Privacy Notice — NextSpace Investor Portal
This Privacy Notice explains how NextSpace SCSp (the "Fund", or "we") collects, uses, and protects personal data of our investors and prospective investors when they use our Investor Relations Portal at investors.nextspace.it. It is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
1. Data Controller
NextSpace SCSp — a Special Limited Partnership (Société en Commandite Spéciale) incorporated under the laws of Luxembourg, with registered office in Luxembourg.
General Partner: NextSpace GP S.à r.l., Luxembourg.
Contact for privacy matters: ir@nextspace.it
We have not appointed a designated Data Protection Officer (DPO), as the scale and nature of our processing activities do not currently meet the thresholds set out in Article 37 GDPR. All privacy-related communications should be addressed to the contact above.
2. Categories of Personal Data Collected
When you accept an invitation to the portal and during your relationship with the Fund, we process the following categories of personal data:
| Category | Examples |
|---|---|
| Account & Identity | Email, name, login timestamps, IP addresses, two-factor secret |
| Anagraphic & Documents | Legal name, date and place of birth, nationality, address, phone, Codice Fiscale or VAT number, ID document type/number/expiry |
| Investment Vehicle | For investors investing through a corporate vehicle: company name, VAT number, registered address, signing authority |
| KYC / AML | Verification status, risk rating, expiry date, PEP (Politically Exposed Person) status — Article 9 GDPR special category |
| Signed Documents | PDFs of subscription agreements, NDAs, KYC questionnaires, source-of-funds declarations, tax forms |
| Financial | Commitment amounts, capital call records, payment dates and statuses |
| Communications | Outbound emails sent to you (subject and date), notes recorded by the IR team after calls/meetings |
| Behavioral / Audit | Login history, document downloads, OTP device-trust cookies, IP and user-agent logs |
3. Purposes and Legal Basis
We process your personal data for the following purposes, on the following legal bases:
- Performance of contract (Art. 6(1)(b) GDPR): managing your relationship with the Fund — providing portal access, processing capital calls, sending statements, recording commitments.
- Legal obligation (Art. 6(1)(c) GDPR): compliance with anti-money-laundering law (Italian Legislative Decree 231/2007 transposing EU AMLDs; Luxembourg AML/CFT framework). This includes customer due diligence, KYC verification, record-keeping, and reporting suspicious transactions.
- Legal obligation for tax reporting and corporate documentation (Italian and Luxembourgish tax law).
- Legitimate interest (Art. 6(1)(f) GDPR): security audit logs, fraud prevention, and ensuring portal integrity. We have assessed that our interests do not override your rights and freedoms.
- Explicit consent (Art. 9(2)(a) GDPR): processing of your PEP status, which constitutes a special category of data (data revealing political opinions). Consent is captured at portal onboarding and may be withdrawn (subject to AML obligations that may require continued retention).
4. Recipients of Your Data
Your personal data may be shared with:
- The General Partner of the Fund and its officers, employees, and authorised representatives
- The Fund's professional advisors, including legal counsel (Pedersoli, Dentons), tax advisors, and auditors
- Sub-processors engaged to operate the portal infrastructure — see the full list at /processors
- Competent regulatory and judicial authorities where required by law (e.g. UIF, CSSF, Garante per la Protezione dei Dati Personali, tax authorities)
5. International Transfers
Your personal data is currently processed within the European Union (Luxembourg, Italy, Germany, Finland) and is not transferred to third countries on a routine basis. Where any third-country transfer becomes necessary in the future (for example through US-based vendors), it will be subject to appropriate safeguards under Chapter V GDPR (Standard Contractual Clauses, adequacy decisions, or equivalent).
6. Retention
We retain your personal data for as long as necessary to fulfil the purposes set out above, in particular:
- KYC/AML records — for the duration of the investor relationship and for 10 years after its termination, as required by Italian Legislative Decree 231/2007 (Art. 31).
- Contractual records and signed documents — 10 years after the end of the relationship (statute of limitations for civil claims).
- Tax records — as required by applicable tax law (typically 10 years).
- Behavioral and audit logs — 12 months from the date of the event, unless required for ongoing security investigation.
- Email communications log — for the duration of the investor relationship.
Note: The retention obligations imposed by AML and tax law take precedence over Article 17 GDPR (right to erasure). A request to delete personal data covered by these legal retention obligations will normally be denied with a documented reason, while continuing to honour your other rights (access, rectification, restriction).
7. Your Rights
Under GDPR Articles 15-22 you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16) — you can update most fields directly via your portal profile
- Erase data ("right to be forgotten", Art. 17) — subject to AML retention obligations
- Restrict processing in certain circumstances (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for processing based on consent (Art. 7), without affecting the lawfulness of prior processing
You can exercise these rights at any time by visiting "My Data" in your portal, or by emailing ir@nextspace.it. We will respond within 30 days (extendable to 90 days for complex requests, with notification).
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS/TLS for all data in transit
- Mandatory two-factor authentication for portal access
- Encrypted backups stored off-site with the decryption key held offline
- Rate limiting and account lockout to prevent brute-force attacks
- Audit logging of administrative actions and data access
- Watermarking of confidential documents downloaded from the portal
9. Data Breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and within 72 hours where feasible (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify you directly without undue delay (Art. 34).
10. Complaints
You have the right to lodge a complaint with a supervisory authority, in particular:
- Commission Nationale pour la Protection des Données (CNPD), Luxembourg — lead authority — cnpd.public.lu
- Garante per la Protezione dei Dati Personali, Italy — for Italian residents — garanteprivacy.it
11. Changes to This Notice
We may update this notice from time to time to reflect changes in our processing activities or applicable law. We will notify you by email of any material change. The "Last updated" date at the bottom of this page reflects the most recent revision.
An Italian translation of this notice is available on request to data subjects who are Italian residents, in accordance with the recommendations of the Italian Data Protection Authority. Email ir@nextspace.it.