1. Introduction

This Online Privacy Policy (“Policy“) applies to the Graha Capital Group of companies. This Policy explains how we comply with local laws and regulatory requirements in the jurisdiction we operate in.

Graha Capital Group is committed to protecting the privacy of all personal information or data entrusted to it.  This Policy describes how Graha Capital Group collects, uses, retains, discloses, and protects personal information, including any data you may provide to us through your use of this website or other Graha Capital Group websites or mobile or web applications. This Policy supplements any other privacy policy or fair processing notice that Graha Capital Group may have provided to you on specific occasions and is not intended to override them. It is important that you read this Policy together with any other privacy policy or fair processing notice, so that you are fully aware of how and why Graha Capital Group uses your personal information.

2. What is personal information

Personal information or personal data (“personal information”) means information about an identifiable individual. This includes factual or subjective information, recorded or not, that can be used, either alone or in combination with other information, to identify an individual. It also includes data points that when combined with other information could identify an individual. It doesn’t include information about an individual that is publicly available. It also does not include aggregate or anonymous data that cannot identify an individual. 

3. What personal information we collect

Graha Capital Group collects personal information from individuals, for example, from customers, clients, tenants, suppliers, service providers, employees, or other individuals. Graha Capital Group collects personal information that’s necessary to deliver products and services, enhance your experience and interactions with us, manage our business operations and fulfil our legal, regulatory and security obligations.

Depending on your products, the services you use, or your interactions with us, the personal information we need may includes:

• contact information – such as your name, mailing address, email address, phone number
• demographic information – such as your age, employment details, marital status, beneficiary information, nationality
• health information – such as your lifestyle information, health, and medical history
• financial information – such as contributions, investment funds and accounts, retirement goals, source of income, intended use of account, risk tolerance, credit score and credit report from credit rating agencies
• identifiers – such as bank account numbers, government issued IDs or other personal identifiers
• supporting documents – such as tax slips, bank statements, identity verification documentation, proof of relationship, power of attorney
• information about your interactions with us – such as your consents, survey responses, call centre interactions, complaints
• employment and job application information or lease application information – this may include some of the information described above, as well as background checks, letters of reference and any additional information provided by you in a job or lease application form
• Information collected automatically using automated means, further described below
• Information collected from third parties and other sources, further described below

Children’s personal information

Graha Capital Group does not knowingly solicit or collect any personal information from or market products and services directly to children under the age of majority. Graha Capital Group’s products, service and website(s) are for those who are over the age of majority. We would only collect information about children from parents or legal guardians when they are covered under their agreements, leases, policies, or assigned as beneficiaries, for example.

If you are under the age of majority, please do not submit any personal information to us. If Graha Capital Group is notified or discovers that a child under the age of majority has submitted personal information to us, we will take reasonable steps to delete the information.

4. How we collect personal information

Graha Capital Group may collect personal information directly from an individual, through automated means, or from third parties or other sources.

Directly from an individual

Graha Capital Group collects personal information you provide directly to us when you communicate with us in person, by mail, through email, over the telephone, through our websites or in any other direct manner, for instance when you sign an agreement, apply for a lease, participate in a survey, consent to receiving marketing or commercial-related communications, submit a job application, or upload content to our websites.

Through automated means

Graha Capital Group or our service providers may collect automatically information using automated means when you contact us over the phone, interact with our websites, or visit our managed properties or office locations. This may include the following types of personal information:

• Technical information when you visit or use a Graha Capital Group website. We may automatically collect, for example, your phone number, internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites to manage and improve our operations.
• Video surveillance and recordings to protect you, our tenants, employees and other individuals who visit our managed properties or office locations, and to maintain the security of these locations.
• Audio equipment and recordings when you contact us by phone or through other electronic means we may use audio recordings for quality assurance and training purposes. We will inform you before any call is recorded.
• Cookies, pixels and similar technologies when you visit or use a Graha Capital Group website. We use this information to understand how our users interact with our websites to improve the display and content of our websites. We may also use this information for advertising purposes. To learn more about our use of these technologies and how to manage your preferences, please see the “Cookies and Similar Technologies” section below.
• Electronic access card or key fob information if used when you access our managed properties or office locations.
• Information generally transmitted by mobile devices, such as, for example, an international mobile equipment identifier (“IMEI”) or media access control (“MAC”) addresses. 

5. How we use personal information

Here are some examples of how we may use your personal information in connection with you or your business:  

Delivering products and services

• manage accounts and provide administrative support
• understand needs and suitability of our products
• process applications and transactions
• manage investments and payments
• provide updates on accounts, products and services
• investigate complaints and respond to inquiries

Enhancing experience and interactions

• personalize and improve the experience while using our websites or online platforms
• better understand interest in our products and services
• enable the use of online tools
• deliver targeted and personalized marketing
• display customized preferences (language, time zone, etc.) on our websites or online platforms 

Managing our business operations

• analyze and improve internal business processes
• develop products and services
• determine the effectiveness of marketing and advertising
• evaluate and improve the functionality of our websites or online platforms
• measure engagement and gain a better understanding of behaviours on our websites or online platforms

Fulfilling security and legal obligations

• confirm identity to make sure no one else is accessing information without authorization
• enhance digital security including preventing and detecting security threats and unauthorized activities
• implement risk management programs and procedures to protect against fraud, errors or misrepresentations
• meet regulatory or contractual requirements, such as financial and regulatory reporting
• enable financial institutions and service providers to meet their regulatory obligations

We may need to use your personal information in other ways, as required by law. If we need to use your personal information for any other purposes, we will do so only with your consent where it is required.

We may analyze data collected through automated means to evaluate and improve your digital experience. We may collect this personal information directly or indirectly through third parties. We may also share aggregated, anonymous data with third parties. This data cannot directly identify you. We may combine some of the data we collect through automated means with other data we have about you for analytics. 

6. How we retain personal information

BGO maintains policies and practices governing the retention and destruction of personal information in its possession or custody. We retain your personal information for as long as it is necessary to fulfill the purposes for which it was collected or used and to comply with applicable laws. After the personal information is no longer necessary either for the purpose for which it was collected or to comply with any laws, it will be destroyed or made anonymous in accordance with applicable legal requirements.

7. How we share personal information and with whom

We are responsible for protecting the confidentiality of all personal information in our possession. That includes information transferred to third parties performing services on our behalf such as our agents, service providers or our affiliates. Unless prohibited by legal or contractual requirements, we and some of these third parties may store or process your information outside the jurisdiction where it was collected. In those cases, we follow all local laws, and the processing of your personal information may be subject to the laws of those other jurisdictions. We always require that these third parties protect your personal information consistent with our privacy policies and practices and comply with relevant laws.

In respect of personal information disclosed to third parties, Graha Capital Group takes appropriate steps, where permitted by law, to ensure that such third parties use the personal information only in connection with the purposes for which the information was collected and safeguard the personal information against unauthorized use or disclosure.

In some cases, laws require us to share information with regulators or government agencies.

With your consent

We may also share or disclose your personal information when we have your implied or express consent.

8. How we manage consent

The collection, use or disclosure of your personal information by Graha Capital Group requires your knowledge and consent. At certain times, your consent for the collection, use and disclosure of your personal information may be implied from the manner in which it is collected. For example, when you provide Graha Capital Group with your personal information in connection with a lease, you have implicitly consented to Graha Capital Group collecting, using and disclosing your personal information in a manner necessary to determine your suitability for, and administer, your lease.

You may also expressly provide your consent. If Graha Capital Group collects, uses or discloses personal information for purposes other than those described above, prior to the collection, use and/or disclosure of such personal information, unless required to be disclosed by law, you will be informed of and your consent obtained prior to Graha Capital Group’s collection, use and/or disclosure of that personal information. If Graha Capital Group intends to use and/or disclose personal information that Graha Capital Group previously collected for a new purpose which is not authorized under applicable laws, your consent will be obtained before Graha Capital Group uses and/or disclose it for that new purpose.  

You may always choose not to supply Graha Capital Group with your personal information. Furthermore, previously granted consent may be withdrawn at any time (subject to certain legal or contractual restrictions) by notifying the Privacy Officer in writing. Keep in mind that by withdrawing your consent (in whole or in part) to our collection, use or disclosure of your personal information, we may no longer be able to provide you with the services you requested.  

9. How we protect your personal information

Graha Capital Group will protect your personal information in a manner that is consistent with and appropriate to the sensitivity of that personal information. For example, we employ physical safeguards (such as the use of locked cabinets and storage facilities), technical safeguards (such as the use of passwords and encryption), and organizational safeguards (such as installing access controls and limiting access to need to know employees) to ensure your personal information is protected while it is under our care. We also use contractual measures to protect any personal information disclosed to third parties outside the jurisdiction where you reside.

Data Governance and Security Measures

Graha Capital Group maintains policies and practices which ensure the protection of your personal information. Depending on the volume and sensitivity of the information, the purposes for which it is used and the format in which it is stored, we implement a combination of measures to protect your personal information, including:

• Internal policies and procedures that define the roles and responsibilities of our employees throughout the information life cycle and limits their access to such information on a “need-to-know” basis;
• If information is collected or stored in electronic format, technical safeguards such as encryption, firewalls, antivirus software and similar measures;
• A designated Privacy Officer to monitor Graha Capital Group’s compliance with applicable data protection laws;
• Privacy impact assessments (“PIAs”) for new business initiatives and significant changes to processes that pose a high risk to the privacy of individuals.
• Employee privacy and data security training;
• Procedures for receiving, investigating and responding to complaints or inquiries regarding Graha Capital Group’s information handling practices, including any security incidents involving personal information;
• Framework governing the retention and destruction of personal information;
• Contractual protections and other measures to ensure that service providers with whom we share personal information maintain adequate privacy protections and standards. For example, we generally require our service providers to notify us in case of any actual or suspected security incident. We also try to monitor and audit their compliance with these requirements in various ways.

Graha Capital Group undertakes to use reasonable efforts to maintain the accuracy, completeness and currency of your personal information that is held by Graha Capital Group as is necessary to full fill the purpose for which it was collected and is to be used. Graha Capital Group may, from time to time, ask you to confirm the accuracy of your personal information for such purpose.

Cookies and Similar Technologies

When you visit the Graha Capital Group website(s), we may collect and use your internet protocol address to help diagnose problems with our server and to administer the website(s), to understand how users interact with the Graha Capital Group website(s), and to gather broad demographic information. Graha Capital Group may also collect web page choices, browser type, operating system, and time you spend on the site to help Graha Capital Group improve your experience.

Graha Capital Group uses “cookies”, a technology that installs a small amount of information on a website user’s computer, to permit our website to recognize future visits using that computer and to avoid having to register your contact information at each visit. Cookies enhance the convenience and use of our website(s). For example, the information provided through cookies is used to recognize you as a previous user of our website(s), to track your activity on our website(s), to respond to your needs, and to otherwise facilitate your experience on our website(s).

You may choose to decline cookies if your browser permits, but doing so may affect your use of our website(s) and your ability to access certain features of our website(s) or engage in transactions through our website(s).

We may use the following types of cookies on our website(s):

• Strictly necessary cookies: these cookies are essential to allow you to fully use our website and its full features. These cookies do not gather information about you that could be used for marketing.
• Performance cookies: these cookies collect information about how our visitors use our website, to help us understand what sections of our site are popular and help us fix errors on any of our web pages.
• Marketing and targeting cookies: these collect information about your browsing habits and are placed by third party providers and ourselves. The information in these cookies is anonymized but they contain a unique key that can distinguish individual browsing habits, or if an individual user has clicked on an advert we have placed. We use these cookies to understand if our marketing is effective, and if our recommendations for you are a good fit.

Within our applications, Graha Capital Group may also use analytic tools and automated tracking technology or methods. Graha Capital Group may use these tools to analyze and enhance the user experience. Graha Capital Group may use third-party advertising networks to display advertising on our websites or other websites. These advertising networks may use cookies or similar technologies to track your navigation habits on our websites and third-party websites to serve you advertising that is customized to your inferred interests and preferences. For example, a cookie may be placed on your computer when you visit a Graha Capital Group website, which is recognized and used by third-party advertising networks to serve you with a Graha Capital Group and when you visit other websites within their advertising network.

As described above, you may be able to set your browser to decline cookies. If you decline cookies, you may still receive online advertising; however, it may be less personalized. Some advertising networks participate in industry programs that include web pages to visit to opt-out. You can find out more about turning off cookies at the independent website allaboutcookies.org.

Third Party Websites

Graha Capital Group may provide links to other websites that are not operated or controlled by Graha Capital Group. These websites are not governed by this Policy. You should review the privacy policy associated with any linked website prior to visiting the site or providing any information.

10. Changes to our Privacy Policy

We may make changes to this Policy from time to time. Any changes we make will become effective when we post a modified version on our websites. If the changes we make are significant, we will provide a more prominent notice when required by applicable laws.

By continuing to use our products and services after the modified version of the Policy has been posted or after you have been informed of such update, you are accepting the changes to the Policy. If you do not agree to the changes in our Policy, it is your responsibility to stop participating in our programs, and/or using our services or purchasing our products. It is your obligation to ensure that you read, understand, and agree to the latest version of the Policy as posted. The “Last Updated” at the top of this Policy indicates when it was last updated.