Privacy statement

This privacy statement was last updated on 1st August 2023.

1. Important notice

This is the Privacy Notice of Covesta Limited (company number 13292589) whose registered office is at Brooks House, Alexander Place, 13 - 17 Princes Road, Richmond, England, TW10 6DQ (“Covesta”, “we”, “us” or “our”) and sets out how we collect and process your personal data. This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data. Please read this Privacy Notice to understand how we may use your personal data.

This Privacy Notice relates to personal information that identifies “you” meaning a User of our Platform and any individual who browses our website. If you are an employee, contractor or otherwise engaged in work for us or applying to work for us, a separate privacy notice applies to you instead.

This Privacy Notice is not intended for children and we do not knowingly collect personal data relating to children. Additionally, this Privacy Notice is not intended to apply to personal data collection during the recruitment of employees, for which there is a separate privacy notice. 

This Privacy Notice may be reviewed and amended from time to time. As a result of improvements we make to our services, changes in the law or developments in technology, we may change the information we hold about you, the method and purposes for which we process such information. If we make any substantial change in the way in which we use your personal information we will notify you by email.

2. Categories of personal data we collect

Personal data means any information that can identify a living person, whether directly or indirectly. The categories of personal data about you that we may collect, use, store, share and transfer are:

  • Individual Data. This includes personal data which relates to your identity, such as your first name, middle name, last name, username or similar identifier, marital status, title, date of birth and gender and your contact details such as your billing address, delivery address, email address and telephone numbers;
  • Advertising Data. This includes personal data which relates to your advertising preferences, such as information about your preferences in receiving marketing materials from us and our third parties and your communication preferences;
  • Information Technology Data. This includes personal data which relates to your use of our platform, such as your internet protocol (IP) address, login data, traffic data, weblogs and other communication data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our platform;
  • Account and Profile Data. This includes personal data which relates to your account or profile on our Platform, such as your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
  • Economic and Financial Data. This includes personal data which relates to your finances and investments, such as your bank account and payment card details and information which we may collect from you for the purposes of the prevention of fraud;
  • Investment Data. This includes personal data on our Platform which relates to the transactions you have conducted with us, such as details about payments to and from you, details of your investments, other shareholder information, high net worth investor/ sophisticated investor declarations and other details of your use of our services and platform; and
  • Market Research Data. This includes personal data which is gathered for the purposes of market research.

We may also create personal data about you. For example, if you contact us by telephone to make a complaint (for example, about our services), we may make a written record of key details of the conversation so that we can take steps to address the complaint.

We also obtain and use certain aggregated data such as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Information Technology Data to calculate the percentage of users accessing a specific feature on our platform. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

We do not collect any information about criminal convictions and offences.

3. The sources from which we obtain your personal data

We obtain your personal data from the following sources:

  1. Directly from you, either in person, via our platform or by telephone. This could include personal data which you provide when you:
    1. create an account on our platform;
    2. subscribe to or engage with platform functionality;
    3. register interest in a pitch or make an offer to an investee business;
    4. provide details in connection with any documentation you propose to enter into; and
    5. complete a survey from us or give us feedback.
  2. Via automated technologies, such as cookies, server logs and other similar technologies. We may automatically collect Information Technology Data about your equipment, browsing actions and patterns by using cookies, server logs and other similar technologies. We may also receive Information Technology Data about you if you visit other websites employing our cookies.
  3. From someone else, such as:
    1. other members of any investment group of which you are a member;
    2. investment managers;
    3. your legal and/or financial advisors;
    4. financial and payment institutions;
    5. other third party intermediaries, such as brokers and agents;
    6. credit reference agencies and financial crime databases;
    7. analytics providers;
    8. advertising networks;
    9. search information providers;
    10. providers of technical, payment and delivery services;
    11. data brokers or aggregators
  4. From publicly available sources, such as:
    1. Companies House;
    2. the electoral roll; and
    3. HM Land Registry

4. How we use your personal data

We collect personal data about you in order to

  1. perform our contractual obligations to you. This would include:
    • operating the Covesta platform in the manner described in our Investor Terms and Investee Terms;
    • orders placed by us where you are a supplier to Covesta;
    • making or receiving payments, fees and charges;
    • collecting and recovering money owed; and
    • disclosing your personal data (including your identity and interest in an investee company) to any bank, financial institution, portfolio company (where relevant) or other third party lender providing any form of facility, loan, finance or other form of credit or guarantee to an investee company or its affiliates;
  2. manage our relationship with you including
    • to send you important notices such as communications about changes to our terms and conditions and policies (including this Privacy Notice);
    • to provide you with important real-time information about services you have requested from us (e.g. changes due to unforeseen circumstances);
    • to send you information you have requested;
    • to deal with your enquiries; and
    • to ask you to leave a review or feedback on us;
  3. administer our business and carry out business activities;
  4. make suggestions and recommendations to you about investment opportunities or platform functionality that may be of interest to you, deliver relevant website content and advertisements to you and to measure or understand the effectiveness of our advertising;
  5. for internal purposes to use data analytics, to identify usage trends, determine and measure the effectiveness of and to improve our platform, marketing, customer relationships and experiences;
  6. protect our business including to deal with any misuse of our platform and to comply with our security policies;
  7. use your personal data to comply with our own legal and industry obligations e.g. to comply with health and safety requirements, perform due diligence, or to assist in a police investigation;
  8. enforce or apply our contractual arrangements with you and third parties;
  9. to detect and prevent fraud and other illegal activities (and to assist regulators, trade bodies and law enforcement agencies in relation to the same);
  10. finance, restructure, sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers; and
  11. investigate and defend any third-party claims or allegations.

5. Our lawful basis for processing your personal data

Where we may rely on consent

For certain purposes it may be appropriate for us to obtain your prior consent. The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.

In the event that we rely on your consent, you may at any time withdraw the specific consent you give to our processing your personal data. Please contact us using the contact details set out in paragraph 1 to do so. Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other lawful bases to process your personal data for other purposes.

Other legal bases we may rely on

Where we are relying on a basis other than your consent, the lawful basis for processing personal data will be one of the following:

  1. the processing is necessary in order for us to comply with our legal obligations (such as compliance with anti-money laundering legislation);
  2. the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
  3. processing is necessary for the establishment, exercise or defence of legal claims; or
  4. the processing is necessary for the pursuit of our legitimate business interests. In particular, our legitimate interests include:
    • the provision of the platform and activities we carry out through or ancillary to the platform;
    • the recovery of debt;
    • the provision of administration and / or IT services;
    • the security of our IT network;
    • the prevention of fraud;
    • marketing of goods and services and promotion of our business;
    • the reorganisation or sale or refinancing of the business;
    • the study of how to develop and update our products and services;
    • the development of our business strategy; and
    • protecting our business and property; or
  5. the processing is necessary in order to protect the vital interests of an individual e.g. where there is a medical emergency at one of our premises.

6. Who receives your personal data

We may disclose your personal data to:

  1. other investors with whom you are connected (e.g. as part of an investment group or similar) or who are also investing or proposing to invest in the same investment opportunity as you;
  2. our group companies and affiliates or third party data processors who may process data on our behalf to enable us to carry out our usual business practices. Any such disclosure will only be so that we can process your personal data for the purposes set out in this Privacy Notice;
  3. banks, financial institutions and other third party lenders;
  4. HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation;
  5. external professional advisers such as accountants, bankers, insurers, auditors and lawyers;
  6. law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights;
  7. third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
  8. third parties which are considering or have decided to acquire some or all of our assets or shares, merge with us or to whom we may transfer our business (including in the event of a reorganisation, dissolution or liquidation).

7. Personal data about other people which you provide to us

If you provide personal data to us about someone else (such as one of your directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this privacy notice.

You must ensure the individual concerned is aware of the various matters detailed in this privacy notice, as those matters relate to that individual, including our identity, how to contact us, the way in which we collect and use personal data and our personal data disclosure practices, that individual's right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided.

8. Accuracy of your personal information

It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us either by logging onto your account on the website or by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

9. International transfers of personal data

It is possible that personal data we collect from you may be transferred, stored and/or processed outside the United Kingdom including outside the European Economic Area.

In connection with such transfers we will ensure that:

  1. there are appropriate safeguards in place such as binding corporate rules or approved model contractual clauses. A copy of the appropriate safeguard can be obtained by contacting us using the contact details set out in paragraph 2; or
  2. the transfer is to a country that provides an adequate level of protection; or
  3. one of the derogations for specific situations applies to the transfer including explicit consent or necessary for the performance of a contract or exercise or defence of legal claims.

10. Where we store your personal data

The data that we collect from you is stored in the UK, but data may also be processed by staff operating outside the EEA who work for us or for one of our suppliers for the purposes set out above only. In order to ensure that any third party treats your personal data in a way which is consistent with UK and EU laws on data protection, we have put in place agreements with those third parties which contain provisions approved by the EU for protecting personal data.

Our primary servers are located in the EU with hosting partner Amazon Web Services, and your personal information will be routed through, and stored on, these servers when you use the platform. If the location of our servers changes in the future, we will update this statement. Therefore you should review this statement regularly to keep informed of any updates.

We use additional service providers that may store your information:

Customerly

We use Customerly to provide website and in-platform support to current and prospective users. To do this a simple profile of each individual is maintained within Customerly to enable us to provide a tailored and informed support service.

You can read more information about Customerly's data processing and data protection at:
https://www.customerly.io/privacy/

Postmark

We use Postmark to send emails from the platform. To do this a copy of every email message is sent to and stored on the Postmark servers including your email address. Copies of email messages are retained for up to 45 days and are used to provide platform support. This information is transferred to servers located in the USA. The transfer is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework.

You can read more information about Postmark's data processing and data protection at:
https://wildbit.com/privacy-policy

11. How long we will store your personal data for

We will store your personal data for the time period which is appropriate in accordance with the following criteria:

  1. the on-going business operation / relationship that we have with you;
  2. the completion of the purpose for which the personal data was given;
  3. our legal obligations in relation to that personal data and other legal requirements;
  4. the type and size of the data held and whether any of it is deemed to be special category personal data; or
  5. our accounting requirements in relation to that personal data.

12. Contractual or statutory requirements on you to provide personal data

In certain circumstances the provision of personal data by you is a requirement to comply with the law or a contract, or necessary to enter into a contract.

It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If you do not provide your personal data then the consequences of failing to provide your personal data are that we may not be able to perform to the level you expect under our contract with you. An example of this would be where you are unable to make an investment as we do not have your full details, or where we cannot perform our contract with you at all because we rely on the personal data you provide in order to do so. Please see our Investor Terms for further details.

13. Your rights in relation to personal data

Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data, you may have a number of rights in connection with the processing of your personal data, including:

  1. the right to request access to your personal data that we process or control;
  2. the right to request rectification of any inaccuracies in your personal data or, taking into account the purposes of our processing, to request that incomplete data is completed;
  3. the right to request, on legitimate grounds as specified in law:
    1. erasure of your personal data that we process or control; or
    2. restriction of processing of your personal data that we process or control;
  4. the right to object, on legitimate grounds as specified in law, to the processing of your personal data;
  5. the right to receive your personal data in a structured, commonly used and machine-readable format and to have your personal data transferred to another controller, to the extent applicable in law; and
  6. the right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office [or other relevant supervisory body]. Please see https://ico.org.uk/concerns/ for how to do this.

If you would like to exercise any of the rights set out above, please contact us using the contact details set out below.

14. Technical and security measures

We take the security of your personal data seriously and have technical and organisational measures to ensure a level of security appropriate to the risk.

We use a mixture of measures including utilising technology to combat cybersecurity threats, data management techniques, user access and management procedures, physical security and guidelines for personnel.

Our measures are aimed at having the ability to:

  1. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
  2. restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

15. Links to other websites

This policy only applies to us. If you link to another website from our website, you should remember to read and understand that website’s privacy policy as well. We do not control unconnected third-party websites and are not responsible for any use of your personal data that is made by unconnected third party websites.

16. How to contact us

This Privacy Notice applies where we are a controller in respect of your personal data – this is where we decide how and why your personal data is processed.

If you wish to correct your personal data held by us or to opt out at any time from receiving marketing correspondence from us or to alter your marketing preferences please contact dpo@covesta.com.

If you need to contact us in connection with our use or processing of your personal data or gain access to it then our contact details are dpo@covesta.com.

For the purposes of the Data Protection Act 2018 (DPA) and/or Regulation (EU) 2016/679 (General Data Protection Regulation), as amended (together “Data Protection Laws”), the data controller can be contacted at dpo@covesta.com.

If you have any questions, want to exercise any of your rights or make a complaint, please contact us at dpo@covesta.com or using the address details at the beginning of this statement. If we are unable to resolve your complaint you may contact the Information Commissioner’s Office at the Exchange Tower, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113.