PRIVACY NOTICE

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us. We may collect personal data from the following persons:

1. Visitors to www.highridgeaviation.com (the “site”).
2. Visitors to our premises or visits by our employees or representatives to your premises.
3. Officers, directors, employees, professional advisors, consultants and other representatives of our investors, serviced entities, customers (including aircraft leasing and financing counterparties), suppliers, advisers and other service providers.
4. Regulators and government bodies, as well as officers, directors, employees, advisors and other representatives of the same.
5. In some cases, we process personal data relating to former employees and staff members. If you are a former staff member and want to know what data we still process about you, you should refer to the letter you received when leaving. If you no longer have your letter, please contact us using the details set out in the contact section.

The personal data we collect may include:

1. Identifiers: for example, name, postal address, email address, telephone number, employee ID.
2. Internet or other network activity: for example, browsing or search history, information regarding interaction with the sites, or related applications or advertisements, as well as online identifiers such as cookies.
3. Professional or work-related information: for example, your professional role, occupational history, business relationship with HRA, background and interests and any other personal data which may be incidentally processed if you contact us.
4. Identification information: i.e. information we need in order to identify you and complete necessary security checks where you visit one of our buildings; and
5. Onboarding information: For airlines, other aircraft leasing companies, service providers and any other entity or person that we enter into business with, we may also collect KYC/AML information about you in order to verify the identity, suitability, and risks involved with maintaining a business relationship.

1. Personal data that you give us. This is information about you that you provide by (among other things) filling in forms, signing up to our newsletters or events, giving us a business card or CV, information provided for on-boarding, or corresponding with us by telephone, post, email or otherwise.
2. Personal data that the website may collect about you. If you visit the HRA website, it will automatically collect some information about you and your visit, including internet or other network activity such as the Internet protocol (IP) address used to connect your device to the Internet and some other information such as your browser type and version and the pages on the site that you visit. The site may also download “cookies” to your device or place cookies onto your browser. For a description of the cookies we use on the site, please refer to our separate cookie statement.
3. Personal data that our other systems collect about you. If you exchange emails or other communications with us, our information technology systems may record details of those communications. Some of our premises have CCTV systems which may record audio and visual information about you if you visit our premises, for security and safety purposes; and
4. Personal data collected from other sources. We may collect some information from other sources. For example, if we have a business relationship with the organisation that you represent, your colleagues or other business contacts may give us information about you such as your contact details or details of your role in the relationship.

To the extent that you provide us with personal data of third parties, you agree and acknowledge that you have informed them of, and they have agreed to, our use, collection and disclosure of their personal data including the purposes of such use, collection and disclosure of personal data as set out in this notice.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

1. To operate, manage, develop and promote our business, and, in particular, our relationship with you or the organisation you represent, including general business administration, accountancy and audit services, and risk monitoring.
2. To operate, administer and improve our site and premises, including the protection of the security of our site and premises.
3. To protect our business from fraud, money-laundering, breach of confidence, theft of proprietary materials and other financial or business crimes.
4. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
5. To comply with our legal and regulatory obligations and bring and defend civil, regulatory and criminal claims; and
6. With your consent, to contact you with details of HRA’s business which we believe you will find relevant and interesting.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

1. Pursuing our legitimate interest or those of a third party. Under the EU GDPR, the lawful basis of such processing is Article 6(1)(f) of the EU GDPR (i.e. the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights and freedoms which require protection of personal data);
2. Complying with legal obligations. Under the EU GDPR, the lawful basis of such processing is Article 6(1)(c) of the EU GDPR (i.e. the processing is necessary to discharge a relevant legal or regulatory obligation to which we are subject); and
3. Performance of a contract. Under the EU GDPR, the lawful basis of such processing is Article 6(1)(b) of the EU GDPR (i.e. the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract).

Generally, we do not rely on consent as a legal basis for processing your personal data, although we will obtain your consent where your consent is otherwise required under applicable law. You have the right to withdraw your consent at any time by contacting us (see below).

We do not share your personal data with third parties for cross-context behavioural advertising, also known as targeted advertising.

We do not sell your personal information.

We do not envisage your personal data will undergo any automated decision making.

The legal basis for processing information may vary depending on our location or the purpose for processing information.

We may share information in specific situations described in this section and/or with the following third parties:

1. Other members of the HRA group of companies.
2. Third party services providers and contractors, including IT and communications service providers, law firms, accountants, auditors, administrators, reference providers, professional advisers, consultants and background and KYC/AML check providers. These third parties will be subject to confidentiality requirements, and they will only process your personal data as described in this notice (or as otherwise notified to you).
3. Governmental, judicial, or prosecution bodies, tax authorities, regulators and courts.
4. Third parties for the purposes of establishing, exercising or defending our legal rights.
5. Third parties in connection with investments in, or the sale of, our business or assets or an acquisition of our business (or a part of our business) by a third party; and
6. Your colleagues within the organisation that you represent.

Some recipients will process your personal data on our behalf as processor. Others will determine the purposes and means of processing of your personal data as controller and may be permitted to disclose your personal data to other parties in accordance with applicable law.

Sharing personal information may involve transferring personal data overseas. If you are dealing with us within the European Economic Area (the “EEA”) you should be aware that this may include transfers to countries outside the EEA. Some of these countries do not have similarly strict data privacy laws.

We will ensure that any such transfers are carried out in compliance with applicable law, including, where necessary, being governed by data transfer agreements (such as the European Commission approved model clauses), designed to ensure that your personal data is protected on terms approved for this purpose by the European Commission or as otherwise required under applicable law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). Subject to applicable law, we retain your information for (as the case may be):

1. As long as it is required for our legitimate purpose.
2. As long as it is required to perform our contractual obligations.
3. As long as we have your consent; or
4. Such period as is required or required by law or regulatory obligations which apply to us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

In some regions, such as the European Economic Area (EEA), United Kingdom (UK), California and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

Applicable law may provide you with a number of legal rights in relation your personal data that we process. These rights may include:

1. A right to know what personal data we process and a right of access to such personal data.
2. The right to request any incomplete or inaccurate personal data be corrected.
3. The right to object to our processing of your personal data where we send you direct marketing.
4. The right to require us to delete your personal data and/or otherwise restrict our processing of your personal data in some circumstances.
5. The right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal rights; and
6. A “data portability” right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.

If you wish to exercise any of the rights referred to above, please contact us using the details set out in the contact section below.

We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles.

We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.

You also have the right, at any time, to lodge a complaint about our processing of your personal data with the relevant body regulating data protection in your country.

You should be aware that when you are on the websites, you could be directed to other websites that are beyond our control. There are links to other sites from the sites that may take you outside our service. We cannot guarantee that the privacy policies of these websites meet our standards. You should read the privacy notice of any new website you go to online.

California residents may also request certain information about our disclosure of personal data during the past 12 months, including information about the categories of information we process, the purpose of processing that data, the categories of recipients to which we disclose this information and the source of the information.

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information or if you have questions or comments about this notice, you may:

Email: notices@highridgeaviation.com

Post to: High Ridge Aviation Limited, Suite 4, Rineanna House, Shannon Free Zone, Shannon, Co. Clare, Ireland, V14 CA36.