Privacy Policy

Your trust is important to us. Timberland Invest Ltd. (C 60291) having its registered office at 171 Old Bakery Street Valletta, VLT 1455 (hereinafter also referred to as the “Company”, “we” “us” or “our”) respects your privacy and is committed to protecting your personal data. The Company collects information from you in order to be able to receive, process and give effect to your subscription to bonds issued by Timberland Securities Investment plc (C 68856).

We take the protection of your personal data very seriously. The purpose of this Notice is to set out the basis on which we will process your personal data when you enter into a relationship with us, to inform you about how we will generally handle and look after your aforementioned personal data, and to tell you about (i) our obligations to process your personal data responsibly, (ii) your data protection rights as a data subject and also (iii) how the law protects you. For sake of clarity, please note that submission of this subscription order creates a contractual relationship between you and the Company.

We process your data in an appropriate and lawful manner, in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), subsidiary legislation and regulations promulgated thereunder, as they may be updated from time to time.

Therefore, this Policy strictly provides an overview and outline of our processing activities and cannot be exhaustive due to the fluidity of your business relationship and the services you may request from us.

It is therefore important that you read this Policy carefully, together with any other privacy Policy or fair processing notice that we may issue on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data (namely, in the context of a service provision). This Policy supplements the other notices and is not intended to override them.

When accessing our website, we may automatically collect certain information, in particular your IP Address. Please refer to our IP and Cookie Policy available here: https://www1.timberland-malta.com/cookie-policy/ for more information about how the website https://www1.timberland-malta.com/ uses cookies.

Moreover, certain processing activities which we wish to carry to out require your express consent, as indicated below in this Policy. Your consent is kindly requested to enable these activities (as described in detail below). We shall request your consent for specific activities by means of separate Consent Forms which will explain the purposes for processing for which we are requesting consent should this be necessary.

1. Name and address of the data controller

The Company (as previously defined) is the controller and responsible for your personal data.

Timberland Invest Ltd. (C 60291)
with its registered office at
Old Bakery Street 171
Valetta, VLT 1455,
Malta

You can contact our data protection contact point at any time about any data protection issues at the above‐mentioned business address or email us on the following email address:

E-Mail: info@timberland-malta.com

2. Collection and storage of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). In the interest of clarity, personal data does not include information relating to a legal person (for example, a company or other legal entity). In that regard, information such as a company name, its company number, registered address and VAT number does not amount to personal data in terms of both the Act and the GDPR. Therefore, the collection and use of information strictly pertaining to a legal person does not give rise to data controller obligations at law. Naturally, we will still treat any and all such information in a confidential and secure manner.

During the course of our relationship with you we may collect and process the following personal data: which we have grouped as follows:

Identity Data includes your first name, maiden name (where applicable), last name, title, address, date of birth, gender, nationality, marital status and dependents.
Contact Data includes the your email address, mobile number, telephone number and next of kin details.
Transaction Data includes the following information: (i) account statements, (ii) payment orders and transfer instructions, (iii) a history of the customer’s payments and transactions with the Company, (iv) relative details of each individual transaction and generally (vi) data stemming from the performance of our contractual obligations.
Compliance Data primarily includes the following documentation relating to the customer: (i) copy of identity card or passport, (ii) issued utility bills, (iii) tax domicile status and (iv) source of wealth documentation.
Additional Compliance Data includes, for particular cases, the following additional documentation: (i) copies of bank statements held with credit institutions and (ii) documentary evidence showing your source of funds such as asset contracts, public wills or testamentary (as relevant to the particular circumstances).
General Due Diligence Data includes due diligence information on customers collected from third-party and publicly available sources at point of application. This would primarily relate to the creditworthiness and the existence of any Court orders, judicial acts or pending litigation against the prospective customer.
Usage Data includes information about how the customer uses our services (including in terms of frequency).
Regulatory Data includes information necessary to determine the suitability and appropriateness of the investment and determine your experience in investing in certain financial products. This would detailed information on knowledge and experience with different financial instruments (in particular securities), investment behaviour and strategy, including the scope of your investments, the frequency with which you trade financial instruments and risk appetite. Such a suitability assessment also includes information on your financial situation, including assets, liabilities and expenses as well as income derived from employment, self-employed activity or other commercial activity.
Tax Data includes information on your tax residency status, your tax identification number and FATCA status
Contact and Recording Data. Over the course of the business relationship, particularly as a result of personal, telephone or written contact initiated by you or the Company, additional personal data is created, e. g., information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information on participation in direct marketing activities. We also record your (i) telephone calls with us and (ii) our conversations with you that take place at our premises (recordings).
Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website
Marketing and Communications Data includes the customer’s preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregate may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

As indicated, we do collect Special Categories of Personal Data about you, specifically as a result of the information that we collect and process in terms of Compliance Data. The collection and processing of this information is necessary in order to for us to (i) conduct and carry out our internal Know-Your-Customer (“KYC”) due diligence, (ii) comply with our various legal and regulatory obligations as a licensed financial institution, including in particular our Anti-Money Laundering (“AML”) obligations, (iii) fulfil any mandated external regulated reporting, such as the Financial Intelligence Analysis Unit (“FIAU”) and (iv) abide by Court orders.

3. Obligation to Provide Data

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of the business relationship. As a rule, we would not be able to enter into a business relationship, execute an order or continue an existing relationship without the data that we are mandated at law to collect and process. Specifically, provisions on anti-money laundering require that we verify the identity of a prospective customer before entering into a business relationship, for example by means of an identity card, utility bill and even references.

Accordingly, where we need to collect personal data by law, or under the terms of the contract we have with you (pursuant to your entry into a business relationship with us), or as otherwise part of our defined legitimate interests, and you fail to provide that data when requested, we may not be able to perform the contract that we have or which we are otherwise trying to enter into with you.
In most cases, by failing to provide us with the necessary information and documents, we will not be allowed to enter into or otherwise continue your requested business relationship. In the case of an existing relationship, we would have to exercise our prerogative to terminate the contract and relationship. We will notify you if this is the case at the time.

4. How is your personal data collected?

We use different methods to collect data from and about you including through:

Customer On-boarding. Upon the start of our relationship with you in order to provide the services which you request we shall ask you for your Identity, Compliance, Tax and Regulatory Data
Service Use. Through your use of our services, we generate and compile your Transaction Data, including in the form of records. These sets of data are either issued or made available to you upon request, and are processed by us for the purposes set out below. To perform certain service requests (e.g. transactions of a certain size), you will also need to provide us with the Additional Compliance Data that we require.
Direct Interactions: You may give us your Identity, Contact, Compliance and Transaction Data by filling in our forms or by corresponding with us by post, phone, e-mail or otherwise. This includes personal data you provide when you:
- contact us with complaints or queries;
- report issues;
- submit the Compliance Data or Additional Compliance Data that we request;
- request marketing to be sent to you;
- participate in a survey; or
- give us some feedback.
Automated technologies or interactions. As you interact with our website, internet, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
Third parties or publicly available sources. We may receive personal data about you, such as Identity, Contact and Compliance, from various third parties and public sources (e.g. debtor directors, company registers, registers of associations, other public registers, public court documents, media and the Internet).

5. Purposes for Processing

We process your personal data in accordance with the General Data Protection Regulation (GDPR).

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances.

Where we need to perform the contract we are about to enter into or have entered into with you in respect of your business relationship with us.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to such marketing at any time by contacting us at info@timberland-malta.com

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Kindly note that we may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data.

Accordingly, please contact us at info@timberland-malta.com if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To decide whether to accept your subscription and your relationship with us and, if positive, to enter into a business relationship with you.	Identity Contact Compliance General Due Diligence	Performance of a contract with you or take steps at your request prior to entering into a contract with you. Necessary for our legitimate interests (to verify your identity and suitability for our business, and your ability to meet financial commitments).
To process and perform transactions and financial services requested by the customer, including the following: deposits; transfer instructions; fund withdrawals and releases; processing and production of statements; Asset management Manage transactions; Collect and recover money which is owed to us (debt recovery).	Identity Contact Compliance Regulatory, Transaction; Tax; and Recording	Performance of a contract with you or take steps at your request prior to entering into a contract with you. Necessary for our legitimate interests (to recover debts due to us).
To fulfil our: internal AML compliance policies and requirements; obligations under the PMLA and PMLFTR; and external regulated reporting and obligations to the MFSA and FIAU (amongst others). For legal, tax, insurance, accounting and other general compliance purposes, To abide by Court orders, Consult and exchange data with credit agencies.	Compliance Additional Compliance Court Data Regulatory Transaction Recording	Necessary to comply with a legal obligation (both statutory requirements, financial supervisory requirements and in respect of Court orders). Necessary for our legitimate interests: detection and prevention of fraud, money laundering and any other criminal activity, identity and age verification, satisfaction of tax law control, asserting legal claims and mounting a defence in the event of litigation, credit checks, credit or default risks, risk assessment and management, to ensure that we carry out your instructions accurately
To manage our relationship with you which will include: Notifying you about changes to our terms or privacy notices; Responding to complaints, queries and/or reported issues; Dealing with requests; Asking you to participate in a survey; and Requesting feedback from you.	Identity Contact Usage Marketing and Communications Recording	Performance of a contract with you Necessary for our legitimate interests (for customer service matters, to study how customers use our services, to enable a review, assessment or rating of our operations, to develop them and grow our business, market and opinion research, to the extent you have not objected to having your data processed for direct marketing purposes). Necessary for our legitimate interests (for the purpose of the resolution of complaints).
To administer and protect our business and our website, (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Identity Contact Technical Contact Recording	Necessary for our legitimate interests – for running, administering and protecting our business, network security and IT operations, measures to ensure against trespassing and server or network hacks , to prevent fraud and to maintain the confidentiality of transactions, and in the context of a business reorganisation or group restructuring exercise) Performance of a contract with you (ensuring that your transactions remain secure and confidential).
To deliver advertisements to you and measure or understand the effectiveness of the advertising we serve to you	Identity Contact Usage Marketing and Communications Technical	Necessary for our legitimate interests (to study how existing customers use our services, to develop them, to grow our business and to inform our marketing strategy).
To make suggestions and/or recommendations to you, as an existing customer, about our other services that we feel may be of interest to you.	Identity Contact Technical Customer Contact	Necessary for our legitimate interests (to develop our services and grow our business)

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around advertising and marketing communications. Through your Identity, Contact, Technical and Usage Data, we would be able form a view on what we think you may want or need and what may be of interest to you. This would then enable us to determine which of our particular services may be most relevant for you (we call this marketing).

In that regard, will only send you advertising and marketing communications:

if you have entered into a business relationship with us, actually make use of our services and are thus an existing and ongoing customer; and
provided you have not opted out of receiving marketing from us (see Your Legal Rights below).

Opting out

You can ask us to stop sending you advertising and marketing communications at any time by:

following the opt-out links on any marketing message sent to you;
contacting us at any time at info@timberland-malta.com

Where you opt out of receiving such communications, this will not apply to personal data collected by us as a result of your entry into a business relationship with us and our service provision, or which we otherwise process to ensure compliance with our legal obligations or to fulfil our defined legitimate interests.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at
info@timberland-malta.com.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. Transfers of personal data to third persons

Your personal data will not be forwarded to third parties for purposes other than those listed below. Those employees of our Company who come into contact with your data are subject to a strict duty of confidentiality, and we constantly monitor its compliance. We have also bound and will continue to bind to confidentiality in writing any other persons with whom we cooperate and who come or might come into contact with your data.

The recipients of personal data may be:

Public domestic and foreign bodies and institutions, in particular regulators, public authorities and governmental agencies both within and outside the EU, insofar as a statutory or official obligation subsists (including The Financial Intelligence Analysis Unit, Malta Financial Services Authority and Commissioner of Inland Revenue, each of which require reporting in respect of processing activities and activities of our customers in certain circumstances). ;
Other credit and financial service institutions, similar institutions and processors to which we transmit personal data in order to fulfil our business relationship with you (specifically, processing of bank references and statements, compliance services, data screening for anti-money laundering purposes, appraisals, loan processing services, collateral management, payment card processing).;
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
Third party service providers which may be necessary to carry out the contract entered into with you and provide the services which you request, specifically: banking information, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, controlling, data screening for anti-money-laundering purposes, data destruction, purchasing/procurement, customer management, marketing, reporting, research, risk controlling, telephony, website management, investment services, share register, fund or investment management, auditing services, payment transactions.

We may only forward information about you to third parties if required to do so by law, if you have given your consent or if we are authorised to provide information and the processors commissioned by us guarantee confidentiality and compliance with the requirements of GDPR. We require all third parties to respect the security and secrecy of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Additionally, in the case of transactions effected via SWIFT, we may be required to disclose your personal data to the United States authorities or any other authorities as required, in order to comply with legal requirements applicable in the United States or in any other country for the prevention of crime.

Data is only transmitted to countries outside the EU or the European Economic Area (EEA), referred to as third countries, if this is required to execute your orders (e.g. payment and securities orders), if required by law (e.g. tax reporting obligations or if you have given us your consent.

Whenever we transfer your personal data to third countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and, in the absence of such a decision, in the basis of Standard Contractual Clauses which have been specifically approved by the European Commission for third-country transfers of personal data;
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

As indicated, we may also be required to share your information with overseas government authorities and regulatory agencies, for the detection and prevention of crime.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Duration of storage and erasure of personal data

The personal data you provide will only be stored and processed as long and to the extent necessary to fulfill our contractual and statutory obligations. In this regard, it should be noted that our business relationship may last several years and your personal data shall be retained for the duration of such relationship.

To determine the retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable contractual and statutory obligations.

If the data is no longer required for the performance of our contractual and statutory obligations, then it shall be deleted unless the Company needs to process it further (for a limited time) for the following purposes:

Compliance with records retention periods under account, compliance, financial and tax laws;
Preservation of evidence within the scope of applicable statutes of limitations and prescriptive periods.

By and large, in the latter case, our retention of your data shall not exceed the period of six (6) years from the date of the termination of your business relationship with us. This period of retention enables us to use the data in question for the defence of possible future legal claims (taking into account the timeframe of the applicable prescriptive period at law).

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us info@timberland-malta.com

8. Your rights as a data subject

When your personal data is processed, you are a data subject as defined by the GDPR and you have rights in relation to us as the data controller as described in this section.

Right of confirmation and access, Art. 15 GDPR You have the right to obtain confirmation from us at any time as to whether any personal data concerning you is processed by us.
Where that is the case, you have the right to access to the data and the following information:
- the categories of personal data processed;
- the recipients or categories of recipient to whom the personal data about you has been or will be disclosed;
- the envisaged period for which the personal data about you will be stored, or, if concrete details are not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you by the controller or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source;
- the existence of automated decision‐making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, you have the right to be informed if personal data is transferred to a country which is not a member state of the EU (“third country”) or to an international organisation. In this context, you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
Right to rectification, Art. 16 GDPR You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Furthermore, you have the right – taking into account the purposes of the processing – to have incomplete personal data completed, including by means of providing a supplementary statement:
Right to erasure (‘right to be forgotten’), Art. 17 GDPR You have the right to demand the erasure of personal data concerning you without delay where one of the following grounds applies:
- the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) GDPR and where there is no other legal ground for the processing;
- you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
- the personal data concerning you was unlawfully processed.
- Your personal data has to be erased to comply with a legal obligation according to Union or EU Member State law to which the controller is subject.
- Your personal data has been collected in relation to information society services in accordance with Art. 8(1) GDPR.
If the Company or the Portfolio in question has made the affected personal data public and is obliged pursuant to the above provisions to erase the personal data, then we are also obliged to inform other controllers who process the data that you, as data subject, have requested the erasure of any links to, or copies or replications of, that personal data.

In this regard, taking into account the available technology and the implementation costs, we take appropriate measures, including technical measures, to comply with these obligations, at least to the extent that processing is no longer necessary, i.e. that no legal provisions prescribe this and that no legitimate interests prevent deletion.

There are certain exceptions where we may refuse a requested erasure, e.g. if the personal data is required to comply with a legal obligation or for the assertion, exercise or defence of legal claims.
Right to restriction of processing, Art. 18 GDPR You have the right to demand that we restrict the processing of your personal data where at least one of the following applies:
- you contest the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data;
- the processing is unlawful and you request, instead of erasure of the personal data, the restriction of its use;
- we no longer need the personal data for the purposes of the processing, but you need it for the assertion, exercise of or defence of legal claims.
- you have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether or not the legitimate grounds of the Company or the Portfolio in question override your grounds.
Where processing of your personal data has been restricted, such personal data shall – with the exception of storage – only be processed with your consent or for the enforcement, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. In such a case you shall be informed by us before the restriction is lifted.
Notification obligation, Art. 19 GDPR If you have asserted your right to rectification or erasure of personal data or restriction of processing, we shall be obliged to notify each recipient to whom your personal data has been disclosed of such rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. You can therefore demand that we inform you about those recipients.
Right to data portability, Art. 20 GDPR You have the right to receive your personal data which you have supplied to us in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Moreover, when exercising your right to data portability according to Art. 20(1) GDPR you can demand that the personal data be transferred directly from one controller to another controller to the extent that this is technically feasible and that this does not adversely affect any rights and freedoms of others.
Right to object, Art. 21 GDPR
- Objection in individual cases For reasons relating to your particular situation, you have the right to object any time to the processing of your personal data pursuant to Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing for the purposes of legitimate interests).
  If an objection is lodged, your personal data will no longer be processed unless there are demonstrably compelling reasons outweighing your interests, rights and freedoms. Continued processing is also possible if the processing serves to assert, exercise or defend legal claims.
- Objection to direct marketing Under certain circumstances, your personal data may be processed for direct marketing purposes. You have the right to object to such processing at any time. This also applies to profiling, as far as it is connected to direct marketing. You can object to direct marketing at any time by sending an email to info@timberland-malta.com or else following the relevant links in any direct marketing messages sent.
  You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which
  is based on Art. 6(1)(e) or (f) GDPR. This also includes profiling based on those provisions.
  
  We shall no longer process the personal data in the event of objection unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the enforcement, exercise or defence of legal claims.
  
  Where your personal data is processed for direct marketing purposes, you shall have the right to object at any time to the processing
  of your personal data for such marketing; this also includes profiling, to the extent that it is related to such direct marketing.
  
  Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
Right to withdraw consent, Art 7(3) GDPR If you have given your consent to data processing, you have the right to withdraw2 this consent at any time with effect for the future. Any processing of personal data which took place before such withdrawal shall not be affected.
Should you wish to exercise your right to withdraw consent, please sent an e-mail addressed to info@timberland-malta.com.
Right to lodge a compliance with a supervisory authority You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”) (https://idpc.org.mt). We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

9. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. Please check this page frequently in order become familiar with the latest version of our Privacy Policy.