Data Protection

This notice applies to visitors to our website, business contacts (including prospective clients and suppliers), investors and prospective investors, and job applicants.

Controller: Cresvia Capital Fund Management S.à r.l., 2, rue Jean Monnet, L-2180 Luxembourg
Data Protection Officer (DPO): Thorsten Steffen – compliance@cresvia-capital.com

We may collect your contact and identification details (e.g., name, email, phone, company role) and information you provide when contacting us, meeting us at events, or using our services. Data may also come from public sources, professional networks, and business directories.

If you contact us via email or a contact form, we process the data you provide to handle your request (Art. 6(1)(b) or (f) GDPR).
Our web servers also automatically record limited technical data to ensure security and proper operation (Art. 6(1)(f) GDPR), including IP address, date/time, requested URL, referrer, and browser/OS information. These logs are kept for a short period (typically 7–30 days) and then deleted unless needed to investigate security incidents or comply with legal obligations.

We process personal data in order to:

• respond to inquiries and provide information (Art. 6(1)(b) GDPR – contractual necessity),
• manage contracts, clients, suppliers, and investors (Art. 6(1)(b)),
• meet legal and regulatory duties (e.g., AML/KYC, tax laws) (Art. 6(1)(c)),
• maintain business relationships and protect our rights (Art. 6(1)(f) – legitimate interest),
• send marketing communications, where permitted or with consent (Art. 6(1)(a) or (f)).

We may share data with group companies, service providers, professional advisors (lawyers, auditors, accountants), banks, auditors, authorities, and IT/cloud providers. These third parties process data only under GDPR-compliant agreements. If data is transferred outside the EU, Standard Contractual Clauses and other safeguards ensure adequate protection. Where applicable, copies of these safeguards (or a description of them) are available on request.

We keep personal data only as long as necessary for the purposes described above and in line with legal and regulatory requirements. Typically:

• Inquiries: up to 12 months
• AML/KYC: 5–10 years after the end of the relationship, as required by law
• Accounting/tax records: 10 years
• HR/applications: until the end of the recruitment process (unsuccessful candidates) or up to 10 years (employment contracts)

After the applicable period expires, data is securely deleted or anonymised.

If you apply for a role (by email or via a form), we process the data you provide to evaluate your application and manage the recruitment process (Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR for process administration and legal defence).
Unsuccessful applications are kept for the duration of the recruitment process and a short period thereafter (typically up to 6 months) to establish, exercise, or defend legal claims, unless a different period is required by law or you consent to a longer retention. Successful applicants’ data is retained in line with employment law.

Providing personal data may be a legal requirement (e.g., for tax, AML/KYC, employment law) or a contractual requirement (e.g., to enter into a client, supplier, or employment contract). If you do not provide the requested data, we may not be able to enter into or perform the relevant contract.

You may exercise your GDPR rights:

• access, rectification, erasure, restriction, portability, and objection (including marketing),
• withdrawal of consent at any time (without affecting past processing),
• complaint to the Luxembourg CNPD (www.cnpd.public.lu, 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg).

Requests can be sent to compliance@cresvia-capital.com. We may ask you to confirm your identity and will respond within one month.

We generally do not process sensitive personal data unless legally required (e.g., AML/KYC or employment obligations).

We do not use automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

If a personal data breach occurs that may impact your rights, we will notify you without undue delay and inform the supervisory authority within 72 hours, as required by GDPR.

Some pages may include content from third parties (e.g., maps or videos). When such content loads, your browser may transmit limited technical data (such as IP address) to that provider.