PRIVACY POLICY

Effective as of April 13, 2022

At Sterling Technology Ltd we take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. The policy also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the European Economic Area (EEA).

1. Definitions and interpretation

Account: collectively the personal information, Payment Information and credentials used by Users to access material and/or any communications System on the Platform;

Content: any text, graphics, images, audio, video, software, data compilations and any other form of information capable of being stored in a computer that appears on or forms part of the Platform;

Cookie: a small anonymous text file placed on your computer by Sterling when you visit certain parts of this Platform. This allows us to offer the advanced functionality required for your business purpose;

Data: collectively all information that you submit to the Platform. This includes, but is not limited to, Account details and information submitted using any of our Services or Systems;

Disclaimer: the specific terms and conditions governing your use of a Project within the Platform;

Personal Data: any information relating to an identified or identifiable individual;

Project: a secure data room within the Platform that has been made available for access by you subject to the terms of the appropriate Disclaimer;

Service: collectively any data room, online facilities, tools, services or information that Sterling makes available through the Platform either now or in the future;

Sterling: Sterling Technology Limited operating under its trading name Sterling Data Rooms. All expressions of “we” and “us” are references to Sterling;

System: any online infrastructure that Sterling makes available through the Platform either now or in the future. This includes, but is not limited to, web-based email, message boards, live chat facilities and email links;

User/Users: any third party that accesses the Platform. The expression “you” is a reference to such a user; and

Platform: means the Sterling data room site (vdr.sterlingdatarooms.com) and any sub-domains of this site unless expressly excluded by their own terms and conditions.

2. Data Collected

As part of your engagement Sterling Technology Ltd, the following data may be collected:

1. Name, address, company, role, contact information including email address, telephone number, location;
2. IP address (automatically collected);
3. Web browser type and version (automatically collected);
4. Operating system (automatically collected);
5. Your document review activity within each Project on the Platform;
6. Your account details, such as username and login details
7. Usage Data; and
8. Cookie information (see clause 11 below and our Cookie Policy sterlingvdr.com/cookie-policy).

We collect and use this Personal Data for the purposes described in the section ‘Our use of Data’ below. Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection. Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using the Website and/or our Platform.

Unless specified otherwise, all Data requested is mandatory and failure to provide this Data may make it impossible for Sterling to provide its services. In cases where it is specifically stated that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the service. Users who are uncertain about which Personal Data is mandatory are welcome to contact Sterling.

Users are responsible for any third-party Personal Data obtained, published or shared through this Website and/or the Platform and confirm that they have the necessary lawful basis to provide the Data to Sterling.

3. Our use of Data

1. Data is retained in line with established retention period set out below at clause 10.
2. Unless we are obliged or permitted by law, or as part of the contracted services we provide, and subject to clause 5, we will not share your Data with any third parties.
3. All Personal Data is stored securely in accordance with the principles of the UK General Data Protection Regulation and the EU General Data Protection Regulation. For more details on security, see clause 9 below.
4. If you do not provide the Data requested, it may delay or hinder our ability to provide the best service possible when using our Platform. Specifically, Data may be used by us for the following reasons:
   1. Internal record keeping;
   2. Improvement of Sterling’s products/services;
   3. Transmission by email of Sterling promotional materials that may be of interest to you (only if you have explicitly consented to receive them);
   4. Contact for market research purposes which may be done using email, telephone or mail. Such information may be used to customise or update the Platform.

We collect most Personal Data directly from you, in person, by telephone and via our Platform or website. However, we may also collect information from publicly accessible sources, directly from third parties or from cookies on our website with your consent.

Under data protection law, we can only use your personal data if we have a proper reason, e.g.:

• where you have given consent
• to comply with our legal and regulatory obligations
• for the performance of a contract with you or to take steps at your request before entering into a contract, or
• for our legitimate interests or those of a third party

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

The table below explains what we use your personal data for and why.

Sterling processes the Personal Data of Users using computers and/or IT enabled tools, following organizational procedures and undertaking measures strictly related to the purpose indicated. Further details are set out below:

Advertising

This type of service allows Personal Data to be utilised for advertising communication purposes displayed in the form of banners and other advertisements on this Website.

Some of the services listed below may use Cookies to identify Users or they may use the behavioural retargeting technique, i.e. displaying ads tailored to the User’s interests and behaviour, including those detected outside this Website. For more information, please check the privacy policies of the relevant services.

Google AdSense (Google Inc.): This service uses the ‘Double-click’ Cookie, which tracks use of the Platform and User behaviour concerning ads, products and services offered. Users may decide to disable all the double click Cookies by clicking on: google.com/settings/ads/onweb/optout.

Personal Data collected: Cookies; Usage Data. Place of processing: US.

Analytics

The services contained in this section enable Sterling to monitor and analyse web traffic and can be used to keep track of User behaviour using cookies. These cookies are governed by our Cookie Policy sterlingvdr.com/cookie-policy and shall only be activated where the necessary consents are provided

Google Analytics (Google Inc.): Google utilises the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualise and personalise the ads of its own advertising network. Personal Data collected: Cookies; Usage Data. Place of processing: US.

Google Ads conversion tracking (Google Inc.): This analytics service provided by Google LLC or by Google Ireland Limited, depending on the location this Platform is accessed from, connects data from the Google Ads advertising network with actions performed on this Platform. Personal Data collected: Cookies; Usage Data. Place of processing: US.

HubSpot Analytics (HubSpot, Inc.): This is an analytics service provided by HubSpot, Inc. Personal Data collected: Cookies; Usage Data. Place of processing: US.

LinkedIn conversion tracking (LinkedIn Corporation): This is an analytics service provided by LinkedIn Corporation that connects data from the LinkedIn advertising network with actions performed on this Platform. Personal Data collected: Cookies; Usage Data. Place of processing: US.

Salesforce Analytics Cloud (salesforce.com, inc.): This is an analytics service provided by salesforce.com, inc. Personal Data collected: Cookies; Usage Data. Place of processing: US.

Twitter Ads conversion tracking (Twitter, Inc.): This is an analytics service provided by Twitter, Inc. that connects data from the Twitter advertising network with actions performed on this Website. Personal Data collected: Cookies; Usage Data. Place of processing: US.

5. How and why we use your personal data – sharing

If you are an existing or former customer or business user, we will use your personal data to send you updates (by email, text message, telephone or post) about our products and/or services, including exclusive offers, promotions or new products and/or services. We have a legitimate interest in using your personal data for marketing purposes. This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by contacting us at marketing@sterlingvdr.com or using the "unsubscribe" link in emails.

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business. We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes. For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

We routinely share personal data with:

• third parties we use to help deliver our products and services to you, e.g. payment service providers, warehouses and delivery companies;
• other third parties we use to help us run our business, e.g. marketing agencies, website hosts and website analytics providers;
• our banks

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with:

• our and their external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations
• our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
• law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
• other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible.

The recipient of any of your personal data will be bound by confidentiality obligations.

6. Transferring your personal data out of the UK and EEA

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.

As we are based in the UK we will also transfer your personal data between the UK and the EEA.

We also offer support services through our sister company based in Chennai, India.

It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data. For example, in respect of cookies as defined in our Cookie Policy sterlingvdr.com/cookie-policy

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

• in the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR.
• in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR.
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
• a specific exception applies under relevant data protection law.

Where we transfer your personal data outside the UK we do so on the basis of an adequacy regulation or (where this is not available) an appropriate transfer mechanism. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Where we transfer your personal data outside the EEA we do so on the basis of an adequacy decision or (where this is not available) an appropriate transfer mechanism. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this policy.

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.

If you would like further information about data transferred outside the UK/EEA, please contact us (see ‘How to contact us’ below)

7. Changes of business ownership and control

1. Sterling may, from time to time, expand or reduce its business and this may involve the sale of certain divisions or the transfer of control of certain divisions to other parties. Data provided by Users will, where it is relevant to any division so transferred, be transferred along with that division. The new owner, or newly controlling party, will, under the terms of this Policy, be permitted to use the Data for the purposes for which it was supplied by you.
2. In the event that any Data submitted by Users is transferred in accordance with clause 6, we will as soon as reasonably possible inform you of the changes.

Users have the following rights, which can be exercised free of charge:

For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below).

9. Security

1. Data security is of great importance to Sterling and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Data collected online.
2. Specifically, we utilise the following system: Information Security Management Systems BS ISO 27001.

Personal Data shall be processed and stored for as long as required by the purpose it has been collected for. Therefore:

• Personal Data collected for purposes related to the performance of a contract between Sterling and the User shall be retained until such contract has been fully performed.
• Personal Data collected for the purposes of Sterling’s legitimate interests shall be retained as long as needed to fulfil such purposes.

Sterling may retain Personal Data for a longer period in circumstances where the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, Sterling may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

A Cookie is a small file which is placed onto your device when you use our website. We use Cookies on our website to help us recognise you and your device in order to allow us to store information regarding your preferences and past actions. This does not result in a negative impact to performance or security. For more information about Cookies, visit http://www.allaboutcookies.org/cookies/.

1. We use Cookies when a User joins our Platform for the first time.
2. You may delete Cookies at any time, but it will impact your experience – for example, it will mean typing in your details every time you log in.
3. By default, your browser will accept Cookies. If you would like to change these settings, consult the help menu in your browser.

For further information on cookies, how we use them, when we will request your consent before placing them, and how to disable them, please see our full Cookie Policy at sterlingvdr.com/cookie-policy.

13. Changes to this policy

Sterling reserves the right to change this Privacy Policy as we may deem necessary from time to time or as may be required by law.

Please contact us if you have any queries or concerns about our use of your Personal Data (please see below ‘How to contact us’). We hope to be able to resolve any problem that you may be having.

You also have the right to lodge a complaint with the Information Commissioner [in the UK], our lead supervisory authority in the EEA, and a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA.

The UK’s Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

14. How to contact us

To contact us about your personal data, you may contact our Data Protection Officer at:

Sterling Technology Limited, 33 Aldgate House, Aldgate High Street, London, EC3N 1AH, England

Email: dpo@sterlingvdr.com Tel: +44(0) 20 7100 9680