Privacy Policy
Updated November 4, 2025
Introduction
Cambridge Associates, LLC and its affiliates (collectively referred to as “Cambridge Associates”, “we”, “us”, or “our” herein) provide discretionary and non-discretionary portfolio management investment services, research and performance monitoring to nonprofit institutions, family offices, corporate and public pension funds, public authorities and sovereign wealth funds. Cambridge Associates and its employees place a high priority on protecting sensitive personal and financial information. We do not disclose clients’ confidential information, or that of former clients, except as permitted by you, required by law, or as otherwise detailed in this Privacy Policy.
This Privacy Policy describes what personal information we collect, how we use and share that information as data controllers, and your choices concerning our data practices. California residents should click here for additional information regarding their privacy rights. Residents of the European Union (“EU”), United Kingdom (“UK”) and Switzerland can find additional information regarding their rights below. The transfer of personal data of EU and Swiss residents to third countries is governed by the use of Standard Contractual Clauses where required. Residents of the People’s Republic of China (“China” or “PRC”) can find additional information regarding their rights below. The cross-border transfer of personal information of residents in China is governed by the Personal Information Protection Law of China (“PIPL”). Data Subjects in relation to our office in the Dubai International Financial Centre (DIFC) can find additional information here.
What Personal Information We Collect and From Where We Get It
We may collect personal information about you from your discussions and correspondence with us, from legal documents, from information you supply about your investments or portfolio, from your incoming wire transfers or invoice payments, and from applications and other forms completed by you on our website, online platforms, or other media or provided to us by your authorized representatives and other fiduciaries. We may also collect personal information from email correspondence, telephone calls, paper communications, social media, our own websites and online platforms, or when you subscribe to our newsletter, visit our offices, enquire about or request products, goods, services, or other information from us, provide products or services to us and attend trade events such as conferences or exhibitions. This information may include contact details, biographical data, income, transaction history, assets, risk tolerance, wire transfer instructions, banking details, AML/KYC history, and tax, identification, social security, and account numbers, as well as information on your investment assets.
For those visiting our websites, online platforms or engaging us through social media, we may collect information relating to IP addresses, social media handles and usernames. When you visit, use, and interact with the website, we and service providers acting on our behalf may use cookies and other tracking technologies to automatically receive certain information about your visit, use, or interactions. For example, we may monitor the number of people that visit the website, peak hours of visits, which page(s) are visited, the domains our visitors come from (e.g., google.com, yahoo.com, etc.), which browsers people use to access the website (e.g., Chrome, Firefox, Microsoft Internet Explorer, etc.), broad geographical information, and navigation pattern. For more information on how we use cookies, please see our Cookies Policy. Recipients of personal data are employees and third parties who have contractually agreed to provide similar technical and operational, security and privacy measures as Cambridge Associates.
For residents in China, please click here for the list of personal information collected and processed by us.
For data subjects in the DIFC, please click here for the list of personal information collected and processed by us.
How We Use Personal Information
We may use personal information for the following purposes:
- To provide our portfolio management investment, research, and performance monitoring services;
- To respond to your inquiries, comments, feedback, or questions;
- To send administrative information to you, for example, information regarding our website or services and changes to our terms, conditions, and policies;
- To analyze how you interact with our website;
- To maintain and improve the content, functionality, and security of the website;
- To deliver and measure the effectiveness of our advertisements and marketing communications;
- To develop new products and services;
- To prevent fraud, criminal activity, or misuses of our website and services, and to ensure the security of our IT systems, architecture, and networks;
- To comply with legal obligations and legal process; and
- To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.
Our Basis for Processing Your Personal Data
The following are some of the ways we may lawfully process your personal data [1]:
- Consent: processing to which you have agreed;
- Performance of a Contract: processing necessary for the performance of a contract to which you are a party, or for the taking of steps at your request with a view to entering into a contract;
- Legal Obligation: processing necessary for us to comply with a statutory or regulatory obligation; and
- Legitimate Interests: processing necessary for the purposes of legitimate interests pursued by us, except where our interests are overridden by your interests, fundamental rights, or freedoms, such as marketing activities, provided the use is proportionate, has a minimal privacy impact, and you would not be surprised or likely to object, or in cases in which we have performed a legitimate interest impact assessment.
Sharing and Disclosure of Personal Information
Unless expressly agreed otherwise, we may disclose the personal information described above to custodians, fund administrators, investment managers, venture capital and private equity fund managers, and other nonaffiliated companies or individuals, such as legal, audit, and tax advisors, in the manner and to the extent permitted by you or as required by law. We may also disclose the information described above to other nonaffiliated service providers, such as providers of reporting data, data storage and fund monitoring services for our everyday business purposes in supporting our provision of services. To the extent possible, we require third parties to respect the security of your data and to treat it in accordance with the law.
In connection with the aforementioned purposes, your personal information as described above may be passed on to affiliates within the Cambridge Associates Group to which services are outsourced or utilized. Outsourced services include, but are not limited to, administrative support, financial analysis and due diligence of financial products, support in the areas of Legal, Compliance and Human Capital.
For residents in China, please click here for the list of personal information we provided to third parties.
For data subjects in the DIFC, please refer to the section titled “Sharing and disclosure of your personal data and for which reasons” below.
International Transfer of Personal Information
Cambridge Associates may send your personal information outside the jurisdiction from which it originated or was collected, including to countries that do not offer the same protection to your personal data as the jurisdiction from which it originated or was collected. Where personal information is transferred or accessed outside of a specific jurisdiction, we require that appropriate safeguards are in place to comply with any applicable data protection regulations.
If you reside in the European Union, we rely on data transfer mechanisms such as standard contractual clauses approved by the European Commission (“Standard Contractual Clauses”) to transfer your personal data lawfully outside the European Economic Area (“EEA”). For the current list of adequacy decision countries, please click here.
For residents in China, we may need to transfer your personal information outside of China to overseas entities of Cambridge Associates and third parties for business operation, compliance and other purposes, to the extent permitted by the applicable laws and regulations. We will implement the relevant requirements and the appropriate mechanisms for cross-border data transfer where required by the applicable laws and regulations.
For data subjects in the DIFC, please refer to the section titled “Sharing and disclosure of your personal data and for which reasons” below.
Your Choices in Relation to Personal Information
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. Depending on where you live, you may also have rights and choices which you can exercise with respect to the data we hold about you. If you are a California resident, please review the Additional Information for California Residents section below for information regarding your rights. Individuals residing in the EU, UK and Switzerland retain rights listed under the section: Rights Related to Personal Data. Individuals residing in China, please review the Additional Information for China Residents. If you are a data subject in the DIFC, please review the Additional Information for DIFC data subjects section below.
Retention and Destruction of Personal Information
We take reasonable steps to ensure the accuracy of the information we hold about you. We will not use your personal information unless it is (to our knowledge) accurate and up to date. We typically will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. When the purposes for which we have collected the data have ended, we will retain and securely destroy your personal information in accordance with our policy, applicable laws and regulations.
Job Applicants
If you apply for a job at Cambridge Associates, or its affiliates, you will be asked to submit personal data such as your name, contact details, education information, work history and any other information that we consider relevant and necessary to your application or information that you choose to share with us. If you do not provide the requested information to us, we (or third parties acting on our behalf) may not be able to process your application.
We will use this information to assess your application and evaluate your suitability for the position applied for including documenting all feedback and interactions with you throughout the process.
We may also use your data to analyze and improve our internal recruitment processes and training programs and our communications about events and publications which we may consider to be of interest to you.
We may share your personal data with other companies within our group and external third parties including, without limitation, recruitment service providers, right to work agencies, background check providers, credit reference providers, IT system providers, professional bodies, previous employers and/or educational institutions, as necessary to process your application. The companies within our group and third parties may be located in a different country than your country of residence.
If you are offered a job at Cambridge Associates or its affiliates, we will process your information, as necessary to take steps to enter into an employment contract with you.
We will store your data in the United States of America.
We will keep your personal data from your last contact with us regarding job opportunities at Cambridge Associates. If you are offered employment with us or our affiliates, we will keep the personal data submitted and collected for the duration of your employment with us or for longer as required by law.
If you do not wish to be contacted regarding future opportunities or if you do not wish for us to process your data, please contact: privacy@cambridgeassociates.com.
Children
Our website and services are not directed to children who are under the age of 16. We do not knowingly collect personal information from children under the age of 16. We request that no such information be submitted to us. If you have reason to believe that a child under the age of 16 has provided personal information to us through the website or our services, please contact us and we will endeavor to delete that information from our databases.
Links to Other Websites
The website may contain links to other websites not operated or controlled by us, including social media services (“Third Party Sites”). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third-Party Sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. We do not bear any liability and responsibility for the content or your use of these sites. Please contact the Third-Party Sites directly for information on their privacy practices and policies.
Third Party Tracking and Do Not Track Signals
We and service providers acting on our behalf may use cookies or other tracking technologies on our website to collect certain information about your browsing activities over time and across different websites following your use of the website. Our website currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Policy, whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so. For more information on what data is collected and how we use cookies, please see our Cookies Policy.
Security
Unfortunately, the transmission of data over the internet is not completely secure. Although we will use our reasonable commercial efforts to implement and maintain technical and organizational measures, including but not limited to, encryption and access controls to protect your personal information against loss, misuse, unauthorized alterations or interception, we cannot guarantee its security. All clients who access performance data and other investment information from our website receive unique login and password identifiers, and it is your responsibility to protect your login information.
Rights Related to Personal Data
The EU General Data Protection Regulation (“GDPR”), UK GDPR and the Swiss Federal Data Protection Act, respectively, provide EU, UK and Swiss residents with specific rights regarding their personal information. This section describes your rights under the GDPR and the Swiss Federal Data Protection Act (as applicable). Subject to certain exceptions and exclusions, EU, UK and Swiss residents have the following rights in relation to the personal information we collect:
- the right to access information held about you
- the right to object to processing that is likely to cause you damage or distress
- the right to prevent processing for direct marketing purposes
- the right to request restriction of processing of personal data concerning you or to object to such processing
- the right to have information about you rectified, erased, or destroyed
- the right to claim compensation for damages to you caused by a breach of law
- the right to have your personal data transferred to another entity
- the right to revoke the declaration of consent under data protection law
- the right to information on safeguards, enforceable rights and effective legal remedies which are available regarding the transfer of personal data outside the EU
- the right to complain to a data protection authority
Exercising Your Rights
EU, UK and Swiss residents can exercise the above privacy rights by emailing us at privacy@cambridgeassociates.com.
Please note that we will carry out reasonable identification checks to verify your identity before handling your request.
Additional Information for California Residents
In accordance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act of 2023 (“CPRA”), this section is intended to inform California residents of (1) the personal information that we collect and how we disclose that information, and (2) the privacy rights California residents may have relating to their personal information and how those rights can be exercised.
Personal Information Collection and Disclosure
The following disclosures are intended to provide additional information about the collection and disclosure of personal information. Nothing in this section limits our ability to use or disclose information as described elsewhere in this Privacy Policy.
- Categories of Personal Information Collected: In the past 12 months, we have collected the following categories of personal information, as described in greater detail in the “What Personal Information We Collect and From Where We Get It” section above:
- Identification Information, such as your name, email address, phone number, physical address, zip code, biographical information, social security and other identification numbers, and online account information (e.g., username and password).
- Online Activity Information, such as your device identifier or IP address, the type of browser and device you are using, information about your device’s operating system, the actions you take on our website, and the names of referring and exit webpages. For more information on our collection of Online Activity Information, see our Cookies Policy.
- Commercial and Financial Information, such as your transaction history, wire transfer instructions, banking details, account numbers, and information on your income, assets, and risk tolerance.
- Sources of Personal Information: We collect the above categories of personal information from you, your authorized representatives and fiduciaries, our analytics providers and other service providers, and as otherwise described in the “What Personal Information We Collect and From Where We Get It” section above.
- Purposes of Collection and Disclosure: We collect and disclose the above categories of Personal Information for the business and commercial purposes described in the “How We Use Personal Information” and “Sharing and Disclosure of Personal Information” sections above.
- Categories of Personal Information Disclosed for a Business Purpose: In the past 12 months, we have disclosed for a business purpose all of the above categories of personal information to affiliates, service providers, custodians, fund administrators, investment managers, and other nonaffiliated companies or individuals as described in the “Sharing and Disclosure of Personal Information” section above.
- Categories of Personal Information Sold: Cambridge Associates does not sell personal information.
California Consumer Privacy Act (“CCPA”) AND California Privacy Rights Act of 2023 (“CPRA”) Rights
The CCPA and CPRA provide California residents with specific rights regarding their personal information. This section describes your rights and explains how to exercise those rights. Subject to certain exceptions and exclusions, California consumers have the following rights in relation to the personal information we collect:
- The right to request that we delete, and direct any service providers that have received that personal information to delete, the personal information that we have collected and retained.
- The right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months.
- The right to opt-out of the sales of your personal information. (Cambridge Associates does not sell your personal information.)
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information.
- The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA or CPRA.
Exercising Your Rights
California residents can exercise the above privacy rights by calling 1-888-834-5222 x2823 or emailing us at privacy@cambridgeassociates.com.
Additional Privacy Rights*
Our privacy practices are designed to comply with all applicable privacy laws and regulations including, but not limited to, the following:
United States of America: California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), Health Insurance Portability and Accountability Act (“HIPAA”), Gramm-Leach-Bliley Act (“GLBA”)
EU, UK, and Switzerland: General Data Protection Regulation (“GDPR”), German Federal Data Protection Act, UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018, Swiss Federal Data Protection Act
Canada: Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Dubai International Financial Centre: Data Protection Law No. 5 of 2020 (“DPL”)
Australia: Privacy Act 1988 (“Privacy Act”)
Singapore: Personal Data Protection Act (“PDPA”)
China: Personal Information Protection Law (“PIPL”), PRC Data Security Law and PRC Cybersecurity Law
*Please note that this list is not exhaustive and may not cover all the laws that could apply to your personal data. The applicability of these laws depends on various factors, including your location. We are committed to complying with all applicable laws protecting your privacy rights.
Additional Information for Swiss Residents
Cambridge Associates is a global organization with clients and operations around the world. As such, we collect and transfer personal data globally within Cambridge Associates and to our service providers as required. During the processing of certain personal data as described above, some personal data may be transferred to another country in Europe (Germany), the UK and other countries worldwide, in particular to countries where Cambridge Associates and/or Cambridge Associates’ service providers or their subcontractors (such as the United States of America) are located.
When transferring your personal data to another country, we will take appropriate measures to ensure that the data is protected and transferred in accordance with applicable legal requirements. In the event that personal data is transferred to a third country that does not have adequate data protection legislation, Cambridge Associates will implement appropriate safeguards to ensure an adequate level of data protection, in particular by implementing standard contractual clauses recognized by the competent authorities.
Additional Information for China Residents
As a data subject in China, you have the rights according to the PIPL and other applicable laws. We will try our best to support the exercise of your rights according to the law, but please be aware that your exercise of certain rights may affect the services we can offer or be subject to certain constraints. For example, if you withdraw your consent, we may not be able to provide the relevant services for you; if you would like to delete your personal information provided to us, but the retention period prescribed by the applicable laws and regulations has not expired, or it is technically difficult to delete the personal information, we will cease the Processing of the personal information, except for the storage and any necessary measure taken for security protection.
Prior to using our services, you have carefully read, fully understood and accepted this Privacy Policy. By accepting and consenting to this Privacy Policy, you have granted your consent, including the separate consent required under the PIPL (for example, the separate consent for transferring your personal information out of China and for providing your personal information to other data controllers), to authorize us to Process your personal information in accordance with this Privacy Policy.
Verification: In order to protect your personal information from unauthorized access or deletion, we may require you to verify your credentials when you submit a request to know or delete Personal Information. If you do not have an account with us, or if we suspect fraudulent or malicious activity, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we will not provide or delete your personal information.
Authorized Agents: You may submit a request to know or a request to delete your personal information through an authorized agent. If you do so, we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.
Exercising Your Rights: China residents can exercise the above privacy rights by emailing us at privacy@cambridgeassociates.com.
[1] See Article 6 with respect to GDPR as well as Articles 6 and 16 with respect to Federal Act on Data Protection (“FADP”).
Additional Information for Data Subjects in the DIFC
In compliance with Cambridge Associate (DIFC) Limited’s obligations as a Controller under the DIFC DPL, this section is intended to inform DIFC data subjects how we generally collect, hold, use and disclose personal data, your rights in relation to the personal data that we hold about you and the third parties to whom it may be disclosed. It is important that you read and retain this notice, together with any other Privacy Notice we may provide on specific occasions.
This Privacy Notice applies to the following individuals (“you”):
- Our past, present and prospective customers;
- Website users;
- Anyone involved in any transaction or interaction with us, whether it is in your personal capacity or as a representative of a legal entity (for example, director, a company manager, agent, legal representative, operational staff, other authorized representative, etc.); and
- Our advisors, consultants or secondees.
The Privacy Notice may form among other documents an integral part of the master agreement we have with you. However, it does not form part of any contract to provide services for which we have signed the contract with you.
If you provide us with personal data about someone else such as your emergency contact/next of kin or someone with whom you have business dealings, you must ensure that you are permitted to disclose that information to us.
This Notice does not form part of your contract of employment or engagement and may be amended from time to time in line with best practice and any changes in the law or applicable codes of practice.
Capitalized terms below are defined under the DIFC DPL.
Personal Data Processing
Personal Data means any information about an individual from which that person can be identified, directly or indirectly. It does not include data where the identity has been removed (anonymous data).
We collect your Personal Data from various sources, such as through our Cambridge Associates website, consent driven mailing lists for marketing purposes, and our interactions with you. We may also obtain Personal Data from other sources, background and/or identity checks or via cookies on our website.
For employees and candidates, we collect information via:
- the information you submit during the course of your relationship with us e.g. when you apply for a position with us, join us as an employee, or make any amendments to your personal employment data held by us e.g. by notifying Human Capital (“HC”) in writing or verbally;
- information collected automatically when you interact with and use company systems and resources, such as device information and usage data;
- when you communicate with us by telephone, email or other forms of electronic communication; in this respect, we may monitor, record and store any such communication;
- we may also collect Personal Data about you from third parties such as previous employers, recruitment agencies, and background check providers.
What Personal Data We Collect About You
The Personal Data processed by Cambridge Associates in the DIFC depends on the purpose for such processing.
- Clients, potential clients and other third parties that may interact with us:
- As part of our due diligence and onboarding processes and to comply with ongoing legal obligations on anti-money laundering and counter terrorist financing, taxation, crime detection, crime prevention, investigation, the prevention of fraud, bribery, anti-corruption, tax evasion, we may process Personal Data such as name, signature, postal address, email address, date and place of birth, nationality, professional or employment related information, source of funds/wealth details, tax identification, signatures, other contact details, account numbers (or functional equivalent) and transaction details (including transactions with our affiliates), your tax or other government issued ID numbers, utility bills for the purposes of address verification, photographic identification and verification such as copies of your passport, passport number and driver’s license, information relating to your status as an ultimate beneficial owner of an entity, a politically exposed person or a designated individual on a sanctions list.
- We may collect and process Personal Data relating to you in connection with our on-going relationship with you, such as via correspondence and calls, and in connection with the administration of our relationship with you. Telephone calls with you may be recorded for the purposes of record keeping, security and training.
- We Process your Personal Data for the purpose of delivering a service to you, for the purpose of maintaining appropriate business records, including maintaining appropriate registers required under applicable law and regulation, for the purpose of quality control, data security, business and statistical analysis, market research, to meet our internal and external audit requirements, for the purpose of tracking fees and costs and for the purpose of customer service.
- Website, applications and other social media platform visitors:
- When you visit our website we automatically collect certain technical data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
We also provide you with an option to accept, reject or manage cookies that may be dropped on your device while you navigate our website. Details of such cookies can be found in our Cookie Banner and Cookies Policy here.
- We also invite you to contact us and, in this regard, we request your name, organization name and type, country you are based in and work email address.
- We process your social media platform account details when you connect with us there.
- Attendance at our offices and events:
- We also collect and process your name, contact details, image, in relation to your attendance at our offices or at an event or seminar organized by Cambridge Associates or our business partners.
Our website is not targeted, intended or expected to be of use to children. Apart from providing information for specific services or purposes, as directed by DIFC processes, user-provided contributions of content or contact information regarding or about children are expressly prohibited.
If you choose not to provide the Personal Data we request, we may not be able to provide you with the product or service you need.
- Employees and candidates:
The Firm is required to keep and Process your Personal Data for employment purposes. The information that we hold and Process will be used for management and administrative use only. We will keep and use your Personal Data to enable us to carry out our business and management of the employment relationship with you effectively, lawfully, and appropriately, during the recruitment stage, whilst you are employed by us and at the time your employment ends. This includes information that enables us to comply with the employment contract, any legal requirements, and for us to protect our legal position in the event of any legal proceedings.
If you do not provide this data, we may in some circumstances be unable to comply with our legal and regulatory obligations. Under such circumstances, we will inform you of the implications of that decision. For employment purposes we may collect the following:
- personal details such as your name, address, date of birth, gender, marital status, emergency contact details, country of residence, next of kin and emergency contact information;
- professional details such as your work contact details, CV, details of your qualifications, location of employment and workplace, employment history, certifications, biography, relevant experience and skills;
- financial information such as salary, payroll records, your bank details and tax related details, DEWS, pension and benefits information;
- recruitment information, including copies of right-to-work documentation, information required for the provision of medical insurance, employment references and other information included as part of the application process;
- response to internal surveys and other internal communications;
- identification documentation such as copies of your passport, driving license, national ID card, employment visa, or other documentation required by law (which may include your photograph);
- HC-related records such as training, appraisals/performance assessments, annual leave, absence and time-keeping records, disciplinary, grievance or capability proceedings, references and background checks; and
- details of your access to our premises and systems, software, websites, and applications including access, location data and communications data.
We make every effort to maintain the accuracy and completeness of your Personal Data which we store and to ensure all your Personal Data is up to date. However, you can assist us with this considerably by promptly contacting us if there are any changes to your Personal Data or if you become aware that we have inaccurate Personal Data relating to you.
Legal Basis for Processing
We only use your Personal Data under one of the following legal grounds:
- To conclude and carry out a contract with you, such as for clients where we collect information on suitability and information to fulfil our AML requirements, and for employees/candidates to confirm your references, character and educational background and to conduct background checks;
- To comply with our legal obligations such as:
- To comply with our obligations under applicable law and regulations, which may include laws and regulations outside your country of residence e.g. AML, employment (such as general business management, operations and planning including accounting and auditing; determining the terms on which you work with us, to check you are legally entitled to work in the UAE, recording compliance with employment law requirements, administration of payroll, DEWS, provision of training, sickness and absentee management, making decisions about salary, benefits, promotions, undertaking grievance and disciplinary procedures) and other laws and regulations;
- to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; and
- to carry out anti-money laundering sanctions or Know Your Customer (“KYC”) checks as required by applicable laws and regulations.
- For our legitimate business interests, the legitimate interests pursued by us in this regard include:
- conducting our business in a responsible and commercially prudent manner and dealing with any disputes that may arise, such as for employees where we would monitor your use of our systems to ensure you comply with our internal policies, ensuring network and information security, recording training requirements, internal financial management, to consider your suitability for any of our current or future employee roles.
- preventing, investigating or detecting theft, fraud or other criminal activity
- pursuing our legitimate corporate and ethical, social, and governance responsibility;
- to maintain good commercial relations with all our customers and other concerned parties, e.g. planning corporate events and activities;
- to protect our rights, privacy, safety, property, or those of other persons;
- for the purposes of a merger, sale, restructure, acquisition, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
- Protect the legitimate interests of the employer or a third party, except where this is overridden by the interests or rights of the employee, examples of this would include where we collect personal data for security purposes or transfer information to the Group for administration purposes;
- to protect our rights, users, systems and services;
- When we have your consent;
- To protect your right as an employee or another individual’s vital interests (for example, medical data during a health emergency, next of kin contact details);
- Carry out a task in the public interest, or in exercising official authority vested in the employer; and
Employees’ family members / dependents are also covered under this notice to the extent they form part of the benefits under the employment contract.
Special Categories of Personal Data
“Special Categories” of particularly sensitive Personal Data require higher levels of protection. We have in place safeguards in compliance with the law. We are likely to Process Special Categories of Personal Data based on the following justifications where:
- in limited circumstances, we have your explicit written consent;
- it is necessary for performance of the contract you enter into with us;
- it is necessary to comply with the law applicable to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection, or prosecution of any crime; or
- it is necessary for the compliance with specific requirements pursuant to laws applicable to us;
- it is necessary for the purposes of carrying out the obligations of being your employer and to exercise our rights as your employer
- vital interests;
- it is necessary for the establishment, exercise or defense of legal claims; and
- it is necessary for the purposes of complying with regulatory requirements relating to unlawful acts and dishonesty, malpractice or other seriously improper conduct.
We envisage that we may hold information about criminal convictions. We will only collect Personal Data about criminal convictions if it is appropriate and where we are legally able to do so, for example, when performing screening for anti-money laundering purposes or background checks for employment purposes. For employment purposes we may also collect certain special categories of personal data from you such as:
- information about your health, including any medical conditions and health and sickness records;
- information about your criminal convictions and offenses collected from background checks conducted at the beginning of your employment or engagement with us;
- visa application details such as religion.
Less commonly, we may Process this type of Personal Data where it is needed in relation to legal claims, where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
For marketing purposes, we would not obtain Special Categories of Personal Data; however, if we do, we will issue a separate notice on how we would use the data.
Your Consent
In general, we do not rely on consent as our Processing reason and also would not require consent if we use Special Categories of your Personal Data in accordance with our written policy to carry out our legal obligations.
In limited circumstances, we may approach you for your written consent to allow us to Process certain particularly sensitive data. If we do so, we will provide you with full details of the Personal Data that we would like and the reason we need it so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your relationship with us that you agree to any request for consent from us.
Sharing and disclosure of your personal data and for which reasons
We do not and will not sell, rent out or trade your Personal Data. We will only disclose your Personal Data in the ways set out in this Notice. When we disclose Personal Data, we do so in accordance with the DIFC DPL and our internal security standards.
To comply with our regulatory obligations, we may disclose personal data to the relevant government, supervisory and judicial authorities such as:
- Public authorities, regulators and supervisory bodies such as the financial sector supervisors in the countries in which we operate.
- Tax authorities may require us to report customer assets or other personal data such as your name and contact details and other information about your organization. For this purpose, we may process your data such as your tax identification number or any other national identifier in accordance with applicable local law.
- Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legitimate request.
When we use third parties to carry out certain activities in the normal course of business, we may have to share Personal Data required for a particular task. For instance:
- IT service providers who may provide application or infrastructure (such as cloud) services;
- Marketing activities or events and managing customer communications;
- Legal, auditing or other services provided by lawyers, notaries, trustees, Cambridge Associates’ auditors or other professional advisors e.g. insurance, payroll providers, systems providers, employee benefit providers, background check providers etc.;
- Identifying, investigating, or preventing fraud or other misconduct by specialized companies.
We may also share Personal Data with Group entities within Cambridge Associates for administrative purposes. Personal Data in the form of ID documents, KYC data and financial information, recruitment of employment information may be shared with Group entities as a pre-contractual or contractual measure.
International Transfer of Personal Information
The third parties or Group entities may be located in a jurisdiction that does not have the same level of data protection as the DIFC. In such cases the third parties or Group entities will be required to abide by standard data protection clauses or the Personal Data transfer may be subject to a lawful derogation. You may ask us for further details of these safeguards, where required.
Companies acting on our behalf are required to keep your Personal Data confidential.
How we protect your Personal Data
We take our obligations to protect your Personal Data from unauthorized access, loss, misuse, modification or unauthorized disclosure seriously and as such we take reasonable steps to hold Personal Data securely in electronic or physical form.
Cambridge Associates have appropriate technical and organizational measures in place to safeguard your Personal Data. Once we receive your Personal Data, we will take reasonable steps to use technical measures to prevent unauthorized access, modification or disclosure, and take steps to protect the Personal Data we hold from interference, misuse, loss, unauthorized access, modification or unauthorized disclosure. Measures include but are not limited to role-based access controls, strict password protocols, training, encryption, data protection and information security policies and procedures. Some electronic communications through non-secure web platforms may not be secure, virus-free or successfully delivered. If you communicate with us using a non-secure web platform, you assume the risks that such communications between us may be intercepted, not received, delayed, corrupted or received by persons other than the intended recipient.
How long do we keep your Personal Data?
Cambridge Associates will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, compliance, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. When we no longer need your personal data, we securely delete or destroy it or put it beyond further use. We have a Retention Policy which outlines the applicable periods.
DIFC Data Subject Rights
Under certain circumstances, and where the conditions specified in the DIFC DPL are met, by law, you have the right to:
- Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully Processing it.
- Request rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue to Process it.
- Right to be notified regarding rectification or erasure of Personal Data or restriction of processing, unless it involves a disproportionate effort.
- Object to Processing of your Personal Data. You have the right to object to the processing of your personal data in certain circumstances.
- Request the restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of Personal Data about you, for example, if you want us to establish its accuracy or the reason for Processing it.
- Data portability enables you to receive or request transfer of the data you have provided us in a structured, commonly used and machine-readable format.
- Right not to be discriminated against for exercising the rights mentioned above.
If you choose to exercise your rights, we may need to request specific Personal Data from you to help us confirm your identity and ensure your right to access the Personal Data (or to exercise any of your other rights). This security measure ensures that Personal Data is not disclosed to an unauthorized person.
You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances, where permitted by law.
Direct Marketing
We may use your Personal Data to offer you products and services that we believe may interest you. If you do not wish to receive marketing offers from us, you can let us know by emailing us at privacy@cambridgeassociates.com at any time. Note however that we have no control over the way social media sites target and market our paid advertising to their audiences.
Changes
We may change the terms of this Privacy Policy from time to time. You may find a current version of this policy posted on our website at www.cambridgeassociates.com. We suggest you regularly check this Privacy Policy for any updates.
Affiliates

Contact Information
For further details about our privacy policy, please contact:
Sean F. Hanna
Chief Compliance Officer and Senior Counsel
115 Federal Street
Suite 2600
Boston, MA 02110
Tel. 617-457-7518
Fax 617-457-7501
email: privacy@cambridgeassociates.com
DIFC Contact Information
Complaints, concerns and exercising your rights
If you have any queries about the contents of this Notice, wish to exercise any of your Data Subject rights, or would like to raise a complaint or comment under the DIFC DPL, please contact our Data Protection Officer via the following details:
difcdataprotection@cambridgeassociates.com
Cambridge Associates (DIFC) Limited
Level 15, Gate Building
Dubai International Financial Centre
Dubai, United Arab Emirates
+971 4 323 0800
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can escalate your complaint to the data protection supervisory authority via the details below:
DIFC Data Protection Commissioner Contact Details:
Dubai International Financial Centre Authority Level 14,
The Gate Building
+971 4 362 2222
commissioner@dp.difc.ae