Privacy Notice

1. Who we are

PropUp Corporate ('we' or 'us' or 'our') refers to the following legal entities who individually act as the data controller:

• PropUp Corporate is incorporated in England and Wales with company number 14608866. Registered office: 412 Malden Road, London, KT4 7NG

PropUp Corporate gathers and processes your personal data in accordance with this privacy notice and relevant data protection laws. We may process personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.

This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.

2. Personal information processing

a. Restructuring and Insolvency - Corporate Clients Privacy Notice

In this section, the term "Company" refers to the business which is subject to an Insolvency or restructuring regime (each referred to as an "Insolvency").

Insolvency Practitioners and PropUp Corporate's roles in Insolvency Proceedings

Definitions under Data Privacy Laws:

• A controller is an individual or legal person who decides how and why personal data is processed. A controller is in control and is responsible for the collection, keeping and use of personal data.
• A processor is an individual or legal person (other than an employee of a controller) which processes personal data on behalf of a controller.

The data controller for personal data processed by the Company prior to the Insolvency is the Company.  Upon appointment, the Insolvency Practitioners act in the capacity of agents of the Company in fulfilling the role of managing the Company's affairs, business and property and so the Company continues to be the controller for personal data collected and processed in this context.

The Insolvency Practitioner will typically be the Data Controller in respect of the information and the personal data they process to comply with their own legal and regulatory requirements as Insolvency Practitioners.

PropUp Corporate may act as a data processor on behalf of the Insolvency Practitioner or the Company as appropriate in relation to the engagement.

What we collect

We collect personal data about our clients in relation to a Corporate Insolvency (directors, shareholders, partners and owners) which is necessary to effectively deploy our professional services as agreed with our clients.

The types of data we collect, and process can vary, it may include:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
• Date of birth;
• Gender;
• Marital status, cohabitees/co-occupants and dependents;
• National Insurance number;
• Occupation and function within the Company;
• Bank account details, payroll records and tax status information;
• Location of employment or workplace;
• Salary/wage details;
• Pension arrangements and benefits;
• Details of any vehicle provided to you by the Company;
• Details of any other valuable property (assets) that you have acquired from the Company;
• Amounts of any bonuses, dividends or other financial benefits received by you from the Company;
• Photo ID produced to confirm your identity;
• Details of any personal guarantees or indemnities you may have given in respect of the Company's liabilities
• Any explanation you provide of the reasons for the Company's insolvency (where appropriate);
• Details of any proposed role or function you may undertake in respect of a successor business (where appropriate);

In limited circumstances, we may also collect, store and use "special categories" of more sensitive personal information.

We collect data:

• Directly when you initially contact us and through the advisory process
• Indirectly through subsequent interactions with our clients, from a third party acting on our clients' instructions, or from other third parties (including publicly available information such as Companies House)
• From time to time, we may collect additional personal information in the course of our investigation into a Company's affairs. These investigations may involve contacting third parties that are known or suspected to have had business or financial dealings with the client, where we consider that the information they may provide could assist us to properly administer the affairs of the Company
• From a number of other sources in a formal Insolvency process, such as the Official Receiver (in England), Accountant in Bankruptcy (in Scotland), In all cases (both solvent and insolvent) information may also be received from the creditors, debtors and employees of the Company, and/or other stakeholders in the process that make such information available to us in the course of administering the affairs of the Company
• From information contained in the Company's books and records which is obtained when the officeholder is appointed though in respect of this information, the Office Holder will not generally be a Data Controller of it but will be acting as agent on behalf of the business

How we use your personal data and legal basis for processing

We process your personal data for various purposes including (but not limited to):

We may also use personal information in the following situations, which are likely to be less common:

• when it is necessary to protect your interests, if you are identified as being subject to a vulnerability;
• when it is necessary to protect someone else's interests (for instance, if you have or have been alleged to have acted in a violent or abusive manner toward our staff); or
• when it is necessary in the public interest or for official purposes as an Insolvency Office Holder (such as in connection with any corporate governance offences that have or are alleged to have been committed).

If you fail to provide personal information

If you fail to provide certain information when requested, we may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer the affairs of an insolvent Company from third parties.

Special categories (sensitive) personal data

Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as "special categories" of personal data. These relate to a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.

There are a number of situations where we might possess special categories of data about you:

• In limited circumstances, special category data may be provided by you where it impacts on the financial position of the Company and is relevant to ensure appropriate advice is given and subsequent disclosure made. Depending on the insolvency procedure we may not need your consent to have or use this information, where it is relevant to the performance of our functions as an Insolvency Practitioner. Where your consent is required, you will be provided with full details of the information that is sought and the reason it is needed, so that you can carefully consider whether to consent. It is not a condition of us providing you with restructuring advice or insolvency services that you agree to any request for consent. You have the right to withdraw any given consent at any time, upon which we will no longer process the information for the purpose originally agreed to, unless there is another legitimate basis for doing so in law
• We may possess special category information where it is needed in relation to legal claims or proceedings relating to the affairs of the Company. Depending upon the nature of the information we receive, we may not need your consent to have this information
• When such information is needed in the public interest, such as where you lack the mental capacity to deal with the affairs of the Company or where a lasting power of attorney has been provided to another person in respect of your affairs, we do not require your consent to have this information

Information about criminal convictions

We envisage that we may hold information about criminal convictions where these are relevant to the causes of failure of the Company or the performance of the functions of an Office Holder. If it becomes necessary to do so, we will only use this information where we have a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an Insolvency Office Holder.

We may also use information relating to criminal convictions where:

• it is necessary in relation to legal claims
• it is necessary to protect your vital interests (or someone else's vital interests) and you are not capable of giving consent
• Where it is relevant to the statutory reporting obligations of an Insolvency Office Holder
• you have already made the information public, or the information is otherwise in the public domain

We will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring adviser or Insolvency Office Holders. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third parties involved in Insolvency proceedings, including but not limited to the courts, Official Receiver, creditors, Companies House and other third parties involved
• Third party organisations that provide identification checking services
• Third party organisations that provide applications/functionality, data processing or IT services to us
• Other third parties as instructed by youOur trade associations, professional bodies and business associates e.g. agents, auditors, solicitors, accountants etc.

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records collected and created in Formal Insolvency matters for 7 years after the conclusion of the case administration and the officeholder's discharge of appointment.

Your rights

Your rights in relation to the personal data that we process will depend upon the lawful basis or bases upon which we are holding it.  This will vary depending upon where the information has come from (yourself or a third party, such as the Official Receiver in an Insolvency situation) and the nature of our relationship with you. Personal data may be held for more than one lawful basis. Details of the basis or bases we believe we have for processing your data can be found in the relevant sections of our Privacy Notice.

• Prospective Clients: If we have provided you with advice about restructuring options or cessation options, you will have a number of rights available to you, which may include access, restriction or transfer and to a lesser degree, erasure.
• Insolvency Act Clients: Where we are formally appointed to administer the affairs of a Company (in Liquidation (solvent or insolvent), Administration, Administrative Receivership, Receivership or Company Voluntary Arrangement), there are certain periods that the law requires us to maintain information about the case. Where we are formally appointed to administer the affairs of a business, we are unlikely to be able to agree to a request to erase, restrict or transfer your information, but will explain this to you in further detail should such a request be made.
• Erasure and Rectification: Upon commencement of a formal insolvency, where that information will form part of the legal records of the case and we will be required to retain it, we would be unable to erase or rectify any information though we will make a record where you consider it to be inaccurate. We will always be grateful to receive updates to contact information etc. but will not be able to amend or erase historic information that is part of the formal record of an Insolvency case, such as your address at the time of the Insolvency or the amounts stated owed to the creditors.
• Portability: This right only applies to information that you have provided (so would not apply to information supplied to us by the Official Receiver, or the people you owe money to in an Insolvency situation.) It does not apply to formal Insolvency cases, where our lawful basis for processing is "legal obligation".
• Restriction of processing: In the case of a formal Insolvency appointment, we are unlikely to be able to restrict or erase any data that forms part of the formal record of the Insolvency case, though any such request will be considered upon its merits and a full explanation will be provided to you in response to your request.
• Legal Claims: Where legal claims are involved, we may not be able to provide you with access to all of the information we hold, as some of it will be subject to legal professional privilege.

b. Restructuring and Insolvency - Personal Clients Privacy Notice

In this section, the term "Debtor" refers to an individual who is subject to an Insolvency or restructuring regime (each referred to as an "Insolvency").

Insolvency Practitioners and PropUp Corporate's roles in Insolvency Proceedings

Definitions under Data Privacy Laws:

• A controller is an individual or legal person who decides how and why personal data is processed. A controller is in control and is responsible for the collection, keeping and use of personal data.
• A processor is an individual or legal person (other than an employee of a controller) which processes personal data on behalf of a controller.

The data controller for personal data processed by the Debtor prior to the Insolvency is the Debtor.  Upon appointment, the Insolvency Practitioners act in the capacity of agents of the Debtor in fulfilling the role of managing the Debtor's affairs, business and property and so the Debtor continues to be the controller for personal data collected and processed in this context. The Insolvency Practitioner will typically be the Data Controller in respect of the personal data they process to comply with their own legal and regulatory requirements as Insolvency Practitioners.

PropUp Corporate may act as a data processor on behalf of the Insolvency Practitioner or the Debtor as appropriate in relation to the engagement.

What we collect

We collect personal data about our Personal Insolvency clients which is necessary to effectively deploy our services as agreed with our clients.

The types of data we collect, and process can vary, it may include:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
• Date of birth;
• Gender;
• Marital status, cohabitees/co-occupants and dependents;
• National Insurance number;
• Occupation;
• Accounting information (where self-employed or a higher rate tax payer)
• Bank account details, payroll records and tax status information;
• Location of employment or workplace;
• Salary/wage details;
• Housing benefit, Social Security or Tax Credit information;
• Student loans or grants
• Pension arrangements and benefits;
• Savings accounts and plans
• Shareholdings
• Life assurance policiesInsurance policies;
• Details of any vehicle you own or use and the associated running costs;
• Details of any other valuable property (assets) that you own or have an interest in;
• Account numbers and amounts you owed to your creditors;
• Details of your regular monthly expenditure, including to whom it is paid;
• Photo ID produced to confirm your identity;
• Leases and tenancy agreements;
• Property ownership information;
• Directorships information;
• Any explanation you provide for the reasons for your debt problems (where appropriate);

In limited circumstances, we may also collect, store and use "special categories" of more sensitive personal information.

We collect data:

• Directly when you initially contact us and through the advisory processIndirectly through subsequent interactions with you, from a third party acting on your instructions, or from other third parties (including publicly available information)
• From time to time, we may collect additional personal information in the course of our investigation. These investigations may involve contacting third parties that are known or suspected to have had business or financial dealings with you, where we consider that the information they may provide could assist us to properly administer the Debtor's estate
• From a number of other sources in a formal Insolvency process, such as the Official Receiver (in England), Accountant in Bankruptcy (in Scotland), and in all cases from the creditors, debtors and employees of the Client, and/or other stakeholders in the process that make such information available to us in the course of administering the Debtor's estate

How we use your personal data and legal basis for processing

We process your personal data for various purposes including (but not limited to):

We may also use personal information in the following situations, which are likely to be less common:

• when it is necessary to protect your interests, if you are identified as being subject to a vulnerability;
• when it is necessary to protect someone else's interests (for instance, if you have or have been alleged to have acted in a violent or abusive manner toward our staff); or
• when it is necessary in the public interest or for official purposes as an Insolvency Office Holder (such as in connection with any bankruptcy offences that have or are alleged to have been committed)

If you fail to provide personal information

If you fail to provide certain information when requested, we may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer your affairs from third parties.

Special Categories (sensitive) Personal Data

Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as "special categories" of personal data. These relate to a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.

There are a number of situations where we might possess special categories of data about you:

• In limited circumstances, special category data may be provided by you where it impacts on your financial position and is relevant to ensure appropriate advice is given and subsequent disclosure made. Depending on the insolvency procedure we may not need your consent to have or use this information, where it is relevant to the performance of our functions as an Insolvency Practitioner. Where your consent is required, you will be provided with full details of the information that is sought and the reason it is needed, so that you can carefully consider whether to consent. It is not a condition of us providing you with restructuring advice or insolvency services that you agree to any request for consent. You have the right to withdraw any given consent at any time, upon which we will no longer process the information for the purpose originally agreed to, unless there is another legitimate basis for doing so in law
• We may possess special category information where it is needed in relation to legal claims or proceeding relating to your debt problems. Depending upon the nature of the information we receive, we may not need your consent to have this information.
• When such information is needed in the public interest, such as where you lack the mental capacity to deal with your financial affairs and/or where a lasting power of attorney has been provided to another person in respect of your affairs, we do not require your consent to have this information

Information about criminal convictions

We envisage that we may hold information about criminal convictions where these are relevant to the causes of your debt problems or the performance of the functions of an Office Holder. If it becomes necessary to do so, we will only use this information where we have a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an Insolvency Office Holder.

We may also use information relating to criminal convictions where:

• it is necessary in relation to legal claims
• it is necessary to protect your vital interests (or someone else's vital interests) and you are not capable of giving consent
• you have already made the information public, or the information is otherwise in the public domain

We will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring advisor or Insolvency Office Holders. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third parties involved in Insolvency proceedings, including but not limited to the courts, Official Receiver, Accountant in Bankruptcy, creditors, and other third parties involved
• Third party organisations that provide identification checking services
• Third party organisations that provide applications/functionality, data processing or IT services to us
• Our trade associations, professional bodies and business associates e.g. agents, auditors, solicitors, accountants etc.

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records collected and created in Formal Insolvency matters for 7 years after the conclusion of the case administration and the officeholder's discharge of appointment.

Your Rights

Your rights in relation to the personal data that we process will depend upon the lawful basis or bases upon which we are holding it.  This will vary depending upon where the information has come from (yourself or a third party, such as the Official Receiver or Accountant in Bankruptcy in an Insolvency situation) and the nature of our relationship with you. Personal data may be held for more than one lawful basis. Details of the basis or bases we believe we have for processing your data can be found in the relevant sections of our Privacy Notice.

• Prospective Clients: If we have provided you with advice about restructuring options, you will have a number of rights available to you, which may include access, restriction or transfer and to a lesser degree, erasure.
• Insolvency Act Clients: Where we are formally appointed to administer the affairs of a Debtor (in sequestration, bankruptcy, trust deed or individual voluntary arrangement), there are certain periods that the law requires us to maintain information about your case. Where we are formally appointed to administer the affairs of a Debtor, we are unlikely to be able to agree to a request to erase, restrict or transfer your information, but will explain this to you in further detail should such a request be made.
• Erasure and Rectification: Upon commencement of a formal Insolvency, where that information will form part of the legal records of the case and we will be required to retain it, we would be unable to erase or rectify any information though we will make a record where you consider it to be inaccurate. We will always be grateful to receive updates to contact information etc. but will not be able to amend or erase historic information that is part of the formal record of an Insolvency case, such as your address at the time of the Insolvency or the amounts you stated that you owed to your creditors.
• Portability: This right only applies to information that you have provided (so would not apply to information supplied to us by the Official Receiver, Accountant in Bankruptcy, or the people you owe money to in an Insolvency situation.) It does not apply to formal Insolvency cases, where our lawful basis for processing is "legal obligation".
• Restriction of processing: In the case of a formal Insolvency appointment, we are unlikely to be able to restrict or erase any data that forms part of the formal record of the Insolvency case, though any such request will be considered upon its merits and a full explanation will be provided to you in response to your request.
• Automated decision-making: The amounts you may be asked to pay each month from your income towards the repayment of your debts may be calculated using tools which assess the level of surplus income available for debt repayment once your allowable expenditure has been deducted. These tools do permit an element of human intervention, although the initial calculation is an automated one.Different tools are used depending on whether you live in Scotland and England, different tools may be used for different types of debt solution. If you would like further information about the tools used to calculate any contribution you may have to make, please contact us at compliance@propup.com.
• Legal Claims: Where legal claims are involved, we may not be able to provide you with access to all the information we hold, as some of it will be subject to legal professional privilege.

c. Corporate Clients (and individuals whose personal data is obtained in association)

(and individuals whose personal data is obtained in association)

What we collect

We collect personal data about our corporate clients (and associated individuals) which is necessary to effectively deploy our professional services as agreed with our clients.  We ask our clients to provide the necessary information to other associated data subjects regarding their personal data use whilst performing our services.

The types of data we collect, and process can vary, it may include:

• Personal details e.g. name and date of birth
• Contact Information e.g. email address, contact number and postal addresses
• Anti-Money Laundering (AML) Identification information (i.e. driver's licence and passport copies which include biographical and contact information)
• Employee Information e.g. role, experience, benefits and salary
• Financial Information e.g. salary and payroll information, and other financial-related details such as income and investments etc
• Statutory Company Information (including business activities)

On occasion, for some of our services and when required under a legal obligation, we may also process sensitive data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) about you, which we ensure is processed securely and within the strict legal parameters.

We collect data;

• Directly when you initially contact us
• Indirectly through subsequent interactions with our clients, from a third party acting on our clients’ instructions, or from other third parties (including publicly available information)

How we use your personal data and legal basis for processing

We process your personal data for various purposes including (but not limited to):

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third party organisations such as appropriate lenders and lawyers to facilitate the set up and completion of a transaction
• Third party organisations that provide identification checking services
• Third party organisations that provide applications/functionality, data processing or IT services to us
• Other third parties as instructed by youOur trade associations, professional bodies and business associates e.g. auditors, insurers, solicitors, accountants etc.

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records and documentary evidence created in the provision of our professional services for 7 years after the end of the engagement, in the absence of specific legal, regulatory or contractual requirements.

d. Stakeholders in relation to an Insolvency Privacy Notice

In this section, the term "Company" refers to the business which is subject to an Insolvency or restructuring regime (each referred to as an "Insolvency").

Insolvency Practitioners and PropUp Corporate's roles in Insolvency Proceedings

Definitions under Data Privacy Laws:

• A controller is an individual or legal person who decides how and why personal data is processed. A controller is in control and is responsible for the collection, keeping and use of personal data.
• A processor is an individual or legal person (other than an employee of a controller) which processes personal data on behalf of a controller.

The data controller for personal data processed by the Company prior to the Insolvency is the Company.  Upon appointment, the Insolvency Practitioners act in the capacity of agents of the Company in fulfilling the role of managing the Company's affairs, business and property and so the Company continues to be the controller for personal data collected and processed in this context.

The Insolvency Practitioner will typically be the Data Controller in respect of the information and the personal data they process to comply with their own legal and regulatory requirements as Insolvency Practitioners.

PropUp Corporate may act as a data processor on behalf of the Insolvency Practitioner or the Company as appropriate in relation to the engagement.

What we collect

We collect personal data about stakeholders in relation to an Insolvency when we provide advice to a Company or Debtor about their financial difficulties so that we can get a full picture of their circumstances.  When a Company or Debtor is subject to formal Insolvency proceedings, the Debtor or controllers of the Company are required to provide certain information.

The types of data we collect, and process can vary, it may include:

Creditors: If you are owed money as an individual (for instance, because you are a sole trader who has not been paid for work you have conducted), we need to know your name, address, contact email (if you have one), confirmation of the amount you are owed and your bank account details. This is so that we can contact you with notification about the case, provide you with an opportunity to exercise your rights as a creditor and facilitate an electronic bank transfer if necessary. We are unlikely to hold any other personal information about you.

Book Debtors: If you are a customer of a Company that is insolvent and haven't paid for the product or service you received, it is likely that we will hold details of your name, address, contact email (if you have one) and confirmation of the amount owed. We need this information so that we can collect any amounts that are due to the Company. We will be unlikely to hold any other personal information about you.

Employees: If you were employed by a Company that has become Insolvent, the Insolvency Office Holder has a number of responsibilities in relation to money that the Company owes you. We are likely to be processing the following information:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• Date of birth
• Gender
• Employee information such as national insurance number, occupation and function within the Insolvent business, location of employment or workplace, salary, record of your holiday entitlement and other absence information
• Financial Information such as bank account details, payroll records and tax status information

We may also have access to your full personnel file, although this will be information we have access to as an agent on behalf of your former employer and we do not consider ourselves to be the Data Controller of it, although will use our best endeavours to ensure that it is only processed in accordance with the legislation.

Other Stakeholders: An Insolvency Office Holder will interact with various parties in the course of their investigations into and administrations of the affairs of an Insolvent entity.

In the course of that work, we may come into possession of various items of personal data, such as (but not limited to):

• Share ownership information, including bank details if required
• the contents of wills
• the details of beneficiaries under a trust
• the beneficiaries under assurance and insurance policies
• vehicle ownership details
• the details of joint owners of property or other assets
• the spouses, cohabitees and dependents of Debtors and their financial contribution to shared expenditure
• details of parties jointly liable for any debts owed by the Insolvent entity
• any other information that is relevant to the assets, liabilities or causes of failure of the Insolvent entity

We collect data:

• From our clients during an advisory process or formal insolvency proceedings
• From information contained in the Company's books and records which is obtained when the officeholder is appointed though in respect of this information, the Office Holder will not generally be a Data Controller of it but will be acting as agent on behalf of the Company
• From time to time, we may collect additional personal information in the course of our investigation into a Company's affairs. These investigations may involve contacting third parties that are known or suspected to have had financial dealings with the Company, where we consider that the information they may provide could assist us to properly administer the affairs of the Company
• From a number of other sources in a formal Insolvency process, such as the Official Receiver (in England), Accountant in Bankruptcy (in Scotland). In all cases (both solvent and insolvent) information may also be received from the creditors, debtors and employees of the Company, and/or other stakeholders in the process that make such information available to us in the course of administering the affairs of the Company

How we use your personal data and legal basis for processing

Personal information will only be processed when there is a lawful basis for doing so.  Most commonly, we will use personal information collected in connection with Insolvency proceedings for the proper performance of the statutory functions of an Insolvency Office Holder and/or where it is necessary to do so in respect of legal claims.

The situations in which we envisage using your personal information are as follows:

• to notify you of your rights as a creditor or former employee
• to adjudicate on the amounts you claim to be owed by an Insolvent entity
• to recover money that you owe to a Company
• paying dividends to creditors and distributions to shareholders
• in pursuance of the lawful functions of an Insolvency Office Holder in investigating the affairs of the Insolvent entity and the causes of their Insolvency (where appropriate)in the recovery of any assets that you have acquired from the Company in a manner which may be challengeable under law
• when selling or otherwise disposing of the assets of the Insolvent entity
• when reporting periodically to the people the Insolvent entity owes money to
• when gathering evidence for possible legal proceedings
• when reporting upon directors' conduct in relation to the Company, as required by the Company Directors Disqualification Act 1986 to prevent fraud, Money Laundering or Terrorist Financing
• any other purpose as may be required by relevant legislation in connection with formal insolvency proceedings or the administration of the affairs of the Insolvent entity

If you fail to provide personal information

If you fail to provide certain information when requested, you may be unable to assert your rights in the Insolvency proceedings. In some instances, the Insolvency Office Holder may take steps to compel you to provide it in Court and/or to acquire the information we need to properly administer the affairs of the Company from third parties.

Special categories (sensitive) personal data

Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as "special categories" of personal data. These relate to a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.

There are a limited number of situations where we might possess special categories of data about stakeholders:

• When we are administering the affairs of a Company we may need to assess whether a stakeholder is subject to a particular circumstance, vulnerability (including a lack of mental capacity) or any other special factor which should be taken into account by us when making decisions about how we administer the affairs of the Company. This information may have been provided by you directly or may have been brought to our attention by a third party (such as the Official Receiver, Accountant in Bankruptcy, a relative or family member, or someone the Company owes money to). Depending upon the nature of the information we receive, we may not need your consent to have or use this information, where it is relevant to the performance of our functions as an Insolvency Office Holder
• We may possess special category information where it is needed in relation to legal claims or proceedings relating to the affairs of the Company. Depending upon the nature of the information we receive, we may not need your consent to have this information

We consider it unlikely that we will be routinely processing special categories of personal data, other than in relation to the claims of employees as against their former employer. In this regard, we will generally be acting as an agent on behalf of the Company, rather than as Data Controller.

Information about criminal convictions

We envisage that we may hold information about criminal convictions where these are relevant to the causes of failure of the Company or the performance of the functions of an Insolvency Office Holder. If it becomes necessary to do so, we will only use this information where we have a legal basis for processing the information. This will usually be where such processing is necessary to carry out the role and function of an Insolvency Office Holder.

We may also use information relating to criminal convictions where:

• it is necessary in relation to legal claims
• it is necessary to protect a person's vital interests and they are not capable of giving consent
• it is relevant to the statutory reporting obligations of an Insolvency Office Holder
• the information is already in the public domain

We will only collect information about criminal convictions if it is appropriate given the nature of the role of a restructuring advisor or insolvency Office Holders. Relevant convictions would typically be those relating to theft, fraud or dishonesty, money laundering or terrorist financing.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third parties involved in Insolvency proceedings, including but not limited to the courts, Official Receiver, Accountant in Bankruptcy, other creditors, Companies House, the Redundancy Payments Service and other third parties involved
• Third party organisations that provide applications/functionality, data processing or IT services to us
• Our trade associations, professional bodies and business associates e.g. agents, auditors, solicitors, accountants etc.

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records collected and created in Formal Insolvency matters for 7 years after the conclusion of the case administration and the officeholder's discharge of appointment.

Your rights

Please note that where a subject access request relates to information held by the Insolvent entity prior to the office holder's appointment, we are unable to assist as the data controller for personal data processed by the Company or Debtor prior to the Insolvency is the Insolvent entity.

e. PropUp Corporate Transition

What we collect

We collect personal data necessary to manage our relationship with you and to deploy our PropUp Corporate Transition services effectively.

The types of data we collect, and process can vary, it may include:

• Name
• Date of Birth
• Contact Information
• National Insurance Number
• Anti-Money Laundering Identification information (such as driver’s licence and passport copies)
• Company information
• Any other data included in a submitted profile or CV

We collect data from you:

• Directly, for example, when you initially request for information, register for a PropUp Corporate Transition Account, or when you email us
• Indirectly through our subsequent interactions with you

We ask that you do not provide sensitive data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when submitting your CV or using our website; if you choose to provide sensitive data to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that data in the ways described in this privacy statement or as described at the point where you choose to disclose this data.

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Marketing

We would like to send you information by email and call you about our products and services, updates about our business, as well as about events which we think you may be interested in.

We will give you the opportunity to opt out of receiving marketing communications from us when we first contact you. Also, you can change your marketing preferences at any time by clicking on the "unsubscribe link" in any of our marketing communications or by visiting your preference settings page.

If your consent is not refreshed through your preference settings page within a 3 - year cycle, we will contact you to ask for your refreshed consent. This is to ensure we hold accurate marketing consent for you.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Potential businesses for assignments
• Individuals and organisations who hold data related to your reference or application to work with us, such as current, past or prospective employers, educators and examining bodies and employment and recruitment agencies
• Third party organisations that provide identification checking services

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We will delete your personal data from our systems if there has been no adequate contact activity with you for 5 years. It is unlikely that your data will be relevant for the purpose it was collected after this period.

Adequate contact activity means written or verbal communication between us, or when you are actively using our online services for example by submitting your updated CV onto our website.

Where you have opted out of us using your details for marketing, we will not continue to send you marketing. However, if you are still a client, we will need to retain your contact details to communicate with you about ongoing matters.

Where you have consented to us using your details for marketing, we will keep such information until you notify us otherwise and/or withdraw your consent.

Closing your account

When you choose to delete your account, or if your application to be registered for our PropUp Corporate Transition services is not approved, all your data associated with that account will be permanently deleted and cannot be recovered.

We reserve the right to keep any materials in a closed account as necessary to preserve and protect our rights as allowed by law (for example, to preserve records of a dispute) or to comply with our obligations under local law (for example, to keep an email address).

f. Recruitment Applicants

What we collect

We collect personal data necessary to conduct our recruitment process effectively.

The types of data we collect, and process can vary, it may include:

• Name
• Contact Information
• Professional Profile
• Qualifications (Education/Professional)
• Skillset
• Career history/summary
• Achievements
• References
• Hobbies and Interests

We collect data:

• Directly, for example, if you have given us your CV through our careers page, LinkedIn message response or direct email to an PropUp Corporate email inbox
• Indirectly through third parties like recruitment agents

We ask that you do not provide sensitive data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us during our recruitment process; if you choose to provide sensitive data to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that data in the ways described in this privacy statement or as described at the point where you choose to disclose this data.

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Organisations that provide apprenticeships
• Organisations that provide professional qualifications
• Previous employers (as part of the referencing process)

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary and we have strict review and retention policies in place to meet these obligations. Where you have provided your personal data e.g. CV to facilitate our recruitment process, we will keep such data for a maximum of 18 months.

g. Datarooms

What we collect

We collect personal data about you to help us to manage our relationship with you and to advertise business/asset acquisition opportunities.

The types of data we collect, and process can vary, it may include:

• Name
• Contact Information
• Company information

We collect data:

• Directly from you, for example from our business contacts (e.g within our CRM system), when you request for information, register for a Datarooms account, respond to our IP-bid.com advert, or when you email us
• Indirectly through our interactions with you

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Marketing

We would like to send you information by email and call you about our products and services, and updates about our business.

If you are a corporate contact, we will send marketing communications to your company email address unless you have opted out. We will give you the opportunity to opt out of receiving marketing communications from us when we first contact you. Also, you can change your marketing preferences at any time by clicking on the "unsubscribe link" in any of our marketing communications or by visiting your preference settings page.

For non-corporate contacts, we will only send marketing communications to your personal email address if those communications related to goods, services or opportunities which are similar to services we have already provided to you in the past or which you have expressed an interest in, or if you have consented to us contacting you in this way. You can change your marketing preferences at any time by clicking on the "unsubscribe link" in any of our marketing communications or by visiting your preference settings page.

If your consent is not refreshed through your preference settings page within a 3-year cycle, we will contact you to ask for your refreshed consent. This is to ensure we hold accurate marketing consent for you.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Target businesses relating to business/asset acquisition opportunities
• Third party organisations that provide applications/functionality, data processing or IT services to us for example, providers of data technology, cloud-based software as a service providers, data analysis, data back-up, security and storage services

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We will delete your personal data from our systems if there has been no adequate contact activity with you for 3 years. It is unlikely that your data will be relevant for the purpose it was collected after this period.

Adequate contact activity means written or verbal communication between us, or when you are actively using our online services for example by expressing your interest in an acquisition opportunity or updating your personal details on our website.

Where you have opted out of us using your details for marketing, we will not continue to send you marketing. However, if you are still a contact, we will need to retain your contact details to communicate with you about ongoing matters.

Where you have consented to us using your details for marketing, we will keep such information until you notify us otherwise and/or withdraw your consent.

h. Company Profiling

What we collect

We collect personal data necessary to conduct our company profiling process effectively.  We collect personal data as part of the business information collected to perform our company profiling service.

The types of data we collect, and process can vary.  It may include:

• directors
• company secretaries
• shareholders and persons with significant control

We collect personal data as part of the business information feed we procure from our business information partner Vistra Business Information Limited. The data provided by Vistra Business Information originates from Companies House and comprises publicly available data taken from the following sources:

• Form 288’s
• Company Annual Returns

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Sharing and disclosing your personal data

We do not share personal data when we disclose our insight reports which is the key output from our company profiling tool to our internal and external partners.

When we do share your personal data with others, we ensure contractual arrangements and security mechanisms are in place; this ensures data is protected in transit and we comply with our data protection, confidentiality and security standards.

We do not share or disclose any of your personal data other than for the purposes specified in this notice or where there is a legal requirement. As such, your personal data is shared with third party organisations that provide applications/functionality, data processing or IT services to us. It may also be shared with our business associates e.g. agents, auditors, solicitors, accountants etc.

Rights

Incorrect data

We are reliant upon our supplier Vistra Business Information Limited for the provision of accurate data. However, you have the right to request that we:

• Rectify your personal data that is inaccurate; and
• Complete any incomplete data.

If you do exercise your right to rectification, we will communicate the requested change to our information provider; Vistra Business Information Limited who will then take appropriate steps to check the data and endeavour it is corrected where necessary.

Right to be forgotten

You can request for the erasure of the personal data we hold about you in certain circumstances, for instance, where it is no longer necessary, or it was not acquired for a lawful purpose.

We will comply with your rights to erase your data under the following circumstances:

The data has ceased to be publicly available (Companies House); orWe no longer need to use it.

How long we keep personal data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. Director and shareholder data is overwritten monthly as part of our monthly data refresh. Therefore, the maximum age-lag for any personal data item on our bespoke software is no longer than one month. Our insight reports are purged on an annual basis.

i. Website Visitors

What we collect

We may capture limited personal data automatically via the use of cookies on our websites. Please see the section on cookies below for further data. The data captured within cookies is used only in an anonymous form; no individual is identified.

We collect personal data about you to manage our relationship with you. In most cases, this will include:

NameContact information

We collect data from you:

Directly, for example, when you initially request for information, or when you email usIndirectly through our subsequent interactions with you

We ask that you do not provide sensitive data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our websites; if you choose to provide sensitive data to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that data in the ways described in this privacy statement or as described at the point where you choose to disclose this data.

Cookies

A *'*cookie' is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. When you visit a site that uses cookies for the first time, a cookie is downloaded onto your computer/mobile device so that the next time you visit that site, your device will remember useful information such as pages visited or logging in options.

Cookies are widely used to make websites work, or to work more efficiently, and our site relies on cookies to optimise user experience and for features and services to function properly.

Most web browsers allow some control to restrict or block cookies through the browser settings, however if you disable cookies you may find this affects your ability to use certain parts of our website or services.

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third party organisations such as appropriate lenders and lawyers to facilitate the set up and completion of a transaction
• Third party organisations that provide applications/functionality, data processing or IT services to us for example, providers of data technology, cloud-based software as a service providers, data analysis, data back-up, security and storage services
• Third party organisations that provide identification checking services

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary (e.g. for as long as we have, or need to keep a record of, a relationship with the relevant individual) and we have strict review and retention policies in place to meet these obligations.

g. Suppliers

What we collect

We collect personal data necessary to manage our supplier relationship. These include subcontractors and individuals associated with our suppliers and subcontractors.

The types of data we collect, and process can vary, it may include:

• Name
• Contact Information
• Company information
• Financial information

We collect data:

• Directly from you
• Indirectly, through our interactions with you
• From other third parties (including publicly available information)

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third party organisations that provide applications/functionality, data processing or IT services to us
• Our trade associations, professional bodies and business associates

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

k. Office Visitors

We implement access controls at our offices as part of our security measures.

Visitors to our offices are required to sign in at reception.

We keep our visitors' records secure and delete them periodically. We also ensure that there is restricted access to the records.

Sharing and Disclosing Your Personal Information

We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement like health and safety. If we do transfer your data to a third-party controller, we ensure we include an appropriate Data Transfer Agreement to protect your data.

l. Business Contacts

What we collect

We collect personal data about our clients and contacts to help us run our business effectively, to manage our relationship with you and to develop potential business leads. We store the data in our Client Relationship Management (CRM) system and supporting systems.

The types of data we collect, and process can vary, it may include:

• Your name
• Company name
• Email address
• Business telephone number: direct dial-in (DDI) and mobile
• Job title
• Your hobbies or interests, so we can invite you to events we think you will be interested in
• Your PropUp Corporate contacts
• Details of events you have previously attended, meetings we have had with you or hospitality provided to youIf you attend our events, any dietary requirements or details of any adjustments of which you may have informed us
• If you register and attend webinars/training facilitated or hosted by us, we collect details of your registration, subsequent attendance and feedback
• Business related personal data about you which generally focus on your home life e.g. marital status, spouse name and number of children. This information is used to tailor our communication and event invitation to you

We collect this data:

• Directly from you, for example, if you have given us your business card or told us in an email or other correspondence
• Indirectly through our interactions with you

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Special Categories of Personal Data

We may ask if you have any dietary requirements and you may also inform us of adjustments you require. This could reveal data about your religious beliefs (in the case of dietary information) or data about your health. This data is given special protection under the law as it is particularly sensitive.

(You do not have to provide this information to us. However, please note, we will not be able to cater for your specific dietary needs and may not be able to make all the necessary adjustments for you without this information).

We will obtain your explicit consent through an email requesting your preferences and a section to enable you to give your explicit consent for the processing of this data.

We will only use the data to the extent necessary.

Marketing

We would like to send you information by email and to call you about our products and services, updates about our business, as well as about events which we think you may be interested in.

If you are a corporate contact, we will send marketing communications to your company email address unless you have opted out. We will give you the opportunity to opt out of receiving marketing communications from us when we first contact you. Also, you can change your marketing preferences at any time by clicking on the "preference centre" in any of our marketing communications.

For non-corporate contacts, we will only send marketing communications to your personal email address if those communications relate to services or opportunities which are similar to what we have already provided to you in the past or which you have expressed an interest in, or if you have consented to us contacting you in this way. You can change your marketing preferences at any time by clicking on the "preference centre" in any of our marketing communications.

If your consent is not refreshed through our 'preference centre' within a 5-year cycle, we will contact you to ask for your refreshed consent. This is to ensure we hold accurate marketing consent for you.

Sharing and disclosing your personal data

We use third party processors to provide several services and business functions. Those processors will have access to your personal data for these purposes; we require all processors acting on our behalf to only process your data in accordance with instructions from us and to comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.

Your personal data may be shared with:

• Our Client Relationship Management (CRM) software provider
• Software providers of supporting systems (e.g. email distribution)
• Organisations that provide seminar/presentation venues
• Organisations that provide sports ground/arenas
• Organisations that have security access requirements
• Third party travel, hospitality providers or venues
• Organisations investigating Bribery case

Occasionally, we may also need to disclose your personal data in the following circumstances:

• When we provide resources to host events/webinars on behalf of other organisations, we share your data with these organisations as part of the event administrative process. The information shared includes details of your registration and subsequent attendance. We do not retain this data ourselves; we delete this information once shared with the relevant organisation.
• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises

How long we keep your data

We only ever retain personal data for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We will delete your personal data from our CRM system if there has been no adequate contact activity with you for 5 years. It is unlikely that your data will be relevant for the purpose it was collected after this period.

Adequate contact activity means written or verbal communication between us, for example by expressing your interest in attending hospitality events, training or seminars or updating your personal details on our CRM system.

We will keep information about your dietary requirements in line with our retention policy, however, you will have the ability to amend, review and update the information we hold regarding your dietary requirements per event invitation.

Where you have opted out of us using your details for marketing, we will not continue to send you marketing. However, if you are still a contact, we will need to retain your contact details to communicate with you about ongoing matters.

Where you have consented to us using your details for marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.

m. Digital Meeting Recordings (Video/IP Telephony)

What we collect

During a recorded meeting we will collect personal data about you. In most cases, this will include:

• Your name
• Your voice and anything you say during the interaction
• Your image (during digital video meetings in which you enable your device’s camera)

If you provide sensitive data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when on a call or meeting for any reason, the act of doing so constitutes your explicit consent for us to collect that data in the ways described in this privacy statement or as described at the point where you choose to disclose this data.

How we use your personal data and legal basis for processing

Sharing and disclosing your personal data

We do not share or disclose any of your personal data without your consent, other than for the purposes specified in this notice or where there is a legal requirement. When we share data with others, we ensure contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.

Your personal data may be shared with:

• Third party organisations such as appropriate lenders and lawyers to facilitate the set up and completion of a transaction
• Third party organisations that provide identification checking services
• Third party organisations that provide applications/functionality, data processing or IT services to us
• Other third parties as instructed by youOur trade associations, professional bodies and business associates e.g. auditors, insurers, solicitors, accountants etc.

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records and documentary evidence created in the provision of our professional services for 7 years after the end of the engagement, in the absence of specific legal, regulatory or contractual requirements.

n. Brokerage Services

What we collect

We collect personal data necessary to manage our relationship with you and to deploy our brokerage services effectively.

The types of data we collect, and process can vary, it may include:

• Your name
• Date of birth
• Company name
• Email address
• Business telephone number: direct dial-in (DDI) and mobile
• Job title
• Personal Assets (if you are a sole trader, for example)

We collect this data:

• Directly from you, for example, over a telephone or email introduction.
• Indirectly through our interactions with you.

How we use your personal data and legal basis for processing

We process your personal data on the following legal bases for the following purposes.

Sharing and disclosing your personal data

We use third party processors to provide several services and business functions. Those processors will have access to your personal data for these purposes; we require all processors acting on our behalf to only process your data in accordance with instructions from us and to comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.

Your personal data may be shared with:

• Prospective Lenders
• Our email hosting provider (for example, when we send emails to you)

Occasionally, we may also need to disclose your personal data in the following circumstances:

• Based on our legitimate interests, to third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• To law enforcement officials, law courts and government and regulatory authorities: (a) if we believe disclosure is required by any applicable law, regulation or legal process; or (b) to protect and defend our rights, or the rights or safety of third parties, including to defend against legal claims based on our legitimate interests.
• In exceptional circumstances, to third parties to protect your vital interests if you fell ill or suffered an injury at one of our events or on our premises.

How long we keep your data

We only ever retain personal data for as long as is necessary for the purposes for which it was collected, and we have strict review and retention policies in place to meet these obligations. We keep personal data in accordance with our internal retention policies, which are determined in accordance with our regulatory obligations and good practice.

We retain records and documentary evidence created in the provision of our professional services for 7 years after the end of the engagement, in the absence of specific legal, regulatory or contractual requirements.

3. Your rights

Your rights in relation to the personal data that we process will depend upon the lawful basis or bases upon which we are holding it. This will vary depending upon where the information has come from (yourself or a third party), and the nature of our relationship with you. Personal data may be held for more than one lawful basis. Details of the basis or bases we believe we have for processing your data can be found in the relevant sections of our Privacy Notice.

You will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

Responding to your request

If we receive a request from you to exercise any of the below rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

We will respond to your request within one month of verifying your identity; earlier if at all possible. Where your request is declined, a written explanation will be provided to you.

Access to your personal data: You have the right to ask us to confirm whether we process your personal data and to access the personal data along with the following information: -

The purposes of the processingThe categories of personal data concernedThe recipients to whom the personal data has/will be disclosedHow long we intend to store your personal dataYour right to request to have your personal data rectified, erased, to restrict the processing of the data or to object to the processingIf we did not collect the data directly from you, available information about the sourceWhether it has been used for any automated decision-making

Consent: Generally, we do not rely on consent as a legal basis for processing your personal data (as we can usually rely on another legal basis).  However, where you have given us your consent to use personal data, you can withdraw your consent at any time.

Right to object: You can object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party), including for profiling, and there is something about your particular situation which makes you want to object to processing on this ground. Please contact us as noted above, providing details of your objection. You also have the right to object where we are processing your personal data for direct marketing purposes.

Rectification: If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

Erasure: You can ask us to delete your personal data in the following instances;

the personal data is no longer necessary in relation to the purposes for which they were collected and processed;our legal grounds for processing is consent, you withdraw consent and we have no other lawful basis for the processing;our legal grounds for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to our processing and we do not have overriding legitimate grounds;you object to our processing for direct marketing purposes;your personal data have been unlawfully processed; or your personal data must be erased to comply with a legal obligation to which we are subject.

Portability: You can ask us to provide you or a third party with some of the personal data that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. This right only applies to information which you provided to us, where our lawful basis for processing the personal data is consent or necessity for the performance of our contract with you and the processing is carried out by automated means.

Restriction of Processing: You can ask us to restrict the personal data we use about you in the following instances:

you contest the accuracy of your personal data and we are verifying the accuracy of the data your data has been unlawfully processed but you oppose erasure and request restriction instead we no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim you have objected to us processing your data and we are considering whether our legitimate grounds override yours

Automated decision-making: Automated decision-making takes place when an electronic system uses personal data to decide without human intervention. You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law. You also have certain rights to challenge decisions made about you.

4. Safeguarding measures

We take various measures and precautions to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place. We regularly review the appropriateness of the measures we have in place to keep the data we hold secure. However, as the internet is not completely secure, and we do our best to protect your personal data, the transmission of your data to us is done at your own risk.

If you have any concerns about the security of the personal data we hold about you, or suspect that a data breach has occurred, please contact us at compliance@propup.com.

5. Change of processing purpose

Information provided by you or collected from third parties will only be used for the informed original purpose; unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose.

If in the future we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information.

Please note that we may process your personal information without your knowledge or consent, in compliance with this privacy notice, where this is required or permitted by law.

6. Changes to this privacy policy

We reserve the right to update this privacy notice at any time, and we will provide you with access to a new privacy notice when we make any substantial updates.

7. International Transfers

It may sometimes be necessary to transfer personal data overseas. For example, our system providers and suppliers may transfer to, store and process your personal data in the United States.

Any transfer of your data will be subject to an Information Commissioner’s Office approved contract that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach.

8. Complaints

We hope that you won't ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to compliance@propup.com. We will investigate and respond to any complaints we receive.

You also have the right to lodge a complaint with the information commissioner's office ("ICO") (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.

9. How to contact us

If you have questions or concerns regarding this privacy policy, or if you have a complaint, you should first contact us at compliance@propup.com.