Stockbrook Capital's Privacy Policy

---

Stockbrook Capital (“we”, “us” or “our”) is committed to protecting the privacy and personal data of our clients and website users. This Privacy Policy explains how we collect, use, and safeguard personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all individuals and business clients who interact with us, including users of our website and related services, across the international scope of our operations. We are an award-winning Introductory Broker providing investors (from private individuals to institutions) access to exclusive opportunities in the global private capital markets. Our focus spans various sectors – from alternative investments and emerging markets to infrastructure, technology, renewable energy, natural resources, and UK real estate – reflecting the broad scope of personal data we may handle. By using our services or website, you acknowledge this Policy. We encourage you to read it carefully and contact us with any questions.

Data Controller: Stockbrook Capital Limited (Company No. 10553595) is the data controller responsible for your personal data. Our registered office is at 6-7 Waterside, Station Road, Harpenden, Hertfordshire, AL5 4US, United Kingdom, with principal offices at Bank House, 15 Gosditch Street, Cirencester GL7 2AG (Cotswolds office) and Devonshire House, One Mayfair Place, London W1J 8AJ (Mayfair office) In this Policy, “Stockbrook Capital” or “we” refers to Stockbrook Capital Limited.

Contact for Privacy Matters: If you have any questions about this Policy or your personal data, please contact our Compliance Team (responsible for data protection queries) at compliance@stockbrookcapital.co.uk or by post at the Cirencester address above. While we are not legally required to appoint a Data Protection Officer, we take privacy seriously and have a dedicated compliance function to address your concerns.

ICO Registration: Stockbrook Capital is registered with the UK Information Commissioner’s Office (ICO) as a data controller under registration number ZB902661. You can verify our registration and download our Data Protection registration certificate by searching our company name or number on the ICO’s public register (available on the ICO website). This registration reflects our commitment to handling personal data in accordance with data protection law.

We collect a variety of personal data to carry out our investment introduction and advisory services. This may include:

• Identity Data: Such as full name, title, date of birth, nationality, passport or ID card details, national insurance number, and proofs of identity (which may include information from identity documents and any photographs on them). For corporate clients, this may include details of directors, shareholders or beneficial owners.
• Contact Data: Including personal or business address, email address, telephone numbers, and other contact information.
• Financial Data: For individual investors, this can include bank account details, payment information, details about your income, assets and investment portfolio, tax status, and investment objectives. We may also collect information to assess whether you meet the criteria of a professional or high-net-worth investor (for example, evidence of your investment experience or financial qualifications), as our services are strictly for professional, high-net-worth and sophisticated investors
• KYC and Due Diligence Data: Information collected as part of “Know Your Customer” and anti-money laundering (AML) checks. This includes identity verification data, credit references or sanctions check results, source of funds and wealth, and other due diligence materials required by law (e.g. copies of identification documents, utility bills for address verification, and questionnaires to determine investor eligibility and risk awareness).
• Technical Data: When you visit our website or use our online services (such as our Deal Room platform), we may collect technical information like your Internet Protocol (IP) address, login credentials (username/user ID), browser type and version, time zone setting and location, operating system, and platform, and other technology on the devices you use. We also collect data about your usage of our website (see Cookies below).
• Profile and Usage Data: If you create an account with us (e.g., to access the Deal Room or to subscribe to our newsletters), we maintain data such as your username, password (stored in encrypted form), preferences, investment interests, and history of services or investments you have shown interest in. We also record your interactions with us – e.g. login times, pages visited, and which investment opportunities you review.
• Marketing and Communications Data: Your preferences in receiving marketing from us (such as whether you have subscribed to our weekly newsletters or opted in to other updates) and your communication preferences. We also keep records of your correspondence with us, including inquiries, feedback, or complaints you send to our team.
• Business Client Data: If you represent a business or institutional client, we may collect your professional details (such as job title, employer, and business contact information) as well as details about the organisation you represent (which might include company registration details, financial information, etc.). These details are considered personal data when they identify or relate to a contact person (for example, a corporate client’s representative or a broker/agent acting on a client’s behalf).

Note: We do not generally seek to collect “special category” personal data (such as information about health, genetic/biometric data, or political opinions) or criminal offence data, unless required by law (for instance, as part of due diligence or if you volunteer such information). We ask that you do not provide such sensitive data to us unless necessary. In limited cases, identity documents you provide for verification may incidentally reveal ethnic origin (e.g. from a photograph) or health data (e.g. if you voluntarily disclose health issues affecting your investor status), but we will only process such information in strict accordance with the law and only for the specific purposes required (such as compliance with regulatory obligations).

We collect personal data through several methods:

• Direct Interactions: You may give us your identity, contact and financial data by filling in forms or corresponding with us by post, phone, email or otherwise. This includes personal data provided when you:
  
  • Apply for our services or open an account (e.g. when registering for our online Deal Room or creating an investor profile).
  • Complete investor qualification forms or agreements, such as declaring yourself a professional or high-net-worth investor and confirming your understanding of investment risks.
  • Meet with us or communicate by phone/email, for example when you inquire about investment opportunities, request information or research reports, or give us feedback. We may record or log such communications for compliance and quality assurance.
  • Provide documents for due diligence, such as when uploading identification documents or proof of address to our secure portal (e.g. via the “Register an investor” form where brokers or clients can upload investor documents or responding to our requests for KYC/AML information).
  • Subscribe to our newsletters or marketing by ticking a box on our website forms or explicitly requesting to be added to our mailing list. (For example, our contact form allows you to opt-in to our subscriber list for updates and research reports).
  • Enter into a contract with us (such as a client agreement or a brokerage agreement) or when you engage with our services in any way that requires personal information.

• Automated Technologies or Interactions: As you interact with our website, we automatically collect certain Technical Data about your equipment and browsing actions. We collect this personal data by using cookies, server logs, and other similar technologies. For instance:
  
  • Our website uses cookies to analyse traffic and optimise user experience. Cookies are small text files placed on your device. Some cookies are necessary for the site to function (e.g. to keep you logged in to your account), while others (like analytics cookies) collect information about how you use our site (pages you view, time spent, clicks, etc.). We also use cookies or similar technologies for security purposes (e.g. to distinguish human users from bots via Google reCAPTCHA on our forms) and to remember your cookie preferences (whether you accepted or declined optional cookies).
  • We may use third-party analytics tools (such as Google Analytics) which set their own cookies to collect aggregate information on how visitors use our site. This helps us improve content and user experience. These analytics cookies collect data like your approximate location, device type, and browsing actions on our site. (For more details, see Section 9: Cookies below.)
  • If you receive emails from us (e.g. a newsletter), we may use tracking technologies to see if you open the email or click on links, helping us gauge engagement. You can unsubscribe from marketing emails at any time (see Section 8: Marketing Communications).

• Third Parties or Public Sources: We may receive personal data about you from third parties or publicly available sources, for example:
  
  • Introducers and Brokers: If you were referred to us by a third-party broker, financial adviser, or investment platform, they may provide us with your personal details and background information to set up your engagement with Stockbrook Capital. For instance, we work with independent brokers/agents and may collect data from them when they register you as an investor on your behalf.
  • Our Partner Companies: We sometimes operate in partnership with other companies (for example, regulated financial firms that sponsor or manage the investment opportunities we introduce). In such cases, those partners might share relevant personal data with us – for example, the outcome of an eligibility check or the fact that you invested in a product we introduced – to enable us to manage our relationship with you.
  • Identity Verification Services: We may use external services or databases to verify your identity, perform anti-money laundering screening, or conduct “politically exposed person” (PEP) and sanctions checks. These services might provide us with information such as verification of your identity documents or any flags on your name from sanctions lists.
  • Public Databases: For corporate clients or professional investors, we may collect data from publicly accessible sources like Companies House (for company registration and director information), the FCA register (to confirm regulatory status if you are an intermediary), credit reference agencies, or public websites (e.g. LinkedIn or company websites for professional contact details).
  • Social Media: If you engage with us via social media (for example, by contacting us on our LinkedIn or other official pages), we may receive basic account information from your social media profile. However, we will generally direct you to communicate with us through secure, official channels for any substantive queries.

We will only collect personal data that is necessary for the purposes explained in this policy. If you fail to provide certain information when requested, we may not be able to perform our contract with you (for example, to onboard you as an investor or provide you with an opportunity) or we may be unable to comply with our legal obligations (such as verifying your identity). We will inform you at the time if certain data provision is mandatory and the consequences of not providing it.

We will only use your personal data where the law allows us to. Under UK GDPR, we must have a valid “lawful basis” for each use of your information. The main purposes for which we process personal data, and the corresponding lawful bases, are:

• 5.1 To Provide Our Services and Perform Our Contract with You:
  We use personal data to set up and administer your relationship with Stockbrook Capital, including verifying your identity, creating your client/investor account, determining your eligibility to invest, and facilitating the investments or services you request. This includes:
  
  • Assessing whether you meet the criteria to be classified as a professional, high-net-worth, or sophisticated investor (as required, since our offerings are strictly for professional investors only). We may require you to self-certify or provide evidence of your investor status and understanding of risks.
  • Introducing you to specific investment opportunities (e.g. private placements, funds, or capital raises) and enabling you to participate in those opportunities. This may involve sharing some of your data with the company or fund offering the investment, or with intermediaries involved in the transaction, to arrange your investment (see Section 7: Disclosures).
  • Providing consulting or advisory communications that you have requested. For instance, sending you information memoranda, research reports, or insights related to an opportunity in our private capital marketsportfolio.
  • Administering our “Deal Room” platform (if you use it) – this includes processing your registration, managing login authentication, displaying relevant investment opportunities based on your profile, and enabling any transactions or communications through that platform.
  • Communicating with you about your account and the services: e.g., sending service updates, transaction confirmations, notices about changes to terms or this policy, and responding to any inquiries or support requests you make.
  • General client relationship management, including maintaining contact records and managing any contractual relationship between us.
  • Lawful basis: Performance of a contract – Most of this processing is necessary to deliver the services you have requested under our client agreement or terms of business. Where the individual is not directly a party (for example, you are an officer of a corporate client), our lawful basis may be legitimate interests – specifically, our legitimate interest in effectively providing services to the organisation you represent. We may also rely on consent for certain activities (for example, if you specifically consent to receive services or communications beyond what is necessary for contract performance, though generally our service communications are covered by contract or legal obligations).

• 5.2 To Verify Identity, Conduct Due Diligence and Comply with Legal Obligations:
  We process personal data to fulfill our legal and regulatory duties, particularly those related to financial regulations. This includes:
  
  • Anti-Money Laundering (AML) and Fraud Prevention: Using your identity documents and other information to carry out checks mandated by law (such as verifying identity, screening against sanctions/terrorist financing lists, and monitoring for suspicious activities). We may need to share your details with third-party compliance firms or databases to perform these checks.
  • Investor Eligibility and Suitability: Ensuring we only promote investments to appropriate persons. UK financial regulations (e.g., the Financial Services and Markets Act and FCA rules) restrict certain investment opportunities to certified investor categories. We therefore use your personal data to confirm your status (e.g., self-certified high net worth investor or professional client). This is both a regulatory requirement and part of our contract with you that before receiving any investment particulars, you must classify yourself appropriately and acknowledge the risks.
  • Record-Keeping Obligations: Keeping proper records of transactions, communications, and client identification, as required by laws (such as the Money Laundering Regulations 2017 or HMRC rules). For example, we retain copies of KYC documents and correspondence for a minimum period as required by law (see Section 10: Data Retention).
  • Regulatory Reporting and Audit: We may process and disclose data as needed to comply with requests from regulatory bodies or law enforcement, or during audits/inspections. For instance, if the Financial Conduct Authority (FCA) or Information Commissioner’s Office (ICO) requests information, or if we are required to report certain data breaches or suspicious activities.
  • Lawful basis: Legal obligation – Much of this processing is mandated by UK law or regulations (e.g. verifying identity for AML). Where legal obligation may not strictly apply but it is strongly advisable (e.g., checking investor status to comply with FCA guidance although we ourselves are not FCA-regulated), we rely on legitimate interests in maintaining compliance and ethical business practices. Additionally, processing to prevent fraud is typically in the legitimate interests of our business and its clients (and sometimes necessary for public interest in crime prevention).

• 5.3 To Manage and Improve Our Website, Platform and Services:
  We use data about how users interact with our website and digital platforms to administer and protect our business and website. This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. For example:
  
  • Monitoring website usage and traffic patterns to improve design and content. We may generate aggregated analytics about what content is most accessed or which marketing campaigns are effective (using cookies/analytics, see Section 9).
  • Ensuring IT security, including by using tools like reCAPTCHA which involve processing some user data to block bots, and keeping logs of login attempts to detect unauthorised access.
  • Testing new features on our Deal Room or website with user data in a controlled manner (where possible, we use anonymized data for testing).
  • Enhancing user experience by remembering your preferences (e.g., your chosen language or cookie settings) through functional cookies.
  • Lawful basis: Legitimate interests – We have a legitimate interest in ensuring the security and usability of our website and services. Where we use non-essential cookies or analytics, we will obtain your consent via the cookies banner (as required by PECR/ePrivacy rules) – see Section 9. You have the right to withdraw consent for cookies at any time (via our Cookie settings or your browser), which will not affect the core service provision but may alter your website experience.

• 5.4 To Provide Client Support and Communications:
  We process personal data when communicating with you for support or operational updates. For example, if you contact us with a question about an investment or need technical help with our online portal, we will use your contact information and any relevant account data to assist you. We may also record phone calls or keep email threads as part of our records. This is important for training, quality assurance, and to have an audit trail of important discussions or agreements. If you visit one of our offices, we might log your name at reception for security and safety purposes.
  Lawful basis: Legitimate interests – It is in both your and our interests that we can communicate effectively and resolve any issues with our services. In some cases, these communications are also part of contract performance(e.g., telling you about changes to a deal you are involved in, or maintenance downtime of our site).

• 5.5 For Marketing and Business Development:
  With your permission or as otherwise allowed by law, we may use your information to inform you about products, services, news or events that we think may interest you. This includes:
  
  • Newsletters and Insight Emails: If you subscribe, we will send periodic emails such as our weekly newsletter (featuring market insights or new investment opportunities), or invitations to events and webinars. We only send these to individuals who have opted-in (e.g., by ticking the consent box on our website forms or explicitly requesting to join our mailing list) or, if you are an existing corporate client, where we have a legitimate interest in keeping you updated on related services (and we have given you an easy opt-out option).
  • Direct Marketing to Businesses: For business clients or prospects, we may send marketing communications to your business contact details under the “soft opt-in” rule or legitimate interest, but only where this is in line with your preferences and permissible by law. We will always offer a clear unsubscribe in any marketing message.
  • Personalising Your Experience: We may tailor what marketing you receive based on your profile. For example, if you have shown interest in renewable energy investments, we might send you information on similar opportunities. This kind of profiling is to ensure our communications are relevant. It does not involve any solely automated decision that has legal or significant effects on you; it’s simply segmentation for marketing efficiency.
  • Marketing Analytics: We may use data like email open rates or website interactions to measure the effectiveness of our campaigns and improve them.
  • Lawful basis: Consent – We will obtain your consent for email marketing to individual recipients (for example, by having you tick an opt-in box or confirm via email). You have the right to withdraw consent at any time by clicking “unsubscribe” in any email or contacting us. In some scenarios involving corporate subscribers (business email addresses), we may rely on legitimate interests to inform you of our services, but only where you would reasonably expect such contact and have not opted out. We balance any such interest with your rights and will honour any opt-out request promptly.

• 5.6 To Fulfill Other Business or Legal Needs:
  There may be other processing activities that arise occasionally, such as:
  
  • Mergers or Business Transactions: In the event that we consider a merger, acquisition, restructuring, or sale of some or all of our business or assets, we may need to process and possibly transfer personal data to potential transaction partners (e.g., as part of a confidential due diligence process). We will ensure any such sharing is done under strict confidentiality and only as far as necessary for the transaction evaluation.
  • Legal Claims: We may process (and retain) personal data as necessary to establish, exercise or defend our legal rights. For instance, if there is a dispute with a client or a need to enforce our terms, we will use relevant data to support our case. This can include sharing information with our legal advisors or courts.
  • Anonymized or Aggregated Data: We may convert personal data into statistical or aggregated form for research or analysis, such that individuals are not identifiable. For example, we might aggregate how many investors from a certain region invested in a type of project, without revealing personal identities. Using data in this way helps us understand trends and does not identify any person, so it is no longer considered “personal data” and may be used for any purpose.
  • Lawful basis: These uses will typically rely on legitimate interests (our legitimate interest in the efficient running, protection, and proper exit strategy of our business, or in defending against claims). If a specific legal requirement applies (such as an order from law enforcement or a court), then legal obligation is the basis. We will ensure that any use under legitimate interests is necessary and proportionate, and will not override your rights and freedoms.

Important: We do not use your personal data for any wholly automated decision-making that produces legal or similarly significant effects about you. Any suitability or eligibility assessments involve human review. While we may use automated tools (e.g., for fraud detection or credit checks), decisions with substantial impact (like whether you can invest or not) are ultimately made by qualified staff, not algorithms alone. If this ever changes, we will update this policy and inform you of your rights regarding automated decisions.

Our website uses cookies and similar technologies to distinguish you from other users and to improve your browsing experience. When you first visit our site, you will be given a choice to Accept or Decline non-essential cookies via our cookie banner. Here is an overview of how we use cookies:

• Types of Cookies:
  
  • Essential Cookies: These are necessary for the website to function. For example, they allow you to log into secure areas (like your account) and load core site features. Without these cookies, services you’ve asked for (such as account login or remembering your progress in a form) cannot be provided. We do not require your consent for essential cookies.
  • Analytics and Performance Cookies: These cookies collect information about how visitors use our site (e.g. which pages are visited most often, whether users encounter errors). We use this information to improve our website over time. We employ Google Analytics and similar tools to help with this; these third-party services may set their own cookies. The data collected (e.g. page response times, referral websites, etc.) is aggregated and not intended to identify you personally. We will only deploy these cookies if you consent via the banner.
  • Functionality Cookies: These remember choices you make to give you better functionality and personal features. For example, we might use a cookie to remember your preferred region or language, or to keep you logged in during a session.
  • Targeting/Marketing Cookies: At present, we do not heavily use targeting or advertising cookies on our site. If this changes (for instance, if we begin showing advertisements or using retargeting pixels), we will update this policy. Any such cookies would require your consent and you would be informed about their purpose.

• Google reCAPTCHA: On forms (such as our contact form or account registration) we implement Google reCAPTCHA for spam protection. This tool may set a cookie or track certain information about your browser to determine whether you are a human user. The use of reCAPTCHA is covered by Google’s Privacy Policy. We implement it based on our legitimate interest in preventing automated abuse of our forms; however, the feature only runs when you interact with the form.
• Managing Cookies: You can manage or disable cookies at any time through our cookie preference center (accessible via the banner or a “Cookies” link on our site) or by adjusting your browser settings. However, blocking or deleting certain cookies may impact your experience; for example, you may not be able to log in or some pages might not remember your preferences. For detailed information on how to control cookies, refer to the help pages of your browser. You can also visit www.allaboutcookies.org for general guidance.
• Do Not Track: Our site does not currently respond to “Do Not Track” signals. If you have questions about our cookie use, feel free to contact us.

For further details, please see our Cookie Policy (if available on our website) which provides more specific information about each cookie and its duration. By continuing to use our website with cookies enabled, you are agreeing to our use of cookies as described here.

We treat your personal data with care and confidentiality. We do not sell your information to third parties. However, in the course of running our business and fulfilling the purposes described above, we may share your personal data with certain trusted third parties. These include:

• Investment and Business Partners: Given our role as an introducing broker working in partnership with other companies and organisations regulated by the FCA, we will share data with such partners when necessary to deliver an investment opportunity or service to you. For example:
  
  • If you choose to invest in a particular project or fund that we introduce, we will need to share your relevant details with the issuer/company or the FCA-regulated firm managing that investment, so they can process the investment (this might include your name, contact, amount invested, and KYC/AML info).
  • In some cases, our partners may include trustees, custodians, or receiving agents appointed for a transaction who verifies investor eligibility and handles AML checks and payment processing for an offer. Such parties will use your data strictly for those purposes and in line with their own legal obligations.
  • We might also share data with co-brokers or referral partners if they introduced you to us or vice versa, to ensure proper management of referral fees and avoid duplicated outreach. This is only done where necessary and usually under contractual terms to protect your data.

• Service Providers (Data Processors): We employ a number of third-party vendors to support our operations. These providers act on our instructions and provide services such as:
  
  • IT and Hosting Services: Companies that host our website, Deal Room platform, or cloud data storage. For instance, if our website is hosted on a third-party server or if we use cloud-based customer relationship management (CRM) software (such as HubSpot or similar) to store client contact details, those providers will process data on our behalf.
  • Email and Marketing Platforms: We may use platforms to send out newsletters or mass communications (for example, an email marketing service provider). If you are on our mailing list, your name and email may be stored with such a service. We ensure these providers have appropriate security and, where required, we have Data Processing Agreements in place.
  • Analytics and Performance Tools: As mentioned in Section 9, tools like Google Analytics may process pseudonymous data about website usage. These tools generally do not receive identifiable personal data (Google Analytics, for instance, uses IP anonymisation by default), but still count as third-party data processors.
  • Professional Advisors: We may share information with our auditors, lawyers, accountants, or other professional advisors where needed for advice or to manage business dealings. For example, if we need legal advice on a client agreement or to handle a dispute, our lawyers would access relevant personal data. They are obligated to keep such data confidential.
  • Administrative and Support Services: We may use outsourced administrative support, couriers (if we mail documents that include personal info), or document storage/shredding companies. All such providers are bound by confidentiality and data protection obligations.

• Regulators and Legal Authorities: If required or appropriate, we will disclose personal data to regulators, government bodies or law enforcement. For example:
  
  • The Information Commissioner’s Office (ICO) or any other data protection authority, if they request information during an investigation or in relation to a complaint (this could include responding to inquiries or demonstrating compliance).
  • The Financial Conduct Authority (FCA) or other financial regulators, if we are involved in or assisting with any regulatory query (even though Stockbrook Capital itself is not FCA-authorised, we engage with FCA-regulated partners and we adhere to regulatory standards, so there may be circumstances where the FCA or similar bodies request information).
  • Law enforcement or courts: If we receive a valid legal demand (such as a court order or subpoena) or need to report suspected criminal activity (e.g. potential fraud or money laundering) to the appropriate authorities. We will verify that any such request is legitimate and only disclose the minimum data necessary.
  • HM Revenue & Customs (HMRC) or other tax authorities, as required by tax laws (for instance, providing information on investment gains or payments if needed for tax compliance by either you or us).

• Within Our Corporate Group: If Stockbrook Capital were to have any subsidiaries, parent company, or affiliated entities (for example, if we establish international offices or related companies in other jurisdictions), we might share personal data within that corporate group as needed for business administration and to provide you services. Currently, Stockbrook Capital operates primarily through a single UK entity, but should this change, intra-group sharing would be covered by appropriate intra-group data protection agreements ensuring equivalent protection.
• Business Transfers: In the event that we undergo a business transition, such as a merger, acquisition by another company, or sale of all or part of our assets, personal data held by us may be transferred to the successor entity. If so, the acquiring party will be bound by this Privacy Policy in relation to your personal data, or we will notify you and obtain your consent if required by law. We will ensure any such transfer is lawful and subject to confidentiality.

In all cases of sharing, we minimise the data disclosed to only what is necessary for the third party’s purpose. We also ensure that any third party we share data with has an obligation to keep it secure and confidential – typically through a written contract or through their regulatory obligations. For example, when sharing data with an FCA-regulated partner, that partner is themselves bound by financial regulations and data protection law to handle your information properly. Similarly, our processors are contractually obligated to process data only for our purposes and to implement strict security measures.

If you would like more details about the third parties with whom we share personal data, you can contact us at any time. We can provide a list of categories of recipients and, where possible, names of key service providers we use for personal data processing.

Stockbrook Capital operates internationally, and as a result your personal data may be transferred to, and stored in, countries outside of the United Kingdom. For example:

• Many of our primary operations are in the UK, but we might engage with investors or partners in other countries (for instance, an investor resident in the EU or a deal partner based in the USA). In providing services to you internationally, there may be cases where personal data is accessed from or sent to locations abroad.
• Some of our external service providers may be based outside the UK (or may use servers located outside the UK). For instance, if we use a cloud IT provider or marketing email service whose data centers are in the United States or the European Economic Area (EEA), your data will be stored on those servers.
• Communications via email or our website can route through international networks or servers (this is generally incidental to how the internet works, but still constitutes a transfer if servers are abroad).

Whenever we transfer your personal data outside of the UK (or outside of the UK/EEA area), we will ensure a similar degree of protection is afforded to it by implementing appropriate safeguards as required by law. These safeguards may include:

• Adequacy Decisions: If the data is sent to a country that the UK (or EU) has determined provides an adequate level of data protection (for example, countries in the EEA are currently recognized by the UK as adequate, and other jurisdictions like New Zealand or Canada have adequacy status), then your data will be protected in essentially the same way as under UK law.
• Standard Contractual Clauses (SCCs): Where we transfer data to a country without an adequacy decision (such as the United States, in cases where our providers are US-based), we will use the relevant ICO or European Commission approved Standard Contractual Clauses in our contracts with the data importer. These are legal clauses that oblige the recipient to protect your data to UK GDPR standards. We also assess on a case-by-case basis whether additional technical and organisational measures are needed to ensure that transferred data remains secure.
• International Data Transfer Agreement (IDTA): If required (for UK-specific transfers), we may use the UK’s International Data Transfer Addendum or Agreement as applicable, either standalone or appended to SCCs, to cover the transfer.
• Binding Corporate Rules: In the event we ever rely on an intra-group scheme for transfers (such as if we have offices in multiple countries under one corporate group), we might implement Binding Corporate Rules. Currently, this isn’t applicable, as our structure is UK-based, but we mention it for completeness.
• Consent in exceptional cases: If none of the above safeguards are available for a particular transfer, we would only transfer with your explicit consent or where the transfer is necessary for our contract with you (e.g., if you instruct us to forward your details to a third party in a country without other protections, after being informed of risks).

You can request a copy of the safeguards we have in place for international transfers by contacting us (using the contact details in Section 2). We will be happy to provide general information about how we ensure compliance when transferring data overseas.

Please note: data transferred to foreign jurisdictions may be subject to local laws (for example, foreign government surveillance or access requests). However, our contractual and technical measures aim to prevent any undue exposure of your personal data. We continuously monitor the legal landscape for international transfers, especially following updates in global data protection laws, and will adjust our practices if needed to maintain compliance.

We recognise the importance of securing your personal data. Stockbrook Capital has implemented appropriate technical and organisational security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. These measures include:

• Technical Measures: We use secure servers and firewalls to protect our data systems. Our websites and online platforms employ encryption technologies – for instance, we ensure that any personal data you provide through our website forms is transmitted over HTTPS (secure SSL/TLS encryption). Stored data is protected by access controls, and sensitive fields (such as passwords) are hashed or encrypted. We maintain up-to-date anti-malware protection and monitoring tools to detect and block cyber threats. Where we use third-party cloud services, we choose reputable providers that offer robust security certifications (such as ISO 27001 or SOC 2 compliance).

• Access Control: Personal data is only accessible to those employees, contractors, or service providers who have a business need to know. Access to systems containing personal data is restricted and protected by strong authentication (passwords and, where feasible, multi-factor authentication). We regularly review user access rights and revoke any access that is no longer required. All staff are trained on the importance of confidentiality and data security.

• Physical Security: Our offices (including our data storage sites) have appropriate physical security controls. This may include secure entry systems, alarms, and, where data is stored in paper form, locked filing cabinets. The addresses of our offices are public, but access inside is controlled. We also maintain clean desk policies and secure disposal procedures for any physical documents containing personal data.

• Processes and Policies: We have internal policies on data protection, IT usage, and incident response. Staff are instructed on how to handle personal data properly, how to recognize and prevent phishing or other fraudulent attempts, and are required to adhere to confidentiality agreements. We limit the use of personal devices for work and ensure any portable media or print-outs are handled with care.
• Data Minimisation: We collect and process only the personal data that is necessary for our purposes. We anonymise data where possible, especially in testing or analytics contexts. When personal data is no longer needed, we ensure it is securely deleted or destroyed (see Section 10: Data Retention).

• Third-Party Assurance: When we engage third-party processors (as detailed in Section 7), we vet their security practices. We include contractual clauses requiring them to implement appropriate security and to notify us immediately in the event of any data breach or security incident involving our data. For example, if our marketing email provider experienced a breach, they are obligated to inform us so we can take action.

• Monitoring: We monitor our systems for potential vulnerabilities and attacks. We also keep software and systems updated with the latest security patches. Regular backups of critical data are performed, and we have disaster recovery plans in place to ensure business continuity in the event of an IT incident.

Data Breach Procedures: Despite all efforts, no method of transmission over the internet or method of storage is completely secure. We have a detailed Data Breach Response Plan to handle any suspected personal data breach swiftly and effectively. If a breach occurs, we will contain and investigate it immediately. We will assess the risk to your rights and freedoms – if it is likely to result in a significant risk (for example, potential for financial loss, identity theft, or confidentiality breach), we will notify the ICO within 72 hours as required by law. We will also inform affected individuals without undue delay when required (for instance, if there is a high risk of harm from the breach). We document all breaches, regardless of severity, including the facts, effects, and remedial actions taken. In summary, we strive to keep your data secure using industry best practices. However, if you have reason to believe that any interaction with us is no longer secure (for example, if you suspect your account has been compromised), please contact us immediately.

We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. In determining the appropriate retention periods, we consider the following criteria:

• Legal and Regulatory Requirements: Certain laws mandate minimum retention periods for specific types of data. For example:
  
  • Anti-Money Laundering (AML) records (such as copies of identity documents and transaction records) are generally required to be kept for five years after the end of the business relationship or the date of a one-off transaction, under UK Money Laundering Regulations. We will typically keep KYC records for at least this period, and possibly longer if recommended by regulators or needed to demonstrate compliance.
  • Contractual and Investment Records: We may keep records of contracts, communications, and transactions for up to six years after our relationship with you ends. This period is often chosen because it aligns with the UK’s statutory limitation period for legal claims (for most contractual claims, six years is the limit to bring an action). Keeping records for this duration helps us defend against any legal claims or queries that arise after you stop being a client. It also aligns with certain tax record requirements, ensuring we have relevant information for HMRC or financial audits.
  • Companies Act requirements: As a business, we keep company records (which might include some personal data, like board meeting minutes containing names) as required by law. Some of these (like statutory registers) may need to be kept indefinitely.

• Business Needs: If you are an active client or have an ongoing relationship with us, we will retain your data for the duration of that relationship. Some specific guidelines:
  
  • Active Accounts: For clients with an active account on our platform or ongoing investments, we retain personal data throughout the life of the account or investment plus a reasonable period (e.g., until the investment is fully exited and all obligations met, plus any additional period required by law or contract).
  • Prospective Clients: If you have shown interest in our services but do not ultimately use them (for example, you inquired or registered but never proceeded with an investment), we may retain your data for a shorter period. Typically, we would keep such inquiry data for a couple of years in case you come back or to follow up, but we will delete it upon request earlier if you prefer (assuming no legal requirement to keep it).
  • Marketing Data: If you have consented to receive marketing, we will keep your contact details until you unsubscribe or ask us to delete them. If you opt-out of marketing, we will add your contact to a “suppression list” (to ensure we do not accidentally send you further communications) and keep that suppression record indefinitely to honour your opt-out.

• Technical Data: Website logs and analytics data are typically kept for a relatively short period (often 12 to 24 months) unless we need to keep them longer (for example, if needed for security investigations). Aggregated analytics that no longer identify you may be kept longer for trend analysis.

• Cookies: Different cookies have different lifespans (see Section 9). For example, session cookies last only while your browser is open, while some analytics cookies may last 6-24 months unless cleared. You can clear cookies at any time from your browser.

After the retention period expires, or if the data is no longer needed, we will securely destroy, delete, or anonymize your personal data. Secure destruction might involve shredding physical documents or using specialized software to permanently erase electronic data. When anonymising, we remove personal identifiers so that the data can no longer be linked to any individual (we may keep anonymised data for analysis).

Exceptions: In some cases, we may retain data for longer than stated above, for instance:

• If there is an ongoing dispute, investigation, or litigation, we will keep data until it is resolved and no further appeal is possible, even if that extends beyond normal retention periods.
• If we are instructed by a regulatory authority or hold a reasonable belief that data must be preserved (e.g. a “litigation hold” in anticipation of legal proceedings), we will not delete relevant data until clearance is obtained.
• Backup archives: Our IT system may keep backups that are not immediately erasable. We will ensure that any such backups are stored securely and are isolated, and we will delete or overwrite them in the normal cycle (which may mean some data persists for a short period beyond its active deletion, but it will not be accessible easily or used for any new purpose in the interim).

If you have any specific questions about our retention practices for different types of data, please contact us. We can provide more detail or consider any valid requests for earlier deletion (see Section 11: Your Rights).

Under data protection law, individuals have a number of rights regarding their personal data. Stockbrook Capital is committed to honoring these rights. Below is a summary of your rights and how you can exercise them:

• 11.1 Right to Be Informed: You have the right to be given clear and transparent information about how your personal data is collected and used. This Privacy Policy is one of the ways we fulfill this right. If you have any questions about our data practices, we will be happy to provide further information.

• 11.2 Right of Access: You have the right to access your personal data that we hold, commonly known as making a “Data Subject Access Request” (DSAR). This means you can ask us to confirm whether we are processing your personal data and provide you with a copy of that data, along with certain supplementary information (similar to what’s provided in this Policy: the purposes of processing, categories of data, recipients, etc.).
  How to exercise: If you want to access the data we hold about you, please contact us (see Section 2 for contact details). To help us process your request, please describe the information you want to see. We may need to verify your identity before releasing data (to ensure we don’t give your data to an unauthorized person). Access requests are generally free of charge, but we are permitted to charge a reasonable fee or refuse if a request is manifestly unfounded or excessive (for example, repetitive requests). We will respond within one month of receiving a valid request (or notify you within that time if we need an extension due to complexity, which can be up to a further two months).

• 11.3 Right to Rectification: You have the right to have inaccurate personal data corrected, or completed if it is incomplete. If you discover that the information we hold on you is incorrect or outdated (for example, you change your address or your name), please inform us so we can update our records.
  How to exercise: Contact us with the details of the data that is incorrect and what the correct data should be. For certain services, you might also be able to log into your account and update your information directly (e.g. update your contact details on our platform). We will make the correction as soon as possible and at the latest within one month, unless there is a reason we cannot (in which case we’ll explain why, e.g., if we believe the data we have is correct and we are legally allowed to keep it as is).

• 11.4 Right to Erasure (Right to be Forgotten): In certain circumstances, you have the right to have your personal data erased. This is not an absolute right, but you can request deletion when:
  
  • The data is no longer necessary for the purposes for which it was collected (and no other lawful basis applies).
  • You originally gave consent for the processing and now choose to withdraw it, and we have no other legal ground to continue processing.
  • You object to processing based on our legitimate interests (or for direct marketing purposes) and we have no overriding legitimate grounds to continue.
  • We have processed your data unlawfully or failed to comply with UK GDPR.
  • There is a legal obligation to erase the data.
    Please note, due to the nature of our services, we often have legal obligations that require retention of certain data (e.g., investment records, anti-money laundering info). We may not be able to erase data immediately if it conflicts with those obligations (see our retention periods in Section 10).
    How to exercise: You can send us a request specifying which data you want erased. We will evaluate if the conditions for erasure are met. If yes, we will erase the data and also notify any third parties who received it (where feasible). If we must refuse (e.g. we must keep the data for legal reasons), we will inform you of the specific reason. We aim to respond to erasure requests within one month.

• 11.5 Right to Restrict Processing: You have the right to request that we restrict (i.e., pause or limit) the processing of your personal data in certain situations. You might exercise this right if:
  
  • You contest the accuracy of your personal data – you can request restriction while we verify the accuracy and correct it.
  • The processing is unlawful, but you do not want the data erased (for example, you prefer we keep the data but not use it).
  • We no longer need the data, but you need it preserved for the establishment, exercise or defense of legal claims.
  • You have objected to processing (see 11.6 below) and we are considering whether our legitimate grounds override yours.
    During a period of restriction, we will store your data but not actively use it (except to the extent needed for legal claims, to protect the rights of others, or with your consent).
    How to exercise: Contact us with your request to restrict, explaining the reason. We will acknowledge and implement the restriction if appropriate. We will also inform you before lifting any restriction.

• 11.6 Right to Object: You have the right to object to certain processing activities:
  
  • Direct Marketing: You can always object to processing of your personal data for direct marketing purposes. If you object, we will stop using your data for marketing immediately. This is an absolute right. (This includes profiling related to direct marketing.) So, if you no longer wish to receive our newsletters or marketing calls, simply let us know and we will remove you from our marketing list.
  • Legitimate Interests: If we are processing your data based on our legitimate interests (see the relevant sections above), you have the right to object to that processing if you feel it impacts your fundamental rights and freedoms. However, we may continue if we have compelling legitimate grounds that override your interests or if the processing is for the establishment, exercise or defense of legal claims. For example, if you object to us processing your data for fraud prevention (which is our legitimate interest), we may argue that we have compelling grounds to continue given the importance of preventing fraud.
    How to exercise: For marketing, you can opt out by clicking “unsubscribe” in emails or asking our caller to not contact you again, or by contacting us directly. For other objections, contact us specifying the processing you object to and your reasons (if applicable). We will respond, either by ceasing the processing or by providing our justification for continuing (if we believe we have overriding grounds).

• 11.7 Right to Data Portability: Under certain conditions, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (for example, CSV or JSON), and you have the right to transmit that data to another controller (or ask us to do so, where technically feasible). This right only applies when:
  
  • The processing is based on your consent or on a contract with you; and
  • The processing is carried out by automated means (i.e., electronic data, not paper files).
    In practice, this right might apply to data you provided in an online account or form. For example, if you gave us data to sign up for our services, you could request a copy of those sign-up details in a portable format to transfer to a different service provider.
    How to exercise: Contact us specifying that you want a copy of your data for portability. If the data meets the criteria, we will provide it in a suitable format (and/or directly transmit to a new provider if you request and if possible). We will do so within one month of your request if feasible.

• 11.8 Rights related to Automated Decision-Making: As noted, we do not carry out solely automated decision-making with legal or similarly significant effects. If we ever introduce automated decision processes (e.g., algorithmic creditworthiness checks with no human oversight), you would have the right not to be subject to such a decision without human intervention, and the right to express your point of view and contest the decision. We will inform you if this becomes relevant. For now, this right is not applicable in any material way given our processes.

• 11.9 Right to Withdraw Consent: In situations where we rely on your consent to process personal data (e.g. for sending electronic marketing communications or placing certain cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will mean we stop the specific activity you had consented to. For example, if you consented to our newsletter, you can later opt out and we will cease sending it.
  How to exercise: You can withdraw consent by adjusting your preferences (for example, unchecking a previously checked box, toggling off cookie consent, etc.), clicking “unsubscribe” in an email, or contacting us directly to let us know which consent you are withdrawing.

To exercise any of your rights, please use the contact information provided in Section 2. We may need to ask for certain information to confirm your identity (this is to ensure we don’t disclose data to the wrong person). You do not have to pay a fee to exercise your rights; all legitimate requests are handled free of charge. However, as mentioned, if a request is clearly unfounded, repetitive, or excessive, we may either charge a reasonable fee to cover administrative costs or refuse to comply (we will explain our reasoning in such cases).

We will respond to all valid requests as soon as possible and at the latest within one month, as required by law. If your request is particularly complex or if you have made a number of requests, we may extend this period by an additional two months, but we will inform you of the extension and the reasons for it within the first month.

Your right to complain: If you are dissatisfied with how we have handled your personal data or any request you have made, please let us know so we can try to resolve it. However, if you remain unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact the ICO at 0303 123 1113 or via their website (ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please consider reaching out to us first.

As noted above, Stockbrook Capital is registered with the UK Information Commissioner’s Office under the Data Protection Regulations. Our ICO registration number is ZB902661, and our certificate can be viewed or downloaded from the ICO’s public register of data controllers. This registration means we have paid the annual data protection fee and have committed to handling personal data in accordance with the ICO’s requirements and data protection law.

You can verify our registration on the ICO website by searching for “Stockbrook Capital Limited” or by using our registration number. The ICO’s register lists our company name and address, registration reference, and the date of our registration’s renewal. For convenience, if you would like a copy of our ICO Registration Certificate, we can provide you a PDF copy upon request, or you may download it directly from the ICO register. (Visit the ICO’s “Search the Register” page and enter our company name; our entry includes a link to the certificate in PDF form.)

Registering with the ICO is one aspect of our compliance. We also actively follow ICO guidance and best practices on data protection. For example, we align our privacy practices with ICO recommendations and ensure staff are trained on GDPR compliance.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will take steps to inform you: for instance, by posting a prominent notice on our website and, if appropriate, notifying you via email or through your account.

The “Last Updated” date at the top of this Policy indicates when the latest changes were made. Please check back periodically to review any updates.

If we plan to use your personal data for a new purpose not outlined in this Policy, we will provide you with a new notice explaining that use and any relevant conditions, and seek your consent if required.

If you have any questions about this Privacy Policy or how we handle your personal information, please contact our Compliance Team:

• Email: compliance@stockbrookcapital.co.uk
• Postal Address: Compliance Team – Data Protection, Stockbrook Capital Limited, 15 Gosditch Street, Cirencester Gloucestershire GL7 2AG, United Kingdom
• Telephone: +44 (0)1285 440 222 (please ask for the Data Protection compliance manager)

We will be happy to assist with any queries, requests or feedback you have. Your privacy is important to us, and we welcome the opportunity to clarify our practices or address any issues.