This Data Protection Policy (Policy) sets out how the UPMAX Group and its subsidiaries and affiliates (in this data protection policy referred to as UPMAX, we, us or our) protect the confidentiality of the personal data which we collect, hold, use and disclose, for and on behalf of clients.

This policy shall form an integral part of the agreement for services entered into between UPMAX and and the client (the Agreement) insofar as and to the extent that such agreement shall provide for the protection and confidentiality of personal data and where applicable, this policy shall replace any and all other provision made in such agreement, as it relates to the same subject matter. This policy shall form part of any agreement in place between UPMAX and a client as regards the agreement.

We may update this policy from time to time to ensure that it is consistent with the way we process your personal data and/or any changes in laws and regulations applicable to UPMAX.

By continuing to use our services, you signify that you have read and understood this policy.

Definitions

Data subject

The person to whom personal data relates.

Security incident

An infringement of the technical or organizational security measures taken that may lead to a considerable chance of serious adverse consequences or that has serious adverse consequences for the protection of personal data.

Data controller or controller

shall have the meaning given to it under applicable data protection laws and in the case where there shall be more than one data controller, each shall be a joint controller.

Data processor or processor

Shall have the meaning given to it under applicable data protection laws.

Client

Means the party with whom UPMAX shall have contracted with for the provision of services.

Data leak

An incident resulting in unlawful destruction, loss, change, unauthorized disclosure of or access to personal data as a result of a security incident.

Data protection laws

Means any laws or regulations that shall for the time being, be applicable to personal data relating to the protection of personal data but in particular shall include (without limitation):

(a) for the European Union, the regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the GDPR”);

(b) for the Cayman Islands the Cayman data protection law 2019;

(d) for Singapore, the personal data protection act 2021;

(e) for Hong Kong, the personal data (Privacy) ordinance (Cap. 486) as amended in 2012

Personal data

Means any data regarding a data subject identified or identifiable living person, collected and processed by UPMAX and for the purposes of this policy, the types of personal data may include (without limitation)

(a) Demographic data such as name, gender, date of birth, age, nationality;

(b) Contact details such as home/work/mobile phone numbers, postal addresses and email addresses;

(d) Government identifiers such as passport copies, driver’s licence, income tax number, certificate; and

(e) Criminal records and political associations where they are revealed by client screening.

Agreement

Means the agreement UPMAX shall have entered into with a client for the provision of the services.

Services

Means the services provided by UPMAX to a client as specified in the services agreement and shall include (without limiting the generality thereof) financial advisory and ancillary services, corporate and fiduciary services, reporting and tax services.

Subject transmission request

Means a request by a data subject to have their personal data transferred or transmitted to a third-party controller.

Subject access request

Means a request by a data subject to obtain information about the processing of their personal data or to have the information rectified, erased or blocked.

Party or parties

Means any party who shall be a party to a services agreement.

Interpretation

For the purposes of this policy:

(a) Capitalised words used in this policy without definition, shall have the meaning as otherwise set out herein or as set out in any applicable data protection laws.

Article 1 – Data processing

1. UPMAX obtains personal data of data subjects for the purposes of:

administrative processing of subscription applications;
transfers and requests for redemptions of shares or participations;
to enable UPMAX to perform a risk assessment as prescribed by applicable anti-money laundering and anti-terrorist financing laws and regulations;
to conduct checks and monitoring in accordance with UPMAX KYC policies in force from time to time and as may be required by any applicable laws and regulations;
to enable UPMAX to carry out a classification for FATCA, CRS and other similar regulations and AEOI purposes;
to enable UPMAX to process confidential information in accordance with the performance of the services
complying with any legal obligation to which either party is subject; and
to optimise the global services which UPMAX is able to provide to clients.

2. The details of the processing activities carried out on behalf of the client by UPMAX (such as the subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects) are listed in Appendix I.

3. The parties shall not process personal data in a way that is incompatible with the purposes agreed above and in the agreement.

4. UPMAX takes no responsibility for obtaining consent by the client for the purposes of sending marketing communications including newsletters or statements.

5. As a data controller, the client remains responsible together with UPMAX for ensuring that all uses of the personal data are in compliance with the privacy laws.

6. UPMAX guarantees that the processing of personal data is done with due care and only processes the personal data made available within the framework of the agreement, except for deviating statutory obligations and/or with the client’s prior permission. UPMAX may decide in its sole discretion on the means of processing of personal data and will inform the client if any relevant changes occur.

Article 2 – Responsibilities of the parties

1. Where the client shall pass the personal data of a data subject to UPMAX, it shall ensure that it is compliant with data protection laws to the extent necessary for the processing of personal data, including:

(a) ensuring it has obtained any necessary consents in order for UPMAX to process the personal data in accordance with the agreement; and
(b) ensuring it has provided adequate notice as required by data protection laws to the processing of the personal data by UPMAX and if applicable the transfer of data outside the European economic area.

2. Where personal data relating to a data subject is collected by UPMAX. we shall, at the time when personal data is obtained, or at least within one month after that time, provide the data subject with all of the following information:

UPMAX’s company information and the contact details;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data is intended as well as any legal basis for the processing;
the recipients or categories of recipients of the personal data, if any;
where applicable, the fact that UPMAX intends to transfer personal data to a third country or international organisation and reference to the appropriate or suitable safeguards in place.

3. In addition to the information referred to in paragraph 2 of this Article, UPMAX shall, at the time when personal data is obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
the existence of the right to request from UPMAX access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability which is the right of a data subject to receive the personal data concerning him or her, which he or she has made available, in a structured, commonly used and machine-readable format and have it transmitted to another controller without hindrance;
where the processing is based on consent or when it concerns specific categories of personal data, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as;
whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such personal data.

4. Where UPMAX intends to further process the personal data for a purpose other than that for which the personal data was collected, UPMAX shall request approval from the client first. After approval, UPMAX shall provide the data subject prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2 and 3 of this Article.

5. Paragraphs 2, 3 and 4 of this Article shall not apply where and insofar as the data subject already has the information.

6. Each party shall, in respect of personal data, ensure that they have provided sufficient information to the data subjects in order for them to understand which of their personal data is being shared, the circumstances in which it will be shared, the purposes for the data sharing and the identity of with whom the personal data shall be shared.

Article 3 – Non disclosure

The parties undertake not to disclose to third parties anything that comes to the notice of the parties or their employees about the other party’s operations and/or personal data made available, except for information that is known to and/or accessible to anyone, or if such is necessary or mandatory, it is:

within the framework of the implementation of the agreement;
under or in compliance with legislation and regulations, including any applicable regulation or supervision of the services to be provided by UPMAX;
under a statutory obligation to disclose to a judicial authority, government authority or supervisory agency;
under a provisionally enforceable or final and binding court decision;
the information is public other than through a breach by a party of the terms of the agreement; or
with the other party’s written consent.

Article 4 – Security and sub-processing

1. UPMAX shall take and maintain appropriate technical and organisational measures, and if necessary, adjust these to protect the personal data from destruction, loss, falsification, unauthorized dissemination or unauthorized access, or any form of unlawful processing.

2. Under this Article, UPMAX ensures that a duty to protect personal data shall be imposed on third parties to be engaged by it. UPMAX assures the Client that sub-processors will be chosen with the necessary care and that the same data protection obligation as stated in this policy and if relevant is imposed on all its sub-processors. If UPMAX engages a third-party processor for carrying out specific processing activities, the obligations that shall be imposed on that processor by way of a written contract providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that the processing will meet the requirements of the data protection laws.

3. Notwithstanding the obligations under this article, UPMAX may in any case engage third parties that qualify or may qualify as processor for delivering IT solutions to the organisation. UPMAX will obtain the written consent of the client at least 14 days before engaging processors for any task not listed in this article. UPMAX will accurately inform the client on the processors engaged by it and any changes thereof. In case the client has reasonable grounds to object to the use of new or more sub-processors, the client must immediately inform UPMAX of this in writing within 14 days of receipt of this notification. UPMAX will, if the objection is not unreasonable, endeavor to make changes to the services available to the client or to recommend a commercially reasonable change in the configuration of the client or the use by the client of the services to prevent the processing of personal data by the new or other sub-processor objected to, without unjustifiably burdening the client. If UPMAX cannot make this change available within a reasonable period, which period shall not exceed sixty (60) days, the client may terminate the affected part of the agreement, but only in respect of those services that cannot be provided by UPMAX without the use of the new or other sub-processors objected to by means of written notification to UPMAX.

4. If a sub-processor is located in a third country (as defined and or stated under the data protection laws), at the written request of the client and insofar as required, UPMAX shall enter into a model contract (in the name of the client). In this case, the client instructs and authorizes UPMAX to give sub-processors instructions on behalf of the client and to use all rights of client to the sub-processors on the basis of the model contract.

5. UPMAX remains liable to the client for compliance with the obligations of a sub-processor, in case such sub-processor does not fulfill its obligations. However, UPMAX is not liable for damage and claims arising from instructions from the client to sub-processors.

6. Where UPMAX only processes personal data on the instructions of the client, UPMAX has the obligation to demonstrate compliance with paragraph 1 of this article and should cooperate with any reasonable audit request from the client on 30 days notice.

Article 5 – Data retention rules

1. UPMAX shall not retain or process personal data for longer than is necessary to carry out the agreed purposes.

2. Notwithstanding paragraph 1 of this article, the parties shall continue to retain personal data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.

Article 6 – Security incidents and data leaks

1. UPMAX shall at all times during the term of the agreement, have measures and procedures in place designed to detect security incidents and data leaks and to take relevant action, including recovery measures. Upon discovery of a security incident or data leak UPMAX shall notify the client without undue delay of security incidents which have resulted in a data leak.

UPMAX shall include information in the notification regarding:

the nature of the infringement;
the nature of the leaked personal data;
the (alleged) cause of the infringement and the (alleged) cause of the leaked personal data;
a description of the infringement found and the probable consequences of the infringement for the processing of personal data;
the measures recommended to limit the negative consequences of the infringement;
the measures UPMAX has taken or proposes to remedy the consequences.

2. In the event of such an infringement in connection with personal data, UPMAX will assist with the obligation of the client pursuant to the applicable data protection laws to inform the data subjects and the supervisory authorities respectively, and to document the personal data breach. Contact details regarding the report are recorded in the client service system. Contacts persons are specified in Appendix I attached to this agreement.

Article 7 – Rights of data subjects

1. Data subjects have the right to obtain information about the processing of their personal data or to have the information rectified, erased or blocked through a subject access request. Data subjects may also request to have their personal data transferred or transmitted to a third-party controller through a subject transmission request.

2. Where the data is to be transmitted to a third-party controller, this shall be done in a structured, commonly used and machine-readable format.

3. UPMAX shall maintain a record of subject access requests and subject transmission requests received by UPMAX, the decisions made and any information that was exchanged, transmitted or transferred.

4. The parties agree that the responsibility for complying with a subject access request or a subject transmission request falls to the party receiving the request in respect of the personal data held by that party.

5. The parties agree to provide reasonable and prompt assistance to each other as is necessary for each party to comply with their obligations under applicable data privacy laws.

Article 8 – Automated decision making

UPMAX does not carry out automated profiling and will not make any decisions based on the automated processing of personal data without informing the client.

Article 9 – Transfer of personal data

1. UPMAX may, in the performance of the services, transfer and provide access to personal data in third countries. Such transfer shall only be made to a country whose laws shall have been assessed by the European Commission to have an adequate level of protection by means of an adequacy decision and in which case the transfer shall be subject to the terms of a contract incorporating standard contractual clauses in the form adopted by the European Commission under Decision 2010/87/EU
(the Model Clauses) or equivalent or replacement decision.

2. UPMAX shall not transfer or provide access to personal data outside a country as referred to in Article 9.1 above, except with the client’s express written permission.

Article 10 – Accountability and obligation to report

1. Following a reasonable request, UPMAX shall provide the client with the necessary information in order for the client to be able to draw an informed opinion on UPMAX’s compliance with its obligations set out under data protection laws

2. Where UPMAX qualifies as a joint controller the parties are responsible for any applicable reporting of the relevant processing of (personal) data to the relevant data protection authority. The parties will cooperate in this regard until the obligations have been met.

Article 11 – Liability

All liability arising from or in connection with this policy follows and is exclusively governed by the liability provisions set out in, or otherwise applicable to, the agreement. Therefore, and in order to calculate liability limits and/or to determine the application of other limitations of liability, any liability arising from this policy is deemed to arise under the relevant agreement.

Article 12 – Duration and termination

1. This policy shall be in force for as long as the agreement is in force. On termination of the agreement, the arrangement of this policy shall end by operation of law without any further (legal) act being required.

2. Early termination of this policy or the arrangement made by it is not possible.

3. Subject to a statutory provision resting with UPMAX, UPMAX shall, in the case of termination of the agreement, and when the processing of personal data is no longer necessary to settle the agreement’s termination, ensure that:

the personal data is returned or provided to the client or a successive contractor designated by the client on a suitable information carrier;
the personal data is destroyed, if the client so requests;
after return, provision or destruction, it immediately ceases and does not resume any processing of (the relevant) personal data.

4. Obligations under the agreement including this policy, which by their nature are intended to continue even after the end of the agreement, continue to exist after the end of the agreement.

Article 13 – Miscellaneous

1. In the event of conflict between the provisions in this policy and the agreement and/or any other agreements between the parties, the provisions of this policy with regard to the data protection obligations of the parties shall prevail. In case of doubt as to whether clauses in these other agreements relate to the data protection obligations of the parties, the arrangements of this policy will prevail.

2. The invalidity or unenforceability of any provision in this policy will not affect the validity or enforceability of the other provisions of this policy. The invalid or unenforceable provision is (i) so modified so as to guarantee its validity or enforceability and at the same time the parties’ intentions are preserved as much as possible or, if not possible, (ii) interpreted as if the invalid or unenforceable part had never been included therein. The foregoing also applies if this policy contains an omission.

3. Personal data which UPMAX processes is stored by UPMAX on its servers and/ or on the servers of the cloud-based database located in Amsterdam. This policy is exclusively governed by the applicable law of the agreement and any dispute in respect of this agreement or execution thereof shall be submitted to the UPMAX entity servicing the client and before the competent court as defined in the agreement.

4. Any amendment to this policy shall be published on the UPMAX website, but shall not reduce or otherwise limit the rights of the client.

Appendix I

Categories of data subjects

The transmitted personal data concern the following categories of data subjects:

The investors or unit holders in the investment financial administrated by us or individuals connected with the investor or unit holders (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents) which includes, but is not restricted to, data such name, residential address, email address, place of birth, date of birth, bank account details and details relating to your investment activity;
Individuals that represent the client, that are advising the client, that are in any contractual or statutory relationship with the client, or that the client has collected in view of its servicing towards such individuals, or are otherwise connected to such individuals.

Subject of processing

All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the agreement.

Nature and purpose of the processing

UPMAX collects, processes and uses the personal data of the data subjects:

where this is necessary for the performance of the agreement;
where this is necessary for compliance with a legal obligation (such as the anti-money laundering obligation to verify the identity of our clients (and, if applicable, their beneficial owners) and other applicable regulations, such as tax reporting regimes as FATCA and CRS; and/or
where this is necessary for the purposes of the legitimate interests of us or a third party and such legitimate interests are not overridden by your interests, fundamental rights or freedom.

Kind of personal data

The personal data collected, processed and used by UPMAX includes:

names and contact information;
general demographic information (such as gender, age, date of birth, marital status, nationality, employment details, residence, utility bills, etc.);
personal identification documentation and related information such as passport numbers and employee identification numbers;
financial and payment data such as bank account numbers and transaction information;
information related to the provision of the Services

Contact details in case of data breaches

You have the right to request access to, correction or erasure of personal information that we hold about you. All requests will be reviewed and processed in accordance with applicable law.

If you would like to access, correct, or erase your personal information or if you have any questions, comments or complaints (e.g. if you believe that UPMAX has not handled your personal information properly or that it has breached its privacy obligations) or opt out from direct marketing at any time, please contact UPMAX’s office of privacy & data governance in the following ways:

Email address: info@upmaxgroup.com

Postal address: 10 Collyer Quay #40, Ocean Financial Centre, Singapore 049315

The privacy officer will investigate any complaint and notify the individual within reasonable time-frame of the outcome of the investigation.

Please note this updated version of our privacy statement does not substantively change the way we treat personal information in comparison to the previous version of the privacy statement available historically on our websites.