HERITAGE M&A RESEARCH INSTITUTE is the person responsible for the development, maintenance and management of the technological solutions underlying the Platforms (as defined below).

HERITAGE M&A RESEARCH INSTITUTE SAS  (“We” or “Heritage”) has prepared this privacy policy (the “Privacy Policy”) to describe to you our practices regarding the personal data collected from users (the “Personal Data”) during the utilization of the website: HeritageMA.com and any other connected websites, links or interactive forms (altogether, the “Platforms”) for the provision of our M&A intermediation services (collectively, the “Services”).

We are committed to providing the highest level of privacy and security regarding the collection and use of your Personal Data. This Privacy Policy describes how we may collect, use and disclose your personal information.

Please take the time to read this Privacy Policy carefully. By using the Platforms, you consent to our use of your Personal Data in accordance with the Terms of Use and this Privacy Policy (available on the Website).

This Privacy Policy was last updated on 01.06.2024.

• Personal Data which is processed through the Platforms

It is essential to us to collect, store and process only the minimum required amount of Personal Data so that we can offer and perform our Services. The typical Personal Data we collect from you are: 

• Name and surname
• E-mail address 
• Phone number
• Data about your business (in the public domain or that you provide us under NDA)
• Contractual data related to the Services provided
• Anti Money Laundering / Know Your Customer (AML/KYC) related information

• Information about disputes/complaints
• Geolocation data which is processed in anonymised form

• Purpose and Legal Basis for the data processing

We retain and process your Personal Data for the following main purposes:

• Contractual Purposes – The data you provide will be processed by us for the purpose of entering into a contract and fulfilling contractual and pre-contractual obligations, so that you can request Services as well be notified of support and maintenance updates. Legal basis for this purpose is the execution of the contract and/or pre-contractual measures. The provision of data is necessary for the fulfillment of contractual purposes. Failure to provide it will make it impossible to conclude the contract, carry out the requested service and/or respond to your questions or requests.

• Purpose of fulfilling legal obligations – Data will be used to fulfill obligations under applicable laws, which includes bookkeeping and to notify you for security or fraud protection. Legal basis for this purpose is the fulfillment of legal obligations. The provision of data for this purpose is mandatory, and without it, processing activities cannot be carried out.

• Direct Marketing Purposes – Only with your explicit and specific consent may data be used to conduct market surveys, promotional activities and send commercial information about our company, the Platforms, our Services, products and promotional initiatives. Legal basis for this purpose is consent, which is always freely revocable. Communications for Direct Marketing Purposes may be made through traditional and electronic mail, telemarketing, text messaging, notifications, social media and messaging platforms. The provision of data for this purpose is free, however, it is necessary for us to carry out the activities described above. In the absence of such conferment, you will not receive such communications.

• Profiling Purposes for Improving Service Offerings – We use the data to perform statistical analysis, aggregate marketing profiles, to improve campaigns as well as to infer patterns of usage of our services (including the Services) and to assist business directions in developing digital strategies. Legal basis for this purpose is consent, which is always freely revocable. The provision of data for this purpose is free, however, it is necessary for us to carry out the activities described above. In the absence of such provision, there will be no consequences for you apart from the fact that we will not be able to carry out the profiling described.

• Direct Marketing Purposes by Third Parties – Only with your explicit and specific consent, your data may be provided to other companies, which may contact you as owners of autonomous initiatives for statistical analysis, market surveys, and sending commercial information on services and promotional initiatives. We may disclose the results of aggregated data about you for marketing or promotional purposes, as further described below. We may disclose to the owners of certain content available through the Services, or their representatives, the following types of aggregated data about usage of such content: the number of views and the number of users who view the content, statistical information about users who view the content by geography, the referring URLs of users who view the content, the number of users who interacted with the content in specific ways, and other similar aggregated information relating to usage of the content. Legal basis for this purpose is consent, which is always freely revocable. Third-party communications may be made through traditional and electronic mail, telemarketing, text messaging, notifications, social media, and messaging platforms. The provision of data for this purpose is free, however, it is necessary for third parties to carry out the activities described above. In the absence of such provision, you will not provide third parties with the data and you will not receive such communications. 

• Statistical Analysis Purposes – The data will be used to carry out statistical and aggregate analysis activities, without affecting the individual data subject. Legal basis for this purpose is the legitimate interest of conducting aggregate analysis to plan business strategy according to the target market and the performance of the service and products offered, which will ultimately result in benefits for the data subject.  

• Purposes of promoting similar services (“Soft Spamming”) – Data will be used to enable us to promote and sell directly services similar to those you have already purchased, using the email address you provided in the context of a previous purchase, provided that you do not exercise your right to object by contacting us or through the appropriate link at the bottom of any email with promotional content that will be sent to you. Legal basis for this purpose is legitimate interest and the interest of the data subject in question. The provision of data for this purpose is optional, and in the absence of the provision, we will not be able to contact you with promotions on products and services similar to those already sold.

• Purpose of Customer Support and assistance in the solving of a complaint through the Platform – Customer support data is collected on a case-by-case basis and stored for the purpose of resolving disputes and service quality issues. We may use the platforms of our contractual partners to investigate and to respond to relevant complaints. In case you lodge a complaint through the Platforms or otherwise, we process the latter and run an investigation. To the extent permitted by law, we may record and monitor your communications with us to ensure compliance with our legal and regulatory obligations and our internal policies. Legal Basis for this purpose is legitimate interest or the interest of the data subject. The provision of data for this purpose is optional, but in the absence of the provision, we will not be able to assist you in these matters.

• Other Purposes for Legitimate Business Interest or Interests of the data subject:

1. 1. assessing customer suitability for services;
   2. anti-money laundering (AML), Know Your Customers (KYC) assessments;
   3. conducting market research and surveys with the aim of improving our products and services.
   4. for the prevention, detection, investigation and prosecution of crime (including without limitation, money laundering, terrorism, fraud and other financial crime) in any jurisdiction, identity verification, government sanctions screening and due diligence checks in compliance with applicable laws;
   5. to comply with local or foreign law, regulations, voluntary codes, directives, judgements or court orders, and any authority, regulator or enforcement agency policies, reporting requirements under financial transaction legislation and demands or requests of any authority, regulator, enforcement agency or exchange body;
   6. to seek professional advice, including in connection with any legal proceedings (including any prospective legal proceedings), for obtaining legal advice or establishing, exercising or defending legal rights;
   7. if it is necessary for the proper operation of our systems, our protection or the protection of our users and customers, or for the enforcement of our Terms of Use;
   8. servicing our relationship with you, for example administration and accounting, billing and auditing and other legal purposes;
   9. security, payment verification, preventing and detecting money laundering, fraud and other crime, recovering debt;
   10. to notify you about changes to our services;

• Personal Data collection process

We collect your Personal Data in a number of different ways, including the following:

• if you provide it when communicating with us (for example when registering for our Services or creating an account);
• if you purchase any services;
• if you enter a competition or promotion;
• if you make payments or modify your account details;
• when you visit our Platform (for example by cookies, technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and other browser-generated information such information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the Platforms (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number).

• Data Retention and Duration of Processing

• We will store data according to the following criteria:
  • Account usage – Your personal profile and account data will be retained whilst you continue to be an active and registered user of the Platforms, and for up to 7 years following cessation of your activity on the Platforms. If your account is closed, Personal Data will be deleted (according to the policies set out in this section), unless such data is required to be retained for accounting, dispute resolution or fraud prevention purposes.
  • Contractual purposes – up to the time necessary for the performance of the services you have requested and thereafter at most until the statute of limitation for exercising the respective rights has elapsed (in principle 10 years).
  • Purposes of compliance with legal obligations – until the end of the mandatory retention period established by applicable laws (particularly accounting and tax laws).
  • Direct Marketing Purposes – until consent is withdrawn or cancelled and, in the case of your inactivity and lack of contact with us (e.g., not opening emails, not registering for events, not purchasing products or services, etc.), after 5 years.
  • Profiling Purposes for Improvement of Service Offerings – data processed from time to time, will be deleted after 12 months from the start of processing.
  • Direct Marketing Purposes by third parties – until consent is revoked or cancelled and, in case of your inactivity and lack of contact with us (e.g., you don’t open emails, you don’t register for events, you don’t purchase products or services, etc.), after 5 years.
  • Statistical analysis purposes – until the request for data deletion or deletion depending on the retention time of one of the other pursued purposes.
  • Purposes of promoting similar products or services (“Soft Spamming”) – Personal Data may be retained at most until you object, which may be at any time, and, in case of your inactivity and lack of contact with us (e.g., you do not open emails, do not register for events, do not purchase products or services, etc.), after 5 years.
  • In the event that there are suspicions of criminal offence, fraud or false information having been provided, the data will be stored for 10 years in order to hinder the renewed registration of the person who acted unlawfully.
  • In case of payment disputes, Personal Data will be retained until the dispute has been resolved or until the statute of limitation of the claim has elapsed (in principle for 5 years). 
  • In all other cases, we will erase or anonymise your data once it is no longer necessary for the purpose we obtained it for.

• Recipients of the Personal Data and Location of processing

• In addition to our company, we allow third party service providers to process Personal Data where this is needed in connection with a service they provide to us. These arrangements may involve your Personal Data being located in various countries around the world including Switzerland where we have our head office. You should be aware that different privacy laws may apply in these countries from any laws that may apply in the country where you are located. We will always strive to adopt the highest standards of privacy protection wherever your personal information is located. Our Privacy Policy does not apply to third-party websites where our online advertisements are displayed or to linked third-party websites which we do not operate or control.
• We may share your Personal Data with selected third parties including:
  • business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
  • advertisers and advertising networks that require the data to select and serve relevant adverts to you and others;
  • analytics and search engine providers that assist us in the improvement and optimisation of our website; and
  • credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you;
  • in the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;
  • if we or substantially all of our assets are acquired by a third party, in which case Personal Data held by us about our customers will be one of the transferred assets; and
  • if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply any agreements between us and you, or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
• Only our authorized employees, and the authorized employees of our contractual partners, can access Personal Data, to the extent necessary to comply with requests of the users in connection with the Services as well as ensuring the adequate functioning of the Platforms. 
• Any processing of Personal Data by any third party shall occur under the same conditions as established in this Privacy Policy and accordance with applicable laws.
• Your Personal Data will be processed within the territories of the European Union. Any Personal Data collected in the course of providing the Services is transferred to and stored in servers and data centers operated through Amazon Web Services, which are located in the EU.
• Information that we collect may be stored and processed in and transferred between any of the countries in which we operate to enable us to use the information in accordance with this Privacy Policy. Any transfers of Personal Data will be done in compliance with applicable laws. You expressly agree to such transfers of Personal Data.
• If you are a user from the EU / EEA, should it become necessary for technical and/or operational issues to use entities located outside the EU / EEA, or should it become necessary to transfer some of the collected data to technical systems and services managed in the cloud and located outside the EU / EEA, the processing will be executed in accordance with the provisions of Chapter V of the GDPR and authorized on the basis of specific decisions of the European Union.  Therefore, all necessary precautions will be taken in order to ensure the most complete protection of Personal Data by basing such transfer: a) on adequacy decisions of the third country recipients as expressed by the European Commission; b) on adequate guarantees expressed by the third party recipient pursuant to Article 46 of the GDPR; c) on the adoption of so-called Binding Corporate rules. 

• Security of your Personal Data

The security of your Personal Data is fundamental to us and we have invested significant resources to protect their safekeeping and confidentiality. When using external service providers, we require them to adhere to the same high-standards we have adopted. Personal Data may be transferred or stored at a location outside of your country of residence, however, regardless of where those are transferred or stored, we take all steps reasonably necessary to ensure that your Personal Data is kept safe at all times.

As the Internet is not a truly secure form of communication, which bears inherent risks when sending and receiving information, we do not accept responsibility or liability for the confidentiality, security or integrity of your Personal Data in connection with its transmission over the Internet.

That said, we take all reasonable care in the collection, storage, processing and disclosure of your Personal Data and have implemented internal security procedures to minimize the risk that unauthorized parties will be able to access it. It is because of these security procedures that we may ask for proof of identity before we disclose any personal information about you.

To help protect your Personal Data and minimise the risk of it being intercepted by unauthorised third parties our secure servers use industry standard Secure Socket Layer (SSL) and Transport Layer Security (TLS) technology when you submit information to us through our website. This security is documented by the usage of the secure “https” protocol and the padlock on the URL bar.

• Privacy Rights

You have the following rights in respect of your Personal Data that we hold as provided for by applicable laws:

• Right to access. You have the right to access the personal information that we hold about you – which are accessible through the Platforms – in a structured and machine-readable format.
• Right to rectification. You may have the right to require us to correct any inaccurate or incomplete personal information we hold about you. 
• Right to erasure. In certain circumstances you may have the right to the erasure of your Personal Data we hold about you (for example where it is no longer necessary in relation to the purposes for which it was collected or processed – or – you withdraw your consent or object to processing and there are no legitimate grounds to continue the processing).
  • You should also bear in mind that any request to delete your Personal Data is possible only if your account is also deleted. As a result of that you will not be able to use the Services.
  • We respond to any request to delete Personal Data submitted by e-mail within a month and will specify the period of data deletion.
  • In case we are required to store Personal Data pursuant to a legal obligation, we will not be able to comply with your request for deletion. 
• Right to restriction. You may have the right to request that we restrict processing of your personal information in certain circumstances (for example where the accuracy of the Personal Data is contested by you, for a period enabling us to verify the accuracy of that Personal Data).
• Right to portability. You may have the right to portability which allows you to move, copy or transfer Personal Data. We will respond to any request for transfer of Personal Data submitted by e-mail within a month and specify when the data transfer will take place. After we have verified the customer in question, we will provide you with your Personal Data.
• Right to object. You have the right to object to and suspend the processing of your Personal Data where: (i) the processing is performed for direct marketing purposes; and (ii) the processing is performed for statistical survey purposes. You also have the right to object at any time, for reasons related to your particular situation, to the processing of personal data concerning you based on legitimate interest, including profiling based on it. We shall refrain from processing unless we can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject in question or for the establishment, exercise or defense of a legal claim; 
• Rights in relation to automated decision making and profiling. You have the right not to be subject to a decision that affects you based solely on automated processing and have the right to obtain human intervention to review decisions made which were based on automated processing.
• Right to revoke, restrict, suspend or stop, at any time, the consent given for the processing of your Personal Data, without affecting the lawfulness of the processing based on the consent given before revocation.
• Right to obtain additional information upon request, including:
  • the types of personal data of the data subject being processed;
  • the decisions taken on the basis of automated processing;
  • the rules and criteria of the periods for which the personal data will be stored and kept; and
  • the measures to be taken upon the occurrence of a data breach

If you want to modify your Personal Data, delete your e-mail address from our promotion e-mail list, or cancel your account, you may update your Personal Data in the settings or contact our support team. The mere deletion of your e-mail address from our e-mail list or database will not delete the user data you submitted to us or previous records of using our Services, nor will it delete the information stored in our data back-up and archiving. 

If you wish to exercise one of these rights, please contact us using the information in the ‘Contacting us’ section of this Privacy Policy. Please note that an archive copy of any information provided to us may be retained by us as may be required by the law and for audit purposes.

• Direct marketing and benefits

• We will only use your e-mail address to send direct marketing messages if you have given us the permission to do so via our Platforms. You may withdraw your consent for data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt-in to the use of your personal information for marketing purposes. 
• If you no longer wish to receive direct marketing messages, please click the “Unsubscribe” link in the footer of our e-mail or change the settings related to direct marketing in the Platforms. You can also contact us at privacy@HeritageMA.com should you wish to withdraw your consent or opt out of marketing communications at any time.
• We may direct to you marketing campaigns that contain gifts, sweepstakes and other marketing or promotional materials.

• Third Party Websites

The Platforms may contain links to other websites. We are not responsible for such third party websites’ privacy policies or practices.

• Changes to the Privacy Policy

Please ensure you regularly review this Privacy Policy as we may, in our sole discretion, modify and update this Privacy Policy from time to time. 

• Contacting Us, Dispute Resolution and Remedies

• If you have any questions, comments about this Privacy Policy or if you wish to exercise one of the rights as per Clause “Privacy Rights”, you may contact us by e-mail at privacy@HeritageMA.com
• Disputes relating to the processing of Personal Data are resolved through our in-platform customer support or by contacting privacy@HeritageMA.com  
• In case you believe that the data processing is unlawful or are still concerned about our handling of your personal information, you are entitled to lodge the procedure before the competent National Authority. For users resident in the European Union, you can find the list and contacts of EU National Data Protection Authorities here.