Privacy Policy

MPM CAPITAL LTD.

PRIVACY POLICY & DATA GOVERNANCE FRAMEWORK

‍

1. INTRODUCTION

1.1 Purpose of this Policy

This Privacy Policy and Data Governance Framework (“Policy”) defines how MPM Capital Ltd. (“MPM Capital”, “Controller”, “we/us”) processes, protects, stores, and governs personal data in the course of its business operations, investment activities, website operation, and corporate communication.

It provides transparent and comprehensive information to all data subjects, including clients, investors, partners, employees, job applicants, and website visitors.

‍

1.2 Legal Compliance

MPM Capital processes personal data in full compliance with:

• Regulation (EU) 2016/679 (“GDPR”)
• Act CXII of 2011 on Informational Self-Determination (“Infotv.”)
• Act V of 2013 on the Civil Code
• Act C of 2000 on Accounting
• AML/KYC obligations under financial regulations
• Sector-specific rules for investment management and private equity operations

‍

1.3 Scope of the Policy

This Policy applies to:

• All personal data processed by MPM Capital
• All employees, contractors, processors, and third-party service providers
• All digital and physical environments (IT systems, servers, cloud services, mobile devices, paper records)

The Policy is published on www.mpm-capital.com and is available upon request.

‍

2. DATA CONTROLLER INFORMATION

Name: MPM Capital Ltd.
Registered address: 1054 Budapest, Akadémia utca 9. 4th floor, no. 1
Company registration number: 01-10-049608
Tax number: 26193472-2-41
Email: office@mpm-capital.com 

‍

3. DEFINITIONS

3.1 GDPR Terms

• Personal Data: any information identifying a natural person
• Controller: determines purposes and means of processing
• Processor: processes data on behalf of Controller
• Consent: freely given, informed, explicit indication of wishes
• Data Subject: individual whose data is processed

3.2 Data Protection Incident

Any event resulting in unlawful or accidental destruction, loss, alteration, unauthorized disclosure, or access to personal data.

‍

4. DATA PROCESSING PRINCIPLES

MPM Capital adheres to all seven GDPR Article 5 principles:

1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Both the Controller and the data subject are obligated to ensure accuracy and timely updates of data.

‍

5. LAWFUL BASES OF PROCESSING

MPM Capital processes data on the following legal grounds:

5.1 Consent

• Marketing communications
• Non-essential cookies
• Voluntary inquiries
• Social media interactions

5.2 Contract Performance

• Investment transactions
• Advisory and consulting agreements
• Client onboarding and due diligence

5.3 Legal Obligation

• Accounting and taxation rules (8-year retention)
• AML/KYC checks and recordkeeping
• Compliance audits

5.4 Legitimate Interest

• Business communication
• Network and information security
• Website traffic analysis (where essential cookies apply)

‍

6. CATEGORIES OF PERSONAL DATA PROCESSED

6.1 Website Visitors and Analytics

• IP address, device type, browser information
• Cookie identifiers
• Analytics data (Google Analytics)

6.2 Clients, Investors, Counterparties

• Name, address, contact data
• Identification documents (ID, passport)
• AML/KYC information
• Contractual and financial information
• Investment and transaction records

6.3 HR, Employment & Recruitment

• Personnel files, contracts, payroll
• Attendance, compliance training
• Background checks
• Performance evaluations

6.4 Business Communications

• Emails, notes, meeting minutes
• Phone logs
• Correspondence related to investments or transactions

‍

7. PURPOSES OF PROCESSING

• Managing client and investor relationships
• Performing investment and advisory activities
• Fulfilling statutory accounting obligations
• AML/KYC due diligence
• Operating and securing the corporate IT infrastructure
• HR and employment administration
• Website analytics and performance optimization
• Social media interaction and communication with the public

‍

8. DATA RETENTION & DELETION

Retention is based on statutory obligations and business needs:

Data Category

Retention Period

Accounting & Taxation

8 years

AML/KYC Documentation

8 years

Contracts & Business Records

Contract term + 5 years

HR/Employment Data

5–50 years (statutory rules)

Website Analytics Data

up to 26 months

CVs / Job Applications

6 months (unless consent for longer storage)

After the retention period expires, data is deleted or anonymized.

‍

9. SECURITY MEASURES

9.1 Technical Controls

• AES-256 encrypted storage
• Multi-factor authentication (MFA)
• Role-based access control with least-privilege model
• Firewalls, antivirus, and endpoint protection
• Secure cloud backups
• Network intrusion detection
• Regular vulnerability and penetration testing

9.2 Organizational Controls

• Annual GDPR and security training
• Signed NDAs for all staff and contractors
• Internal access rights review
• Clean desk and restricted access policy
• Documented incident response procedures

‍

10. DATA GOVERNANCE FRAMEWORK

10.1 Processing Activity Registry

A full GDPR Article 30 register is maintained.

10.2 DPIA – Data Protection Impact Assessment

Required for:

• New or high-risk IT systems
• Vendor onboarding
• Changes in business model with data impact

10.3 Vendor and Processor Management

All processors must:

• Sign a Data Processing Agreement (DPA)
• Demonstrate GDPR-compliant security controls

Hosting provider:
Webflow, Inc.
398 11th Street, Floor 2, San Francisco, CA 94103
support@webflow.com (Acts strictly under Controller’s instructions)

‍

10.4 Internal Audits

Annual reviews covering:

• Access controls
• Security practices
• Retention schedules
• Processor compliance

‍

11. COOKIES & TRACKING TECHNOLOGIES

11.1 Types of Cookies

• Essential/session cookies – needed for website function
• Functional cookies – remember preferences
• Analytics cookies – Google Analytics (via consent)
• Marketing cookies – only with explicit consent

11.2 User Control

• Consent banner appears on first visit
• Users may modify cookie settings anytime
• Browsers allow deletion/blocking of cookies

‍

12. SOCIAL MEDIA PROCESSING

MPM Capital maintains profiles on platforms such as LinkedIn, Facebook, Instagram.
Data is processed based on:

• The data subject’s voluntary interaction
• The platform’s own privacy rules
• Consent for messaging or following the page

‍

13. DATA SUBJECT RIGHTS

Data subjects may exercise the following rights under GDPR:

1. Right of access
2. Right to rectification
3. Right to erasure (“right to be forgotten”)
4. Right to restriction of processing
5. Right to object (incl. marketing)
6. Right to data portability
7. Right to withdraw consent
8. Right to lodge a complaint with:
   Hungarian Data Protection Authority (NAIH)
   1055 Budapest, Falk Miksa utca 9–11
   ugyfelszolgalat@naih.hu
   +36 (1) 391-1400

Data subjects may also pursue judicial remedies before a competent court.

‍

14. INTERNATIONAL DATA TRANSFERS

Transfers outside the EU rely on:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• Supplementary security measures

MPM Capital assesses each cross-border transfer to ensure GDPR-level protection.

‍

15. DATA INCIDENT RESPONSE

In case of a personal data breach:

1. Internal investigation and containment
2. Risk assessment
3. Notification to NAIH within 72 hours (unless unlikely to pose risk)
4. Notification to data subjects if the risk is high
5. Documentation of incident and remediation steps

‍

16. AMENDMENTS TO THE POLICY

MPM Capital may amend this Policy due to:

• Legal or regulatory changes
• New processing activities
• Supervisory authority recommendations
• Changes in IT infrastructure or organizational structure

Updates are published online. Continued use of services constitutes acceptance.

‍

Signed in Budapest, 28 November 2025

MPM Capital Ltd.

‍