Privacy Notice

1. Who we are

Verdant Rock Limited ("we," "us" or "the Company") is a Bermuda exempted company limited by shares, with its registered office at Park Place, 55 Par La Ville Road, Hamilton HM 11, Bermuda. We are registered as a Class 3B insurer by the Bermuda Monetary Authority ("BMA") under the Insurance Act 1978.

References to "you" or "your" mean any individual whose personal information we use. If you provide us with personal information about another individual, you must ensure that individual has received a copy of this Notice before you do so.

2. Applicable law

We process personal information in accordance with the Personal Information Protection Act 2016 ("PIPA") and any subordinate regulations. Nothing in this Notice is intended to confer rights beyond those provided under PIPA.

3. Personal information we collect and how we collect it

We define "personal information" as any information from which an individual could be identified, directly or indirectly, by itself or when combined with other information or context.

We collect personal information:

• directly from you (e.g., when you interact with our website or digital platforms, communicate with us, register for updates, attend events or submit applications);
• from third parties in the course of our operations (e.g., advisors, service providers in connection with our underwriting and capital-markets activities, market-research providers, and due-diligence sources); and
• from publicly available sources (e.g., public registries and social-media platforms).

4. Information we collect

We may collect:

• identification data – name, date of birth, nationality, government-issued identification numbers, photo identification;
• contact data – email address, phone number, postal address;
• professional data – job title, employer, professional affiliations;
• financial data – financial products and services you obtain, credit-risk and financial-crime risk ratings;
• transactional data – information relating to your use of our services and accounts;
• digital data – website interaction data, login credentials and, where applicable, biometric authentication data;
• due-diligence data – information obtained through know-your-customer and sanctions screening; and
• employment data – if you are an employee or candidate, your application, supporting documents and employment records.

We do not knowingly collect personal information relating to children.

5. Purposes and lawful conditions for use

Under PIPA, we may use your personal information only where a lawful condition applies. We use your personal information for the following purposes, relying on the corresponding PIPA conditions:

• Performance of a contract: to consider applications for, offer, provide and manage our products and services; to pay or collect amounts owed.
• Compliance with law: to comply with applicable laws, regulations and regulatory requirements, including financial-crime prevention, sanctions, tax-reporting and disclosure obligations.
• Consent: to send you marketing materials and communications (you may withdraw consent at any time).
• Necessary for a task carried out in the public interest or the exercise of official authority: where required by regulatory or governmental direction.
• Employment relationship: to manage current, past or prospective employment relationships.
• Reasonable expectations: where, giving due weight to the sensitivity of the information, you would not reasonably be expected to object and the use does not prejudice your rights.

We also use personal information for the following operational purposes, in each case relying on one or more of the conditions above:

• managing communications with clients, investors, advisors and stakeholders;
• sending updates, newsletters and event invitations (with your consent);
• registering event participants and managing logistics;
• conducting surveys, benchmarking and market analysis;
• maintaining platform security, preventing fraud and safeguarding confidential information; and
• designing and improving our products, services and marketing.

6. What we do not do

We do not sell, license, transmit or disclose personal information outside of our group of companies except as described in this Notice. In particular:

• We do not sell or rent your personal information.
• We do not use your personal information for unrelated or unauthorised purposes.
• We do not rely on automated decision-making that has legal or similarly significant effects on you.

7. Disclosure of personal information

We may disclose personal information to:

• business partners with which we work;
• service providers and third parties that process personal information on our behalf to perform functions for us, subject to contractual obligations requiring compliance with PIPA, equivalent security standards, and 24-hour breach notification;
• third parties to whom you have consented to our sharing data (e.g., employment referees);
• local or overseas regulators, law-enforcement authorities, government agencies and tax authorities;
• any third party in connection with a potential transfer, merger or acquisition of our business or assets, provided the recipient has agreed to maintain confidentiality and comply with applicable data-protection requirements;
• lawyers, auditors, consultants and other professional advisors; and
• our current and future parents, affiliates and subsidiaries.

All third parties to whom we disclose personal information are required by contract to comply with PIPA, to confirm that the Company retains ownership of the data, to maintain security and confidentiality standards equivalent to our own, and to return or securely destroy all data upon termination of the engagement.

8. Email

We appreciate your questions and comments about our website and services and welcome your email messages to mailboxes listed on our websites. We may share your messages with others within our organisation, such as our personnel who are most capable of addressing the issues contained in your message. We may retain copies of your message and may archive your message in accordance with our Data Protection and Retention Policy.

9. Transfer of personal information outside Bermuda

We may transfer personal information outside Bermuda in connection with our operations. Before any such transfer, a written risk assessment is conducted and approved by the Company's Privacy Officer. The transfer mechanism and legal basis are documented and maintained for regulatory inspection.

If the receiving jurisdiction does not provide a level of protection comparable to PIPA, we ensure that contractual protections are in place requiring the recipient to safeguard the personal information, notify us of adverse events and use the information solely for the purposes for which it was collected.

10. Confidentiality and security

We apply industry-standard technical and organisational safeguards to protect personal information against unauthorised access, loss, misuse or alteration. Access is restricted to authorised personnel bound by confidentiality obligations. Further detail is set out in our Cyber Risk Policy and IT Security Policy.

We welcome suggestions to improve our systems or processes regarding confidentiality and security. Please contact us at info@verdant-rock.com.

11. Use of "cookies" or other data collection tools

A cookie is a piece of information which a web server may place on your computer when you visit a website. Cookies are commonly used by websites to improve the user experience and have not been known to transmit computer viruses or otherwise harm your computer. Many cookies last only through a single website session, or visit. Others may have an expiration date, or may remain on your computer until you delete them.

We may use cookies for a number of purposes – for example, to maintain continuity during a user session, to gather data about the usage of our website for research and other purposes, to store your preferences for certain kinds of information and marketing offers, or to store a user name or encrypted identification number so that you do not have to provide this information every time you return to our website.

Our cookies will track only your activity relating to your online activity on this website, and will not track your other Internet activity. Our cookies do not gather personally identifiable information.

You can decide if and how your computer will accept a cookie by configuring your preferences or options in your browser. However, if you choose to reject cookies, you may not be able to use certain of our online products and services or website features.

12. Retention of information

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or regulatory standards. Applicable minimum retention periods are set out in our Data Protection and Retention Policy.

In determining the appropriate retention period, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it and whether those purposes can be achieved by other means, and applicable legal requirements.

Once no longer needed, personal information is securely deleted or anonymised in accordance with our Data Protection and Retention Policy, using certified erasure or cryptographic wiping for electronic data and cross-shredding or pulping for paper records. All destruction events are logged and a Data Destruction Certificate is issued.

13. The right to verify the accuracy of information we collect and your other rights under PIPA

Under PIPA, you have the following rights in relation to your personal information:

• Access – you may request access to your personal information, including a copy of the information held, the purposes for which it is used and to whom it has been disclosed. We will respond within 45 days of receiving a written request.
• Correction – if you believe your personal information is inaccurate, you may ask us to correct it. We will take reasonable steps to verify accuracy and respond within 45 days.
• Blocking – in certain circumstances, you may request that we block the use of your personal information.
• Marketing opt-out – you may request that we cease marketing to you at any time.
• Complaint – you may lodge a complaint with the Privacy Commissioner for Bermuda.

We may charge a reasonable fee for access requests, not exceeding any prescribed maximum. In exceptional circumstances (large data requests, need for third-party advice, or unreasonable interference with operations), we may extend the 45-day response period by up to 30 days, with notice to you.

Where requests are manifestly unfounded or excessive (particularly where repetitive), we may decline to act. We may also be required to retain personal information to comply with legal or regulatory obligations notwithstanding a request for deletion.

14. Changes to this privacy notice

We may change this Notice at any time and from time to time. The most recent version of the Notice is reflected by the effective date at the top of this Notice. This Notice is not intended to and does not create any contractual or other legal right in or on behalf of any party.

15. Contacting us

If you have any questions about this Notice or would like to learn more about how we protect privacy, please contact us at info@verdant-rock.com.