Investors and Business contacts
1. INTRODUCTION
1.1 We value your privacyInvestors and business contacts, are informed that their personal information (i.e. any information relating to an identified or identifiable natural person, “Personal Data”) or Personal Data of their representatives (such as employees, managers, board members, signatories, beneficial owners, etc) – all such individuals, “Individuals” – provided and/or collected in connection with an investment in and/or (potential) investment by MiddleGame Ventures Fund I SCSp (the “Fund”) will be processed by MiddleGame Ventures S.A. under its responsibility (as data controller, hereafter the “Controller”) and its service providers (the “Processors”) as data processors in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended from time to time (the “General Data Protection Regulation”, “GDPR”), as well as any applicable law or regulation relating to the protection of personal data (together the “Data Protection Law”).
The Controller and Processors collect and use Personal Data for the purposes of providing investment services, managing customer relations and complaints, managing, testing, securing and optimising their systems and compliance with legal or regulatory obligations (including tax reporting), based either on the necessity for the provision of the services, legal obligations or their legitimate interests.
The Controller and Processors may also use personal data for marketing purposes (such as market research or in connection with investments) or business contacts relationship management, based on their legitimate interests or as required, based on consent.
Personal Data processed includes mainly identification details, including professional details, financial and tax information necessary for the provision of the services and legal reporting and KYC/AML related information and is kept for a period of up to ten (10) years after the liquidation of the Fund.
Personal Data may be shared by the Controller and Processors with affiliates, service providers and third parties (including authorities), some of which are not located within the European Economic Area (“EEA”), in countries that may not provide the same level of personal data protection than the EEA. In such cases, appropriate safeguards are put in place.
The following Privacy Notice includes the details of the purposes of data processing, types of data processed, of individuals concerned, disclosures made, transfers of data abroad and individual’s rights in relation to their Personal Data as well as the contact details as to where further requests and complaints may be made.
1.2 Electronic storage
The Controller and Processors may store and process, by electronic or other means, Personal Data of Individuals on computer systems.
2. COUNTERPARTIES
2.1 ControllerThe Controller of Personal Data is MiddleGame Ventures S.A.
Next to the Controller, further entities may process Personal Data of Individuals as data controllers in the course of the investment in the Fund, such as local and foreign authorities, courts, governmental or regulatory bodies, including tax authorities.
2.2 ProcessorsService providers listed in the Fund’s private placement memorandum process Personal Data on behalf of the Controller (the “Service Providers”).
In particular, Société Générale Bank & Trust (“SGBT”) processes Personal Data of Individuals as a Service Provider and a Processor on behalf of the Controller, in particular in its roles as Domiciliary, Corporate and Accounting Agent, as Administrative, Registrar and Transfer Agent as well as Depositary and Paying Agent of the Fund. SGBT’s Privacy Notice with further details as to the Bank’s role as Processor can be found at https://www.sgbt.lu/en/data-policy/data-protection/
.
Further entities (also Processors) may process Personal Data of Individuals on behalf of the Controller and the Service Providers, in particular their affiliates and own service providers such as auditors, legal, financial, technical advisers or CRM software providers.
The Processors act as data processor on behalf of the Controller and, in certain circumstances, as data controller, in particular for managing, testing, securing and optimising their systems and compliance with their own legal obligations in accordance with applicable laws and regulations (such as anti-money laundering identification) and/or order of competent jurisdiction.
3. DATA SUBJECTS
The Controller and Processors may process Personal Data of Investors and business contacts (if individuals) and any individuals connected to them (if legal entities), such as signatories, employees, ultimate beneficial owners, individual shareholders, etc.
4. PERSONAL DATA PROCESSED
Personal Data on Individuals processed by the Controller and Processors includes the following categories, without limitation:
Personal identification data, including electronic identification data and identification data issued by public authorities (e.g. passport or national ID)
Bank and financial data, such as account numbers and type and number of shares held
Tax information
Personal details such as gender, age, date and place of birth, etc.
Education
Professional and employment details such as employer, position, professional contact details
Judicial data, criminal records, criminal offences or convictions and similar
Political status
Images and sound
Any other Personal Data that is necessary to the Controller and the Processors for the purposes described in this Privacy Notice.
5. SOURCE OF PERSONAL DATA
Personal Data is collected directly from the Individuals, from the Investor or business contact, or may be collected through publicly accessible sources including company and trade registers in relevant jurisdictions or other third party data sources such as European, national or foreign authorities (e.g. sanctions lists) or screening databases such as Thomson Reuters World-Check.
6. PURPOSES OF DATA PROCESSING
Personal Data may be processed for the purposes of:
(a) Providing investment services such as
(i) Account opening
(ii) Subscriptions and redemptions
(iii) Verification of transfer agent registers
(iv) Contract notes
(v) Client reporting
(vi) Cash transfers
(vii) Shareholder notices
(viii) Shareholder meetings
(ix) Proxy voting
(x) Corporate actions
(xi) Dividend distribution
(b) Managing Investors and business contacts communications, relationship and complaints
(c) Strategic marketing (such as market research or in connection with investments)
(d) In-house legal advice and litigation management
(e) Managing, testing, securing and optimising the Controller’s systems and infrastructure, through measures such as:
(i) Managing IT assets
(ii) Controlling building access
(iii) Video surveillance
(iv) Maintaining and using document archiving systems
(v) Managing access rights
(vi) Testing system and applications
(vii) Monitoring email systems
(viii) Managing technical incidents and providing user support
(ix) Maintaining and using incident and threat management systems
(x) Ensuring business continuity and disaster recovery
(xi) Applying whistleblowing processes
Personal Data may also be processed to comply with legal or regulatory obligations including, but not limited to
(i) legal obligations under applicable fund law;
(ii) internal and external audits;
(iii) prevention of terrorism financing law;
(iv) anti-money laundering law (such as carrying out customer due diligence);
(v) prevention and detection of crime;
(vi) tax law (such as reporting under the FATCA and the CRS Law (as applicable)).
7. PROCESSING GROUNDS
The Controller and Processors may collect, use, store, retain, transfer and/or otherwise process Personal Data:
(a) as a result of the subscription of the Investors to the shares of the Fund, where necessary to perform the services or to take steps at the request of the Investors prior to such subscription, including the holding of shares in general and/or;
(b) to comply with a domestic legal or regulatory obligation of the Controller or the Processors and/or;
(c) for the purposes of the legitimate interests pursued by the Controller or by the Processors, which mainly consist in
(i) the performance of the services in the event where the application of subscription is not entered into directly by the concerned Investors as natural persons;
(ii) the management, testing, securing and optimising of their systems and infrastructure;
(iii) the management of Investors and business contacts communications, relations and complaints;
(iv) the provision of in-house legal advice and management of contentious proceedings;
(v) compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority, including when providing the services to any beneficial owner and any person holding shares directly or indirectly in the Fund;
(vi) strategic marketing (such as market research or in connection with investments), unless consent is required;
(d) pursuant to the Individuals’ consent, for strategic marketing purposes, where the legitimate interests pursued by the Controller or by the Processors do not suffice. In such case, Individuals may withdraw their consent for the future at any moment using the contact details in clause 13 below.
8. RECIPIENTS OF PERSONAL DATA
Personal Data may be disclosed to and/or transferred to by the Controller and Processors to their affiliates and service providers, as well as any court, governmental or regulatory bodies including tax authorities (i.e. the “Authorised Recipients”).
The Authorised Recipients may act as data processor on behalf of the Controller or, in certain circumstances, as data controller for pursuing their own purposes.
The Investors and business contacts acknowledge that the Authorised Recipients, including the Processors, may be located outside of the European Economic Area (“EEA”) in countries which are not subject to an adequacy decision of the European Commission and which do not offer the same level of data protection as in the EEA or where data protection laws might not exist.
A list of Authorised Recipients is included with SGBT’s Privacy Notice and can be reviewed at https://www.sgbt.lu/en/data-policy/data-protection/.

Project Affinity Inc., which acts as a provider of CRM software solutions to the Controller, is also an Authorised Recipient.

9. INTERNATIONAL DATA TRANSFERS
The Controller undertakes not to transfer the Personal Data to any third parties other than the Authorised Recipients, except as disclosed to the Investors and business contacts from time to time or if required or permitted by applicable laws and regulations, including Data Protection Law, or by any order from a court, governmental, supervisory or regulatory body, including tax authorities.
By subscribing shares in the Fund and/or by providing their Personal Data to the Controller, Investors acknowledge that Personal Data may be processed for the purposes described above and in particular, that the transfer and disclosure of Personal Data may take place to countries which do not have equivalent data protection laws to those of the EEA, including the Data Protection Law, or that are not subject to an adequacy decision of the European Commission.
These countries include the USA.
The Controller may transfer Personal Data to the Authorised Recipients (i) on the basis of appropriate safeguards according to Data Protection Law, such as standard contractual clauses, binding corporate rules, an approved code of conduct, or an approved certification mechanism or, (ii) for the performance of the Investment Services or for the implementation of pre-contractual measures taken at the Investors’ request or, (iii) for the Processors to perform their services rendered in connection with the Investment Services or, (iv) for important reasons of public interest or, (v) for the establishment, exercise or defence of legal claims or, (vi) where the transfer is made from a register which is legally intended to provide information to the public or, (vii) for the purposes of compelling legitimate interests pursued by the Controller or the Processors, to the extent permitted by Data Protection Law.
10. INFORMATION TO DATA SUBJECTS
Insofar as Personal Data provided by and/or collected from the Investors or business contacts include Personal Data concerning Individuals, the Investors and business contacts (as the case may be) represent that they have authority to provide Personal Data of Individuals to the Controller and/or Processors. If Investors or business contacts (as the case may be) are not natural persons, they confirm that they have undertaken to inform any Individuals about the processing of their Personal Data and their rights as described under this Privacy Notice, in accordance with the information requirements under the Data Protection Law. The Controller and Processors may assume, where applicable, that Individuals have, where necessary, been informed of the processing and transfer of their Personal Data and of their rights as described under this Privacy Notice.
11. MANDATORY DATA PROCESSING
Answering questions and requests with respect to Individuals’ identification and shares held in the Fund, FATCA and/or CRS is mandatory. Investors acknowledge and accept that failure to provide relevant personal data requested by the Controller or Processors in the course of their relationship with the Fund may prevent them from maintaining the holding of their shares in the Fund and may be reported to the relevant Luxembourg authorities.
Investors acknowledge that the Controller or Processors may report any relevant information in relation to their investments in the Fund to the Luxembourg tax authorities (Administration des Contributions Directes) which will exchange this information on an automatic basis with the competent authorities in the United States or other permitted jurisdictions as agreed in the FATCA, CRS or similar legislation, at OECD and EU levels or equivalent Luxembourg legislation.
12. DATA SUBJECT RIGHTS
Each Individual may request (i) access to, rectification, or deletion of, any incorrect Personal Data concerning him/her, (ii) a restriction of processing of Personal Data concerning him/her and, (iii) to receive Personal Data concerning him/her or to transmit those Personal Data to another controller in accordance with Data Protection Law and (iv) to obtain a copy of or access to the appropriate or suitable safeguards which have been implemented for transferring the Personal Data outside of the EEA, in the manner and subject to the limitations prescribed in accordance with Data Protection Law. In particular, Individuals may at any time object, on request and free of charge, to the processing of Personal Data concerning them for any processing carried out on the basis of the legitimate interests of the Controller or Processors.
13. CONTACT DETAILS AND SUPERVISORY AUTHORITY
For any information related to the processing of their Personal Data by the Controller or the Processors under this Privacy Notice, Individuals can contact MiddleGame Ventures, 9 rue du Laboratoire, L-1911 Luxembourg, Grand-Duchy of Luxembourg, or via email at info@middlegamevc.com.
In case an Individual wants to formulate a complaint in terms of the data processing under this Privacy Notice, such complaint should also be addressed to the above contact details. Should the Controller not be able to resolve such complaint and in any event, the Data Subject may address a complaint to the supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), either online via the following link https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html or by using the contact details below:
National Commission for Data Protection
15, Boulevard du Jazz
L-4370 Belvaux
(+352) 26 10 60 -1

14. RETENTION PERIODS
Personal Data is held until the liquidation of the Fund and a subsequent period of ten (10) years thereafter where necessary to comply with applicable laws and regulations or to establish, exercise or defend actual or potential legal claims, subject to the applicable statutes of limitation, unless a longer period is required by applicable laws and regulations. In any case, Personal data will not be held for longer than necessary with regard to the purposes described in this Privacy Notice, subject always to applicable legal minimum retention periods.

Service Providers
1. INTRODUCTION
1.1 We value your privacyMiddleGame Ventures S.A. and our affiliates and service providers, as our data processors (“we”, “us”), will collect, store, use, disclose or otherwise process personal data of individuals (“you”) with whom we correspond and communicate.
We will process your personal data in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation”, “GDPR”), as amended or replaced from time to time, as well as any applicable law or regulation relating to the protection of personal data (together the “Data Protection Law”).
We mainly collect and use your Personal Data for the purposes of corresponding and communicating with you; for organising the services we deliver to you or receive from you; for managing, testing, securing and optimising our systems and infrastructure; and for compliance with legal or regulatory obligations, based either on the necessity for the processing of your personal data, legal obligations or our legitimate interests.
Personal data processed includes mainly identification and professional details (and exceptionally other details as disclosed in this Privacy Notice) and is kept for a period of up to 10 years after the end of our relationship.
Personal Data may be shared by us with other entities, acting as controllers or processors of your personal data and which are not located within the European Economic Area (“EEA”), in countries that may not provide the same level of data protection than the EEA. In such cases, appropriate safeguards are put in place.
Our Privacy Notice sets out to explain the details of the our role as data controller, the purposes of data processing, types of data processed, of individuals concerned, disclosures, transfers and individual rights as well as contact details as to where further requests may be made.
1.2 Electronic storageWe will store and process, by electronic or other means, your personal data on computer systems.
2. COUNTERPARTIES
2.1 ControllersYour personal data provided or collected in the course of our relationship will be processed by MiddleGame Ventures S.A. as data controller (the “Controller”).
Further entities may process your personal data as data controllers in the course of the performance of services by the Controller, such as local and foreign authorities, courts, governmental or regulatory bodies, including tax authorities.
2.2 ProcessorsOther entities may process your personal data as a processor on our behalf, in particular our affiliates and service providers such as auditors, legal, financial or technical advisers (the “Processors”).
The Processors may act as data processor on our behalf and, in certain circumstances, as data controller, in particular for managing, testing, securing and optimising their systems and infrastructure and compliance with their own legal obligations in accordance with applicable laws and regulations (such as anti-money laundering identification) and/or order of competent jurisdiction.
3. DATA SUBJECTS
We process personal data about you (in the course of your duties as our service provider, or as a contact person or representative for one of our service providers) and about any other individuals whose personal data you may provide to us.
4. PERSONAL DATA PROCESSED
Personal data processed by us may include the following categories, without limitation:
Personal identification data, including electronic identification data (e.g. an email, IP address, usernames and passwords, access rights, etc.) and identification data issued by public authorities (e.g. passport or national ID)
Bank and financial data (e.g. account numbers)
Tax information (e.g. tax identification number)
Personal details such as gender, age, date and place of birth, etc.
Education and business career
Professional and employment details such as employer, position, professional contact details
Details on products and services delivered or received
Judicial data, criminal records, criminal offences or convictions and similar
Images and sound
Any other personal data that is necessary to us for the purposes described in this Privacy Notice or that is voluntarily disclosed by you.
5. SOURCE OF PERSONAL DATAPersonal Data is collected directly from you or provided by entities (such as our service providers or business partners) we have a relationship with.
6. PURPOSES OF DATA PROCESSINGYour personal data may be processed for the purposes of:
(a) Managing communications, relations and complaints
(b) Managing the services we deliver to you or receive from you
(c) In-house legal advice and litigation management
(d) Managing, testing, securing and optimising the Controller’s systems and infrastructure, through measures such as:
(i) Managing IT assets
(ii) Controlling building access
(iii) Video surveillance
(iv) Maintaining and using document archiving systems
(v) Managing access rights
(vi) Testing system and applications
(vii) Monitoring email systems
(viii) Managing technical incidents and providing user support
(ix) Maintaining and using incident and threat management systems
(x) Ensuring business continuity and disaster recovery
(xi) Applying whistleblowing processes
Personal Data may also be processed to comply with legal or regulatory obligations including, but not limited to
(i) legal obligations under applicable laws and regulations we are subject to, including anti-money laundering, anti-bribery laws, mandatory reporting laws and similar;
(ii) internal and external audits;
(iii) prevention and detection of crime.
7. PROCESSING GROUNDS
We collect, use, store, retain, transfer and/or otherwise process personal data:
(a) as a result of the entering into a business relationship between us and you or the entity that provided your personal data to us (e.g. your employer), where necessary to perform the services, to enter into contact and communicate in general; and/or
(b) to comply with a domestic legal or regulatory obligation we are bound to; and/or
(c) for the purposes of the legitimate interests pursued by us or by the entity that provided your personal data to us, which mainly consist in
(i) the performance of the services, to enter into contact and communicate in general in the event where your personal data was not directly provided to us by you;
(ii) the management, testing, securing and optimising of our systems and infrastructure;
(iii) the management of service providers communications, relations and complaints;
(iv) the provision of in-house legal advice and management of contentious proceedings;
(v) marketing, invitation to events, newsletters and similar communications;
(vi) compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority.
8. RECIPIENTS OF PERSONAL DATA
Your personal data may be disclosed to and/or transferred by us to our affiliates and service providers, as well as any court, governmental or regulatory bodies including tax authorities (i.e. the “Authorised Recipients”).
The Authorised Recipients may act as data processor on behalf of us or, in certain circumstances, as data controller for pursuing their own purposes.
You acknowledge that the Authorised Recipients may be located outside of the European Economic Area (“EEA”) in countries which are not subject to an adequacy decision of the European Commission and which do not offer the same level of data protection as in the EEA or where data protection laws might not exist.
9. INTERNATIONAL DATA TRANSFERS
We undertake not to transfer your personal data to any third parties other than the Authorised Recipients, except as disclosed by us to you from time to time or if required or permitted by applicable laws and regulations, including Data Protection Law, or by any order from a court, governmental, supervisory or regulatory body, including tax authorities.
By entering into a relationship with us, you acknowledge that your personal data may be processed for the purposes described above and in particular, that the transfer and disclosure of your personal data may take place to countries which do not have equivalent data protection laws to those of the EEA, including the Data Protection Law, or that are not subject to an adequacy decision of the European Commission.
These countries include the USA.
We may transfer your personal data to the Authorised Recipients (i) on the basis of appropriate safeguards according to Data Protection Law, such as standard contractual clauses, binding corporate rules, an approved code of conduct, or an approved certification mechanism or, (ii) for the performance of services or for the implementation of pre-contractual measures or, (iii) for the Processors to perform their services rendered in connection with the services or, (iv) for important reasons of public interest or, (v) for the establishment, exercise or defence of legal claims or, (vi) where the transfer is made from a register which is legally intended to provide information to the public or, (vii) for the purposes of compelling legitimate interests pursued by us, to the extent permitted by Data Protection Law.
10. DATA SUBJECT RIGHTS
You may request (i) access to, rectification, or deletion of, any incorrect personal data, (ii) a restriction of processing of personal data, (iii) to receive a copy of your personal data or to have such data transferred to a third party in accordance with Data Protection Law and (iv) to obtain a copy of or access to the appropriate or suitable safeguards which have been implemented for transferring your personal data outside of the EEA, in the manner and subject to the limitations prescribed in accordance with Data Protection Law. In particular, you may at any time object, on request and free of charge, to the processing of your personal data for any processing carried out on the basis of our legitimate interests.
11. CONTACT DETAILS AND SUPERVISORY AUTHORITY
For any information related to the processing of your personal data by the Controller or the Processors under this Privacy Notice, you can contact MiddleGame Ventures, 9 rue du Laboratoire, L-1911 Luxembourg, Grand-Duchy of Luxembourg, or via email at info@middlegamevc.com.
In case you want to formulate a complaint in terms of the data processing by the Controller, the Processors and their affiliates or service providers under this Privacy Notice, such complaint should also be addressed to the above contact details. Should the Controller not be able to resolve such complaint and in any event, you may address a complaint to the supervisory authority, either online via the following link https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html or by using the contact details below:
National Commission for Data Protection
15, Boulevard du Jazz
L-4370 Belvaux
(+352) 26 10 60 -1

12. RETENTION PERIODS
​Personal Data is held until the end of our business relationship (or as the case may be the end of our business relationship with the entity that provided your personal data to us) and a subsequent period of 10 years thereafter where necessary to comply with applicable laws and regulations or to establish, exercise or defend actual or potential legal claims, subject to the applicable statutes of limitation, unless a longer period is required by applicable laws and regulations. In any case, your personal data will not be held for longer than necessary with regard to the purposes described in this Privacy Notice, subject always to applicable legal minimum retention periods.