Privacy Policy

PRIVACY NOTICE

Effective Date: July 29, 2021

Your privacy is very important to us. This Privacy Notice sets forth Oxford Lane Capital Corp.’s (“our,” “we,” or “Oxford Lane”) policies with respect to personal information we collect and process (“Notice”). This Notice applies to investors, prospective investors, and former investors in Oxford Lane, as well as to visitors of our website and applicants for employment with us.

1. Data Controller

To the extent the GDPR applies, and for other data privacy laws with a data controller requirement, Oxford Lane is the data controller that directs the purposes for which personal information is processed.

Oxford Lane is located at: 8 Sound Shore Drive – Suite 255, Greenwich, CT 06830

We will use personal information about you only for the purposes and in the manner set forth below, which describes the steps we take to ensure the processing of personal information is in compliance with applicable data protection law, including California’s Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”).

2. Information we collect

We collect personal information from a number of sources, including:

  • when you or your representative provide, or provided, it to us in correspondence (including when you open an investment) and conversations
  • publicly available and accessible directories and sources
  • when recruitment agencies provide us with information for prospective employees
  • governmental and competent regulatory authorities to whom we have regulatory obligations
  • when you have made or make transactions or provide transaction documentation
  • fraud prevention and detection agencies and organizations
  • through the use of cookies and similar technologies

The types of personal information we collect and share depend on the product or service you have with us. The personal information we collect, the basis of processing and the purposes of processing are detailed below. For EU/UK data subjects, we have a lawful basis under the GDPR for each of our processing activities, as set out below:

What we collect: Personal details such as name, address, postal and email address, phone number, Social Security Number or other Tax ID Number, driver’s license number, employment information, and financial information

Why do we collect it: To open and administer your investment

Lawful Basis: As is necessary to enter into or perform our contractual obligations to you (for example, to administer, manage and set up your investment, or to facilitate the transfer of funds, and administering and facilitating any other transaction).

It is also necessary to comply with our legal and regulatory obligations, for example, to verify the identity and address of our investors, maintain statutory registers, comply with the U.S. Office of Foreign Assets Control list and other governmental sanction lists, to prevent and detect fraud, to maintain the integrity and security of our systems, to carry out audit checks and conduct surveillance and investigations, and comply with lawful requests.

It is also in our legitimate interest to manage our risk, monitor and improve our relationship with you, and keep you up to date on our latest offerings and investment opportunities, which are not outweighed by the privacy impacts on you.

If you are an applicant for employment, we use this information to set up and administer your application. It is necessary to take steps at your request prior to entering into a contract (e.g. to respond to your queries and to provide you with further information; or where you have submitted an application to become our customer and to verify your creditworthiness).

What we collect: Name, email address, postal address

Why do we collect it: To provide you with, and inform you about, our investment products and services and keep you updated.

Lawful Basis: It is in our legitimate interest to keep you up to date on our latest offerings and investment opportunities.

For California Residents

The personal information about you that we collect includes information within the below categories of data. These categories also represent the categories of personal information that we have collected over the past 12 months. We collect this information as per section 2 above, and we share this information as per section 3 below.

Note that the categories listed below are defined by California state law. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you, we may collect some information within that category. It does not necessarily mean that we collect all information listed in a particular category for all of our customers. 

Categories of data collected: Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

Purpose of collection: As is necessary to perform our obligations to you to administer, manage and set up your investment and to facilitate the transfer of funds, and administering and facilitating any other transactions.

As is necessary for compliance with an applicable legal or regulatory obligation to which we are subject, to: verify the identity and addresses of our investors (and, if applicable, their beneficial owners); comply with requests from regulatory, governmental, tax and law enforcement authorities; maintain statutory registers; prevent and detect fraud; comply with the U.S. Office of Foreign Assets Control list and other governmental sanctions lists; carry out audit checks and conduct surveillance and investigations.

As is necessary to address or investigate any complaints, claims, proceedings or disputes; to provide you with, and inform you about, our investment products and services; monitor and improve our relationships with investors; send direct marketing communications to you; manage our risk and operations; comply with our audit requirements; assist with internal compliance with our policies and process; ensure appropriate group management and governance; to maintain the integrity and security of our systems; enable any actual or proposed assignee or transferee, participant or sub-participant of the partnership’s or our rights or obligations to evaluate proposed transactions; analyze and manage commercial risks; monitor communications to/from us using our systems; facilitate business asset transactions involving the Company or related investment vehicles.

If you are an applicant for employment, we use this information to set up and administer your application.

Categories of data collected: Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, wire transfer information, or any other financial information, such as the amount invested and details of the investment made, medical information, or health insurance information.

Purpose of collection: As is necessary to perform our obligations to you to administer, manage and set up your investment and to facilitate the transfer of funds, and administering and facilitating any other transactions.

As is necessary for compliance with an applicable legal or regulatory obligation to which we are subject, to: verify the identity and addresses of our investors (and, if applicable, their beneficial owners); comply with requests from regulatory, governmental, tax and law enforcement authorities; maintain statutory registers; prevent and detect fraud; comply with the U.S. Office of Foreign Assets Control list and other governmental sanctions lists; carry out audit checks and conduct surveillance and investigations.

Categories of data collected: Commercial information, including records of your transactions with us and banking information

Purpose of collection: As is necessary to perform our obligations to you to administer, manage and set up your investment and to facilitate the transfer of funds, and administering and facilitating any other transactions.

As is necessary for compliance with an applicable legal or regulatory obligation to which we are subject, to: verify the identity and addresses of our investors (and, if applicable, their beneficial owners); comply with requests from regulatory, governmental, tax and law enforcement authorities; maintain statutory registers; prevent and detect fraud; comply with the U.S. Office of Foreign Assets Control list and other governmental sanctions lists; carry out audit checks and conduct surveillance and investigations.

Categories of data collected: Professional or employment-related information

Purpose of collection: As is necessary to perform our obligations to you to administer, manage and set up your investment.

If you are an applicant for employment, we use this information to set up and administer your application.

Categories of data collected: Characteristics of classes protected under federal or California law, including: familial status, disability, sex, national origin, religion, color, race, sexual orientation, gender identity and gender expression, marital status, veteran status, medical condition, ancestry, source of income, age, or genetic information.

Purpose of collection: If you are an applicant for employment, we use this information to set up and administer your application, including to provide any reasonable accommodations you may require.

Categories of data collected: Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

Purpose of collection: To optimize performance of our websites, provide products and services to our customers, and to audit our interactions with our investors and applicants for employment. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics. It is also necessary to ensure compliance with our policies and procedures.

3. Sharing your personal information

We may share your personal information with our adviser, Oxford Lane Management, LLC, and to certain service providers such as our accountants, administrator, attorneys, auditors, transfer agents and brokers, in each case for our everyday business purposes, such as to facilitate the acceptance and management of your investment or account and our relationship with you, or as otherwise permitted by applicable law. We will take reasonably necessary steps to ensure that where personal information is shared, it is treated securely and in accordance with this Privacy Notice and applicable laws. We require our service providers to provide written assurances regarding the security and privacy protections they have in place to protect any personal information transferred or disclosed to them, as well as their compliance with our security requirements and any applicable laws and regulations.

We may also disclose the information we collect:

  • If you request or authorize disclosure of the information, in each case in accordance with the agreements governing your investment;
  • As required by law – for example, to cooperate with any government regulators, self-regulatory organization or law enforcement authorities;
  • As otherwise permitted by law – for example, (i) to service providers who maintain, process or service our funds; (ii) in connection with the making, management or disposition of any fund investment; (iii) as otherwise necessary to effect, administer or enforce investment or fund transactions; or (iv) in connection with a sale or other transfer of our public entities. We may also share information with attorneys, accountants, other service providers and with persons otherwise acting in a representative or fiduciary capacity on behalf of investors or the funds;
  • We may share information with service providers that perform marketing services on our behalf.

We do not, and will not, sell personal information to third parties, as that term is defined by California law, nor have we done so in the past 12 months. In addition, we do not share personal information with third parties for their direct marketing purposes.

4. Retention of your personal information

As a general principle, we do not retain your personal information for longer than we need it. We keep your personal information only for as long as it is required to provide our services, perform our contractual obligations, or to meet our statutory or regulatory requirements. We typically delete personal information about you 6 years after you are no longer our client.

5. Your rights regarding your personal information

Depending on where you live, your current jurisdiction and applicable data protection laws, and subject to any relevant restrictions/exemptions, you may be entitled to certain rights with regard to our processing of your personal information. (Please note: depending on the country you live in and the applicable data protection laws, you may only have access to some of the rights listed below).

Your rights under the California Consumer Privacy Act (“CCPA”)

To the extent we have collected information about you that is not governed by the GLBA or FCRA, you may have the rights described below with respect to personal information about you. Residents of California may have certain data protection rights under CCPA relating to certain personal information, including:

  • Right of access – You may be entitled to request that we disclose the categories and specific pieces of personal information that we have collected about you, the categories of sources from which the information was collected, the purposes of collecting the information, the categories of third parties we have shared the information with, and the categories of personal information that have been shared with third parties for a business purpose.
  • Right to “opt-out” of a sale of personal information – If our business practices change and we sell personal information, you will be provided with notice and be given the opportunity to opt out of the sale of your personal information.
  • Right of data portability – In some instances, you may have the right to receive the information about you in a portable and readily usable format. Before providing this information, we must be able to verify your identity akin to the request.
  • Right to have personal information erased – Subject to certain conditions, you may be entitled to request that we delete personal information that we hold. We will not delete personal information about you when the information is required to fulfill a legal obligation, is necessary to exercise or defend legal claims, or where we are required or permitted to retain the information by law. For example, we cannot delete information about you while continuing to manage your account or investment. Data solely retained for data backup purposes is principally excluded.

You may also appoint an authorized agent to make a request on your behalf.

If you choose to exercise any of these rights, to the extent that they apply, U.S. state law prohibits us from discriminating against you on the basis of choosing to exercise the privacy rights.

We may, however, charge a different rate or provide a different level of service to the extent permitted by law.

Your GDPR rights

To the extent the GDPR applies, data subjects of the EU/UK may have certain rights, including:

  • the right to access your personal data
  • the right to restrict the use of your personal data
  • the right to have incomplete or inaccurate data corrected
  • the right to ask us to stop processing your personal data
  • the right to require us to delete your personal data in some limited circumstances
  • the right to object to processing of your personal data where that processing is carried out for our legitimate interest or for direct marketing
  • the right in some circumstances to request for us to “port” your personal data in a portable, re-usable format to other organizations (where this is possible)
  • the right to lodge a complaint about the processing of your personal data with your local data protection authority
  • the right to request information, with respect to our practices within the 12 months prior to your request, regarding the specific personal data we have collected from you, the sources from which we obtained it, the purposes for which we collected, used and shared the personal data, and the categories of third parties with whom we have shared it

You may exercise your right to make these requests/objections by contacting us at 1-203-983-5275 or sending us an email at privacy@oxfordfunds.com at any time if you wish to do so.

For a listing of EU Privacy Regulators, please click here: https://edpb.europa.eu/about-edpb/board/members_en

6. Submitting Requests

To exercise your rights to request information or the deletion of your personal information, please contact us at 1-203-983-5275, or send us an email at privacy@oxfordfunds.com at any time if you wish to do so.

Before providing information requested in accordance with your rights, we must be able to verify your identity. In order to verify identity, you will need to submit information about yourself, including, to the extent applicable, account information, name, government identification number, date of birth, contact information, or other personal information. We will match this information against information we have previously collected about you to verify your identity and request.

Please note that under California law, we are only obligated to respond to personal information requests from the same consumer up to two times in a 12-month period. Under both EU and California law, if an individual makes unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access Personal Data, we may charge a fee subject to a maximum set by law.

If you would like to appoint an authorized agent to make a request on your behalf, you must provide the agent with written, signed permission to submit privacy right requests on your behalf, or provide a letter from your attorney. The agent or attorney must provide this authorization at the time of request. We may require you to verify your identity with us directly before we provide any requested information to your approved agent.

Information collected for purposes of verifying your request will only be used for verification.

If you choose to exercise any of these rights, to the extent that they apply, U.S. state law prohibits us from discriminating against you on the basis of choosing to exercise your privacy rights. We may, however, charge a different rate or provide a different level of service to the extent permitted by law.

We are, of course, happy to provide any further information or explanation needed.

7. Cookies

A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to “remember” your actions or preferences over time. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide reporting information. Some cookies are strictly necessary for the functioning of our website.

Why do we use cookies?
We use cookies to learn how you interact with our content and to improve your experience when visiting our website. For example, some cookies remember your preferences and where you left off so that you do not have to repeatedly make these choices when you visit one of our websites.

What types of cookies do we use?
Third-party cookies belong to and are managed by other parties, such as Google Analytics. These cookies may be required to render certain forms, such as email list sign-up. Session cookies are temporary cookies that are used to remember you during the course of your visit to the website, and they expire when you close the web browser. Persistent cookies are used to remember your preferences within the website and remain on your desktop or mobile device even after you close your browser or restart your computer. We use these cookies to analyze user behavior to establish visit patterns so that we can improve our website functionality for you and others who visit our website.

How do I reject and delete cookies?
You can choose to reject or block all or specific types of cookies for FIA by changing your browser settings. Please note that most browsers automatically accept cookies. Therefore, if you do not wish cookies to be used, you may need to actively delete or block the cookies. If you reject the use of cookies, you will still be able to visit our websites but some of the functions may not work correctly. You may also visit www.allaboutcookies.org for details on how to delete or reject cookies and for further information on cookies generally. By using our website without deleting or rejecting some or all cookies, you agree that we can place those cookies that you have not deleted or rejected on your device.

See also:
https://tools.google.com/dlpage/gaoptout
https://support.google.com/ads/answer/2662922?hl=en

8. Safeguards and Compliance

We implement and maintain security appropriate to the nature of the personal information that we collect, use, retain, transfer or otherwise process, and will take reasonable steps to protect your personal information against loss or theft, as well as from unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held. While we are committed to developing, implementing, maintaining, monitoring and updating a reasonable information security program, unfortunately, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. Data security incidents and breaches can occur due to vulnerabilities, criminal exploits or other factors that cannot reasonably be prevented. Accordingly, while our reasonable security program is designed to manage data security risks and thus help prevent data security incidents and breaches, it cannot be assumed that the occurrence of any given incident or breach results from our failure to implement and maintain reasonable security.

9. Do Not Track Signals

Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer’s online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, we do not monitor or take any action with respect to these signals or other mechanisms.

10. Children

We do not offer financial services and products to minors and do not knowingly collect personal information from children under the age of 16. We will delete any personal information we determine to have been collected from a child or user under the applicable age of consent. If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed personal information to us, please contact us at 1-203-983-5275 or send us an email at privacy@oxfordfunds.com.

11. Changes to this Notice

We reserve the right to modify this Notice at any time and without prior notice. Updated privacy policies will be made available through our websites. We will comply with applicable data privacy laws when making changes to our privacy practices. The date at the top of this privacy policy indicates the date when the policy was last updated and the updates went into effect.

12. Questions

If you have any questions regarding this policy or the treatment of your non-public personal information, please contact us at 203-983-5275 or send us an email at privacy@oxfordfunds.com.