PRIVACY
POLICY

1. Introduction and Scope

Mellion Capital (“we”, “us” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you: visit our website; engage in investment discussions; receive due diligence materials; or interact with our advisory team. It also sets out your rights and choices in relation to your personal information. By using our services, you consent to the practices described in this policy.

2. Information We Collect

We collect and process various categories of information, including:

2.1 Personal and Identifying Information

• Contact details: name, email address, telephone number, postal address.
• Identification details: government-issued ID numbers, tax identification, date of birth.
• Professional details: employment history, job title, company details, business affiliations.

2.2 Financial and Transactional Information

• Investment records: portfolio holdings, transaction history, investment performance data.
• Payment details: bank account, payment instructions, invoicing and billing records.
• Due diligence information: financial statements, audit reports, tax returns, business plans.

2.3 Technical and Usage Information

• Device information: device type, operating system, browser type, device identifiers.
• Connection information: IP address, geolocation (derived from IP), network provider.
• Usage data: pages visited, time and date stamps, clicks, downloads, session duration.
• Cookies and similar technologies: session cookies, persistent cookies, web beacons.

2.4 Third-Party Information

We may obtain information from third parties, including:

• Professional advisors: legal, accounting, or consulting firms providing due diligence reports.
• Regulatory bodies: publicly available records, sanction lists, or compliance databases.
• Data aggregators: business intelligence platforms or commercial databases.

3. How We Use Your Information

We use your information for the following purposes:

• Provision of Services: to assess, structure, and execute investments; to provide strategic and operational advice; to manage ongoing relationships with Investee companies and co-investors.
• Client Communication: to respond to enquiries, send updates, confirmations, and notifications.
• Due Diligence and Risk Management: to evaluate potential investments, conduct background checks, ensure compliance with internal policies and external regulations.
• Legal and Regulatory Compliance: to comply with statutory obligations, anti-money laundering checks, anti-bribery and corruption reviews, and respond to lawful requests from authorities.
• Improvement of Services: to analyse usage trends, monitor performance, conduct internal audits, and enhance our platforms, processes, and offerings.
• Marketing and Client Relations: to send newsletters, research reports, event invitations, and promotional materials where you have provided consent.
• Business Operations: to administer our business, process invoicing, manage records, enforce agreements, and protect our legal rights.

4. Legal Bases for Processing

We rely on one or more of the following bases when processing your personal information:

• Performance of Contract: where processing is necessary to fulfil our agreement with you or another party.
• Legitimate Interests: where we have a genuine business interest (e.g. safeguarding our assets, preventing fraud, improving services) and such interests do not override your fundamental rights and freedoms.
• Legal Obligations: where processing is necessary to comply with applicable legal or regulatory requirements.
• Consent: where you have provided clear permission for us to process your information for a specific purpose. You may withdraw consent at any time (see Section 8).

5. Information Sharing and Disclosure

We may share your information in the following circumstances:

5.1 Service Providers and Affiliates

We engage third-party service providers—such as IT hosts, payment processors, data analytics firms, document storage providers, and professional advisors—to perform functions on our behalf. These partners are contractually required to handle your information in accordance with this Privacy Policy and to maintain appropriate safeguards.

5.2 Business and Transactional Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, or financing, your information may be transferred to a successor entity. We will notify you of any change in ownership or use of your personal data.

5.3 Legal, Regulatory, and Investigative Requests

We may disclose information if required by law, regulation, or legal process (e.g., court order, subpoena), or in response to lawful requests from governmental authorities. We also cooperate with law enforcement, anti-corruption agencies, and other official bodies as necessary.

5.4 Consent or Instruction

We may share information when you explicitly authorise us to do so—such as providing references to potential co-investors or allowing us to liaise with your advisors. You may revoke this authorisation at any time (see Section 8).

6. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence. Whenever we transfer data internationally, we ensure that appropriate contractual or other safeguards are in place so that your rights remain protected, in line with recognised data protection standards.

7. Data Security Measures

We implement a variety of technical and organisational measures to protect your data, including:

• Encryption: data is encrypted in transit (e.g. via TLS) and at rest (e.g. AES-256).
• Access Controls: strict user authentication, multi-factor authentication, role-based access, and secure credential storage.
• Network Security: firewalls, intrusion detection systems, secure VPN connections, and regular penetration testing.
• Operational Security: regular security risk assessments, vulnerability scanning, patch management, and secure coding practices.
• Employee Training: ongoing data protection and cybersecurity training, background checks for personnel with data access.
• Incident Response: established procedures for detecting, investigating, containing, and remediating data incidents, including notification to affected individuals if required.

8. Your Rights and Choices

You have certain rights regarding the personal information we hold about you. To exercise any of these rights, please contact us as indicated in Section 13:

• Access: You may request a copy of the personal information we hold about you.
• Correction: You may request that we amend or update inaccurate or incomplete information.
• Deletion: You may request the erasure of your personal data when it is no longer necessary for the purposes collected, or if you withdraw consent and no other legal basis applies.
• Restriction: You may request that we limit processing of your data—for example, if you contest its accuracy or object to our processing on legitimate grounds.
• Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where technically feasible.
• Objection: You may object to our processing of your data on legitimate interest grounds. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

We may require you to verify your identity before responding to any of the above requests. We will comply with your request as soon as reasonably practicable and in accordance with applicable regulations.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and gather analytics:

• Essential Cookies: Required for core site functionality (e.g. session management).
• Performance and Analytics Cookies: Collect anonymous usage data to help us optimise our website and services.
• Functional Cookies: Remember preferences or settings you have chosen (e.g. language, display preferences).
• Third-Party Cookies: Set by external providers (e.g. analytics or social media plugins) to enable certain features or measure performance.

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect site functionality.

10. Third-Party Links and Services

Our website or communications may contain links to third-party websites, services, or content. This Privacy Policy does not cover those third parties, and we encourage you to review their privacy notices. We are not responsible for their privacy practices or the content of their sites.

11. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, or reporting obligations; resolving disputes; and enforcing our agreements.

When no longer required, we securely delete or anonymise your data in accordance with industry best practices.

12. Children’s Privacy

Our services are not directed to individuals under 18. We do not knowingly solicit or collect personal information from children under 18. If you believe we have inadvertently collected data from a child, please contact us immediately for prompt deletion.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post any material changes on our website with a revised “Last updated” date. For significant changes, we will make reasonable efforts to notify you directly (e.g. by email).

Your continued use of our services following the publication of changes constitutes acceptance of those changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

• Email: Legal department