Introduction

Welcome to Aprirose Limited’s (“Aprirose’s”) privacy notice.Aprirose respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

Purpose of this privacy notice

This privacy notice aims to give you information on how Aprirose collects and processes your personal data. Aprirose is registered with the ICO to process your personal data and our registration number is ZA129898.

Your data will be processed on our behalf by Share In Ltd, a company registered in Scotland (number SC408803) with its registered office Suite 2, Ground Floor Orchard Brae House, 30 Queensferry Road, Edinburgh, United Kingdom, EH3 2HS (“ShareIn”). ShareIn is registered with the ICO to process personal data and their registration number is ZA029742. ShareIn host Aprirose’s website and will be the data processor for the purposes of the Data Protection Act 2018 as amended by The Data Protection, Privacy and Electronic Communications (Amendments) Regulations 2019. Aprirose operate on the terms of a written agreement with ShareIn relating to your personal data

ShareIn Limited uses the Twilio SendGrid email platform when sending email. All of SendGrid's email servers are in the USA and as such Personal Data is being sent to (and stored in) the USA.

Any payment transactions you make through our Website will be made through ShareIn, encrypted through SSL technology. ShareIn are a joint controller in respect of any personal data and any of your personal data they hold will be subject to this privacy policy.

Your data will be held by ShareIn on their secure servers located in the Republic of Ireland, but will be processed by staff who work in the UK. Your data may also be transferred to locations outside the EU where the safeguarding criteria set out in Articles 44-50 of the GDPR are satisfied.

Any payment transactions you make through our website will be made using ShareIn, encrypted by SSL technology. ShareIn is a joint controller in respect of your personal data, and any data they hold is subject to this privacy policy.

We have appointed a data protection officer (the “DPO”) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details

Our full details are:

Full name of legal entity: Aprirose Limited
Title of DPO: Legal and Transaction Manager
Email address: dpo@aprirose.com
Postal address: 1st Floor, 88 Baker Street, London. W1U 6TQ, United Kingdom

You have the right to make a complaint at any time to the Information Commissioner’s Office (the “ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

This version was last updated on 23rd April 2024. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

The data we collect about you

There are many reasons why we may collect and process your personal information and data, including:

  • to provide and manage products and services you have requested
  • to verify your identity, ensure you meet eligibility requirements, protect against fraud and manage risk
  • to comply with legal or regulatory requirements

Basis of collecting and using your data

When we collect your personal data we either have a lawful basis of doing so, or we obtain your consent to do so.

  • Consent. In specific situations, we can collect and process your data with your consent. You may withdraw your consent at any time but please remember that this could mean we may have to stop providing certain services to you.
  • Contractual obligations. We may process your information where it is necessary to either enter into a contract with you for the provision of our products or services or to perform our obligations under that contract or to provide you with advice or guidance in relation to accessing our products or services that are offered by us, or otherwise to comply with contractual obligations.
  • Legal compliance. If the law or any regulator in any competent jurisdiction requires us to, we may need to collect and process your data and also provide this to the relevant regulator.
  • Legitimate interest. We may process your information in the day to day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

Please remember that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.

What we collect

We may collect all or some of the following categories of data from you:

  • Title
  • Full Name
  • Address (including postcode)
  • Date of birth
  • Email address
  • Nationality
  • Bank account details
  • IP addresses
  • Passport (including passport number)
  • Driving license (including driving license number)

When you make an Investment, you will be required to provide your identity document to allow ShareIn to satisfy its Know Your Customer (KYC) regulatory requirements. Any associated personal data contained on that document will be retained by us or ShareIn.

In addition to the above, we will also provide you with your Account Details, which includes your username which is either created by, or assigned to, you. The Account Details should be remembered by you but will be stored by us in case you forget them.

How do we collect and use your data?

We may obtain information in several ways which may include:

  • Information which you give to us, including when you contact us or register your interest in Aprirose;
  • Information that we receive from third parties including third parties who provide services to you or us (including via fraud prevention agencies or government agencies);
  • Information that we learn about you through our relationship with you;
  • Information that we gather from the technology which you use to access our services (for example an IP address or telephone number);
  • Information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.

We collect and process personal information and data about you at the start of, and for the duration of, your relationship with us – in each case where we have a reason for doing so and only where that reason is permitted under data protection law. The section below sets out how we collect and use your data in specific circumstances.

It’s important that you keep your personal information with us up to date, so please let us know if anything changes.

When you contact us

When you contact us (including by phone, email, through social media or through a website contact form) in relation to Aprirose, we may process your personal information (including your name, address, contact details, the name of the organisation you work for and other personal information you’ve given us) in order to respond to your query and provide the customer services you have asked us to (if any; for example providing assistance with the Aprirose platform).

We rely on your consent to handle your personal information in this way. If you do not provide us with the data we request from you for customer services purposes, we may not be able to fully answer your queries. We may log and record the interactions you have with us, such as phone calls, email opens and click throughs to help us better service your requests.

When you register interest in or sign up to Aprirose

When you register your interest in Aprirose, we will use your personal information to complete your registration and evaluate whether you qualify to invest based on applicable regulation. The details we (or our relevant service providers) collect from you may include your name, address, date of birth, email address, phone number, nationality, investor categorisation, anti-crime and fraud information (to verify that you are neither suspected nor a victim of fraud or other offences and that your details do not appear on politically exposed persons and sanctions lists), education (including experience of and understanding of investing), visual images (such as copies of passports or drivers licence to verify identity) and payment or bank account details.

If provided to us, we may also collect vulnerability data, such as your age, any disabilities or health conditions or any financial circumstances of you or a member of your household. It’s important that you keep your personal information up to date, so please let us know if anything changes.

When you register on the Aprirose website, we may share your personal information with third parties involved in the process, such as white label partners, payment providers and agencies whom we use to assess fraud, or security risks. We need to process your personal information in this way to comply with applicable legislation.

Marketing communications

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your Identity, Contact, Technical and Usage Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing. You can ask us to stop sending you marketing messages at any time by contacting us. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us because of a service we have provided to you.

Cookies

Our Website will use cookies (alpha-numeric text files placed on your computer) to:

  • distinguish you from other users;
  • optimise your browsing experience;
  • make necessary improvements to our Website;
  • recognise and count the number of visitors to our Website and see how they move around the Website during use;
  • recognise you when you return to our Website; and
  • record your visit to our website, including any links you may follow.

The following cookies are set to our Website for the listed purposes:

Cookie Purpose
cookiebanner-accepted Records that the button on the cookie banner has been clicked.

Our Website additionally uses Google Analytics, a web analytics service provided by Google, Inc. (Google). Google Analytics uses analytical, performance or targeting cookies to help analyse how you use the Website and compile reports on your activity for us.

Any information generated by the cookie about your use of the Website (including your IP address) will be transmitted to, and stored by, Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the Website, compiling reports on your activity for us and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings via the cookies settings, however please note that if you do this your ability to use the Website may be restricted. By using the Website, you consent to the processing of data about you by Google in the manner and for the purposes set out above unless you amend the Cookie default setting.

Except for essential cookies, all cookies will expire after your session.

To make our website better and more secure

We will use your personal information for the purposes of administering our website and making it more secure, including troubleshooting, data analysis, testing, research, statistical and survey purposes. We process your data for this reason because we have a legitimate interest to provide you with the best experience we can, and to ensure that our website is kept secure.

You can task us to stop using your personal information in this way by using the “do not track” functionality in your internet browser. If you enable “do not track” functionality, our website may be less tailored to your needs and preferences.

Technical information and analytics

When you visit our website, we will automatically collect the following information:

  • technical information, including the IP address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, screen resolution, operating system and platform; and
  • information about your visit, including the full Uniform Resource Locators, clickstream to, through and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.

We may also collect information on your location on our websites, such as your location data when accessing the website in line with the location settings on your phone or internet browser. This can be disabled or amended via the relevant IOS/Android platforms or in your internet browser settings.

We work closely with various third parties, including advertising networks, analytics providers, hosting providers and search information providers from whom we may also receive general aggregated anonymous information about you.

How we use your information

We will only use or disclose your personal data for the purposes it was collected for and as disclosed in this policy.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Disclosure of your personal data

We may have to share your personal data with the parties set out below for the purposes set out under the heading, “The data we collect about you” above:

  • internal third parties, such as other companies in the Aprirose group acting as joint controllers or processors and who are based inside and outside of the European Union and provide IT and system administration services and undertake leadership reporting.
  • external third parties such as:service providers acting as processors based inside and outside of the European Union who provide IT and system administration services;
  • professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based inside and outside of the European Union who provide consultancy, banking, legal, insurance and accounting services;
  • HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances; and
  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions

International transfers

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention - How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.In some circumstances you can ask us to delete your data: see Request erasure below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.]
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.