.png){kind=small}
Privacy Notice
Acre Impact Capital
This notice explains how Acre Impact Capital collects, uses, and protects personal data in the ordinary course of its business activities. It applies to individuals whose data we process, including counterparties, professional contacts, investors, service providers, and visitors to our website or digital platforms. We are committed to handling personal data responsibly and in accordance with applicable data protection law.
Last updated: May 2026 · Version 1.0
1. Who we are and how to contact us
Acre Impact Capital operates through two entities:
Acre Capital Management
Incorporated in Mauritius (Company Number: 193238 GBC), licensed by the Financial Services Commission of Mauritius as a Global Business Company and Collective Investment Scheme manager. Registered office: Level 5, Alexander House, 35 Cybercity Ebene, Mauritius.
Acre Impact Capital Limited
Incorporated in England and Wales (Company Number: 11324187, registered office: 167-169 Great Portland Street, W1W 5PF, London, United Kingdom, United Kingdom.
For individuals located in the UK or EU, the data controller is Acre Capital Limited. For individuals located in Mauritius or other jurisdictions, the data controller is Acre Capital Management, which is subject to the Data Protection Act 2017 of Mauritius (administered by the Data Protection Office).
References to “Acre Impact Capital”, “we”, “us”, or “our” in this notice refer to both entities acting together, as appropriate to the context.
We have appointed a Data Protection Officer (DPO). To contact our DPO or to raise any data protection query, please write to: info@acre.capital
2. Who this notice applies to
This notice applies to identifiable individuals whose personal data we process, including:
Current and prospective investors, limited partners, and co-investors
Counterparties, borrowers, and project sponsors in our investment activities
Individuals who submit enquiries, request documents, or contact us through our website or by email
Authorised representatives and beneficial owners of investor entities
Professional advisers, consultants, and service providers
Visitors to our offices or events
NOTE: It does not apply to our employees and contractors, whose data is governed by separate internal policies.
3. What personal data we collect and where we get it from
We collect personal data directly from you (for example, when you contact us, submit a form, or enter into a business relationship with us) and from third-party sources, including your employer or organisation, other professional contacts, publicly available sources (company registers, regulatory databases, professional profiles, media), and business-risk screening providers.
The types of personal data we may process include:
Identity and contact data:
Name, job title, employer, email address, telephone number, postal address.
KYC and compliance data:
Passport or identity document details, date and place of birth, source of wealth, beneficial ownership information, relationships with politically exposed persons, sanctions screening results, and other information required under applicable anti-money laundering and financial crime prevention obligations.
Professional and relationship data:
Records of meetings, correspondence, and interactions in the course of our investment and fund management activities; notes from due diligence processes; records of fund subscriptions, drawdown notices, and distributions.
Website and technical data:
IP address, browser type, pages visited, and other technical information collected automatically when you visit our website.
Form submission data:
Information submitted through our website forms, including document access requests — name, organisation, role, email address, and the purpose stated by the requestor.
Communication data:
Email correspondence and other written communications with us.
Data we do not seek to collect:
We do not seek to collect special category data (such as health, religious belief, or political opinion) in the ordinary course of our activities. If such data is voluntarily provided in a context where it is relevant, we will treat it with additional care and will only retain it where there is a clear legal basis to do so
4. How we use your data and our legal basis
We use personal data only for the purposes for which it was collected or for compatible purposes. The main uses, and the legal bases we rely on under UK GDPR, EU GDPR, and the Mauritius Data Protection Act 2017, are set out below.
Purpose | Description | Legal basis |
|---|---|---|
Audits and reporting | Internal and external auditing, impact reporting, fund performance reporting to LPs. | Legal obligation; legitimate interests |
Protecting our business interests | Protecting confidential information, preventing fraud, evaluating or defending legal claims. | Legitimate interests |
Website and platform operation | Operating and improving our website; responding to online enquiries. | Legitimate interests |
Legal and regulatory compliance | Complying with FSC, FCA, AML, tax, and other applicable regulatory requirements; responding to regulatory enquiries. | Legal obligation |
Professional relationship management | Maintaining contact records, managing meetings and correspondence with counterparties, advisers, and institutional partners. | Legitimate interests |
Document access requests | Reviewing requests for documents, preparing NDAs, transmitting approved documents. | Contract; consent; legitimate interests |
Investor onboarding and KYC | Verifying identity, conducting AML and sanctions screening, maintaining regulatory records. | Legal obligation |
Fund and investment management | Managing fund operations, processing subscriptions and redemptions, issuing drawdown and distribution notices. | Contract; legal obligation |
Where we rely on legitimate interests, we have assessed that our interests do not override your rights, given the institutional and professional context in which we operate.
We do not use personal data for retail marketing, automated profiling, or credit scoring.
.png){kind=small}
All third-party processors are required to handle data under appropriate contractual safeguards consistent with applicable data protection law.
5. Who we share your data with
We do not sell or rent personal data. We may share it with the following categories of recipients, strictly on a need-to-know basis:
Legal advisers:
For transaction structuring, NDA preparation, and dispute resolution.
Compliance and KYC providers:
For screening and verification services.
IT and platform providers:
Including cloud hosting, email, document management, CRM, and investor portal providers, acting as data processors under appropriate agreements.
Fund administrators and auditors:
In connection with fund operations, regulatory reporting, and financial audits.
Regulators and public authorities:
Including the FSC (Mauritius), FCA (UK), and other competent authorities, where required or permitted by law.
Professional advisers:
Including accountants, tax advisers, and consultants, under confidentiality obligations.
6. International transfers
Acre Impact Capital operates across multiple jurisdictions. Personal data may be transferred between our Mauritius and UK entities and to counterparties, advisers, and service providers located in other countries, including in Africa and continental Europe.
Where data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place, which may include:
-
Adequacy decisions issued by the UK Secretary of State or the European Commission in respect of the recipient country
-
UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs), as applicable
-
Other transfer mechanisms permitted under applicable data protection law
Mauritius has been granted adequacy status by the European Commission under EU GDPR. For UK-to-Mauritius transfers, we apply safeguards consistent with the UK’s international transfer framework. You may request further information about the specific safeguards applied to any transfer by contacting us at the address in section 1.
7. How long we keep your data
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. Key retention periods are:
Data category | Retention period |
|---|---|
Website technical data | 12 months |
General correspondence | 6 years from last contact |
Document access requests (declined or incomplete) | 12 months from submission |
Document access requests (approved) | Duration of NDA plus 6 years |
Investor and fund records | Duration of fund plus 10 years |
KYC and AML records | 5 years from end of business relationship (or longer if required by applicable law) |
At the end of the applicable retention period, personal data will be securely deleted or anonymised.
8. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include, among others, access controls, encryption of data in transit, and regular review of our information security practices.
Where we engage third-party service providers who process personal data on our behalf, we require them to implement equivalent standards of security under written data processing agreements.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and will notify affected individuals where required by law. Our DPO is responsible for managing our breach response process.
If you believe your personal data may have been compromised, please contact us immediately at info@acre.capital.
9. Your rights
Under UK GDPR, EU GDPR, and the Mauritius Data Protection Act 2017, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions in certain circumstances.
Right | What it means |
|---|---|
Access | To receive a copy of the personal data we hold about you and information about how we use it. |
Rectification | To have inaccurate or incomplete personal data corrected. |
Erasure | To request deletion of your personal data where there is no compelling reason for us to continue processing it. |
Restriction | To request that we restrict processing of your data in certain circumstances, for example while a complaint is being investigated. |
Portability | To receive personal data you have provided to us in a structured, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means. |
Objection | To object to processing based on legitimate interests or for direct marketing purposes. |
Withdraw consent | To withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior processing. |
Automated decisions | Not to be subject to a decision based solely on automated processing. We do not currently carry out such processing. |
To exercise any of these rights, please contact us at info@acre.capital. We will respond within one calendar month of receipt of your request and may ask you to verify your identity before processing it. We will not charge a fee for handling requests unless they are manifestly unfounded or excessive.
You also have the right to lodge a complaint with the relevant supervisory authority:
-
UK: Information Commissioner’s Office (ico.org.uk)
-
EU: Your national data protection authority (list at edpb.europa.eu)
-
Mauritius: Data Protection Office (dataprotection.govmu.org)
We ask that you contact us in the first instance before escalating to a supervisory authority, as we will endeavour to resolve any concern promptly and directly.
