What is REinfinite Group?

REinfinite Group deploys institutional capital into UK and European real estate through closed-end funds, development, and quantitative research. The Group operates four divisions: Development & Construction (REinfinite Ltd), Investment Management (REinfinite Investment), Asset Stewardship (REinfinite Holdings), and Research & Analytics (InfiniVerde).

What investment sectors does REinfinite Group focus on?

The Group's current thesis spans residential, commercial, mixed-use, and hospitality assets across the UK and select European markets, with a developing position in data centre infrastructure. The focus is on sectors where structural undersupply creates durable pricing power.

How does REinfinite Group make investment decisions?

Every investment decision originates from quantitative analysis conducted through the Group's internal research platform. Statistical models evaluate structural demand drivers, supply-side constraints, planning risk, and exit liquidity before capital is committed. If the numbers do not work across base case, downside, and severe downside, the opportunity does not advance.

What fund structures does REinfinite Group offer?

REinfinite Investment deploys capital through closed-end fund vehicles. Strategies focus on value-add and opportunistic positions across residential, commercial, mixed-use, hospitality, and sustainable infrastructure. Fund vehicles employ conservative leverage, defined hold periods, and continuous monitoring against quantitative performance thresholds.

Who are REinfinite Group's target investors?

REinfinite Investment raises capital from institutional investors, family offices, sovereign wealth funds, private banks, and qualified private investors across US, EU, and Middle East corridors.

How does REinfinite Group ensure alignment with investors?

The governance framework does not distinguish between the Group and its investors. Performance is reviewed quarterly against the thresholds that approved the original allocation. When a threshold is breached, the matter is escalated without deferral. Hold periods are defined at entry.

What is REinfinite Group's approach to capital preservation?

Fund vehicles employ conservative leverage, defined hold periods, and continuous monitoring against quantitative performance thresholds. Capital preservation is a constraint, not a preference. Investment horizons reflect the asset class, not the fee cycle.

What role does InfiniVerde play within REinfinite Group?

InfiniVerde is the Group's proprietary research engine — a quantitative platform that processes structured and unstructured data across more than thirty markets, drawing on sovereign yield trajectories, monetary policy signals, trade flows, currency dynamics, and local planning intelligence. The platform underpins every investment decision the Group makes, from initial screening through ongoing asset monitoring to ESG benchmarking.

What are REinfinite Group's core principles?

The Group operates on four principles: People First — decisions made by reference to the people they affect; Quantitative Conviction — the analytical edge is structural, not circumstantial, every position modelled before capital is committed; Alignment by Design — the governance framework does not distinguish between the Group and its investors, alignment is structural not aspirational; and Respect for the Natural World — environmental factors are investment constraints, climate exposure and physical risk assessed at screening.

Where does REinfinite Group operate?

REinfinite Group operates across the United Kingdom and select European markets, serving institutional investors from the US, EU, and the Middle East. The Group is registered in England and Wales (Company No. 16095412).

Privacy Policy

REinfinite Group Ltd — Company No. 16095412

Registered in England & Wales

Last Updated: 01 April 2026

Part 1 — Data Protection Policy Wrapper

1. Definitions and Interpretation

1.1 In this Policy, the following terms have the meanings set out below:

“Data Protection Legislation” means, as applicable: the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018; the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) to the extent it applies; the Data Protection Act 2018 (DPA 2018); the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003); the Data (Use and Access) Act 2025 (DUAA 2025); and any subordinate legislation, guidance, or codes of practice issued thereunder, each as amended or replaced from time to time.

“EEA” means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.

“Data Subject” means an identified or identifiable natural person to whom personal data relates.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person which processes personal data on behalf of the Controller.

“Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

2. Obligations When Providing Personal Data About Third Parties

2.1 Where a Data Subject provides the Company with personal data relating to another individual (including, without limitation, a spouse, civil partner, dependant, nominee, or beneficial owner), the Data Subject is responsible for ensuring that the individual concerned is aware of the contents of this Policy and, where required, has provided any necessary consent to the disclosure and processing of their personal data.

2.2 The Company will process such third-party personal data in accordance with this Policy and the applicable Data Protection Legislation, including the information obligations set out in Articles 13 and 14 UK GDPR.

2.3 Where the Company collects personal data other than directly from the Data Subject, it will provide the information required under Article 14 UK GDPR within a reasonable period of obtaining the data and, in any event, no later than one month thereafter, unless an exemption applies.

3. Data Subject Rights — General Obligations

3.1 The Company facilitates the exercise of Data Subject rights under: (i) Articles 15 to 21 UK GDPR (and, where applicable, the equivalent provisions of EU GDPR); and (ii) Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025, which replaced Article 22 UK GDPR — noting that Article 22 EU GDPR continues to apply for any processing subject to EU GDPR jurisdiction), including the rights of access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making.

3.2 Requests to exercise any Data Subject right should be directed to the Company’s designated contact for data protection matters at compliance@reinfinitegroup.com. The Company will respond within one calendar month of receipt of a valid request, subject to any permitted extension under applicable Data Protection Legislation.

3.3 Where the Company acts as a Processor on behalf of a third-party Controller, it will promptly refer any Data Subject rights requests to the relevant Controller and will provide such assistance as is reasonably required to enable the Controller to fulfil its obligations.

Part 2 — Privacy Policy

§1 About This Policy

1.1 This Privacy Policy (the “Policy”) describes how REINFINITE GROUP LTD (registered in England & Wales, Company No. 16095412), trading as REinfinite Group (“the Company”, “we”, “us”, “our”), collects, uses, stores, and shares personal data in connection with the operation of its website at reinfinitegroup.com and the provision of its services.

1.2 The Company is the sole Data Controller in respect of personal data collected through reinfinitegroup.com and in connection with the services described herein.

1.3 This Policy is issued in accordance with the UK GDPR, the DPA 2018, and all other applicable Data Protection Legislation. It should be read alongside any supplementary privacy notices provided at the point of data collection.

1.4 This Policy applies to all Data Subjects whose personal data is processed by the Company, including prospective and current investors, clients, website visitors, and other individuals who interact with the Company.

1.5 The Company reserves the right to amend this Policy from time to time. Any material changes will be communicated in accordance with §11 below.

§2 How to Contact Us

2.1 The Company’s registered address and principal contact details for data protection matters are as follows:

REINFINITE GROUP LTD

164 New Cavendish Street, London W1W 6YT

England

2.2 For all data protection enquiries, including requests to exercise Data Subject rights, please contact:

Email: compliance@reinfinitegroup.com

2.3 The Company does not operate a dedicated telephone line for data protection enquiries. All requests should be submitted in writing to the email address set out above.

§3 What Personal Data Do We Collect

3.1 The Company collects and processes the following categories of personal data, depending on the nature of the relationship and the services provided:

(a) Identity and Contact Data
Full name; date of birth; residential and correspondence address; email address; nationality; country of residence or domicile; job title and employer details.

(b) Financial and Tax Data
Bank account details; tax identification numbers (including National Insurance number, US Taxpayer Identification Number, and equivalent identifiers in other jurisdictions); details of income, assets, and investment experience; information required for compliance with the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).

(c) Identity Verification and Anti-Money Laundering Data
Copies of passport, national identity card, or other government-issued identification documents; proof of address documentation; source of funds and source of wealth information; information collected in connection with Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations.

(d) Investment and Transaction Data
Details of investment subscriptions, redemptions, distributions, and holdings; correspondence relating to investment decisions.

(e) Technical and Usage Data
IP address; browser type and version; device identifiers; pages visited on reinfinitegroup.com; time and date of access; referring URLs; cookie data, subject to the Company’s Cookie Policy.

(f) Communications Data
Records of correspondence, enquiries, and other communications between the Data Subject and the Company.

3.2 The Company does not knowingly collect Special Category Data unless strictly required by applicable law or with the explicit consent of the Data Subject.

3.3 Where the Company is required to collect personal data by law or under the terms of a contract, and the Data Subject fails to provide that data when requested, the Company may be unable to perform the contract or comply with its legal obligations. The Company will notify the Data Subject of this consequence at the relevant time.

§4 How Do We Use Personal Data

4.1 The Company processes personal data for the following purposes:

(a) Eligibility Assessment
To assess whether a prospective investor or client meets the eligibility criteria applicable to the Company’s investment products or services, including categorisation as a high-net-worth individual, sophisticated investor, or professional client under applicable legislation.

(b) Participation and Onboarding
To onboard investors and clients, execute subscription agreements and other contractual documentation, and administer participation in investment structures.

(c) Regulatory Reporting
To fulfil reporting obligations under FATCA, CRS, AML legislation, and other applicable regulatory frameworks, including the submission of required information to HMRC and other competent authorities.

(d) Distributions and Transactions
To process and administer distributions, redemptions, and other financial transactions in connection with investment products.

(e) Provision of Services
To deliver the services requested by the Data Subject, to respond to enquiries, and to manage the ongoing relationship between the Company and its investors and clients.

(f) Service Improvement
To analyse usage of reinfinitegroup.com and the Company’s services in order to improve functionality, user experience, and service quality.

(g) Marketing Communications
To send information about the Company’s products, services, and events where the Data Subject has provided consent or where the Company otherwise has a lawful basis to do so under applicable Data Protection Legislation. Data Subjects may opt out of marketing communications at any time by contacting compliance@reinfinitegroup.com.

(h) Legal and Regulatory Compliance
To comply with applicable legal and regulatory obligations, including AML, KYC, FATCA, CRS, tax reporting, and record-keeping requirements.

(i) Defence of Legal Claims
To establish, exercise, or defend legal claims in connection with the Company’s activities or the services it provides.

(j) Geographic Region Detection
We use a first-party cookie (iv-corridor) to determine the geographic region from which you access reinfinitegroup.com. This information is used solely to optimise content delivery and is not shared with third parties. The cookie is set by our hosting provider’s edge network and expires after 7 days. Further details are set out in our Cookie Policy at reinfinitegroup.com/cookies/.

§5 Legal Bases for Processing

5.1 The Company processes personal data on the following legal bases under Article 6 UK GDPR:

(a) Performance of a Contract (Article 6(1)(b))
Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract. This basis applies to eligibility assessment, onboarding, participation, distributions, and the administration of investment products and services (§4.1(a), §4.1(b), §4.1(d), and §4.1(e)).

(b) Compliance with a Legal Obligation (Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which the Company is subject. This basis applies to AML, KYC, FATCA, CRS, tax reporting, and other regulatory obligations (§4.1(c) and §4.1(h)).

(c) Consent (Article 6(1)(a))
Where the Company relies on consent as the legal basis for processing, including in connection with certain marketing communications (§4.1(g)), the Data Subject’s consent will be obtained prior to processing. Data Subjects may withdraw consent at any time in accordance with §9.1(h) below.

(d) Legitimate Interests (Article 6(1)(f))
The Company may process personal data where necessary for the purposes of its legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject. This basis applies to: (i) the establishment, exercise, or defence of legal claims (§4.1(i)); and (ii) analysis of website usage for service improvement purposes (§4.1(f)). In all such cases the Company has assessed that its legitimate interests are proportionate and do not unduly prejudice Data Subjects.

5.2 Where the Company processes Special Category Data, it will identify and rely upon an additional condition under Article 9(2) UK GDPR and will notify the Data Subject accordingly.

§6 International Transfers of Personal Data

6.1 The Company may transfer personal data to recipients located outside the United Kingdom or the EEA. Where such transfers occur, the Company takes reasonable steps to ensure that appropriate safeguards are in place in accordance with Chapter V UK GDPR and, where applicable, Chapter V EU GDPR. The transfer mechanisms used include the following:

(a) Adequacy Decisions
Transfers to countries or territories that have received an adequacy decision from the UK Secretary of State (under UK GDPR) or the European Commission (under EU GDPR), confirming that the recipient country provides an equivalent level of data protection.

(b) Binding Corporate Rules (BCRs)
Transfers to organisations that have adopted Binding Corporate Rules approved by a competent supervisory authority.

(c) EU–US Data Privacy Framework (DPF) and UK Extension
Transfers to US-based organisations that are certified under the EU–US Data Privacy Framework (adopted by the European Commission on 10 July 2023) or, for transfers from the United Kingdom, the UK Extension to the EU–US Data Privacy Framework (adopted by the UK Secretary of State in October 2023). Where transfers are made under the DPF or UK Extension, the Company periodically verifies the recipient’s certification status.

(d) UK International Data Transfer Agreement (IDTA) and UK Addendum to EU Standard Contractual Clauses
Transfers to third countries where the Company has entered into a UK International Data Transfer Agreement (IDTA) as approved by the Information Commissioner’s Office, or where the Company has incorporated the UK Addendum to the EU Standard Contractual Clauses (SCCs) as approved by the ICO under Section 119A DPA 2018.

(e) Contractual Necessity (Article 49(1)(b) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers that are strictly necessary for the performance of a contract between the Data Subject and the Company, or for the implementation of pre-contractual measures taken at the request of the Data Subject. This derogation is used only for occasional, non-repetitive transfers.

(f) Legal Claims (Article 49(1)(e) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers that are strictly necessary for the establishment, exercise, or defence of legal claims. This derogation is used only for occasional, non-repetitive transfers.

6.2 Data Subjects may request further information regarding the specific safeguards applicable to any international transfer by contacting compliance@reinfinitegroup.com.

§7 With Whom Do We Share Personal Data

7.1 The Company may share personal data with the following categories of recipients:

(a) Service Providers and Data Processors
Third-party organisations engaged by the Company to provide services on its behalf, including IT and hosting providers, fund administrators, legal and professional advisers, accountants, auditors, and compliance service providers. Such parties are engaged under written data processing agreements and are permitted to process personal data only in accordance with the Company’s instructions. Current principal data processors include: Vercel Inc (hosting infrastructure, United States); Google LLC (analytics via Google Analytics 4, United States); and Formspree Inc (contact form processing, United States). International transfers are protected by the UK Extension to the EU-US Data Privacy Framework.

(b) Group Members
Other entities within the REinfinite group of companies, where necessary for the purposes described in §4 above and subject to appropriate intra-group data sharing arrangements.

(c) Corporate Transactions
In connection with any merger, acquisition, restructuring, or sale of all or part of the Company’s business or assets, personal data may be disclosed to prospective or actual purchasers, subject to appropriate confidentiality obligations.

(d) Regulatory and Legal Authorities
Competent authorities, regulators, law enforcement agencies, courts, and other public bodies where the Company is required or permitted to do so by applicable law, including HMRC, the National Crime Agency (NCA), and other bodies with jurisdiction over AML, tax, and financial regulation, or where necessary for the prevention and detection of fraud or other criminal activity.

(e) Financial Advisers and Intermediaries
Where a Data Subject has engaged an independent financial adviser (IFA) or other authorised intermediary in connection with their investment, the Company may share relevant personal data with that adviser or intermediary, subject to the conditions set out in §18 below.

7.2 The Company does not sell personal data to third parties. The Company does not share personal data with third parties for their own marketing purposes without the prior consent of the Data Subject.

§8 Retention of Personal Data

8.1 The Company retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law or regulation.

8.2 In particular:

(a) Records relating to AML, KYC, and tax compliance — including identity verification documents and transaction records — are retained for a minimum of seven years following the end of the investment relationship, in accordance with the requirements of HMRC and applicable AML legislation.

(b) Where a legal claim has been brought or is reasonably anticipated, the Company will retain relevant personal data for such longer period as is necessary to establish, exercise, or defend that claim.

(c) Marketing data is retained until the Data Subject withdraws consent or objects to processing, whichever is earlier.

(d) Personal data processed for other purposes is retained for such period as is necessary for those purposes, taking into account applicable limitation periods for legal claims and any other legal obligations.

(e) Contact form submissions are retained for 24 months from the date of submission, after which they are permanently deleted.

8.3 Where the Company is required to retain personal data beyond the periods set out above by reason of a legal obligation, regulatory requirement, or ongoing legal proceedings, it will retain such data until the relevant obligation or proceedings are concluded.

8.4 At the end of the applicable retention period, personal data will be securely deleted or anonymised in accordance with the Company’s data retention and disposal procedures.

8.5 Data Subjects may request further information regarding the Company’s retention periods by contacting compliance@reinfinitegroup.com.

§9 Data Subject Rights

9.1 Under applicable Data Protection Legislation, Data Subjects have the following rights in respect of their personal data:

(a) Right of Access (Article 15 UK GDPR)
The right to obtain confirmation as to whether the Company processes personal data relating to the Data Subject and, if so, to receive a copy of that data together with supplementary information about the processing.

(b) Right to Rectification (Article 16 UK GDPR)
The right to require the Company to correct inaccurate personal data and to complete incomplete personal data without undue delay.

(c) Right to Erasure (Article 17 UK GDPR)
The right to request the deletion of personal data where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and no other legal basis applies, or where the data has been unlawfully processed, subject to applicable exemptions.

(d) Right to Restriction of Processing (Article 18 UK GDPR)
The right to request that the Company restricts the processing of personal data in specified circumstances, including where the accuracy of the data is contested or where the Data Subject has objected to processing pending verification of the Company’s grounds.

(e) Right to Data Portability (Article 20 UK GDPR)
The right to receive personal data provided to the Company in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

(f) Right to Object (Article 21 UK GDPR)
The right to object to the processing of personal data on grounds relating to the Data Subject’s particular situation, where processing is based on a lawful basis that permits objection. The Company will cease processing unless it can demonstrate compelling grounds that override the Data Subject’s interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

(g) Rights in Relation to Automated Decision-Making (Articles 22A to 22D UK GDPR, as substituted by the Data (Use and Access) Act 2025)
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. See §15 for further information.

(h) Right to Withdraw Consent
Where processing is based on consent, the Data Subject has the right to withdraw that consent at any time by contacting compliance@reinfinitegroup.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

9.2 To exercise any of the rights set out in this section, Data Subjects should submit a written request to compliance@reinfinitegroup.com. The Company will respond within one calendar month of receipt of a valid request. Where a request is complex or numerous requests have been received, the Company may extend this period by a further two months, in which case the Data Subject will be notified of the extension and the reasons for it within the initial one-month period. In accordance with Article 12A UK GDPR (as inserted by the Data (Use and Access) Act 2025), the one-month response period is paused where the Company requests clarification of the scope of the request or verification of the Data Subject’s identity; the period resumes upon receipt of the required information.

9.3 The Company will not charge a fee for responding to a Data Subject rights request unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused, in accordance with applicable Data Protection Legislation.

9.4 The Company may request proof of identity before processing a Data Subject rights request in order to verify that the request is made by or on behalf of the Data Subject concerned.

§10 Complaints

10.1 If a Data Subject considers that the Company has not complied with its obligations under applicable Data Protection Legislation, the Data Subject has the right to lodge a complaint with the relevant supervisory authority.

10.2 For Data Subjects located in the United Kingdom, the supervisory authority is:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: https://ico.org.uk

Telephone: 0303 123 1113

10.3 The right to lodge a complaint does not affect any other administrative or judicial remedy available to the Data Subject under applicable law.

10.4 For Data Subjects located within the EEA, the right to lodge a complaint may be exercised with the supervisory authority in the EU member state of the Data Subject’s habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu.

10.5 In accordance with the Data (Use and Access) Act 2025, the Company has established a formal data protection complaints procedure. Data Subjects who consider that their personal data has been handled in breach of applicable Data Protection Legislation may submit a complaint directly to the Company at compliance@reinfinitegroup.com. The Company will:

(a) acknowledge receipt of any complaint within 30 days; and

(b) respond to the complaint without undue delay and in any event within a reasonable period, providing reasons for any decision reached.

10.6 The Company encourages Data Subjects to raise concerns with the Company in the first instance before escalating to the ICO or another supervisory authority, so that issues may be resolved promptly where possible.

§11 Changes to This Policy

11.1 The Company aims to review this Policy at least once every twelve months and may update it from time to time to reflect changes in applicable law, regulatory guidance, or the Company’s data processing activities.

11.2 Where material changes are made to this Policy, the Company will use reasonable efforts to notify affected Data Subjects by email or by posting a prominent notice on reinfinitegroup.com, using the contact details held on record.

11.3 The “Last Updated” date at the top of this Policy indicates when it was most recently revised. Data Subjects are encouraged to review this Policy periodically.

§12 Data Protection Contact

12.1 The Company has designated a compliance contact responsible for data protection matters. All Data Subject rights requests, data breach reports, and general enquiries should be directed to:

Data Protection Contact

REINFINITE GROUP LTD

164 New Cavendish Street, London W1W 6YT

Email: compliance@reinfinitegroup.com

12.2 The designated contact is responsible for:

(a) monitoring the Company’s compliance with applicable Data Protection Legislation;

(b) providing advice and guidance on data protection obligations;

(c) acting as the primary point of contact for Data Subjects and supervisory authorities in relation to data protection matters;

(d) maintaining records of processing activities in accordance with Article 30 UK GDPR.

12.3 Data protection matters are handled by the compliance function. There is no requirement under Article 37 UK GDPR to appoint a formal Data Protection Officer at this time; the Company will appoint one should its processing activities reach the thresholds specified in Article 37(1) UK GDPR.

§13 Data Breach Notification

13.1 The Company maintains internal procedures for detecting, reporting, and investigating personal data breaches in accordance with Articles 33 and 34 UK GDPR.

13.2 Where the Company becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, it will notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Where notification is not made within 72 hours, the Company will provide the reasons for the delay.

13.3 Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company will notify the affected Data Subjects without undue delay, in accordance with Article 34 UK GDPR, unless one of the exemptions set out in Article 34(3) applies.

13.4 All suspected or confirmed personal data breaches should be reported immediately to compliance@reinfinitegroup.com.

§14 Data Protection Impact Assessments

14.1 The Company carries out Data Protection Impact Assessments (DPIAs) in respect of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 UK GDPR and the ICO’s published guidance on DPIAs.

14.2 DPIAs are conducted prior to commencing any new high-risk processing activity and are reviewed periodically or whenever there is a material change to the relevant processing.

14.3 Where a DPIA indicates a high residual risk that cannot be mitigated, the Company will consult the ICO prior to commencing the relevant processing, in accordance with Article 36 UK GDPR.

14.4 Data Subjects or other interested parties may request further information regarding the Company’s DPIA process by contacting compliance@reinfinitegroup.com. The provision of any DPIA documentation in response to such a request is subject to applicable exemptions and the Company’s discretion.

§15 Automated Decision-Making and Profiling

15.1 The Company does not carry out automated decision-making, including profiling, that produces legal or similarly significant effects concerning Data Subjects, within the meaning of Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025, which replaced the original Article 22 with a revised regime).

15.2 All decisions that materially affect Data Subjects are subject to human review and are not made solely by automated means.

15.3 Should the Company introduce any significant automated decision-making processes in the future, it will update this Policy accordingly, implement the mandatory safeguards required under Articles 22A to 22D UK GDPR (including informing affected Data Subjects, providing the right to make representations, and enabling human review), and rely on an appropriate lawful basis.

§16 Security Measures

16.1 The Company implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure, in accordance with Article 32 UK GDPR.

16.2 The technical security measures employed by the Company include, without limitation:

(a) SSL/HTTPS encryption for all data transmitted via reinfinitegroup.com;

(b) Malware detection and anti-virus software on all systems used to process personal data;

(d) Web Application Firewall (WAF) to protect against common web-based threats;

(e) Network firewall controls to restrict unauthorised access to the Company’s systems;

(f) Minimal retention practices, ensuring that personal data is not held for longer than is necessary for the purposes for which it was collected.

16.3 The Company also implements organisational measures including access controls limiting personal data to employees and contractors with a business need to know, staff training on data protection obligations, duties of confidentiality binding all persons with access to personal data, and contractual requirements imposed on third-party processors.

16.4 No method of electronic transmission or storage is entirely secure. The Company cannot guarantee the absolute security of personal data transmitted to or from reinfinitegroup.com. Data Subjects transmit personal data at their own risk and are encouraged to take appropriate precautions.

16.5 In the event of a suspected security incident, Data Subjects should contact compliance@reinfinitegroup.com without delay.

§17 Cookies

17.1 The Company’s website at reinfinitegroup.com uses cookies and similar tracking technologies to enhance user experience and to collect Technical and Usage Data as described in §3.1(e) above.

17.2 Further information regarding the types of cookies used, their purposes, and how Data Subjects may manage their cookie preferences is set out in the Company’s Cookie Policy, available at https://reinfinitegroup.com/cookies.

17.3 Analytics cookies are managed on an opt-out basis following the commencement of the Data (Use and Access) Act 2025, which exempts cookies used solely to collect aggregate statistics to improve a website from the prior consent requirement under PECR. Full details of the cookies used, their purposes, and how to opt out are set out in the Company’s Cookie Policy.

§18 Third-Party Sharing

18.1 The Company will not share personal data with any third party without the consent of the Data Subject, save as expressly set out in this Policy or as required by applicable law.

18.2 Where a Data Subject has engaged an independent financial adviser (IFA), wealth manager, or other authorised intermediary in connection with their investment or the services provided by the Company, the Company may share relevant personal data with that adviser or intermediary for the purpose of facilitating the investment relationship and providing the services requested. Such sharing will be limited to the personal data reasonably necessary for those purposes.

18.3 The Company is not responsible for the privacy practices of third-party websites linked from reinfinitegroup.com. Data Subjects are advised to review the privacy policies of any third-party websites they visit.

§19 Limitation of Liability

19.1 To the fullest extent permitted by applicable law, the Company’s liability arising from or in connection with this Policy is limited to its obligations under the Data Protection Legislation. Nothing in this Policy creates any right, remedy, or cause of action beyond those provided by applicable law.

19.2 Nothing in this Policy excludes or limits liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be excluded or limited by applicable law.

§20 Governing Law and Jurisdiction

20.1 This Policy and any dispute arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

20.2 The courts of England and Wales shall have exclusive jurisdiction in relation to any dispute arising out of or in connection with this Policy.

§21 Policy Review

21.1 The Company aims to review this Policy at least once every twelve months to ensure that it remains accurate, complete, and compliant with applicable Data Protection Legislation.

21.2 The “Last Updated” date displayed at the top of this Policy reflects the date on which it was most recently reviewed and, where applicable, revised.

21.3 Any questions regarding this Policy or the Company’s data protection practices should be directed to compliance@reinfinitegroup.com.

This Policy is issued by REINFINITE GROUP LTD (Company No. 16095412), registered in England & Wales, whose registered office is at 164 New Cavendish Street, London W1W 6YT.