Privacy Policy
Updated April 1, 2024
Introduction
Cambridge Associates, LLC and its affiliates (collectively referred to as “Cambridge Associates”, “we”, “us”, or “our” herein) provide discretionary and non-discretionary portfolio management investment services, research and performance monitoring to nonprofit institutions, family offices, corporate and public pension funds, public authorities and sovereign wealth funds. Cambridge Associates and its employees place a high priority on protecting sensitive personal and financial information. We do not disclose clients’ confidential information, or that of former clients, except as permitted by you, required by law, or as otherwise detailed in this Privacy Policy.
This Privacy Policy describes what personal information we collect, how we use and share that information, and your choices concerning our data practices. California residents should click here for additional information regarding their privacy rights. Residents of the European Union and United Kingdom can find additional information regarding their rights below. The transfer of personal data of EU residents to third countries are governed by the use of Standard Contractual Clauses where required.
What Personal Information We Collect and From Where We Get It
We may collect personal information about you from your discussions and correspondence with us, from legal documents, from information you supply about your investments or portfolio, from your incoming wire transfers or invoice payments, and from applications and other forms completed by you on our website, online platforms, or other media or provided to us by your authorized representatives and other fiduciaries. We may also collect personal information from email correspondence, telephone calls, paper communications, social media, our own websites and online platforms, or when you subscribe to our newsletter, visit our offices, enquire about or request products, goods, services, or other information from us, provide products or services to us and attend trade events such as conferences or exhibitions. This information may include contact details, biographical data, income, transaction history, assets, risk tolerance, wire transfer instructions, banking details, and tax, identification, social security, and account numbers, as well as information on your investment assets.
For those visiting our websites, online platforms or engaging us through social media, we may collect information relating to IP addresses, social media handles and usernames. When you visit, use, and interact with the website, we and service providers acting on our behalf may use cookies and other tracking technologies to automatically receive certain information about your visit, use, or interactions. For example, we may monitor the number of people that visit the website, peak hours of visits, which page(s) are visited, the domains our visitors come from (e.g., google.com, yahoo.com, etc.), which browsers people use to access the website (e.g., Chrome, Firefox, Microsoft Internet Explorer, etc.), broad geographical information, and navigation pattern. For more information on how we use cookies, please see our Cookies Policy. Recipients of personal data are employees and third parties who have contractually agreed to provide similar technical and operational, security and privacy measures as Cambridge Associates.
How We Use Personal Information
We may use personal information for the following purposes:
- To provide our portfolio management investment, research, and performance monitoring services;
- To respond to your inquiries, comments, feedback, or questions;
- To send administrative information to you, for example, information regarding our website or services and changes to our terms, conditions, and policies;
- To analyze how you interact with our website;
- To maintain and improve the content, functionality, and security of the website;
- To deliver and measure the effectiveness of our advertisements and marketing communications;
- To develop new products and services;
- To prevent fraud, criminal activity, or misuses of our website and services, and to ensure the security of our IT systems, architecture, and networks;
- To comply with legal obligations and legal process; and
- To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.
Our Basis for Processing Your Personal Data
The following are some of the ways we may lawfully process your personal data [1]:
- Consent: processing to which you have agreed;
- Performance of a Contract: processing necessary for the performance of a contract to which you are a party, or for the taking of steps at your request with a view to entering into a contract;
- Legal Obligation: processing necessary for us to comply with a statutory or regulatory obligation and
- Legitimate Interests: processing necessary for the purposes of legitimate interests pursued by us except where our interests are overridden by your interests, fundamental rights, or freedoms such as; marketing activities, provided the use is proportionate, has a minimal privacy impact, and you would not be surprised or likely to object, or in cases in which we have performed a legitimate interest impact assessment.
Sharing and Disclosure of Personal Information
Unless expressly agreed otherwise, we may disclose the personal information described above to custodians, fund administrators, investment managers, venture capital and private equity fund managers, and other nonaffiliated companies or individuals, such as legal, audit, and tax advisors, in the manner and to the extent permitted by you or as required by law. We may also disclose the information described above to other nonaffiliated service providers, such as providers of reporting data, data storage and fund monitoring services for our everyday business purposes in supporting our provision of services. To the extent possible, we require third parties to respect the security of your data and to treat it in accordance with the law.
International Transfer of Personal Information
Cambridge Associates may send your personal information outside the jurisdiction from which it originated or was collected. Where personal information is transferred or accessed outside of a specific jurisdiction, we require that appropriate safeguards are in place to comply with any applicable data protection regulations.
Your Choices in Relation to Personal Information
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. Depending on where you live, you may also have rights and choices which you can exercise with respect to the data we hold about you. If you are a California resident, please review the Additional Information for California Residents section below for information regarding your rights. Individuals residing in the European Union and United Kingdom retain rights listed under the section.
Retention and Destruction of Personal Information
We take reasonable steps to ensure the accuracy of the information we hold about you. We will not use your personal information unless it is (to our knowledge) accurate and up to date. We typically will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. When the purposes for which we have collected the data for have ended, we will retain and securely destroy your personal information in accordance with our policy, applicable laws and regulations.
Children
Our website and services are not directed to children who are under the age of 16. We do not knowingly collect personal information from children under the age of 16. If you have reason to believe that a child under the age of 16 has provided personal information to us through the website or our services, please contact us and we will endeavor to delete that information from our databases.
Links to Other Websites
The website may contain links to other websites not operated or controlled by us, including social media services (“Third Party Sites”). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third-Party Sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the Third-Party Sites directly for information on their privacy practices and policies.
Third Party Tracking and Do Not Track Signals
We and service providers acting on our behalf may use cookies or other tracking technologies on our website to collect certain information about your browsing activities over time and across different websites following your use of the website. Our website currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Policy, whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so. For more information on how we use cookies, please see our Cookies Policy.
Security
Unfortunately, the transmission of data over the internet is not completely secure. Although we will use our reasonable commercial efforts to protect your personal information against loss, misuse, unauthorized alterations or interception, we cannot guarantee its security. All clients who access performance data and other investment information from our website receive unique login and password identifiers, and it is your responsibility to protect your login information.
Rights Related To Personal Data
The EU GDPR, UK GDPR and the Swiss Federal Data Protection Act, respectively, provide EU, UK and Swiss residents with specific rights regarding their personal information. This section describes your rights under the GDPR and the Swiss Federal Data Protection Act (as applicable). Subject to certain exceptions and exclusions, EU, and UK and Swiss residents have the following rights in relation to the personal information we collect:
- the right to access information held about you
- the right to object to processing that is likely to cause you damage or distress
- the right to prevent processing for direct marketing purposes
- the right to request restriction of processing of personal data concerning you or to object to such processing
- the right to have information about you rectified, erased, or destroyed
- the right to claim compensation for damages to you caused by a breach of law
- the right to have your personal data transferred to another entity
- the right to revoke the declaration of consent under data protection law
- the right to information on safeguards, enforceable rights and effective legal remedies which are available regarding the transfer of personal data outside the EU
- the right to complain to a data protection authority
Additional Information for California Residents
In accordance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act of 2023 (“CPRA”), this section is intended to inform California residents of (1) the personal information that we collect and how we disclose that information, and (2) the privacy rights California residents may have relating to their personal information and how those rights can be exercised.
Personal Information Collection and Disclosure
The following disclosures are intended to provide additional information about the collection and disclosure of personal information. Nothing in this section limits our ability to use or disclose information as described elsewhere in this Privacy Policy.
- Categories of Personal Information Collected: In the past 12 months, we have collected the following categories of personal information, as described in greater detail in the “What Personal Information We Collect and From Where We Get It” section above:
- Identification Information, such as your name, email address, phone number, physical address, zip code, biographical information, social security and other identification numbers, and online account information (e.g., username and password).
- Online Activity Information, such your device identifier or IP address, the type of browser and device you are using, information about your device’s operating system, the actions you take on our website, and the names of referring and exit webpages. For more information on our collection of Online Activity Information, see our Cookies Policy.
- Commercial and Financial Information, such as your transaction history, wire transfer instructions, banking details, account numbers, and information on your income, assets, and risk tolerance.
- Sources of Personal Information: We collect the above categories of personal information from you, your authorized representatives and fiduciaries, our analytics providers and other service providers, and as otherwise described in the “What Personal Information We Collect and From Where We Get It” section above.
- Purposes of Collection and Disclosure: We collect and disclose the above categories of Personal Information for the business and commercial purposes described in the “How We Use Personal Information” and “Sharing and Disclosure of Personal Information” sections above.
- Categories of Personal Information Disclosed for a Business Purpose: In the past 12 months, we have disclosed for a business purpose all of the above categories of personal information to affiliates, service providers, custodians, fund administrators, investment managers, and other nonaffiliated companies or individuals as described in the “Sharing and Disclosure of Personal Information” section above.
- Categories of Personal Information Sold: Cambridge Associates does not sell personal information.
California Consumer Privacy Act (“CCPA”) AND California Privacy Rights Act of 2023 (“CPRA”) Rights
The CCPA and CPRA provide California residents with specific rights regarding their personal information. This section describes your rights and explains how to exercise those rights. Subject to certain exceptions and exclusions, California consumers have the following rights in relation to the personal information we collect:
- The right to request that we delete and direct any service providers that have received that personal information to delete, the personal information that we have collected and retained.
- The right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months.
- The right to opt-out of the sales of your personal information. (Cambridge Associates does not sell your personal information.)
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information.
- The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA or CPRA.
Exercising Your Rights: California residents can exercise the above privacy rights by calling 1-888-834-5222 x2823 or emailing us at privacy@cambridgeassociates.com.
Additional Privacy Rights*
Our privacy practices are designed to comply with all applicable privacy laws and regulations including, but not limited to, the following:
United States: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA)
European Union, UK, and Switzerland: General Data Protection Regulation (GDPR), German Federal Data Protection Act, UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Swiss Federal Data Protection Act
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia: Privacy Act 1988 (Privacy Act)
Singapore: Personal Data Protection Act (PDPA)
China: Personal Information Protection Law (PIPL), PRC Data Security Law and PRC Cybersecurity Law
*Please note that this list is not exhaustive and may not cover all the laws that could apply to your personal data. The applicability of these laws depends on various factors, including your location. We are committed to complying with all applicable laws protecting your privacy rights.
Additional Information for China Residents
As a data subject in China, you have the rights according to the PIPL and other applicable laws. We will try our best to support the exercise of your rights according to the law, but please be aware that your exercise of certain rights may affect the services we can offer or be subject to certain constraints. For example, if you withdraw your consent, we may not be able to provide the relevant services for you; if you would like to delete your personal information provided to us, but the retention period prescribed by the applicable laws and regulations has not expired, or it is technically difficult to delete the personal information, we will cease the Processing of the personal information, except for the storage and any necessary measure taken for security protection.
Prior to using our services, you have carefully read, fully understood and accepted this Privacy Policy. By accepting and consenting to this Privacy Policy, you have granted your consent, including the separate consent required under the PIPL, to authorize us to Process your personal information in accordance with this Privacy Policy
Verification: In order to protect your personal information from unauthorized access or deletion, we may require you to verify your credentials when you submit a request to know or delete Personal Information. If you do not have an account with us, or if we suspect fraudulent or malicious activity, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we will not provide or delete your personal information.
Authorized Agents: You may submit a request to know or a request to delete your personal information through an authorized agent. If you do so, we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.
[1] See Article 6 with respect to GDPR.
Changes
We may change the terms of this Privacy Policy from time to time. You may find a current version of this policy posted on our website at www.cambridgeassociates.com.
Affiliates
Contact Information
For further details about our privacy policy, please contact:
Sean F. Hanna
Chief Compliance Officer and Senior Counsel
115 Federal Street
Suite 2600
Boston, MA 02110
Tel. 617-457-7518
Fax 617-457-7501
email: privacy@cambridgeassociates.com