Privacy Policy
Effective Date: September 27, 2025
Last Updated: September 27, 2025
Version: 1.01
1. Introduction and Scope
1.1. Our Commitment to Your Privacy
AIM Investment Fund S.A. (“AIM,” “we,” “us”) is unequivocally committed to protecting the privacy and security of your personal data. We process personal data in strict accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the Polish Act of 10 May 2018 on the Protection of Personal Data (the “Act”), alongside other applicable national and sectoral legislation governing the financial services industry in Poland.
This policy is founded on the core principles of data protection: lawfulness, fairness, and transparency. We are dedicated to being transparent about why we need your personal data and how we use it.
1.2. Data Controller Information
For the purposes of the GDPR, AIM Investment Fund S.A. is the “Data Controller” of the personal data processed in accordance with this policy. This means we are responsible for deciding how we hold and use personal information about you.
- Full Legal Name: AIM Investment Fund S.A.
- Registered Address: Jana Pawła II 27, 00-867 Warsaw, Poland
- Registration Court: District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division
- Company Registration Number (KRS): 0001179767
- NIP: 5833315173
- REGON: 380822590
- Share Capital: PLN 7,122,500.00, paid in full
- Contact Email: contact@aimifsa.com
1.3. Data Protection Officer (DPO)
In accordance with our legal obligations under Article 37 of the GDPR, we have appointed a Data Protection Officer (DPO). The appointment of a DPO is mandatory for organisations like ours whose core activities involve the large-scale processing of sensitive data and/or the regular and systematic monitoring of individuals, which is inherent in the client due diligence and anti-money laundering (AML) processes within the financial sector. Our DPO is responsible for overseeing our compliance with data protection law.
Should you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our DPO directly:
- Email: contact@aimifsa.com
- Postal Address: Jana Pawła II 27, 00-867 Warsaw, Poland (Please mark the envelope “For the attention of the Data Protection Officer”)
1.4. Scope of This Policy
This Privacy Policy applies to all natural persons (“Data Subjects”) whose personal data we process in the course of our business activities. This includes, but is not limited to:
- Current, prospective, and former investors and clients.
- Visitors to our website, aimifsa.com.
- Current, prospective, and former employees, contractors, and interns.
- Representatives, directors, and beneficial owners of our institutional clients.
- Representatives of our business partners, suppliers, and third-party service providers.
- Individuals whose personal data is provided to us in connection with our investment activities, such as directors, officers, or key personnel of portfolio companies or potential investment targets.
2. Key Definitions
To ensure this policy is clear and easy to understand, we use the following key terms as defined in Article 4 of the GDPR.
- Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means. This is an extremely broad term that includes collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction of data. It is crucial to understand that even the passive, long-term storage of data for compliance purposes constitutes “processing.” As a financial institution, we are legally required to retain certain investor records for many years after a business relationship has ended. By defining “Processing” so comprehensively, this policy clarifies that all GDPR protections, including robust security and eventual secure deletion, apply to your data throughout its entire lifecycle with us, not just when it is being actively used.
- Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this policy, this is AIM Investment Fund S.A.
- Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Examples include our fund administrator or our cloud hosting provider.
- Data Subject: The identified or identifiable natural person to whom the personal data relates.
- Lawful Basis for Processing: The legal justification required under Article 6 of the GDPR for any processing of personal data. The six potential lawful bases are: Consent, Performance of a Contract, Legal Obligation, Protection of Vital Interests, Performance of a Public Task, and Legitimate Interests.
- European Economic Area (EEA): The Member States of the European Union, plus Iceland, Liechtenstein, and Norway.
3. Personal Data We Process, Purposes, and Lawful Bases
This section provides a detailed and transparent overview of the personal data we collect, why we collect it (the “purpose”), and the legal justification for doing so (the “lawful basis”). The choice of lawful basis is a critical legal determination that directly impacts your rights. For example, your right to withdraw consent is absolute for processing based on “Consent” (such as for marketing), whereas your right to have data erased does not apply where we process your data to comply with a “Legal Obligation” (such as for anti-money laundering checks). By clearly mapping each activity to its specific lawful basis, this policy provides the necessary foundation for you to understand and exercise your rights effectively.
3.1. For Our Investors and Clients (Prospective, Current, and Former)
We process your personal data to provide our investment services and to meet our stringent regulatory duties.
- Categories of Personal Data Processed:
- Identity Data: Full name, title, date and place of birth, nationality, gender, and copies of identification documents such as passports, national ID cards, or driving licences.
- Contact Data: Residential and/or business address, personal and/or business email address, and telephone numbers.
- Financial Data: Bank account details, source of wealth and source of funds information, investment history, assets, net worth, tax identification numbers (e.g., NIP, PESEL), and transaction records.
- Due Diligence Data: Information required for Anti-Money Laundering (AML) and Know Your Customer (KYC) checks, including information regarding your status as a Politically Exposed Person (PEP), and, where permitted by Polish law for the financial sector, information about criminal convictions or offences.
- Profile and Communications Data: Your investment objectives, risk tolerance profile, records of our correspondence and communications with you (including emails, meeting notes, and call recordings where applicable and legally permitted).
- Purposes and Lawful Bases for Processing:
- Purpose: To assess your application to invest and to onboard you as a client.
- Lawful Basis: Necessary to take steps at your request prior to entering into a Contract.
- Purpose: To perform our contractual obligations, including processing subscriptions and redemptions, managing your investment portfolio, and providing you with statements and reports.
- Lawful Basis: Necessary for the Performance of a Contract to which you are a party.
- Purpose: To comply with our extensive legal and regulatory obligations, including conducting AML/KYC due diligence, fraud prevention, tax reporting under regulations such as FATCA and CRS, and responding to binding requests from regulators (e.g., the Polish Financial Supervision Authority – KNF) or law enforcement.
- Lawful Basis: Necessary for compliance with a Legal Obligation. This is a primary basis for much of our processing of investor data.
- Purpose: For our legitimate business interests, such as managing our client relationships, conducting internal analysis to improve our services, managing risk, and defending or pursuing legal claims.
- Lawful Basis: Necessary for our Legitimate Interests, provided these are not overridden by your interests or fundamental rights and freedoms.
3.2. For Visitors to Our Website
When you visit aimifsa.com, we process a limited amount of personal data.
- Categories of Personal Data Processed:
- Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other data about how you use our website, collected through cookies and similar technologies.
- Contact Data: Your name, email address, company name, and the content of your message if you choose to submit an inquiry through our contact forms or subscribe to our newsletters.
- Purposes and Lawful Bases for Processing:
- Purpose: To administer, maintain, and secure our website and network systems.
- Lawful Basis: Necessary for our Legitimate Interests in ensuring the proper functioning and security of our online presence.
- Purpose: To analyze website traffic and user behaviour to improve our website’s functionality and user experience. This involves the use of non-essential analytics cookies.
- Lawful Basis: Your Consent, which we obtain through our cookie consent banner before placing any non-essential cookies on your device.
- Purpose: To respond to inquiries you submit via our contact forms.
- Lawful Basis: Necessary for our Legitimate Interests in responding to your queries and engaging with potential clients or partners.
- Purpose: To send you marketing communications, such as newsletters or market insights, where you have subscribed to receive them.
- Lawful Basis: Your Consent, which must be freely given, specific, informed, and unambiguous (e.g., by actively ticking an opt-in box).
For more detailed information on our use of cookies, please see our separate Cookie Policy, which is accessible via a link on our website footer.
3.3. For Our Employees and Job Applicants
We process personal data for the purposes of recruitment and human resources management.
- Categories of Personal Data Processed:
- Identity and Contact Data: As detailed in Section 3.1.
- Professional and Application Data: Curriculum vitae (CV), cover letter, employment history, educational background, qualifications, professional certifications, and references.
- Financial and Administrative Data: Bank account details for payroll, tax identification numbers, social security information, and details of dependents for benefits administration.
- Contractual and Performance Data: Employment contract, job title, salary information, performance reviews, disciplinary records, and training records.
- Criminal Record Data: The Polish Labour Code grants employers in the financial and banking sector the explicit right to check criminal records for certain employees and applicants for positions that involve access to confidential data or high-risk decision-making. We will only process such data where it is strictly necessary and legally permissible for the specific role.
- Purposes and Lawful Bases for Processing:
- Purpose: To assess your suitability for a role and manage the recruitment process.
- Lawful Basis: Necessary for our Legitimate Interests in recruiting qualified staff and necessary to take steps prior to entering into an employment Contract.
- Purpose: To administer the employment relationship, including payroll, benefits, performance management, and providing access to company systems.
- Lawful Basis: Necessary for the Performance of a Contract of employment.
- Purpose: To comply with our legal obligations under Polish employment, social security, and tax law.
- Lawful Basis: Necessary for compliance with a Legal Obligation.
3.4. For Our Business Partners and Service Providers
We process the personal data of individuals who work for our suppliers and other business partners.
- Categories of Personal Data Processed:
- Contact and Professional Data: Name, professional title, employer, work email address, and work telephone number of individual representatives.
- Financial Data: Bank account details for processing payments for services rendered.
- Purposes and Lawful Bases for Processing:
- Purpose: To procure and pay for services, manage contracts, and maintain our business relationship.
- Lawful Basis: Necessary for the Performance of a Contract with your employer and necessary for our Legitimate Interests in managing our supplier relationships.
Summary of Processing Activities
The GDPR’s principle of transparency requires that information be presented in a concise and accessible form. The following table provides an at-a-glance summary of our main data processing activities.
| Purpose of Processing | Categories of Data Subjects | Categories of Personal Data Processed | Lawful Basis (GDPR Art. 6) |
| --- | --- | --- | --- |
| Client Onboarding & Due Diligence | Prospective & Current Investors | Identity, Contact, Financial, KYC/AML Data | Legal Obligation; Performance of a Contract |
| Investment & Portfolio Management | Current Investors | Identity, Contact, Financial, Transactional Data | Performance of a Contract; Legitimate Interests |
| Website Operation & Analytics | Website Visitors | Technical Data (IP Address, Cookie IDs), Contact Data | Legitimate Interests; Consent |
| Marketing & Communications | Prospects, Clients, Website Visitors | Name, Email Address, Professional Title | Consent |
| Employee & HR Administration | Employees, Job Applicants | Identity, Contact, Professional, Financial, Contractual Data | Performance of a Contract; Legal Obligation |
| Supplier & Vendor Management | Business Partners, Service Providers | Contact Data, Financial Data | Performance of a Contract; Legitimate Interests |
4. How We Share Your Personal Data
We do not sell your personal data. We only share your personal data with third parties when it is necessary for the purposes outlined in Section 3 and where we have a lawful basis to do so. It is essential to distinguish between two categories of third parties: Data Processors and Third-Party Controllers. This distinction is critical under the GDPR as it defines the scope of our responsibility and liability.
4.1. Sharing with Data Processors
We engage third-party service providers to perform certain functions on our behalf. These entities act as “Data Processors” and are only permitted to process your personal data in accordance with our explicit, documented instructions. We conduct thorough due diligence on all our processors to ensure they can provide sufficient guarantees to implement appropriate technical and organizational measures to protect your data. We have legally binding Data Processing Agreements (DPAs) in place with each processor, as required by Article 28 of the GDPR. These agreements obligate them to safeguard your data to the same high standards that we do.
Categories of our Data Processors include:
- Fund Administrators and Transfer Agents, who assist with investor record-keeping and transaction processing.
- Custodians and Depositaries, who are responsible for the safekeeping of fund assets.
- IT and Cloud Service Providers, who provide data storage, customer relationship management (CRM) systems, and other essential technological infrastructure.
- Payroll and HR service providers, who assist in managing our employee data.
4.2. Sharing with Third-Party Controllers
In some circumstances, we may share your personal data with third parties who act as independent “Data Controllers.” This means they determine the purposes and means of processing for themselves and are independently responsible for their own compliance with data protection laws.
Categories of Third-Party Controllers we may share data with include:
- Legal and Professional Advisors: Our lawyers, auditors, and tax advisors, who require your data to provide us with professional services.
- Regulatory and Government Bodies: We are legally obligated to share information with regulatory bodies such as the Polish Financial Supervision Authority (KNF), tax authorities (in Poland and abroad, under regimes like FATCA/CRS), law enforcement agencies, and the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych – UODO), when required by law or a court order.
- Financial Institutions: Banks, brokers, and other financial intermediaries involved in processing your transactions or holding assets on your behalf.
5. International Transfers of Personal Data
5.1. Our Approach to International Transfers
As a global investment fund, our operations may require the transfer of your personal data to countries outside the European Economic Area (EEA). We will only transfer your personal data outside the EEA if we are satisfied that the level of protection afforded to it by the GDPR is not undermined. This is a fundamental requirement of Chapter V of the GDPR, and we take this obligation very seriously.
5.2. Safeguards for International Transfers
To ensure the continued protection of your data, we will only conduct such transfers using one of the following legally recognized safeguards:
- Adequacy Decisions: We may transfer your personal data to countries, territories, or international organisations that the European Commission has formally deemed to provide an “adequate” level of data protection. When a transfer is made to such a country, it is treated as if it were a transfer within the EEA, and no further specific safeguard is required.
- Standard Contractual Clauses (SCCs): For transfers to countries that do not have an adequacy decision (such as the United States), our primary safeguard is the use of Standard Contractual Clauses. These are model data protection clauses that have been approved by the European Commission and are legally binding on both the data exporter (us) and the data importer.
- Supplementary Measures and Transfer Impact Assessments (TIAs): Our compliance framework is not static; it evolves with legal precedent. Following the “Schrems II” judgment of the Court of Justice of the European Union, we understand that SCCs alone may not always be sufficient. Therefore, before transferring data using SCCs, we conduct a case-by-case Transfer Impact Assessment (TIA) to evaluate the laws and practices of the destination country, particularly concerning access to data by public authorities. Where the TIA identifies a risk to your data, we will implement appropriate supplementary measures (such as enhanced technical encryption or additional contractual obligations) to ensure your data receives a level of protection that is essentially equivalent to that within the EEA. This demonstrates our commitment to maintaining a current and robust compliance posture in response to significant legal developments.
- Binding Corporate Rules (BCRs): If AIM becomes part of a corporate group that has adopted Binding Corporate Rules approved by a competent data protection authority, we may rely on these rules for intra-group transfers of personal data outside the EEA.
- Derogations: In exceptional and limited circumstances, we may rely on a specific derogation under Article 49 of the GDPR, for example, where you have provided your explicit consent to a specific proposed transfer after being informed of the risks, or where the transfer is necessary for the performance of our contract with you. We will not rely on derogations for regular, systematic transfers of data.
6. Data Security
6.1. Our Security Commitment
We have a legal duty under Article 32 of the GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by our processing of your personal data. We take this duty extremely seriously. Our approach to security is risk-based, meaning the measures we implement are designed to be proportionate to the sensitivity of the data and the potential harm that could result from a data breach.
6.2. Technical Measures
We have implemented a range of technical security controls to protect your personal data from unauthorized access, use, alteration, or destruction. These include:
- Encryption: We use encryption technologies to protect your data both in transit (e.g., Secure Sockets Layer/Transport Layer Security (SSL/TLS) for all data transmitted to and from our website) and at rest (e.g., encryption of databases, servers, and backups).
- Access Controls: We enforce the principle of “least privilege,” ensuring that our employees and contractors can only access the personal data that is strictly necessary for them to perform their job functions. Access is managed through unique user identifiers, strong password policies, and multi-factor authentication for critical systems. Access rights are reviewed and updated on a regular basis.
- Network Security: Our corporate network is protected by enterprise-grade firewalls, intrusion detection and prevention systems, and regularly updated anti-malware and anti-virus software.
- Pseudonymisation: Where feasible and appropriate, we may use pseudonymisation techniques to process personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and securely.
6.3. Organisational Measures
Technology alone is not enough to secure data. We have implemented a framework of organizational measures to foster a culture of security and data protection. These include:
- Policies and Procedures: We maintain a comprehensive suite of internal policies and procedures covering data protection, information security, and data handling. This includes a robust data breach incident response plan to ensure we can detect, investigate, and respond to any security incidents in a timely and compliant manner.
- Staff Training: All our employees and relevant contractors are required to undergo regular and mandatory data protection and cybersecurity awareness training. This ensures they understand their responsibilities and are equipped to identify and respond to potential threats.
- Confidentiality: All employees and contractors are bound by strict contractual duties of confidentiality regarding the personal data they may access.
- Physical Security: We implement physical security measures to protect our premises and the equipment where personal data is stored. This includes controlled access to our offices and server rooms, and secure storage for physical documents.
- Privacy by Design and by Default: We are committed to integrating data protection principles into the design of any new systems, services, or business processes from their inception. This means we consider the data protection implications of a project at the outset, rather than as an afterthought.
7. Data Retention
7.1. Our Retention Principle
In accordance with the GDPR’s “storage limitation” principle, we will not retain your personal data in an identifiable form for longer than is necessary to fulfil the purposes for which it was originally collected. This includes retaining data for the period necessary to satisfy any applicable legal, regulatory, tax, accounting, or reporting requirements.
7.2. Retention Periods
The specific period for which we retain your personal data depends on the purpose for which it is processed. We determine appropriate retention periods by considering the amount, nature, and sensitivity of the data, the purposes of processing, and, most critically, our legal and regulatory obligations. The longest and most rigid retention periods we apply are often dictated not by our business needs, but by external laws. This reality has a direct impact on your “right to erasure,” as we are legally prohibited from deleting certain data even if you request it.
- Client and Investor Data: Personal data related to our investors, including KYC/AML documentation and transaction records, will be retained for the duration of the investment relationship. Following the termination of the relationship, we are required by Polish anti-money laundering legislation to retain this data for a period of 5 years. This period may be extended by regulatory authorities in specific circumstances.
- Employee Data: Data relating to our employees is retained for the duration of their employment and for a subsequent period as required to comply with Polish labour, tax, and social security laws.
- Unsuccessful Job Applicant Data: Data from unsuccessful applicants is typically retained for 6 months after the conclusion of the recruitment process to allow us to defend against any potential legal claims. We will only retain this data for longer if we have obtained your explicit consent to consider you for future opportunities.
- Website and Marketing Data: Data collected for marketing purposes is retained until you withdraw your consent (e.g., by unsubscribing from our newsletter). Technical data from our website is retained for the period necessary for security and analytical purposes.
Once the applicable retention period has expired, we will securely and irreversibly destroy or anonymize your personal data in accordance with our internal policies.
8. Your Data Protection Rights
Under the GDPR, you have a number of important rights regarding your personal data. We are committed to upholding these rights.
8.1. Exercising Your Rights
You can exercise any of your rights by contacting our Data Protection Officer (DPO) using the contact details provided in Section 1.3 of this policy.
To protect your personal data from unauthorized access, we may need to request specific information from you to verify your identity before we can process your request. This is a crucial security measure.
We will respond to all legitimate requests within one month of receipt. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within the first month and keep you updated.
There is no fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
The clear procedural details outlined here—the one-month timeline, identity verification, and potential for extensions—are not just for your information. They also serve as an internal service level agreement for our compliance function, ensuring we have the operational framework in place to handle your requests in a timely and legally compliant manner.
8.2. Your Rights Explained
You have the following rights in relation to your personal data:
- The Right to be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the information in this Privacy Policy.
- The Right of Access: You have the right to obtain confirmation as to whether or not we are processing personal data concerning you and, where that is the case, to receive a copy of your personal data, along with certain other information about the processing.
- The Right to Rectification: You are entitled to have your personal data rectified if it is inaccurate or incomplete. We encourage you to keep us informed of any changes to your personal data during our relationship with you.
- The Right to Erasure (‘Right to be Forgotten’): This enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not an absolute right and is subject to exceptions. For example, we cannot erase your data where we need to retain it to comply with a legal obligation (as explained in Section 7) or for the establishment, exercise, or defence of legal claims.
- The Right to Restrict Processing: You have the right to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further.
- The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This right only applies to personal data that you have provided to us, where the processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means.
- The Right to Object: You have the right to object to our processing of your personal data where it is based on our legitimate interests. We must then stop the processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms. You have an absolute and unconditional right to object to your personal data being processed for direct marketing purposes at any time.
- Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Please see Section 10 for our position on this.
9. Your Right to Lodge a Complaint
9.1. Our Supervisory Authority
While we hope to resolve any concerns you may have directly, you have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.
As AIM Investment Fund S.A. is established in Poland, our lead supervisory authority is the Polish data protection authority.
The contact details for our lead supervisory authority are:
- Name (Polish): Prezes Urzędu Ochrony Danych Osobowych (UODO)
- Name (English): President of the Personal Data Protection Office
- Address: Stawki 2, 00-193 Warszawa, Poland
- Website: https://uodo.gov.pl/en
- Email: kancelaria@uodo.gov.pl
- Telephone: +48 22 531 03 00
10. Automated Decision-Making and Profiling
AIM Investment Fund S.A. does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. All significant decisions related to our investors, employees, and business operations involve human intervention.
11. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, or for other operational, legal, or regulatory reasons. The latest version of this policy will always be available on our website. We will notify you of any material changes where we are required to do so by law.
Please check the “Effective Date” and “Version” number at the top of this policy to see when it was last revised.
