ATRATO ONSITE ENERGY (THE “COMPANY”) PRIVACY POLICY

1. Scope

1.1 Atrato Onsite Energy Holdco Limited (Company, We, Our, Us) is a renewable energy company incorporated in England and Wales.

We are committed to safeguarding the privacy and confidentiality of the personal data entrusted to us, and have implemented policies and controls to ensure the security of your personal data. This Privacy Policy relates solely to our processing of personal data where the share register services and administration and related services of our business are delivered. In the event that additional processing is required, we may issue a further supplementary privacy notice specifically in relation to that processing.

1.2 This Privacy Policy is addressed to the following categories of data subjects:

(a) our investors;
(b) our beneficial owners;
(c) our directors;
(d) staff located at our affiliates;
(e) third party supplier contacts; and
(f) our customers.

1.3 The Company’s website may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that the Company does not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third party websites.

2. Purpose

2.1 The purpose of this Privacy Policy is to allow you to understand what personal data the Company will collect (or which will be collected on its behalf), how we will use it, and who may access it.

2.2 By providing your personal data to us, whether via our website, in person, in writing, via one of our service providers or over the phone, you acknowledge the processing set out in this Privacy Policy. Further notices highlighting certain uses we wish to make of your personal data together with the ability to opt in or out of selected uses may also be provided to you when we collect personal data from you.

3. Personal data that the Company collects

3.1 The Company only collects the personal data that we determine is required for the purposes set out at
Section 4: Purposes for which we use your personal data, below. We may collect:

(a) Information you provide to the Company ► personal data that you provide to the Company, such as when contacting us using the email or physical address(es) listed on our website, including your name, email address, bank account details (where required) and other contact details;

(b) KYC and due diligence information ► information obtained by third
party screening providers and publicly available information and background screening, where required by law or applicable financial regulations;

(c) Our correspondence ► if you contact us, we will typically keep a record of that correspondence. You will be informed in the event that any call is being recorded. If you object to this, you can end the call at that point and utilise an alternative method of communication should you prefer;

(d) Device Information ► such as information about your operating system, browser, software applications, geolocation, security status and other device information in order to improve your experience, to protect against fraud and manage risk;

(e) Marketing and communications information ► including your preferences for
receiving marketing from us and our third parties and your communication preferences; and

(f) Website and communication usage ► details of your visits to the Company’s website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.

4. Purposes for which we use your personal data

4.1 When the Company collects your personal data, we may use or disclose it for the basis” that allows that use of your personal data. An explanation of the scope of the “lawful bases” can be found at Annex A to this Privacy Policy.

(a) To understand who our beneficial owners are and undertake reporting and
analysis ► Our corporate records contain information in respect of beneficial owners including names and addresses, account designations and the amount of shares held. Lawful bases: legitimate interests (to undertake reporting and analysis); legal obligations; legal claims (where applicable)

(b) For administrative purposes ►we may process your personal data to deal with queries, organise and minute all meetings, liaise with directors regarding meetings and accommodation and directors’ requirements for board and committee meetings, maintain and keep a register of directors and monitoring directors’ interests and conflicts.

Lawful bases: legitimate interests (to make corporate decisions and ensure that our directors are engaged and consulted appropriately); legal obligations; legal claims (where applicable)

(c) To comply with legal or regulatory requirements, or as otherwise permitted by law ► we may process your personal data to comply with our regulatory requirements (for example, to comply with KYC, antimoney laundering or insider dealing requirements) or dialogue with our regulators or to defend or prosecute claims which may include disclosing your personal data to third parties, the court service, fraud agencies and/or regulators or law enforcement agencies. This may involve background checks including screening against PEP, sanctions and/or anti-money-laundering databases on a periodic basis.
It is possible that special categories of personal data (e.g. political opinions, religious beliefs, ethnicity) and/or data relating to criminal convictions or offences may be received as a result of these background checks where such information has been made public or is relevant to the necessary checks.
Lawful bases: legal obligations; legitimate interests (to cooperate with law enforcement and regulatory authorities); legal claims (where applicable). Where special categories of personal data or data relating to criminal convictions or offences is processed, we will rely on substantial public interest (fraud prevention) or legal claims, as applicable.

(d) To inform you of changes ► to notify you about changes to the Company’s services and products; Lawful bases: legitimate interests (to notify you about changes to the Company’s services)

(e) To provide you with marketing materials ► to provide you with updates and offers, where you have chosen to receive these . We may also use your information for marketing our own products and services to you by post, email, SMS, and phone and, time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to
you or you may opt out by contacting us as set out in the Contact Us section below. Lawful bases: consent, legitimate interest where are not required to rely on consent (to services)

(f) To re-organize or make changes to the Company’s business ► in the event that the Company:

(i) is subject to negotiations for the sale of the Company’s business or part thereof to a
third party;
(ii) is sold to a third party; or
(iii) undergoes a re-organisation,

we may need to transfer some or all of your personal data to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. The Company may also need to transfer your personal data to that reorganised entity or third party after the sale or re- organisation for them to use for the same purposes as set out in this policy;

Lawful bases: legitimate interests (in order to allow the Company to change its
business); legal claims (where applicable)

(g) To communicate effectively with you and conduct the Company’s business ► to conduct the Company’s business (including dealing with customers’ queries relating to purchase agreements), including to your queries, to otherwise communicate with you (and keep a record of that including recordings of telephone conversations relating to your shareholding), or to carry out our obligations arising from any agreements entered into between you and the Company.

Lawful bases: contract performance; legitimate interests (to enable the Company to perform its obligations and provide its services to you, for the purposes of maintaining service standards and, if applicable, for the prevention, detection, investigation and prosecution of fraud); legal claims (where applicable)

5. Sharing your personal data (and transfers outside of the UK or EEA)

5.1 The Company will only use or disclose your personal data for the purpose(s) for which it was collected and as otherwise identified in this Privacy Policy.

5.2 Sharing outside of the Company: personal data may be provided to third parties, including our administrators, legal advisors, auditors, financial advisors, regulatory authorities or other self-regulatory organisations (when required to satisfy the legal or regulatory requirements of governments), regulatory or law enforcement authorities (where required or in cases of suspected criminal activity or contravention of law), or to comply with a court order or for the protection of our assets.

5.3 Transfers outside of the UK or the EEA: Your personal data may be accessed
by suppliers or other persons in, transferred to, and/or stored at, a destination
outside the UK or the EEA in which data protection laws may be of a lower standard than in the UK or the EEA. The Company will, in all circumstances, implement appropriate safeguards to protect the personal data as set out in this Privacy Policy, including by way of data transfer agreements incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data or by data controllers and processors in jurisdictions without adequate data protection laws.

5.4 Where the Company transfers personal data from inside the UK or the EEA to outside the UK and the EEA, the Company may be required to take specific additional measures to safeguard the relevant personal data. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions. In countries which have not had these approvals (see the full list here http://ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm), The Company will establish legal grounds justifying such transfer, such as EU Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements.

6 Retention of your personal data

6.1 The Company’s retention periods for personal data are based on business needs and legal requirements. The Company retains your personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, the Company may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When personal data is no longer needed, the Company either irreversibly anonymises the data (and the Company may further retain and use the anonymised information) or securely destroys the data.

7 Safeguarding your personal data

7.1 The Company uses physical, electronic and procedural safeguards to protect against unauthorised use, access, modification, destruction, disclosure, loss or theft of your personal data in the Company’s custody or control.

7.2 The Company has agreements and controls in place with third party service providers requiring that any information the Company provides to them must be safeguarded and used only for the purpose of providing the service the Company has requested the company to perform.

Security over the internet

7.3 No data transmission over the internet or website can be guaranteed to be secure from intrusion. However, the Company maintains commercially reasonable physical, personal data in accordance with data protection legislative requirements.

7.4 All information you provide to the Company is stored on our or our subcontractors’ secure servers and accessed and used subject to the Company’s security policies and standards. You are responsible for complying with any other security procedures of which you have been notified by the Company.

8 Changes to this Privacy Policy

8.1 From time to time, the Company may, without giving notice, make changes to this Privacy Policy. Where these changes are significant, we will take reasonable steps to bring these to your attention.

9 Your Rights

9.1 If you have any questions in relation to this Privacy Policy or in relation to the Company’s use of your personal data, you should first contact the Company at the email address provided in the Contact Us section below.

Under certain conditions, you may have the right to require the Company to:

(a) provide you with further details on the use the Company makes of your information;

(b) provide you with a copy of information that you have provided to the Company;

(c) update any inaccuracies in the personal data the Company or its service providers hold;

(d) delete any personal data that the Company no longer has a lawful ground to use;

(e) where processing is based on consent, to withdraw your consent so that the Company stops that particular processing;

(f) object to any processing based on the legitimate interests ground unless the Company’s reasons for undertaking that processing outweigh any prejudice to your data protection rights;

(g) object to receiving marketing communications from the Company by contacting us as set out in the Contact Us section below; and

(h) restrict how the Company uses your information while a complaint is being investigated.

9.2 Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and the Company’s interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, the Company will check your entitlement and respond in most cases
within a month.

9.3 If you are not satisfied with the Company’s use of your personal data or the
Company’s response to any exercise of these rights you have the right to
complain to your local data protection regulator. The relevant regulator is listed
here.

Jurisdiction Data Protection Regulator
UK Information Commissioner’s Office
Wycliffe House
Water Lane Wilmslow
Cheshire SK9 5AF
Email: dataprotectionfee@ico.org.uk
Telephone: 0303 123 1113

10 Contact Us

10.1 If you have any questions or concerns about our privacy practices, the privacy of your personal data or you want to change your privacy preferences, please contact the Company at its registered office (for the attention of Atrato Onsite Energy, 3rd Floor, 10 Bishops Square, London E1 6EG.

10.2 If after contacting the Company you do not feel that the Company has adequately addressed your concerns, you are entitled to contact your local data protection regulator identified above.

ANNEX A: Table of Lawful Bases

Use of personal data under applicable data protection laws must be justified under one of a number of legal “grounds” and the Company is required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available is set out below. The Company notes the grounds that it uses to justify each use of your information next to the use in the “Purposes for which we use your personal data” section of this Privacy Policy.

These are the principal legal grounds that justify our use of your information:
Consent: where you have consented to the Company’s use of your information.
More information is set out at Section 5. You may withdraw your consent by contacting us at the email address provided in the Contact Us section of this Privacy Policy or by clicking through unsubscribe wording in the relevant correspondence.

Contract performance: where your information is necessary to enter into or perform the Company’s contract with you.

Legal obligation: where the Company needs to use your information to comply with its legal obligations.

Legitimate interests: where the Company uses your information to achieve a legitimate interest and the Company’s reasons for using it outweigh any prejudice to your data protection rights.

Legal claims: where your information is necessary for the Company to defend, prosecute or make a claim against you, the Company or a third party.