Exhibit A Spaces Limited

WHO WE ARE

Exhibit A Spaces Limited is a limited company, registered in England and Wales. Its registration number is 07092355 and its registered office is at 2nd Floor, 10-12 Bourlet Close, London W1W 7BR. 

The expression “we”, where used in this Policy, means Exhibit A Spaces Limited and the expressions “us” and “our” should be read accordingly.

ABOUT THIS PRIVACY POLICY

We are committed to protecting and respecting the privacy of customers, suppliers, their employees and workers and other individuals with whom it communicates. For the purposes of the relevant data protection legislation, including the General Data Protection Regulation, the “data controller” is Exhibit A Spaces Limited.

This Privacy Policy sets out the basis on which we collect personal data (as defined below) from you and the way in which it will be processed by us. Please read this Privacy Policy carefully to understand our policy and practices regarding personal data and how we shall treat it.

It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice that we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your personal data.

This Policy supplements any other such notices and is not intended to override them.

If you have any questions about this Policy, or if you wish to send us a request to exercise any of your legal rights (which are described elsewhere in this Privacy Policy), please contact our Privacy Team: privacy@exhibitaspaces.com or +44 (0)207 030 3291

PURPOSES FOR WHICH WE COLLECT INFORMATION

We shall only use personal data to the extent that the law allows us to do so. Most commonly, we will use personal data in the following circumstances:

1. To provide products and services to an individual or to the organisation by which the individual is employed or engaged, either at the individual’s or his or her organisation’s request or in order to fulfil an existing contract;

2. Where we need do so in order to comply with a legal or regulatory obligation; or

3. Where it is necessary to do so for our legitimate interests pursued by us or a third party and the interests and fundamental rights of the individual do not override those interests. “Legitimate Interest” means our interest in conducting and managing our business to enable us to give the best service or product and a secure experience, and the interest of our business generally. We ensure that we consider and balance any potential impact on individuals and their rights before we process their personal data for our legitimate interests. We do not use personal data for activities where our interests are overridden by the impact on the individual (unless we have the individual’s consent or are otherwise required or permitted to do so by law).

TYPES OF PERSONAL DATA WE COLLECT

“Personal data” means any information which identifies (or from which we can identify) a natural person, as opposed to a company or other organisation. We may collect, use, store and transfer the following different kinds of personal data about individuals:-

• “Identity Data”, which comprises an individual’s first name, last name and title;

• “Contact Data”, which comprises an individual’s address, email address and telephone number(s);

• “Financial Data”, which comprises an individual’s bank account or payment card details;

• “Transaction Data”, which comprises details about payments made by an individual to us or by us to an individual (if the individual is a sole trader) or the organisation by which the individual is employed or engaged, and details of services that the individual or organisation has purchased from us

• “Technical Data”, which comprises an individual’s IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the device(s) used to access our website;

• “Usage Data”, which comprises information about how an individual uses our website, products or services; and

• “Marketing and Communications Data”, which comprises an individual’s preferences in receiving marketing from us or third parties on our behalf, and the individual’s communication preferences.

AGGREGATE DATA

We may also collect, use and share “Aggregated Data”, such as statistical or demographic data. Aggregated Data may be derived from an individual’s personal data but does not constitute “personal data” in law as it does not directly or indirectly reveal an individual’s identity. For example, we may aggregate (i.e. combine with information relating to others) Usage Data to calculate the percentage of users accessing a specific feature of our website. However, if we combine or connect Aggregated Data with other information so that it can directly or indirectly identify an individual, we treat the combined data as personal data and use it strictly in accordance with this Privacy Policy.

MINIMUM REQUIRED INFORMATION

Where we need to collect personal data by law, or in order to provide products or services that we have agreed to provide to an individual or the individual’s organisation, and the individual fails to provide the minimum required data when requested, we may not be able to provide that advice or those services and may, as a consequence, have to cancel our agreement to provide the products or services in question. In that event we shall notify the individual or the organisation accordingly. For example, if the individual is a sole trader and has asked us to open a trading account, we may ask for details of trade references in order to assess the application and complete our identity, money laundering and credit checks before we are able to open an account for the individual.

HOW WE USE PERSONAL DATA

We use your personal information in connection with our business activities. In particular, we may use your personal information in the following ways:

• to carry out our obligations arising from any contracts entered into between an individual or the individual’s organisation and us; for example, the use of payment card details and a delivery address to process and fulfil an order(s);

• to provide, enhance and personalise your experience on our website;

• to manage and administer any other arrangements between you and us (or one or more of our affiliates);

• to notify you about changes to our services and to otherwise communicate with you; for example, we will use your contact details in order to respond to any queries that you submit to us;

• at or following any purchase or order you make, we may carry out security checks to protect against fraudulent transactions and to prevent and detect criminal activity; for example, we may undertake verification checks to identify any discrepancies with your payment details;

• to carry out market research; for example, we may contact you (including by email) to obtain your feedback on our products and services, and we may use details of your purchases to understand market trends and to identify popular products;

• to help us review, develop and improve the products and services we offer, including our website. We monitor details of your visits to our website, including, but not limited to, traffic data and page views for business and data analysis. We may also use your personal information to provide you with information about products, services, promotions and offers that may be of interest to you where we have obtained implied consent (for example, if you have ordered something from us or made an enquiry) or you have signed up to receive marketing messages. 

WHEN MAY WE SHARE PERSONAL DATA?

We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party suppliers or service providers to use personal data of which we are the controller for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions. We shall not share personal data with any third parties for marketing purposes without the individual’s express consent. We may, however, share personal data with third parties in the following circumstances:

(a) Service Providers
We will share personal data with service providers where this is necessary in order to provide the individual or organisation with products or services that the individual or organisation has ordered. Examples of service providers include payment processors, hosting services, suppliers, subcontractors and delivery services. We may also need to share personal data with third party software or IT support providers for the purpose of system administration, data security, data storage, back up, disaster recovery and IT support.

(b) To transfer information in the case of a sale, merger, consolidation, liquidation, reorganisation, or acquisition
We may share personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use personal data in the same way as set out in this Privacy Policy.

(c) To protect the rights, property, or safety of our business and other customers
We reserve the right to disclose or share an individual’s personal data in order to comply with any legal or regulatory requirements, enforce our terms and conditions (or any other agreement we enter into with the individual or organisation), or to protect the rights, property, or safety of our business and other customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We may also need to share information with HM Revenue & Customs, regulators and other authorities acting as processors based in the United Kingdom, who require reporting of processing activities in certain circumstances. We may also share an individual’s personal data with our professional advisers including lawyers, bankers, auditors, accountants and insurers who provide us with legal, financial and banking, audit, insurance, accounting and consultancy services.

INTERNATIONAL TRANSFERS

As we operate globally across the UK, Europe, US, and UAE, your information may be transferred to and processed in countries outside your location.

We ensure appropriate safeguards are in place, including:

• Adequacy Decisions: Transfers to countries with adequate data protection standards

• Standard Contractual Clauses: EU-approved contract terms for international transfers

• Partner Agreements: Ensuring our international partners maintain appropriate security measures

WHERE WILL WE STORE PERSONAL DATA?

All personal data provided to us is stored on our internal software and (in some instances) accounting software. We use our best endeavours to ensure that all personal data is treated securely and in accordance with this Policy and comply with the relevant data protection legislation within the United Kingdom. This includes examining the security procedures of our service providers.

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify individuals affected and any applicable regulator of a breach where we are legally required to do so.

Please note that the transmission of information via the internet is not completely secure. Although we shall do our best to protect all personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at the individual’s own risk. Once we have received an individual’s personal data, we shall use effective safeguarding procedures and security features to try to prevent any unauthorised access to it.

HOW LONG WILL WE RETAIN PERSONAL DATA?

We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise an individual’s personal data (so that it can no longer be associated with the individual) for research or statistical purposes in which case we may use this information indefinitely without further notice.

In some circumstances an individual can ask us to delete his or her data: see the “Right to be Forgotten” section below for further information.

SUBJECT RIGHTS

Under certain circumstances, an individual has the following rights:

• to request that we provide the individual with a copy of the personal data that we hold about him or her (“Access Request”);

• to request that we rectify any personal data that we hold about an individual (“Right to Rectification”);

• to request that we erase any personal data that we hold about an individual (“Right to be Forgotten”);

• to restrict the level of processing we carry out with an individual’s personal data (“Restriction of Processing”);

• to obtain from us all personal data that we hold about an individual in a structured, machine-readable form, and have this information transmitted to another organisation (“Data Portability”);

• to object to our processing personal data in certain ways (“Right to Object”); and

• to withdraw consent at any time to our processing of his or her personal data.

Please see the relevant sections below for further details on an individual’s rights as a data subject.

Any of these rights may be exercised by contacting our Privacy Team: privacy@exhibitaspaces.com or +44 (0)207 030 3291. An individual also has the right to lodge a complaint with the Information Commissioner’s Office if unhappy in any way with how we have treated his or her personal information. 

We would, however, appreciate the opportunity to deal with an individual’s concerns before a complaint is made to the Information Commissioner’s Office, and would therefore ask individuals please to contact us in the first instance.

We shall comply with any request made under this section as soon as possible, and normally within one month from the date on which the request is received. However, if necessary, for example if the request is particularly complex or we receive a number of similar requests, we may extend this period by an additional two months, but we shall notify the individuals who have made if we need to do this.

Individuals will not usually have to pay a fee to access personal data (or to exercise any of their other rights). However, please note that where we receive requests under this section which are manifestly unfounded or excessive, for example because they are repetitive in nature, we may:

• charge a reasonable fee considering the administrative costs of providing the information or taking the action requested; or

• refuse to act on the request.

We may need to request specific information from an individual to help us confirm an individual’s identity and verify his or her right to access their personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact an individual to ask for further information in relation to the individual’s request in order to speed up our response.

ACTION REQUEST

An individual has the right to request a copy of the information that we hold about him or her at any time. This enables the individual to receive a copy of the personal data that we hold and to check that we are lawfully processing it. Please note that in most circumstances, we shall not make a charge for this. However, we may charge a reasonable fee based on administrative costs for any further copies requested.

RIGHT TO RECTIFICATION

An individual has the right at any time to ask us to rectify any personal data that we hold about him or her and which is incorrect or incomplete. 

This enables the individual to have corrected any incomplete or inaccurate data that we hold, though we may need to verify the accuracy of any new data that the individual provides to us.

If we have disclosed any incorrect or incomplete data to any third parties, we shall inform them of any necessary amendments or corrections made to the personal data of the individual concerned.

RIGHT TO BE FORGOTTEN

An individual has the right at any time to ask us to erase the personal data that we hold about him or her if:

• it is no longer necessary for us to handle that personal data for the purpose for which it was originally collected;

• the individual has withdrawn consent for us to hold that personal data (where consent was the basis on which it was collected or used);

• the individual objects to the processing of the data and there is no lawful overriding reason for us to continue processing it;

• the personal data was unlawfully processed; or

• we have to erase the personal data in order to comply with a legal obligation.

Please note, however, that we may not always be able to comply with a request of erasure for specific legal reasons: in that event we shall inform the individual of those reasons at the time when erasure is requested.

RESTRICTION OF PROCESSING

An individual may ask us to restrict how we use his or her data in the following circumstances:

• where the individual believes that the personal data we hold about him or her is inaccurate, he or she may ask that we refrain from using that data until we can verify the accuracy of it;

• where we have unlawfully processed personal data, the individual may ask that we restrict our usage of it rather than erase it completely; or where the individual has objected to our use of his or her personal data but we need to verify whether we have overriding legitimate grounds to use it.

Where we no longer need to hold personal data, the individual may nevertheless require us to retain it for the purpose of establishing, exercising or defending a legal claim.

DATA PORTABILITY

An individual has the right to obtain from us all personal data which he or she previously provided to us in a structured, commonly used and machine readable form, provided that such data was processed based on the individual’s consent, or for the purpose of a contract between us, and the processing was carried  out by automated means. This right only applies to automated information for which the individual originally provided consent for us to use or where we used the information to perform a contract with the individual personally.

This will allow an individual to move, copy or transfer personal data easily from one IT environment to another (for example, if the individual wishes to change legal advisers). Alternatively, we can transmit such data directly to another organisation.

Please note that we shall not be able to comply with a data portability request if this will affect the rights and freedoms of others.

RIGHT TO OBJECT

An individual has the right to object, on grounds relating to his or her particular situation, to our processing of his or her personal data where we are doing this for the performance of a task carried out in the public interest (about which we shall have advised the individual, if applicable), or where we are carrying out processing for the purposes of legitimate interests pursued by us.

An individual also has the right at any time to ask us not to process his or her personal data for direct marketing or profiling purposes (to the extent that such profiling is related to such direct marketing). We shall have informed the individual prior to obtaining his or her personal data whether we intend to process that personal data for this purpose, or if we intend to disclose it to any third party for such purposes. If we process personal data for automatic decision making or profiling purposes (i.e. to analyse or predict an individual’s personal preferences or transaction history, and such profiling is automated) we shall inform the individual in advance, and will only do this where this is a necessary condition of entering into a contract between the individual and us, or where the individual has given us explicit consent to do so.

RIGHT TO WITHDRAW CONSENT

Where an individual has given consent to the processing by us of any personal data, he or she has the right to withdraw that consent at any time. 

However, this will not affect the lawfulness of any processing carried out before consent is withdrawn. If an individual withdraws consent, we may no longer be able to provide advice or services to the individual or to the individual’s organisation. We shall advise the individual (and, if applicable, may inform other individuals in the same organisation) if this is the case at the time when consent is withdrawn.

In addition to any other way in which we make available to individuals the ability to withdraw consent to the processing of personal data, an individual may also withdraw consent at any time by contacting our Privacy Team: privacy@exhibitaspaces.com or +44 (0)207 030 3291.