Notice to European Individuals

September 29, 2021

This Notice to European Individuals provided by Forge Global (“we,” “us,” or “our”) pursuant to the GDPR (as defined below), supplements our Privacy Policy and applies to the “personal data,” as defined in the GDPR, of natural persons located in the European Economic Area and the United Kingdom (collectively, “European Individuals,” and individually, “you,” or “your”). Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them elsewhere in the Privacy Policy or, if not defined herein or elsewhere in the Privacy Policy, the GDPR. If you are not a European Individual, this Notice to European Individuals does not apply to you.

The term “European Economic Area” (or “EEA”) shall mean the then-current member states and member countries of the European Union and European Economic Area.

The term “GDPR” shall mean the General Data Protection Regulation 2016/679, the Privacy and Electronic Communications Directive 2002/58/EC, the UK Data Protection Act 2018, the UK General Data Protection Regulation as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and the Privacy and Electronic Communications Regulations 2003, and any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

With respect to any combination of conflict between the provisions of this GDPR Privacy Notice and any other provision of the Privacy Policy, the GDPR Privacy Notice shall control only with respect to the personal data of European Individuals.

Controller Disclosure & Details: We are a data controller of personal data regarding the following categories of European Individuals: Prospective/current customers (collectively, “Customers”), business contacts at Customers, vendors, suppliers, or other third parties (“Business Contacts”), visitors to our Website (“Website Visitors”) and job applicants (“Job Applicants”) for the purposes and under the legal bases described in the table below. Please note that, in some cases, the categories of data subjects above may overlap (e.g., Customers, Business Contacts and Job Applicants using the Websites are also Website Visitors).

Data Subject Category Purpose & Legal Basis of Processing

Website Visitors

Information Security: We process contact information, server log information and information collected through cookies (such as your IP address, browser information, geolocation data, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Website usage, combating DDOS or other attacks, and removing or defending against malicious individuals or programs on the Websites. We may also process your contact information to comply with a legal obligation relating to how we manage our organization or our relationship with your organization.

Websites’ Operation and Improvement: We process server log information and information collected through cookies pursuant to our legitimate interest in operating and improving our Websites.

Audience Measurement and Retargeting: Pursuant to a Website Visitor’s consent, we use analytics cookies, and collect identifiers through such cookies (such as your IP address, browser information, pages viewed, time on each page, links clicked, operating system, request date/time, user agent string, referral and exiting URL), for purposes of audience measurement, analytics, audience reaction to the Websites’ content, and creating relevant Website Visitor experiences (such as based on their interaction with our Websites).

Customers

General Business Development and Management: We will process personal data pursuant to our legitimate interest in creating and managing our business relationships with European Individuals, including without limitation:

  • To respond to inquiries from European Individuals;
  • To provide European Individuals with information about our products and services; and
  • To provide European Individuals with research materials.

Direct Marketing: Generally, we send email marketing to European Individuals pursuant to their consent. In cases where a Customer buys, or enters into negotiation for the sale of, a product or service, email marketing may be sent to such Customer pursuant to our legitimate interest in sending marketing communications to such Customers in the context of such engagement.

Transaction Processing: We will process personal data as necessary to provide our Services (including the execution of Transactions for our Customers through our Services) in accordance with the performance of our contracts with our Customers, in order to take steps at a Customer’s and its representatives’ request prior to entering into such contracts, pursuant to our legitimate interest in authenticating Customers’ and their representatives’ identifies and fraud prevention, and to comply with our legal obligations in providing our Services.

Business Contacts

Vendor Business Development: When entering into vendor relationships with European Individuals, we will receive the personal information of contacts employed or otherwise associated with such vendors. We process such information in our legitimate interest in establishing and developing our vendor relationships and obtaining information about their products and services.

Job Applicants

Recruiting: We process personal data in furtherance of our legitimate interest in recruiting and considering European individuals for open employment opportunities with us, including to contact them about such opportunities.

EU Representative: Data Rep, 12 Northbrook Road, Dublin, D06 E8W5, Ireland; [email protected], quoting “Forge Global, Inc.” in the subject line. Online webform here.

UK Representative: Data Rep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom; [email protected], quoting “Forge Global, Inc.” in the subject line. Online webform here.

Recipients: Forge Global personnel shall receive and process your personal data for the purposes described herein. Such personal data may also be disclosed to the following categories recipients to effectuate the purposes described herein: lawyers, auditors, and other professional advisors, and third party providers of business-related services such as cloud storage, email marketing, customer relationship management systems, fraud prevention, travel and expense management, Website management and analytics databases.

We may also disclose personal data to third parties (including but not limited to affiliated broker-dealers, custodial organizations, financial institutions and payment providers) who provide us with services relating to administration, telecommunications, payment, clearing, audit, accounting, risk management, credit, legal, compliance, operations, sales and brokerage, marketing, relationship management, securities management, information technology, records and data storage, performance measurement and compilation and analysis in connection with our Services (including the execution of Transactions for our Customers through our Services).

We may also disclose personal data to our parent companies, subsidiaries, affiliates, joint ventures, or other companies under common control (“Affiliates”) to support the marketing and provision of the Websites and products and services. If we pass your personal data to one of our Affiliates so that it can respond to your inquiry if it relates to that Affiliate, that Affiliate will be using your personal data as a separate data controller for the purposes of the GDPR.

We may also disclose personal data to respond to claims of violation of third party rights or to enforce and protect our rights.

Retention: Except as set forth below, Forge Global shall retain your personal data while fulfilling the purposes for Processing as set forth in this GDPR Privacy Notice, and thereafter for a period no longer than seven (7) years, unless retention of your personal data for a longer period remains necessary to fulfill the purposes for the processing of such personal data as set forth in this GDPR Privacy Notice and/or to the extent you have (or demonstrate interest in) a continuing relationship with Forge Global. In some cases, we may have to retain data for a longer period to comply with our legal obligations (e.g., accounting, regulatory, finance, tax). Notwithstanding the foregoing, Forge Global shall retain personal data from unsuccessful Job Applicants for a period no longer than three (3) years from the date of collection of such personal data except where continued retention remains necessary to fulfill the purpose for which it was collected and processed, for consideration as a future hire, compliance with legal or regulatory requirements, or defense of legal or regulatory claims. Additionally, Forge Global shall not retain personal data we collect automatically from your browsers or device through server logs or cookies for a period longer than two (2) years from date of collection.

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction, and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability, and (v) withdraw your consent where consent is used as the legal basis for processing your personal data. You may exercise these rights and submit a GDPR complaint by contacting: [email protected] with the subject line “GDPR Privacy Notice.”

You also have the right to lodge a complaint about the processing of your personal data with a supervisory authority of the European state where you work or live or where any alleged infringement of data protection laws occurred. A list of most of the supervisory authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. The supervisory authority in the UK is the Information Commissioner’s Office (https://ico.org.uk/).

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by submitting your request to [email protected]lobal.com with the subject line “GDPR Privacy Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside of Europe: We may transfer your personal data outside the EEA or the UK when necessary to provide the Services. We will only transfer your personal data outside the EEA or the UK pursuant to applicable data protection laws, and will not make such a transfer unless: (i) we have signed EU Commission Standard Contractual Clauses with the recipient, (ii) the recipient is located in a country that has received an adequacy decision from the European Commission, or (iii) where a derogation under GDPR Article 49 or similar provision applies.

Disclosure to Public Authorities: Forge Data may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring: In the event of a merger, reorganization, dissolution, or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Notice.

Updates to this Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the “Effective Date” at the top of this page will be updated accordingly.

How to Contact Us: Please reach out to [email protected] for any questions, complaints, or requests regarding this Notice; please include the subject line “Notice to European Individuals.”