MPM CAPITAL LTD.
PRIVACY POLICY & DATA GOVERNANCE FRAMEWORK
1. INTRODUCTION
1.1 Purpose of this Policy
This Privacy Policy and Data Governance Framework (“Policy”) defines how MPM Capital Ltd. (“MPM Capital”, “Controller”, “we/us”) processes, protects, stores, and governs personal data in the course of its business operations, investment activities, website operation, and corporate communication.
It provides transparent and comprehensive information to all data subjects, including clients, investors, partners, employees, job applicants, and website visitors.
1.2 Legal Compliance
MPM Capital processes personal data in full compliance with:
- Regulation (EU) 2016/679 (“GDPR”)
- Act CXII of 2011 on Informational Self-Determination (“Infotv.”)
- Act V of 2013 on the Civil Code
- Act C of 2000 on Accounting
- AML/KYC obligations under financial regulations
- Sector-specific rules for investment management and private equity operations
1.3 Scope of the Policy
This Policy applies to:
- All personal data processed by MPM Capital
- All employees, contractors, processors, and third-party service providers
- All digital and physical environments (IT systems, servers, cloud services, mobile devices, paper records)
The Policy is published on www.mpm-capital.com and is available upon request.
2. DATA CONTROLLER INFORMATION
Name: MPM Capital Ltd.
Registered address: 1054 Budapest, Akadémia utca 9. 4th floor, no. 1
Company registration number: 01-10-049608
Tax number: 26193472-2-41
Email: office@mpm-capital.com
3. DEFINITIONS
3.1 GDPR Terms
- Personal Data: any information identifying a natural person
- Controller: determines purposes and means of processing
- Processor: processes data on behalf of Controller
- Consent: freely given, informed, explicit indication of wishes
- Data Subject: individual whose data is processed
3.2 Data Protection Incident
Any event resulting in unlawful or accidental destruction, loss, alteration, unauthorized disclosure, or access to personal data.
4. DATA PROCESSING PRINCIPLES
MPM Capital adheres to all seven GDPR Article 5 principles:
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Both the Controller and the data subject are obligated to ensure accuracy and timely updates of data.
5. LAWFUL BASES OF PROCESSING
MPM Capital processes data on the following legal grounds:
5.1 Consent
- Marketing communications
- Non-essential cookies
- Voluntary inquiries
- Social media interactions
5.2 Contract Performance
- Investment transactions
- Advisory and consulting agreements
- Client onboarding and due diligence
5.3 Legal Obligation
- Accounting and taxation rules (8-year retention)
- AML/KYC checks and recordkeeping
- Compliance audits
5.4 Legitimate Interest
- Business communication
- Network and information security
- Website traffic analysis (where essential cookies apply)
6. CATEGORIES OF PERSONAL DATA PROCESSED
6.1 Website Visitors and Analytics
- IP address, device type, browser information
- Cookie identifiers
- Analytics data (Google Analytics)
6.2 Clients, Investors, Counterparties
- Name, address, contact data
- Identification documents (ID, passport)
- AML/KYC information
- Contractual and financial information
- Investment and transaction records
6.3 HR, Employment & Recruitment
- Personnel files, contracts, payroll
- Attendance, compliance training
- Background checks
- Performance evaluations
6.4 Business Communications
- Emails, notes, meeting minutes
- Phone logs
- Correspondence related to investments or transactions
7. PURPOSES OF PROCESSING
- Managing client and investor relationships
- Performing investment and advisory activities
- Fulfilling statutory accounting obligations
- AML/KYC due diligence
- Operating and securing the corporate IT infrastructure
- HR and employment administration
- Website analytics and performance optimization
- Social media interaction and communication with the public
8. SECURITY MEASURES
Retention is based on statutory obligations and business needs:
After the retention period expires, data is deleted or anonymized.
9. SECURITY MEASURES
9.1 Technical Controls
- AES-256 encrypted storage
- Multi-factor authentication (MFA)
- Role-based access control with least-privilege model
- Firewalls, antivirus, and endpoint protection
- Secure cloud backups
- Network intrusion detection
- Regular vulnerability and penetration testing
9.2 Organizational Controls
- Annual GDPR and security training
- Signed NDAs for all staff and contractors
- Internal access rights review
- Clean desk and restricted access policy
- Documented incident response procedures
10. DATA GOVERNANCE FRAMEWORK
10.1 Processing Activity Registry
A full GDPR Article 30 register is maintained.
10.2 DPIA – Data Protection Impact Assessment
Required for:
- New or high-risk IT systems
- Vendor onboarding
- Changes in business model with data impact
10.3 Vendor and Processor Management
All processors must:
- Sign a Data Processing Agreement (DPA)
- Demonstrate GDPR-compliant security controls
Hosting provider:
Webflow, Inc.
398 11th Street, Floor 2, San Francisco, CA 94103
support@webflow.com (Acts strictly under Controller’s instructions)
10.4 Internal Audits
Annual reviews covering:
- Access controls
- Security practices
- Retention schedules
- Processor compliance
11. COOKIES & TRACKING TECHNOLOGIES
11.1 Types of Cookies
- Essential/session cookies – needed for website function
- Functional cookies – remember preferences
- Analytics cookies – Google Analytics (via consent)
- Marketing cookies – only with explicit consent
11.2 User Control
- Consent banner appears on first visit
- Users may modify cookie settings anytime
- Browsers allow deletion/blocking of cookies
12. SOCIAL MEDIA PROCESSING
MPM Capital maintains profiles on platforms such as LinkedIn, Facebook, Instagram.
Data is processed based on:
- The data subject’s voluntary interaction
- The platform’s own privacy rules
- Consent for messaging or following the page
13. DATA SUBJECT RIGHTS
Data subjects may exercise the following rights under GDPR:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to object (incl. marketing)
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with:
Hungarian Data Protection Authority (NAIH)
1055 Budapest, Falk Miksa utca 9–11
ugyfelszolgalat@naih.hu
+36 (1) 391-1400
Data subjects may also pursue judicial remedies before a competent court.
14. INTERNATIONAL DATA TRANSFERS
Transfers outside the EU rely on:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Supplementary security measures
MPM Capital assesses each cross-border transfer to ensure GDPR-level protection.
15. DATA INCIDENT RESPONSE
In case of a personal data breach:
- Internal investigation and containment
- Risk assessment
- Notification to NAIH within 72 hours (unless unlikely to pose risk)
- Notification to data subjects if the risk is high
- Documentation of incident and remediation steps
16. AMENDMENTS TO THE POLICY
MPM Capital may amend this Policy due to:
- Legal or regulatory changes
- New processing activities
- Supervisory authority recommendations
- Changes in IT infrastructure or organizational structure
Updates are published online. Continued use of services constitutes acceptance.
Signed in Budapest, 28 November 2025
MPM Capital Ltd.