Mushroom Management Limited Privacy Policy

1. Introduction

We are Mushroom Management Limited, a company incorporated in England and Wales with registration
number 10693088 whose registered office is at Sun Street, Tewkesbury, Gloucestershire, GL20 5NX (“we”,
“our”, “us”) and operate under the name Mushroom. Privacy and by extension the rights and obligations
associated with it, are essential in modern commercial business. At Mushroom we couldn’t agree more
and so we have drafted this Privacy Policy to demonstrate our commitment to ensuring your privacy. If
you have any questions about your personal information (Personal Data) please email us, or by writing to
us at FAO DPO, Mushroom Management Limited, Third Floor, The Library Building, Tewkesbury GL20
5NX.
We’re registered with the Information Commissioner’s Office under number: ZA262411
Our Data Protection Officer’s contact details are: rco@mushroombiz.co.uk
Please ensure that you read this Privacy Policy to learn about your rights, what information we collect,
how we use and protect it.

We comply with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018
(DPA2018).

2. What Mushroom is about

Mushroom collects, uses and is responsible for processing certain personal information about you, your
clients and your suppliers in order to perform business-process outsourced services to you. When
providing these services certain Personal Data may be exchanged. Personal Data is any information that
relates to an identified or identifiable individual. In this regard the GDPR applies across the European
Union (including in the United Kingdom) and we are responsible as the ‘controller’ of that personal
information for the purposes of those laws.

3. Personal Data we collect

3.1 The Personal Data that you provide directly to us will be apparent from the context in which you
provide the data. In particular:

3.1.1 When you register with us we collect your full name, email address, required account log-in
credentials and bank details.
3.1.2 When you fill-in our online form to contact our sales team, we collect your full name, chosen
email address, country, and anything else you tell us about your requirements.
3.1.3 When you respond to our emails or surveys we collect your email address, name and any
other information you choose to include in the body of your email or responses.
3.1.4 When you contact us by phone we will collect your name and any other information you
provide us.

3.2 You may also choose to submit information to us via other methods, including:

3.2.1 in response to marketing or other communications;
3.2.2 through social media or online forums;
3.2.3 through participation in an offer, program or promotion;
3.2.4 in connection with an actual or potential business relationship with us, or
3.2.5 by giving us your business card or contact details at trade shows or other events.

4. How we use your personal data

4.1 We rely upon a number of legal grounds to ensure that our use of your Personal Data is compliant
with applicable law. We use Personal Data to facilitate the business relationships we have with our
Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate
business interests.

4.2 We use Personal Data to verify the identity of our Users in order to comply with fraud monitoring,
prevention and detection obligations, laws associated with the identification and reporting of illegal
and illicit activity such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations,
and financial reporting obligations.

4.3 The following list sets out the business purposes that we have identified as legitimate. We:

    • 4.3.1 Monitor, prevent and detect fraud and unauthorised payment transactions;

4.3.2 Mitigate financial loss, claims, liabilities or other harm;

4.3.3 Respond to enquiries, send service notices and provide customer support;

4.3.4 Manage, operate and improve the performance of our Website and Services by understanding their effectiveness and optimizing our digital assets;

4.3.5 Conduct aggregate analysis and develop business intelligence that enables us to operate,
protect, make informed decisions, and report on the performance of our business;

4.3.6 Transmit Personal Data within our affiliates for internal administrative purposes.

4.4 We may send you email marketing communications about Mushroom services, invite you to
participate in our events or surveys, or otherwise communicate with you for marketing purposes,
provided that we do so in accordance with the consent requirements that are imposed by applicable
law. By consent requirements we mean that we have received your freely given, specific, informed
and unambiguous indication of your wishes by which you, by statement or by a clear affirmative action
(such as ticking an opt-in box) signify your agreement to the processing of Personal Data relating to
you.

4.5 When we collect your business contact details through our participation at trade shows or other
events, we may use the information to follow-up with you regarding an event, send you information
that you have requested on our products and services and, with your permission, include you on our
marketing information campaigns.

5. How We Disclose Personal Data

5.1 Mushroom does not sell or rent Personal Data to marketers or unaffiliated third parties. We share
your Personal Data with the following trusted entities:

5.1.1 We share Personal Data within Mushroom in order to provide our Services and for internal
administration purposes.

5.1.2 We share Personal Data with a limited number of our service providers. We authorize those
service providers to use or disclose the Personal Data only as necessary to perform services
on our behalf or comply with legal requirements. We require such service providers to
contractually commit to protecting the security and confidentiality of the Personal Data they
process on our behalf.

5.1.3 We share Personal Data with third party business partners when this is necessary to provide
our Services to our users. Examples of third parties to whom we may disclose Personal Data
for this purpose are payment method providers when we provide payment processing
services.

5.1.4 In the event that we enter into a merger, sale, joint venture, assignment, transfer, change of
control, or other disposition of all or any portion of our business, assets or stock, we may
share Personal Data with third parties for the purpose of facilitating and completing the
transaction.

5.1.5 We share Personal Data in order to comply with applicable law, or payment method rules; to
enforce our contractual rights; to protect the rights, privacy, safety and property of both
Mushroom, you and the companies we work with; to respond to requests from courts and
other public and government authorities.

6. How long your personal data will be kept

6.1 Mushroom shall retain the following information:

6.1.1 We retain information regarding sales, marketing and recruitment for a minimum of 3
months.

6.1.2 For retention periods relating to our services these are in strict accordance with our retention
guidelines which are available on request. Please email us.

7. Clients’ Rights and Choices

7.1 If you no longer want to receive marketing-related emails from us, you may opt-out via the
unsubscribe link included in such emails. We will try to comply with your request(s) as soon as
reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages that are required to provide you with our
Services.

7.2 If you would like to review, correct, or update Personal Data that you may have previously disclosed
to us, you can do so by signing in to your Mushroom account or by contacting us.

7.3 The GDPR has been very important in strengthening the rights of individuals and putting them first
and foremost in control of their data. This section helps explain your data protection rights. To submit
a Data Subject Access Request please email us.

7.3.1 Access – You can ask us to verify whether we are processing personal data about you, and if
so, to provide more specific information.

7.3.2 Correction – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.

7.3.3 Erasure – You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose for which it was originally collected.

7.3.4 Processing restrictions – You can ask us to temporarily restrict our processing of your
Personal Data if you contest its accuracy, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift a temporary processing restriction.

7.3.5 Data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if this is technically feasible.

7.3.6 Automated Individual Decision-making – You can ask us to review any decisions made about you which we made solely based on automated processing, including profiling, that produced legal effects concerning you or similarly significantly affected you.

7.3.7 Right to Object to Direct Marketing including Profiling – You can object to our use of your Personal Data for direct marketing purposes, including profiling. We may need to keep some minimal information (such as your email address) to comply with your request to cease marketing to you.

7.3.8 Right to Withdraw Consent – You can withdraw consent that you have previously given to one or more specified purposes to process your Personal Data. This will not affect the lawfulness of any processing carried out before you withdrew your consent. It may mean we are not able to provide certain products or services to you and we will inform you if this is the case.

8. Security and Retention

8.1 We take all the steps necessary to ensure a level of security appropriate to the risk associated with the processing of Personal Data. We maintain organisational, technical and administrative measures designed to protect Personal Data within our organisation against unauthorised access, destruction, loss, alteration or misuse. Your Personal Data is only accessible to a limited number of personnel who need access to the information to perform their duties.
8.2 As with all technology companies, although we take steps to secure your information, we do not promise, and you should not expect, that your personal information will always remain secure.
8.3 We regularly monitor our systems for possible vulnerabilities and attacks and regularly review our information collection, storage and processing practices to update our physical, technical and organisational security measures.
8.4 We may suspend your use of all or part of the services without notice if we suspect or detect any breach of security. If you believe that your account or information is no longer secure, please notify us immediately

9. Where your Personal Data is located

9.1 All our servers are located at Data Centres located in Oxford, United Kingdom. We might transfer and store the data we collect from you somewhere outside the European Economic Area (‘EEA’). People who work for us or our suppliers outside the EEA might also process your data.

We may share data with organisations and countries that:
9.1.1 The European Commission say have adequate data protection.
9.1.2 We’ve agreed standard data protection clauses with.

10. Privacy Policy Updates

10.1 We may alter our Privacy Policy on a regular basis. Any changes are effective when we post the
revised Privacy Policy on the Services to the website. We may provide you with disclosures and
alerts regarding the Privacy Policy or Personal Data collected by posting them on our website and by contacting you through your account, email address and/or the physical address listed in your account.

11. Contact Us

11.1 You may contact Mushroom Management Limited by email or write to us at FAO DPO,
Mushroom Management Limited, Third Floor, The Library Building, Tewkesbury GL20 5NX.