasion request your consent to use and process personal data.

Data subjects’ rights

You have certain rights that apply in respect of your personal data, depending on your relationship with CRC and CRC’s legal and regulatory obligations. These include the right to:

• Request a copy of the information that we hold about you. If you would like a copy of some, or all, of your personal information, please email CRC (details shown below). CRC will provide this information to you within one month (with the ability to extend this by an additional two months where necessary), free of charge.

• Request that the information CRC holds about you is erased under certain circumstances including where there is no additional legal and/or regulatory requirement for CRC to retain this information.
• Request that any personal data you have provided to CRC be transmitted to another controller in a commonly used and machine-readable format, otherwise known as ‘data portability’.
• Ensure that your personal information is accurate and up to date, or where necessary rectified. Where you feel that your personal data is incorrect or inaccurate and should therefore be updated, please contact CRC (details shown below).
• Object to your information being processed, for example for direct marketing purposes.
• Withdraw your consent if CRC has relied upon ‘consent’ for the processing of personal data.
• Restrict the processing of your information, for example limiting the material that you receive or where your information is transferred.
• Object to any decisions based on the automated processing of your personal data, including profiling (although CRC does not use any automated processing or profiling). 

• Lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/  if you are not happy with the way that we manage or process personal data.

Notification of changes to this policy

CRC may, from time to time, review and update this policy. CRC will maintain the latest version of this policy on its website, and where the changes are deemed material, it will make you aware of these.

 

Contact details for questions

If you have questions, concerns or complaints about the practices contained within this document or how CRC has handled your data, please email the Data Protection Officer at info@christoffersonrobb.com.

California-Specific Privacy Policy

The California Consumer Privacy Act (“CCPA”) imposes certain obligations on Christofferson, Robb & Company LLC (the “Investment Manager”, “we” or “us”) and grants certain rights to California residents (“California Resident,” “you” or “your”) with regard to “personal information.” If you are a California Resident, please review the following information about your potential rights with regard to your personal information under the CCPA. The rights described herein are subject to exemptions and other limitations under applicable law.

Terms used herein have the meaning ascribed to them in the CCPA. The Investment Manager is a “business.” “Personal information” under the CCPA means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a California Resident or a household. It does not include deidentified information, aggregate consumer information or publicly available information, as those terms are defined in the CCPA.

Notice at Collection and Use of Personal Information

Information We Collect

Depending on how you interact with us, we may collect the following categories of personal information from or about you: (i) identifiers and similar information such as, name, address, date of birth, email address, social security number, driver’s license number, passport number, online identifiers or other similar identifiers; (ii) additional information subject to Cal. Civ. Code § 1798.80(e), including your, education, credit card number, state identification card number, signature, bank account or other financial information; (iii) characteristics of protected classifications under federal or certain state laws, including, gender, age, national origin, citizenship status, or marital status; (iv) commercial information, including records of products or services purchased, obtained, or considered, or other purchasing histories or tendencies, including funds invested, investments considered, or sources of wealth; (v) internet or other electronic network activity information, including interactions with our website or use of certain online tools; (vi) professional or employment-related information, including occupation, compensation, employer, and title; and (vii) inferences drawn from any of the information identified above to create a profile reflecting your preferences or similar information, including your potential interest in investing in new funds or products.

How We Use Collected Information

We may use your personal information for the following business or commercial purposes: (i) performing services on our behalf, including maintaining or servicing accounts, providing investor relations services, processing subscriptions, withdrawals, verifying information, processing payments or providing similar services; (ii) performing our contractual obligations to a California Resident as a subscriber to a fund, including processing initial subscriptions and providing updates on a fund’s performance, providing tax reporting and other operational matters; (iii) detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity, including preventing fraud and conducting “Know Your Client,” anti-money laundering, anti-terrorist financing, and conflict checks; and (iv) enabling or effecting commercial transactions, including, using bank account details to remit funds and process distributions.

Our Collection, Use, Disclosure and Sharing of Personal Information

Information We Have Collected

In the preceding 12 months, and depending on how you interact with us, we may have collected the categories of personal information listed above in the “Information We Collect” section.

Sources of Personal Information

We may collect personal information about you directly from you and/or your intermediaries through sources such as: (i) account applications, subscription agreements, and other forms or related documentation; (ii) written, electronic, or verbal correspondence with us or our service providers; (iii) investor transactions; (iv) an investor’s brokerage or financial advisory firm, financial advisor, or consultant; and/or (v) from information captured on applicable websites. In addition, we may collect personal information from different sources, such as: (i) our service providers; (ii) public websites or other publicly accessible directories and sources, including bankruptcy registers, tax authorities, governmental agencies and departments, and regulatory authorities; and/or (iii) from credit reporting agencies, sanctions screening databases, or from sources designed to detect and prevent fraud.

Purposes for Collecting Personal Information

We may collect your personal information for the business or commercial purposes described above in the “How We Use Collected Information” section.

Disclosure and Sharing Personal Information with Third Parties

We do not sell your personal information. We do not knowingly sell the personal information of California residents under 16 years old. We may disclose personal information to third parties in circumstances where we believe in good faith that disclosure is required or permitted under law, to cooperate with regulators or law enforcement authorities, to protect our rights or property or upon reasonable request by the fund in which you have invested.

In the preceding 12 months, we may have disclosed for a business purpose the following categories of personal information to third party entities who assist with fraud prevention, detection and mitigation, including credit agencies and to assist with anti-money laundering or anti-terrorism checks:

• •Identifiers (for example your name, address, DOB, SSN, driver’s license, passport number and online identifiers).
• •Additional information subject to Cal. Civ. Code § 1798.80(e) (for example, a signature, state identification card number, financial information, or bank account information).

We also may share your personal information with our service providers such as our information technology and email providers, the Fund’s administrator, professional services organizations, and other entities that have agreed to limitations on the use of your personal information, or entities that fit within other exemptions or exceptions in or as otherwise permitted by the CCPA.

California Residents’ Rights under the CCPA

If your personal information is subject to the CCPA, you may have certain rights concerning that information, subject to applicable exemptions and limitations, including the right to: (i) be informed, at or before the point of collection, of the categories of personal information to be collected and the purposes for which the categories of personal information shall be used; (ii) request that we delete any personal information about you that we collected, subject to certain exceptions (“Request to Delete”); (iii) request that we, as a business that collects personal information about you and that discloses your personal information for a business purpose, disclose to you (“Request to Know”): (a) the categories of personal information we have collected about you; (b) the categories of sources from which we have collected the personal information; (c) the business or commercial purpose for collecting the personal information; (d) the categories of third parties to whom we disclosed personal information about you for a business purpose; (e) the specific pieces of personal information we have collected about you; and (f) the categories of personal information we have disclosed about you for a business purpose; (iv) opt-out of the “sale” (as that term is defined in the CCPA) of your personal information if a business sells your personal information (we do not); and (v) not be discriminated against because you exercise any of your rights under the CCPA.

The CCPA does not restrict our ability to do certain things like comply with other laws or comply with regulatory investigations. In addition, the CCPA does not apply to certain information like personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act and its implementing regulations. Notwithstanding the foregoing, we reserve the right to retain, and not to delete, certain personal information after receipt of a Request to Delete from you where permitted by the CCPA or where another law or regulation is applicable.

How to Submit a Request under the CCPA

If your personal information is subject to the CCPA, you may submit a Request to Know, as described above, through the following toll-free telephone number 1 (800) 630-6408, or through our website at the following link: www.christoffersonrobb.com (see ‘Contact’ and click on crclegal@christoffersonrobb.com). You may submit a Requests to Delete through the following methods: via email to crclegal@christoffersonrobb.com or by mail to the General Counsel, Christofferson, Robb & Company, LLC, 720 Fifth Avenue, 13th Floor, New York, NY 10019.

We are required to provide certain information or to delete personal information only in response to verifiable requests made by a California resident or their legally authorized agent. When you submit a Request to Know or Request to Delete, we may ask that you provide clarifying or identifying information to verify your request. Such information may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, your name and email address. Any information gathered as part of the verification process will be used for verification purposes only.

You are permitted to designate an authorized agent to submit a Request to Know or a Request to Delete on your behalf and have that authorized agent submit the request through the aforementioned methods. In order to be able to act, authorized agents have to submit written proof that they are authorized to act on your behalf, or have a power of attorney. We may deny requests from authorized agents who do not submit proof that they have been authorized by you to act on your behalf. We may also require that you directly verify your own identity with us and directly confirm with us that you provided the authorized agent permission to submit the request.

We will deliver responses to verifiable consumer requests, free of charge, by mail or electronically, at your election. We will try to respond to your Request to Know or to Request to Delete within forty-five (45) days of receipt of the request. If we require more time, we will try to inform you of our need for an extension. Even with an extension, we will try to provide a response within ninety (90) days of initial receipt of the request.

Keep in mind that we are not required to provide information in response to Requests to Know more than twice in a 12-month period. Any response to a Request to Know will only cover the 12-month period preceding the verifiable request.

Contact for More Information

If you have any questions or concerns about this California-specific privacy policy, please contact crclegal@christoffersonrobb.com.

This California-specific privacy policy was last updated on September 7, 2020.