Purpose and Scope
The purpose of this policy regarding privacy (this “Policy”) is to ensure that the policies and procedures of Watermill Management Company, LLC (the “Company”) regarding the use and handling of Personal Information (as defined below) comply with all requirements of applicable law.
The Company is committed to protecting the non-public personal information that it receives from time to time with respect to current and prospective individual investors (“Investors”) and the private entities in which they invest (“Clients”) in connection with the provision of its investment advisory or other services. Non-public personal information, which is generally obtained from applications, forms and other documentation, as well as from specific transactions between the Client or Investor and the Company, may include, among other things, the Investor’s or Client’s name, address, social security number or tax identification number, bank account information, financial information, investment objectives, actual investments made and other information with respect to the investment advisory or other services provided to or on behalf of the Client or Investor by the Company (“Personal Information”). To that end, the Company has adopted this Policy to:
- ensure the security and confidentiality of Personal Information;
- protect against anticipated threats or hazards to the security or integrity of Client and Investor records and other information; and
- protect against unauthorized access to or use of Personal Information that could result in substantial harm or inconvenience to Clients or Investors.
Protecting the confidentiality and security of Personal Information is a top priority for the Company. In general, the Company shall not use or disclose Personal Information for any purpose other than in connection with the servicing of an Investor’s account and as may be required by applicable law. The Company’s employees and other associated persons (including service providers) shall be prohibited from disclosing Personal Information to third-parties unless required by operation of law, and, in such event, only in a manner permitted by Regulation S-P or other applicable law (each, a “Permitted Disclosure” and collectively, “Permitted Disclosures”). All such employees and other associated persons must at all times adhere to this Policy, and the Chief Compliance Officer shall be responsible for enforcing this Policy.
All Personal Information shall be governed by this Policy, whether or not such information is derived from applications, agreements, forms or other documentation, or in connection with specific transactions between the Company and its Clients and Investors, and including any such information that may be created, sent, received and/or stored by the Company. In that connection, as noted above, all of the Company’s employees and other associated persons (including service providers) shall at all times endeavor to:
- ensure the security and confidentiality of Personal Information;
- protect against anticipated threats or hazards to the security or integrity of Investor records and other information; and
- protect against unauthorized access to, or use of, Personal Information that could result in substantial harm or inconvenience to Clients or Investors.
The Company has physical, procedural and electronic safeguards that facilitate the Company’s compliance with applicable law pertaining to safeguarding the security, confidentiality and integrity of Personal Information. Personal Information shall be collected by the Company under the supervision of the Chief Compliance Officer, and stored in one or more databases in accordance with the Company’s Policy Regarding Recordkeeping. Such database(s) shall only be accessible by authorized employees and other associated persons of the Company and at all times the information stored therein shall remain subject to this Policy.
Notice and Disclosure
Content of Notice
Regulation S-P requires the Company to provide the Investors in its Clients with a “clear and conspicuous” notice (a “Privacy Notice”) that accurately reflects its privacy policies and practices. The Privacy Notice shall generally describe the following:
- the Company’s policies and practices to protect Personal Information;
- categories of Personal Information that are collected;
- categories of Personal Information that are disclosed; and
- if applicable, categories of Personal Information disclosed about former Investors and Clients and categories of affiliates and non-affiliated third-parties that may receive Personal Information; and
- if applicable, conditions under which Personal Information may be disclosed to affiliates and non-affiliated third-parties.
Based on the foregoing, the Company shall provide an initial Privacy Notice to each new Investor in any of its Clients or no later than when the relationship is established with such Investor, and an annual Privacy Notice to each existing Investor.
In accordance with applicable law, a description of this Policy shall be included in all of the Company’s new account documentation and shall be delivered to all existing Investors in any of its Clients annually. The Company shall also promptly deliver to existing Investors in any of its Clients a modified or revised Privacy Notice prior to:
- disclosing a new category of Personal Information;
- disclosing Personal Information to a new category of non-affiliated third-parties; or
- disclosing Personal Information about a former Investor in any of its Clients to a non-affiliated third-party.
A revised Privacy Notice is not required to be delivered if the Company discloses Personal Information to a new non-affiliated third-party if such third-party was adequately described in a prior notice.
Privacy Notices may be provided to Investors or Clients in conjunction with other information that the Company desires to use or disseminate, so long as the Privacy Notice is clear and conspicuous. Privacy Notices shall be delivered in such a manner that each Investor can reasonably be expected to receive actual notice in writing, or, if the Investor agrees, electronically.
A copy of the Company’s current general Privacy Notice is attached as EXHIBIT A hereto.
Disclosure to Affiliates
The Company and its employees and other associated persons generally may share Personal Information with any affiliate, including to assist the Company in offering products or services to investors; provided, that investors have been given clear and conspicuous notice of the information sharing between affiliates by the Company or the applicable affiliate providing the Personal Information.
Disclosures to Non-affiliated Third-Parties
The Company and its employees and other associated persons generally may only disclose or otherwise give access to Personal Information to a non-affiliated third-party if such third-party has signed a non-disclosure agreement approved by the Chief Compliance Officer, and only in the following situations:
- to non-affiliated third-parties (including disclosure to attorneys, accountants, auditors and other service providers) in connection with the administration, processing and servicing of Client or Investor transactions;
- to non-affiliated third-parties at the direction or otherwise with the consent of the Client or Investor;
- to persons acting in a fiduciary or representative capacity on behalf of the Client or Investor;
- to a consumer reporting agency, subject to prior written approval by the Chief Compliance Officer; and
- to comply with applicable law or any civil, criminal or regulatory audit, investigation, examination, compliance request or other proceeding, or any subpoena, summons or other order issued by any court or other governmental authority or otherwise pursuant to any judicial process, in each case subject to prior written approval by the Chief Compliance Officer.
Except in connection with Permitted Disclosures, neither the Company nor any of its employees or associated persons shall:
- copy, upload, or distribute Personal Information from the Company’s databases or other external sources that originate from the Company;
- distribute Personal Information to anyone other than authorized personnel; or
- store, print, download, record or distribute any file or other document containing Personal Information.
The Chief Compliance Officer shall supervise the implementation and management of the privacy safeguards set forth below, and shall diligently monitor changes in applicable law.
All Personal Information, as well as all related files and records of the Company and its employees and other associated persons, shall be maintained on a network or system with appropriate access controls (a “Confidential System”) to prevent unauthorized access to the Company’s premises, including controls to authenticate and grant access only to authorized individuals and entities. Employees and other associated persons of the Company may not access or use Personal Information, unless there is a legitimate business need for such access or use.
Monitoring and Prevention
The Company shall develop monitoring systems and other procedures to detect actual and attempted attacks on, or other intrusions into, facilities and other locations, including electronic locations, where Personal Information is held. Personal Information will be held in secure media, and measures to protect against destruction, loss or other damage shall be implemented by the Company. To preserve the integrity and security of Personal Information in the event of computer or other technological failure, these measures will include disaster recovery and other response programs, including, where the Company deems appropriate, reconstructing destroyed, lost or otherwise damaged Personal Information.
- We collect nonpublic, personal information about our investors from the following sources:
- Applications, forms, correspondence and other communications. The information we collect can include name, address, social security number, assets, income and investment objectives; and
- Customers’ transactions and investments with us and others (such as payment history, account balances and parties to transactions).
- Our internal data security policies restrict access to nonpublic, personal information to authorized employees. We maintain physical, electronic and procedural safeguards to guard nonpublic, personal information. Employees who violate our data security policies are subject to disciplinary action, up to and including termination.
- To the extent permitted by applicable law, we reserve the right to disclose nonpublic, personal information about our investors and former investors to our affiliates in order to provide our investors with access to product offerings and product upgrades, and in order for our affiliates to provide services to us and our investors, such as investment advisory services and transaction processing.
- We reserve the right to disclose nonpublic, personal information about our investors and former investors to non-affiliated third parties with whom we have contracted to perform services on our behalf, such as accounting, legal, marketing and data processing services. We may disclose all of the information that we collect, as described above.
- We may also disclose nonpublic, personal information about our investors and former investors as permitted or required by law.
- On all occasions when it is necessary for the Company to share a customer or former customer’s personal information with non-affiliated parties, the Company will require that such information only be used for the limited purpose for which it is shared and will advise such parties not to further share such information with others except to fulfill that limited purpose.
 For purposes of this Policy, the term “affiliate” shall mean any individual or entity that controls, is controlled by, or is under common control with the Company.
 For purposes of this Policy, the term “non-affiliated third-party” shall mean any individual or entity other than an affiliate or a person jointly employed or otherwise retained by the Company and any individual or entity that is not an affiliate.