Privacy Protection Policy

Privacy Protection

Regulation S-P (“Reg S-P”), the U.S. Privacy Act of 1974, the CCPA, GDPR, the Cayman Islands Data Protection Law (“DPL”), and the UK’s Data Protection Act 2018 (collectively referred to as “Privacy Rules”), all require companies to adopt and implement policies and procedures that are reasonably designed to protect the confidentiality of nonpublic personal records. Privacy Rules apply to “consumer” records, meaning records regarding individuals, families, or households. Reg S-P does not explicitly apply to the records of companies, investors in a private investment vehicle, or individuals acting in a business capacity, but the corresponding Privacy Rules may impose similar disclosure and safeguarding obligations. Pillsbury Lake Capital LLC (hereinafter, “Pillsbury” or the “Company”) is committed to protecting the confidentiality of all non-public information regarding its Clients, Investors, Borrowers, prospects, and Employees (“Nonpublic Personal Information”).

Privacy Rules require the Company to provide its Clients and Investors with notices describing the Company’s privacy policies and procedures. These privacy notices must be delivered to all new Clients upon inception of an arrangement, and at least annually thereafter. Reg S-P does not require the distribution of privacy notices to companies, to investors in a private investment vehicle, or to individuals acting in a business capacity, but in accordance with the Privacy Rules, the Company provides privacy notices to all Clients and Investors.

Guiding Principles

The Company will seek to limit its collection of Nonpublic Personal Information to that which is reasonably necessary for legitimate business purposes. The Company will not disclose Nonpublic Personal Information except in accordance with these policies and procedures, as permitted or required by law, or as authorized in writing by the Client or Investor. The Company will never sell Nonpublic Personal Information or share Nonpublic Personal Information with nonaffiliated third parties.

With respect to Nonpublic Personal Information, the Company will strive to: (a) ensure the security and confidentiality of the information; (b) protect against anticipated threats and hazards to the security and integrity of the information; and (c) protect against unauthorized access to, or improper use of, the information. The Company will promptly notify any impacted Clients, Investors, prospects, and Employees of any threats to, or improper disclosure of, Nonpublic Personal Information.

Although these principles and procedures apply specifically to Nonpublic Personal Information, Employees must be careful to protect all of the Company’s proprietary information.

Data Protection Principles

When Processing Nonpublic Personal Information, the Company aims to comply with the following core Data Protection principles:

a. Lawfulness, fairness and transparency

Nonpublic Personal Information must be processed fairly, transparently and lawfully. An individual’s Nonpublic Personal Information must not be processed unless there are lawful grounds for doing so and the data subject has the right to understand and request as to how and why their Nonpublic Personal Information is being processed either upon or before collecting it.

b. Purpose Limitation

Nonpublic Personal Information must be processed only for specified and lawful purposes. Nonpublic Personal Information must not be processed in any manner which is incompatible with the specified and lawful purpose.

c. Data Minimization

Nonpublic Personal Information that is processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is processed.

d. Accuracy

Nonpublic Personal Information must be accurate and, where appropriate, kept up-to-date. Any Nonpublic Personal Information which is incorrect must be rectified as soon as possible.

e. Data Retention

Nonpublic Personal Information must be kept for no longer than is necessary considering the lawful purpose(s) for which it is processed.

f. Security

Nonpublic Personal Information must be protected against unauthorized or unlawful processing, including transmission, accidental loss, destruction or damage through appropriate technical and organizational measures.

Risks

In developing these policies and procedures, the Company considered the material risks associated with privacy protection. This analysis included risks such as:

  • Nonpublic Personal Information is not recorded accurately or protected from inadvertent alteration or destruction;
  • Nonpublic Personal Information is not protected from unauthorized access (electronic or physical) by outside intruders, unaffiliated third-party service providers, or unauthorized Employees;
  • Nonpublic Personal Information can be accessed, copied, or destroyed by physical or electronic intrusions;
  • False or misleading disclosures are made to Clients or Investors about the use or protection of Nonpublic Personal Information;
  • Third-party service providers have adopted inadequate policies and procedures to protect Nonpublic Personal Information;
  • Company fails to comply with applicable regulatory and international privacy laws;
  • Company trade secrets are not protected from unauthorized access by Employees or third-party service providers; and
  • Company uses information obtained from affiliates for marketing purposes without ensuring that affected individuals have been given adequate notice and an opportunity to opt out.

The Company has established the following guidelines to mitigate these risks.

Policies and Procedures

What this Policy Covers

This Policy covers our use and treatment of personally identifiable information (also referred to as PII, personal data, “Personal Information”, or “Nonpublic Personal Information”):

  • That the Company may collect when a Client, Investor, or prospect (collectively, “Client”) accesses or uses our services or website in any manner (collectively, the “Services”).

By accessing or using the Company’s Services, a Client acknowledges and agrees that they consent to the practices and policies outlined in this Policy.

A Client’s choices include how one can object to certain uses of information about the Client and how one can access and update certain information about the Client.

The Company does not knowingly collect or solicit personal information from children or anyone under the age of 16 or knowingly allow such persons to use, access or register for the Services. Neither the Company’s website, Services, nor this Policy, are directed to such persons.

What Information is Collected about Clients

1. Information provided to the Company:

The Company receives and stores any information a Client knowingly provides. This can include collecting the following Nonpublic Personal Information in the context of the Company’s business relationship with the Client:

  • A subscription into any of PILLSBURY’s funds, investment vehicles, joint ventures, co-investment vehicles, managed accounts, SMAs, sub-advised accounts, etc.;
  • A partnership;
  • Contract with any of PILLSBURY’s affiliates;
  • Identity & Contact Data: includes first name, last name, or similar identifiers, postal address, email address and telephone numbers;
  • Marketing and Communications Data: includes a Client’s choices as well as preferences in receiving marketing from the Company and the Company’s third parties, and a Client’s communication preferences;
  • Client email behavior through email services;
  • Customary business communication (electronic, telecommunications, or physical);
  • Use of the Company’s website;
  • Information submitted through any support or Client portal related to the Services;
  • Website data: includes internet protocol (IP) address, names associated with the IP address, internet service provider (ISP), as well as information about how a Client uses the Company’s website; and
  • Various other communications means and methods.

A Client can choose not to provide the Company with certain information, but then a Client may not be able to register with the Company or take advantage of some of the Company’s services and/or features or receive the Company’s mailings, articles, thought pieces, etc.   Some of this information may include:

  • Contact information (address, telephone number, email address, etc.)
  • Account numbers (for accounts involved in the business relationship)
  • Driver’s License number, Passport number, or other Government issued identification;
  • Tax identification numbers; and
  • Legal documents as required in the account opening/servicing process.

If a Client has provided the Company with a means of contacting the Client for particular purposes, the Company may use such means to communicate with the Client for those purposes. If a Client previously provided the Company with such information but no longer wishes to receive such communications, a Client can indicate their preference by contacting the Company.  

2. Information the Company receives from other sources:

The Company may receive information about Clients from:

  • Other Service users (e.g. if a Client’s email address is mentioned in feedback or designated as a contact); and
  • Third-party services (e.g. if a Client links another account he/she owns to the Services, the Company may receive a Client’s name and email address as permitted by the Client’s profile settings in order to authenticate the Client). The information the Company receives depends on the settings, permissions and privacy policy controlled by that third-party service. A Client is responsible for checking the privacy settings and notices in these third-party services to understand what data may be disclosed.

3. Personal Information Requests

Each individual has a right under the Privacy Rules to request from PILLSBURY the personal information and data that has been stored and used.  PILLSBURY will provide the requested information in accordance with the specific jurisdictional requirements.  If any Client wishes to request the usage of their personal information and data, they can contact the Company to make such request.

How the Company Uses Information It Collects

How the Company uses the Nonpublic Personal Information it collects depends in part on which Services are provided to a Client, how a Client uses them, and any preferences a Client has communicated to the Company.

The Company may use information about a Client:

  • To provide the Services requested;
  • To manage the Company’s relationship with a Client including responding to inquiries, and notifying a Client about changes in the Company’s terms or this Privacy Policy;
  • To register a Client for events (for example, an information event or distribution list notification of current offerings, services, market updates, thought pieces, articles, postings, etc.);
  • For AML/KYC due diligence purposes;
  • For security (to authenticate a Client, verify accounts and activity, monitor suspicious or fraudulent activity, etc.);
  • To provide support, as applicable;
  • To operate and maintain the Services offered;
  • To process Company interaction with a Client;
  • To communicate with a Client about the Company’s Services;
  • To protect the Company’s legitimate business interests and legal rights;
  • To share data with the Company’s trusted service providers (i.e. compliance, tax/audit, fund administration, IT service provider, etc.) in order to provide the Services; and
  • With a Client’s consent: the Company uses information about a Client where the Client has given the Company consent to do so for a specific purpose not listed above.

 

Legal basis for processing (for EEA users):

If a Client is an individual in the European Economic Area (EEA), the Company collects and processes information about a Client only where the Company has the legal basis for doing so under applicable EU laws. The legal basis depends on the Services provided to a Client.  This means the Company may collect and use a Client’s information only where:

  • The Company needs it to provide a Client with the Services, including providing support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by a Client’s data protection interests);
  • A Client gives consents for the Company to do so for a specific purpose; or
  • The Company needs to process a Client’s data to comply with a legal obligation.

 

Legal basis for processing (for CIMA users):

The legal basis for processing personal data are set out in schedule 2 of the Data Protection Legislation (DPL). Principally, all of the conditions are equal so that none is preferable to any other. At least one of these conditions must apply whenever personal data is processed:

  • Consent: the individual has given clear consent for the Company to process personal data for a specific purpose;
  • Contract: the processing is necessary for performance of a contract or because they have asked to take specific steps before entering into a contract;
  • Legal obligation: the processing is necessary to comply with a law (not including contractual obligations); or
  • Legitimate interests: Processing necessary information for legitimate interests pursued by the data controller or a third party, except where it is unwarranted because of prejudicing the rights and freedoms or legitimate interests of the individual.

The legal basis for processing sensitive personal data are set out in schedule 3 of the DPL. At least one of these conditions, in addition to a condition for processing above, must apply whenever sensitive personal data is processed:

  • Consent: the individual has given clear consent for the Company to process their sensitive personal data for a specific purpose;
  • Employment: the processing of sensitive personal data imposed by law in the context of the individual’s employment; Data Protection Law 2017 – Guide for Data controllers v1.03 January 2019 83;
  • Made public: processing of sensitive personal data that has been made public by the individual; or
  • Legal proceedings: processing of sensitive personal data is necessary for legal proceedings, legal advice or legal rights.

 

Legal basis for processing (for UK users):

The Company’s use of personal data follows the rules called ‘data protection principles. This information needs to be:

  • Used fairly, lawfully and transparently;
  • Used for specified, explicit purposes;
  • Used in a way that is adequate, relevant and limited to only what is necessary;
  • Accurate and, where necessary, kept up to date; and
  • Kept for no longer than is necessary handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.

Affiliated Third Parties:
The Company may disclose Client information to affiliated third parties, but only in the interest of conducting Company and Client-related business.

Client Right to Opt-Out

As stated previously, the Company does not sell a Client’s Non-public Personal Information. The Company does provide a Client the ability to opt-out of having their information stored, within the legal and regulatory guidelines. If any Client wishes to opt-out of PILLSBURY’s use and storage of their information, the Client can contact the Company to make such request. The Company will comply with all such opt-out requests in accordance with the specific jurisdictional requirements.

Protecting Confidential Information

Employees will maintain the confidentiality of information acquired in connection with their employment, with particular care being taken regarding Nonpublic Personal Information. Improper use of the Company’s proprietary information, including Nonpublic Personal Information, is cause for disciplinary action, up to and including termination of employment for cause and referral to appropriate civil and criminal legal authorities. Consequently, all Employees (including long-term consultants and temporary interns) are required to sign and adhere to a confidentiality agreement covering these and other matters.

Nonpublic Personal Information will be restricted to Employees who have a need to know such information.

Specific Jurisdiction Requirements

1. Cayman Islands Data Protection Law

PILLSBURY may act as a Controller of Personal Data and as a Processor of Personal Data in the following scenarios:

  • In the context of the business activities of PILLSBURY;
  • For the provision or offer of services to individuals; and
  • In the context of human resources where PILLSBURY has employee personal data.

We have appointed a Data Protection Contact who is responsible for overseeing questions in relation to this Privacy Notice.

2.European Union GDPR

PILLSBURY will process personal data in the legitimate interests of providing or potentially providing investment management services. In Compliance with GDPR, we have appointed a Data Protection Compliance Manager (DPCM) who is responsible for overseeing questions in relation to this Privacy Notice. Individuals are free to withdraw their consent at any time.

3. United Kingdom – Data Protection Act

If you are a user located in the United Kingdom, The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).  Under the Data Protection Act 2018, you have the right to find out what information PILLSBURY stores about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

4. California – California Consumer Privacy Act of 2018 (“CCPA”)

Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), we are providing the following additional details regarding the categories of Personal Information that we collect, use, and disclose about California residents.

Collection, Disclosure of Personal Information

The following chart includes: (1) the categories of Personal Information, as listed in the CCPA, that we plan to collect and have collected and disclosed within the preceding 12 months; and (2) the categories of third parties to which we disclosed Personal Information for our operational business purposes within the preceding 12 months.

Categories of Personal Information

Identifiers, such as name, contact information, IP address that can reasonably be linked or associated with a particular consumer or household, and online identifiers

Personal information as defined in the California customer records law, such as name, signature, address, and telephone number

Internet or network activity information, such as browsing history, search history and interactions with our online properties or ads

Employment Information. Professional or employment-related information, such as work history and prior employer

Under the CCPA, if a business sells Personal Information, it must allow California residents to opt-out of the sale of their Personal Information.  However, we do not “sell” and have not “sold” Personal Information for purposes of the CCPA in the last 12 months.

Sources of Personal Information

As described above, we collect this Personal Information from you and from publicly available databases and joint marketing partners, when they share the information with us. 

Use of Personal Information

Requests to Know and Delete 

If you are a California resident, you may make the following requests:

“Request to Know” – you may request that we disclose to you the following information covering the twelve (12) months preceding your request:

  1. The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;
  2. The specific piece of Personal Information we collected about you;
  3. The business or commercial purposes for collecting (if applicable) Personal Information about you; and
  4. The categories of Personal Information about you that we otherwise shared or disclosed, and the categories of third parties with whom we shared or to whom we disclosed such Personal Information (if applicable).

“Request to Delete” – you may request that we delete Personal Information we collected from you.

To make a Request to Know or a Request to Delete, please contact the Company.  We will verify and respond to your request consistent with applicable law, considering the type and sensitivity of the Personal Information subject to the request.  We may need to request additional Personal Information from you, such as provide a few examples of the types of Personal Information you may request in order to verify a request, in order to verify your identity and protect against fraudulent requests.  You may make a request on behalf of a child who is under 13 years old if you are the child’s parent or legal guardian.  If you make a Request to Delete, we may ask you to confirm your request before we delete your Personal Information.

If you want to make a Request to Know or a Request to Delete as an authorized agent on behalf of a California resident, you may use the submission methods noted above.  As part of our verification process, we may request that you provide, as applicable, proof concerning your status as an authorized agent, which also may include:

  1. Proof of your registration with the California Secretary of State to conduct business in California;
  2. Proof of a power of attorney from the resident pursuant to Probate Code sections 4121-4130.

If you are an authorized agent and have not provided us with a power of attorney from the resident pursuant to Probate Code sections 4121-4130, we may also require the resident to:

  1. Verify the resident’s own identity directly with us; or
  2. Directly confirm with us that the resident provided you permission to make the request.
Right to Non-Discrimination
You have the right to be free from unlawful discriminatory treatment for exercising your rights under the CCPA. 
Do Not Track Signals
We do not currently respond to browser do-not-track signals.

Changes to this Policy

The Company is committed to complying with data privacy laws in every jurisdiction it does business. As such, the Company may amend this Policy from time to time. Use of information the Company collects now is subject to the Policy in effect at the time such information is used. If the Company makes changes in the way it uses Personal Information, the Company shall notify its Clients.