We take the privacy of your personal data seriously and are committed to protecting the confidentiality and security of the information entrusted to us in accordance with applicable data protection law in the jurisdictions where we operate, including the European General Data Protection Regulation (GDPR). “Personal data” or “personal information” means any information about an individual from which that individual can be identified.
Data Protection Principles
XSML will ensure that it will:
- Lawfully, fairly, and transparently process personal data
- Process the Data for limited purposes and will not use the Data for a purpose other than those agreed by the data subjects. If the data held by XSML is requested by an external organization, it will only be shared if agreed by the data subject. External organizations must state the purpose for requesting the data.
- Hold adequate, relevant, and not excessive data. XSML will monitor the purpose of data held for its purposes, ensuring it holds neither too much nor too little data in respect of the individuals about whom the data is held. If data provided for an intended purpose deemed excessive, it will be immediately permanently deleted and/or destroyed.
- Hold accurate and where necessary up to date data. It is the responsibility of individuals and/or organizations to ensure data held by XSML is accurate and up to date. Verbal confirmation will also be accepted as confirmation that current data held is accurate. It is the responsibility of the data subject to notify XSML for their data to be updated. Upon notification, it is the responsibility of XSML to ensure all relevant data has been updated.
- Store data only as long as it is necessary. XSML discourages retention of data for longer than is required.
- Process data in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing against accidental loss, destruction or damage, using appropriate technical or organization measures.
- Keep all data secure. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of data. XSML uses multiple factor authentication for their personnels to be able to log into the XSML systems. XSML has a comprehensive Information Technology and Cyber Security Policy and Procedures which all personnel are required to adhere with
- Any hard copies of personal or financial data are kept in a locked filing cabinet and can only be accessed by authorized XSML personnel.
What information may we collect from you?
We may collect, use, store and transfer different kinds of personal information about.
- Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth and gender. This may also include images (such as CCTV images) and photographs, films and video recordings which may be taken at visits or events organised or attended by XSML.
- Contact Data includes postal address, email address and telephone numbers.
- Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. Security data such as passwords or memorable information is always encrypted and cannot be accessed by us.
- Profile Data includes your username and password, your interests, preferences, feedback, and survey responses.
- Usage Data includes information about how you use our website, products, and services.
- Marketing and Communications Data includes your preferences in receiving marketing and other information we may send to you and or that you may receive from our third parties and your communication preferences.
How do we collect your information?
We typically collect or obtain Personal Data directly from you, your authorized representatives or third parties unless it is unreasonable or impracticable to do so. The collection of Personal Data usually may take place as follows (no exhaustive list):
You may give us your identity, contact and financial information by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal information you provide when you:
- Use our website
- Subscribe to our (future) newsletter
- Register for any event we may organize
- Visit our premises or participate in one of our meetings / events
- Establish a business relationship with us
- Apply for financing with us
- Apply for a job or internship with us
- Submit a response to an invitation to tender (or equivalent)
- Communicate with our employees or authorized representatives
- Give us some feedback or submit a complaint
We may also receive personal information about you from third parties or publicly available sources: analytics providers, advertising networks or search information providers, data brokers or aggregators.
We also may carry out Know Your Customer (KYC) and other due diligence checks on potential employees, directors or officers, contractors, clients, and suppliers.
How do we use your information?
We will only use your personal information for the purposes for which we collected it. The main purposes for which we use your information are as follows:
- For procurement and recruitment/employment purposes
- For compliance with and fulfilment of a legal obligation to which we are subject
- For the fulfilment of our contractual obligations
- In relation to the prevention of money laundering and terrorism financing and the prevention of crime and fraud
- To improve our website, products/services, marketing, customer relationships and experiences
- To manage our relationship with you which will include notifying you about changes to our terms or Privacy Notice
- To keep you informed about XSML when you subscribe to our newsletter
- To process and respond to your enquiry, application, or complaint, for example, in respect of an investment proposal, working for XSML or providing products or services to XSML.
We may use your information for another reason where we reasonably consider that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
On what legal bases do we process personal data?
The law specifies certain ‘lawful bases’ for which we are allowed to use Personal Data. These include:
- Consent: where you have consented to our use of your information for a specific purpose.
- Contract performance: where your information is necessary to enter into or perform our contract with you (or to take steps at your request before entering into such a contract).
- Legal obligation: where we need to use your information to comply with our legal and regulatory obligations.
- Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
- Vital interests: in rare situations it may be necessary to use your information to protect someone’s life.
- Public interest: there may be times when we need to share your personal information to perform a task in the public interest.
Most commonly, we rely on the following legal basis to use your personal information:
- to perform the contract, we are about to enter into or have entered into with you.
- it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- to comply with a legal or regulatory obligation.
We do not rely on consent as a legal basis for processing your personal data other than in relation to sending marketing information and communications to you. You have the right to withdraw consent to this at any time by contacting us.
Do we share personal data with third parties?
XSML Capital does not trade, rent, or sell any personal data to any other organisation or third party. Your information is only provided to the relevant authorities unless you give your consent or if required by law, and to service providers such as our bankers, auditors, legal advisors, and other service providers. We restrict the information that is passed on to the minimum.
We may further share Personal Data with third parties, for example in the context of reasonable anti money laundering, Know Your Customer (KYC) or our investor due diligence or those of third parties.
Other examples of third parties:
- Third parties providing services or advice to us, such as accountants, fund administrators, lawyers, consultants, auditors, insurers, agents etc. and subcontractors acting on our behalf.
- Representatives, agents, intermediaries and/or third-party product providers appointed by a (prospective) investor (such as accountants, professional advisors, and product providers)
- Social media companies (in a secure format) or other third-party advertisers (subject to your consent) so they can display relevant messages to you and others about us and our activities.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Do we transfer data to recipients outside the EU?
XSML may share Personal Data within its organization and with other organizations. This may involve transferring information outside the EU as most of our offices are based in African countries. XSML uses specific contract clauses approved for use in the EU which give personal information the same protection it has in the EU.
How is your personal data protected?
We have put in place appropriate security measures (physical, technical, and organizational safeguards) to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We use safeguards such as firewalls, intrusion detection, anti-virus technology and password login to prevent unauthorized access. The effectiveness is periodically tested. We also have appropriate controls and mechanisms in place to detect, respond and recover in cases of adverse events.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
If you use our website or services, you are responsible for maintaining the confidentiality of your login details if available. Please remember that the transmission of data over the internet is never completely secure. Although we do our utmost to protect your Personal Data, we cannot guarantee the security of the data you submit through our website. Any transmission is at your own risk.
For how long do we keep your persnal data?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
For What data protection rights do you have?
If XSML processes Personal Data about you, you have certain rights under data protection laws as listed below.
- Right to information. You have the right to obtain information about whether we process Personal Data about you and, if necessary, to more detailed information about the use of your Personal Data.
- Right to access to your personal information. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Right to rectification of the Personal Data that we hold. You may ask us to amend your Personal Data if you believe that is inaccurate or incomplete. We may need to verify the accuracy of the new data provided by the data subject.
- Right to erasure of personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it and we are not obliged to retain it. Please note, however, that we may not always be able to comply with this request of erasure for specific legal reasons which will be notified, if applicable, at the time of the request.
- Right to restrict. You have the right to have the processing of your Personal Data temporarily restricted by us if you doubt the accuracy of the Personal Data or restrict the use of the data instead of having it deleted.
- Right to data portability: If you have provided us with your Personal Data, you may have the right to have us transmit it to you electronically, if this is technically feasible.
- Right to withdraw consent when we rely on consent to process your personal information. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case when consent is withdrawn.
- Right to lodge a complaint. You have the right to lodge a complaint with the relevant data protection authority if you think that any of your rights have been infringed by us.
Before we respond to your request, we may ask you for proof of identity. This way, we can ensure that Personal Data is not passed on to unauthorized persons.
Who to contact in case of questions or concerns about data protection?