Privacy Policy
Effective date: [TBD at publication] Last updated: [TBD at publication]
Draft note for GreenMax legal review. This is a baseline privacy policy drafted to reflect the data flows of the new greenmaxcap.com website. All bracketed items require confirmation or are decisions for GreenMax leadership and counsel. This document is not legal advice and should be reviewed by qualified counsel before publication.
1. About this policy
This Privacy Policy explains how [GreenMax Capital Group legal entity name] ("GreenMax," "we," "us," or "our") collects, uses, and protects personal data in connection with the website located at greenmaxcap.com (the "Site").
GreenMax is the data controller responsible for personal data processed through the Site. If you have any questions about this policy or how we handle your personal data, please contact us at [privacy contact email — to be designated].
We have written this policy in plain language so that it is accessible to anyone who visits the Site. Where we use technical or legal terms, we explain them.
2. Scope
This policy applies to personal data we collect through the Site. It does not apply to:
- Personal data collected through platforms, programs, or facilities we manage under mandate (including Mwinda, CEI Africa, PIFORES, G4A, GSA, and related vehicles), which are governed by their own program-specific agreements and privacy terms
- Personal data collected in the course of contractual engagements, advisory services, or investor relationships, which is governed by the relevant contractual terms
- Third-party websites linked from the Site, which are governed by those parties' own policies
3. What we collect and why
We have designed the Site to collect the minimum personal data necessary to operate it. In practice, this means we collect very little.
3.1 Server and log data
When you visit the Site, our hosting and content delivery provider automatically receives and processes basic technical information, including:
- Your IP address
- Browser type and version
- Operating system
- Referring page and pages visited
- Date and time of access
We process this information for the purposes of delivering the Site to you, maintaining security, preventing fraud and abuse, and diagnosing technical problems. Our legal basis for this processing is our legitimate interest in operating a secure and reliable website (GDPR Article 6(1)(f)).
3.2 Analytics
We use [analytics provider — to be finalized: Cloudflare Web Analytics or Plausible Analytics] to understand, in aggregate, how visitors use the Site so that we can improve it. This analytics service is privacy-preserving and does not use cookies or collect personal identifiers. It does not track individual users across sessions or websites.
Our legal basis for this processing is our legitimate interest in understanding and improving the Site (GDPR Article 6(1)(f)).
3.3 Interactive map
The Site uses Mapbox to display an interactive map of the countries in which we operate. When the map loads, Mapbox receives your IP address in order to serve the map tiles. Mapbox processes this data as a data processor on our behalf, under its published Data Processing Addendum.
Our legal basis for this processing is our legitimate interest in providing a functional, informative website (GDPR Article 6(1)(f)).
3.4 Video content
We host most video content on Mux, which does not use cookies or collect personal identifiers when you view a video.
In limited cases, we embed video hosted on YouTube. YouTube embeds are not loaded automatically. Before any YouTube content loads, you will see a placeholder and a notice that clicking will load content from YouTube. If you choose to load a YouTube embed, YouTube (a Google service) may set cookies and receive information about your visit, including your IP address. This processing is governed by Google's own privacy policy.
Our legal basis for processing data in connection with Mux-hosted video is our legitimate interest in delivering multimedia content (GDPR Article 6(1)(f)). For YouTube-hosted video, our legal basis is your consent, given by clicking to load the embed (GDPR Article 6(1)(a)).
3.5 Content management
Published content on the Site is managed through Sanity. Sanity processes data as our processor, under its published Data Processing Addendum. The Site does not require you to create an account, log in, or submit personal data to view content.
3.6 What we do not collect
The Site does not include a contact form, newsletter signup, user registration, or commenting system. We do not collect names, email addresses, postal addresses, phone numbers, or similar identifying information through the Site. We do not knowingly collect data from or direct any content to children under 16.
If you contact us directly by email or other means outside the Site, we will process your communication and any personal data it contains for the purpose of responding to you. Our legal basis is our legitimate interest in responding to enquiries (GDPR Article 6(1)(f)).
4. Cookies
The Site does not set marketing, advertising, or tracking cookies. We use only cookies that are strictly necessary for the Site to function, which include:
- Security cookies set by our content delivery provider to detect bots and mitigate abuse
Because these cookies are strictly necessary to deliver the service you have requested, they do not require consent under the ePrivacy Directive or GDPR. We do not display a cookie banner because there are no non-essential cookies for you to consent to.
If you choose to load a YouTube video embed, YouTube may set its own cookies after you take that action. This occurs only with your affirmative click.
5. Third-party processors
We use the following third parties to help us operate the Site. Each processes personal data only on our documented instructions, under a written data processing agreement, and subject to appropriate security measures.
- Cloudflare, Inc. — Hosting, content delivery, DNS, and security. Global. Transfers covered by EU Standard Contractual Clauses and the Data Privacy Framework.
- Sanity AS — Content management system. Primary processing in the EU, with headquarters in Norway (an adequacy-decision country).
- Mapbox, Inc. — Interactive map. United States. Transfers covered by EU Standard Contractual Clauses and the Data Privacy Framework.
- Mux, Inc. — Video hosting and delivery. United States. Transfers covered by EU Standard Contractual Clauses and the Data Privacy Framework.
- [Analytics provider — to be finalized] — Aggregate website analytics. Location and transfer mechanism to be confirmed once the provider is selected.
Each processor maintains its own list of sub-processors. We review these lists periodically.
6. International transfers
GreenMax is headquartered in [jurisdiction — to be confirmed] and works with service providers located in the United States and other countries. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum
- The EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Framework, where the receiving party is certified
You can request more information about these safeguards by contacting us at [privacy contact email].
7. How long we keep data
We retain server logs for [retention period — typically 30–90 days, to be confirmed with hosting provider defaults] for security and diagnostic purposes. Aggregate analytics data is retained indefinitely in non-identifying form.
If you email us directly, we retain your correspondence for as long as reasonably necessary to respond to your enquiry and for a reasonable period afterward for recordkeeping, typically no longer than [retention period to be decided — suggest 24 months].
8. Your rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights in relation to your personal data:
- Right of access. You can ask us to confirm whether we hold personal data about you and to provide a copy.
- Right to rectification. You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure. You can ask us to delete your personal data in certain circumstances.
- Right to restrict processing. You can ask us to limit how we use your personal data in certain circumstances.
- Right to data portability. You can ask us to provide your personal data in a structured, commonly used format.
- Right to object. You can object to processing based on legitimate interests.
- Right to withdraw consent. Where we rely on consent, you can withdraw it at any time.
- Right to lodge a complaint. You can complain to your local data protection authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
Residents of other jurisdictions may have similar rights under applicable local law.
To exercise any of these rights, please contact us at [privacy contact email]. We will respond within the timeframes required by applicable law, typically within one month.
9. Security
We take appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption of data in transit, access controls, and selection of service providers that maintain recognized security certifications (including SOC 2 Type II and ISO 27001 where applicable).
No system is completely secure. If we become aware of a personal data breach affecting your rights, we will notify you and relevant authorities as required by applicable law.
10. Children
The Site is directed to institutional and professional audiences. It is not intended for children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected such data, please contact us and we will take appropriate steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do, we will update the "Last updated" date at the top of this page. Material changes will be announced on the Site.
12. Contact
If you have questions, concerns, or requests relating to this policy or your personal data, please contact:
[GreenMax Capital Group legal entity name] [Registered office address] [Privacy contact email]
For data protection matters specifically, you may address correspondence to our [data protection contact / designated officer — to be named].