Privacy Policy - True Wind True Wind

True Wind Capital Management, L.P. Privacy Policy

I. Introduction

This Comprehensive Privacy Policy (“Privacy Policy”) describes how True Wind Capital Management, L.P. and its affiliates (together, “True Wind”, the “Partnership”, “we” or “us”) collect, use and disclose personal information we gather through our websites, other digital properties, paper forms, and our other interactions with individuals (collectively, “you” or “your”). This Privacy Policy does not address our privacy practices with respect to any nonpublic personal information we may collect from you as an investor in investment vehicles that we sponsor or manage. We address these practices in separate notices to individuals associated with investors or potential investors. Our privacy policy for California applicants is available here.

When we use the term “Personal Information” or “Personal Data”, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Where applicable, it includes “personal information”, “personal data”, or the equivalent as defined in the applicable data protection and privacy laws, including the EU General Data Protection Regulation (Regulation 2016/679)(the “EU GDPR”) or the “UK GDPR” (as defined in the UK Data Protection Act 2018 and together with the EU GDPR, the “GDPR”, and the California Consumer Privacy Act (“CCPA”).

“Personal Information” or “Personal Data” does not include information about an individual that is deidentified or aggregated, such as deidentified or aggregate consumer information.

California or EU/UK residents can find more specific information regarding their rights under the CCPA and GDPR sections, respectively.

II. How We Collect Personal Information

We collect personal information about individuals from a variety of sources, including:

Meetings, telephone conversations, emails or other forms of electronic messages, and other interactions with you, including via the Internet such as on our LinkedIn page or this website, or at our offices;
The public domain, e.g., the Internet, books, journals/magazines, news reports, public registries, etc.;
Our website, data portals or online data rooms (collectively, “Sites”), including any registration information or information captured via “Cookies”;
Governmental and competent regulatory authorities to whom we may have regulatory obligations;
Your transactions with us, our affiliates, or others.

We may combine information obtained about you from these various sources, including the information you have provided to us directly either in person or electronically, such as through email correspondence.

III. Categories of Personal Information We Collect and the Purposes for Which We Collect It.

In the last 12 months, we have collected the following categories of Personal Information for the purposes set out in the table below. Depending on the nature of the data and your relationship with True Wind, we use the data for different business purposes.

Categories of Personal Information Collected	Business Purpose for Processing	Legal Basis for Processing
Identifiers (e.g., name, address, email address, telephone number, other contact information)	· Operating our business (including verifying your identity, detection, and prevention of fraud); · Marketing (including to communicate with you and provide you with information we believe may be of interest to you, including potential investments); · Communicating with you (including customer service); · To exercise our legal rights where it is necessary to do so, such as to detect, prevent, or respond to fraud claims, intellectual property infringement claims, or violations of law or misuse of information or our Sites; · Compliance with various tax, accounting, regulatory, governmental, and law enforcement requests or requirements; · Maintaining books and records, ensuring effective group management and governance; · Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and assisting in the prosecution of those responsible for such activity; · Ensuring a safe and healthy office environment for employees and visitors; · Establishing or exercising our legal rights, or responding to or defending legal claims (including those relating to fraud, intellectual property, violations of law or misuse of information or our Sites), investigations, examinations, and requests from third parties, regulatory, self-regulatory, administrative, law enforcement agencies and other oversight bodies; or · Maintaining the ongoing safety, security, and integrity of our business, services, physical premises, and information technology systems and assets, monitoring and managing access to our systems and facilities, and customizing and securing your account with us.	· Complying with legal obligations · Pursuing our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights, or freedoms · Consent (where applicable)
Internet or other electronic network activity, such as your activity on our Sites (e.g., IP addresses, geospatial and location data, browsing and search history, engagement data on Sites, etc.)	· Compliance with various tax, accounting, regulatory, governmental, and law enforcement requests or requirements; · Maintaining the ongoing safety, security, and integrity of our business, services, physical premises, and information technology systems and assets, monitoring and managing access to our systems and facilities, and customizing and securing your account with us. · Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and assisting in the prosecution of those responsible for such activity; · Measuring user activity on our Sites and developing ideas for their future improvements.	· Pursuing our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights, or freedoms

Categories of Personal Information Collected

Business Purpose for Processing

Legal Basis for Processing

Identifiers (e.g., name, address, email address, telephone number, other contact information)

· Operating our business (including verifying your identity, detection, and prevention of fraud);

· Marketing (including to communicate with you and provide you with information we believe may be of interest to you, including potential investments);

· Communicating with you (including customer service);

· To exercise our legal rights where it is necessary to do so, such as to detect, prevent, or respond to fraud claims, intellectual property infringement claims, or violations of law or misuse of information or our Sites;

· Compliance with various tax, accounting, regulatory, governmental, and law enforcement requests or requirements;

· Maintaining books and records, ensuring effective group management and governance;

· Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and assisting in the prosecution of those responsible for such activity;

· Ensuring a safe and healthy office environment for employees and visitors;

· Establishing or exercising our legal rights, or responding to or defending legal claims (including those relating to fraud, intellectual property, violations of law or misuse of information or our Sites), investigations, examinations, and requests from third parties, regulatory, self-regulatory, administrative, law enforcement agencies and other oversight bodies; or

· Maintaining the ongoing safety, security, and integrity of our business, services, physical premises, and information technology systems and assets, monitoring and managing access to our systems and facilities, and customizing and securing your account with us.

· Complying with legal obligations

· Pursuing our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights, or freedoms

· Consent (where applicable)

Internet or other electronic network activity, such as your activity on our Sites (e.g., IP addresses, geospatial and location data, browsing and search history, engagement data on Sites, etc.)

· Compliance with various tax, accounting, regulatory, governmental, and law enforcement requests or requirements;

· Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and assisting in the prosecution of those responsible for such activity;

· Measuring user activity on our Sites and developing ideas for their future improvements.

· Pursuing our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights, or freedoms

We use Personal Information for the purposes for which we collected it as set out either in this Privacy Policy or as otherwise communicated to you, as well as any purpose that is compatible with the same. If we need to use your Personal Information for an unrelated purpose, we will contact you to the extent required under applicable data protection and privacy laws.

Sensitive Personal Information

We do not process Personal Information for inferring characteristics about consumers.

IV. How Long We Retain Personal Information

We retain your Personal Information for 5 years or as long as necessary to fulfill the purposes for which the Personal Information is collected, as described above. The retention period may be extended if we are required to preserve information in connection with litigation, investigations, or proceedings, or if a longer retention period is required or permitted by applicable law or conforms with industry best practice. This may be subject to your right, under certain circumstances, to have certain of your Personal Information erased. In determining data retention periods, we consider local laws, regulatory requirements and guidance, as well as contractual obligations and your reasonable expectations and requirements.

V. How We Disclose Personal Information

We may disclose the Personal Information set out in Section III above to third parties for business, commercial, and legal purposes, depending on the context. In the past 12 months we may have disclosed the categories of Personal Information described in Section III to the following parties:

Affiliated companies;
Service providers and vendors whom we rely on to operate our business and comply with applicable law;
Website service providers .

We may disclose Personal Information for various business, commercial, and legal purposes, including:

complying with regulations or self-regulatory requirements (such as complying with a subpoena, or responding to court orders or legal investigations), including when we believe in good faith that disclosure is legally required;
protecting your safety or security or protecting the safety and security of tangible or intangible property that belongs to us, to you or to third parties;
establishing, exercising or defending legal claims, or where it is otherwise necessary to protect the rights and property of True Wind; and
to potential acquirers or successors of True Wind, in the event substantial assets of True Wind or one or more of its businesses or affiliates are acquired or merged with another entity (including reorganization, dissolution, or liquidation).

True Wind does not sell or share Personal Information for cross-contextual behavioral advertising.

VI. Protection of Information

We endeavor to protect your personal information. We endeavor to use technical, administrative, and physical methods to maintain the integrity and security of Personal Information. However, there is no such thing as “perfect security” on the Internet, and third parties may unlawfully intercept or access transmissions or private communications. We will not be responsible or liable for any damages, losses or causes of action arising out of or in connection with the disclosure of your personal information. You use our Site and send us information at your own risk.

VII. How We Use Cookies & Tracking Technologies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser (“Cookie”). The identifier is then sent back to the server each time the browser requests a page from the server.

Our Site uses “cookies” to facilitate your ongoing access to and use of our Site and helps us in the ongoing maintenance of our Site. Cookies are small text files that may be placed on your browser when you visit our web site. We do not use cookies for targeted marketing purposes.

Cookies We Use

Cookie Type	Name	Purpose	Expiry
Essential	_tccl_visitor	GoDaddy sets this cookie to collect aggregated, anonymized data to improve the site’s performance.	1 year
Essential	_tccl_visit	GoDaddy sets this cookie to collect aggregated, anonymized data to improve the site’s performance.	30 minutes

Monitoring

We may monitor or record telephone calls, emails, web chat or other communications for regulatory and security purposes. When visiting our offices, cameras, access control systems and/or other monitoring systems may be in operation for security reasons as well as safety and office management purposes.

Do Not Track

We do not track visitors of the Sites over time and across third party websites to provide targeted advertising and therefore do not respond to Do Not Track (“DNT”) signals. However, some third-party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser allows you to set the DNT signal so that third parties (particularly advertisers) know you do not want to be tracked. You may consult the help pages of your browser to learn how to set your preferences so that websites do not track you.

VIII. International Data Transfers

True Wind is based in the United States and the Personal Information you provide to us will be received in the United States and stored on cloud-based servers, including those which are maintained by third-party providers in the U.S.

Where we receive your Personal Information directly in the United States (“U.S.”) we are not responsible for its transfer outside the European Economic Area (“EEA”) (or the United Kingdom (“UK”) as applicable). We do not intend to transfer your Personal Information to other countries outside the U.S. If we were to receive your Personal Information in the context of the activities of an establishment in the EEA or the UK and if we were to transfer it to a jurisdiction with a less robust data protection regime, we would take appropriate steps to ensure it is adequately protected as required by applicable data protection laws, such as by entering into appropriate data transfer agreements with third-party recipients of Personal Information incorporating standard contractual clauses approved by the European Commission or the UK government. Were any transfer to take place under a written contract, you have the right to request a copy of that contract by contacting True Wind using the details in the “How to Contact Us” section.

Where no appropriate safeguards can be put in place, we may transfer the Personal Information outside of the EEA or the UK on another legal ground, such as:

if the transfer is necessary for the performance of our obligations under a contract between you and True Wind, or if the transfer is necessary to the performance of a contract between True Wind and a third party, and the contract was entered into in your interest;
explicit consent; or
if the transfer is necessary to establish, exercise, or defend legal claims or to protect your vital interests.

IX. Children’s Privacy

The Site and our services are directed toward and designed for use by persons aged 16 or older. We do not intend to collect or have actual knowledge that we collect Personal Information from individuals under the age of 16. If you are under the age of 16, please do not provide us with any Personal Information. If you have reason to believe that a person under the age of 16 has provided Personal Information to us without parental consent, please contact us using any of the methods described in the “How to Contact Us” section of this Privacy Policy, and we will endeavor to delete that data from our systems.

X. California “Shine the Light” Law

California Civil Code Section 1798.83, known as the “Shine the Light” law, gives California consumers the right to request and obtain from us a list of their Personal Information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. Requests may be made only once a year and are free of charge.

XI. CCPA Rights and Disclosures

California residents have certain rights under the California Consumer Privacy Act (“CCPA”). The CCPA requires covered businesses to make disclosures to consumers regarding the collection and use of their Personal Information, and generally gives consumers the right to opt out of the sale and demand the deletion of such information. These rights include:

Right to access: you may ask for the Personal Information we have collected about you, their sources, the business or commercial purposes for the collection, and the categories of third parties with whom we have disclosed your Personal Information, if any.
Right to deletion: you may request we delete Personal Information we have collected about you. Please note that we may not be able to delete your data if we need it to comply with legal obligations or otherwise have reason to retain your information for a lawful purpose;
Right to correction: you may request we correct inaccurate Personal Information that we maintain about you; and
Right to nondiscrimination: we will not discriminate against you should you choose to exercise any of your privacy rights under the CCPA.

True Wind currently does not and has not sold or shared in the preceding calendar year or past 12 months Personal Information with third parties for direct marketing or cross-contextual behavioral advertising purposes.

True Wind does not knowingly sell or share for cross-contextual behavioral advertising purposes Personal information of Individuals under the age of 16.

Exercising your rights

You can exercise rights regarding your Personal Information by using the methods in “XIV. How to Contact Us” section. Your request must:

Provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or an authorized representative of such person.
Describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide non-public Personal Information if we cannot verify your identity or authority to make the request and confirm that the requested Personal Information relates to you. We will use the information provided in a request solely to verify your identity or authority to make the request.

Request by an authorized agent

You may appoint a representative to exercise the rights under the CCPA on your behalf, but we may require steps to verify the request is legitimate, such as a signed permission evidencing you have authorized the representative to make a request on your behalf.

Our process for responding to requests

Once we receive your request and verify your identity using one or more of the below verification methods, we will disclose such information to you or delete the same, unless a legal exception applies.

Verification methods:

Ask you to provide information we have on file about you, such as your name and contact details.
Ask the main contact for the organization we have on file to confirm the request.

We may deny your deletion request if we have a legal basis, such as for security or fraud detection, for retaining the information.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

XII. GDPR Disclosures

This GDPR Statement applies to you to the extent the GDPR (as defined in Section I) applies to our processing of your Personal Data (as defined in the GDPR). PLEASE READ THIS GDPR STATEMENT CAREFULLY. IT CONTAINS IMPORTANT INFORMATION REGARDING THE USE AND PROCESSING OF YOUR PERSONAL DATA AS WELL AS INFORMATION CONCERNING YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA.As used in this GDPR Statement:

Controller means the entity that determines the purposes and means of the processing of personal data.

Criminal Offences Data means personal data about any actual or alleged criminal convictions or offences related security measures.

EEA means the member states of the European Economic Area.

Personal Data means information from which it is possible to identify a natural person (an individual), or information from which any individual is identifiable.

Processing means anything that is done with personal data (whether by automated means or not), such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor means a person or entity that processes personal data on behalf of a controller.

Sensitive Personal Data means special categories of personal data and/or criminal offences data.

Special Categories of Personal Data means personal data about an individual’s race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, or any other information that may be deemed to be sensitive under applicable law and includes, for the purposes of this Privacy Statement, criminal offences data.

UK means the United Kingdom.

We, Us, Our means the Partnership and its delegates.

With respect to your Personal Data, True Wind is a controller. We “control” the Personal Data you have provided, including making sure it is kept secure. We make decisions on how to use and protect your Personal Data, but only to the extent we have informed you about the use or are otherwise permitted by law.

What Personal Data do we collect? Please see Section III for the categories of Personal Data we may collect. While we do not generally seek to collect or process Sensitive Personal Data, we may do so where there is a lawful basis for doing so, such as, for example (and to the extent permitted under the GDPR) when it is necessary for reasons of substantial public interest, or you have made certain Sensitive Personal Data manifestly public.

Why do we process Personal Data? True Wind needs a lawful basis to process your Personal Data. True Wind is prohibited from processing Sensitive Personal Data unless processing is justified by reference to one of a limited number of recognized grounds, such as explicit consent. Depending on the nature of the data and your relationship with True Wind, there can be more than one lawful basis for processing. Please see Section III for the purposes and legal bases for processing the various categories of Personal Data we may collect.

Where we engage a third-party processor, the processor will be subject to contractual obligations to: (i) process in accordance with the GDPR and our prior written instructions; and (ii) use measures to protect the confidentiality and security of the personal data, including compliance with the requirements for delegation of processing and for transfers of personal data outside of the EEA and/or the UK, as applicable.

How do we disclose Personal Data? Please see Section V. How We Disclose Personal Information.

Will Personal Data be transferred outside of the EEA or the UK? Please see Section VIII. International Data Transfers.

How long do we retain your Personal Data? Please see Section IV. How Long We Retain Personal Information.

What are my rights with respect to my Personal Data?

We take reasonable steps designed to ensure any Personal Data we maintain is accurate and, where necessary, kept up to date. Subject to applicable law, you have certain data protection rights with respect to personal data controlled by us, including the right to:

receive confirmation of the Personal Data we have concerning you and access to that Personal Data, and information regarding processing of such Personal data, including safeguards used if Personal Data is transferred outside of the EEA (or where applicable, the UK);
rectify or update Personal Data that is incomplete or inaccurate;
erase Personal Data in certain circumstances;
restrict the use of your Personal Data in certain circumstances;
ask us to stop processing your Personal Data in certain circumstances; and
receive your Personal Data in a structured, commonly used, and machine-readable format, and the right to request that we transmit such data to another controller, in certain circumstances.

If we rely on your consent as a legal basis for processing your Personal Data, including to transfer your Personal Data outside of EEA or the UK, you will be able to withdraw your consent at any time. If you withdraw your consent you may, depending on the circumstances, no longer be able to partake in certain activities or receive certain products or services, such as participate in your investment. We will inform you of the exact consequences of withdrawing your consent to a specific transfer at the relevant point in time.

To exercise one or more of the data protection rights set forth above, please contact us as detailed in the “XIV. How to Contact US” section.

To obtain further information and/or make a complaint to the data protection regulator in your country see the following list of EU authorities: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

In the UK, the relevant data protection authority is the Information Commissioner’s Office, whose contact details are available at https://ico.org.uk/global/contact-us/.

XIII. Governing Law

The laws of the State of California govern this Privacy Policy. Any dispute relating to this Privacy Policy or your use of the Sites shall be resolved solely in the state or federal courts located in San Francisco, California. You agree to waive trial by jury in any such action.

XIV. How to Contact Us

If you have any questions regarding this Privacy Policy or other privacy-related practices, or wish to notify us of any errors or changes as to any Personal Information you provide us through the Sites or other means, you can contact us in the following ways:

Calling us toll-free at 866-780-9189
Emailing us at [email protected]

For GDPR purposes, please contact the Chief Compliance Officer at the above email address.

This Privacy Policy is available in alternative formats upon request.

XV. Third Party Websites

This Privacy Policy does not apply to any third-party website(s) to which our Sites may link. Should you choose to visit these third-party websites, we encourage you to review their privacy policies to ensure you understand and are comfortable with their practices concerning your Personal Information. True Wind is not responsible for the content of privacy policies or data practices of third parties that collect your information.

Last Updated: October 12, 2023