Green Street Global Privacy Policy PDF

Summary

This PDF document outlines Green Street's global privacy policy. It details how the company collects, uses, and protects customer information. The policy covers various aspects of data handling, including geolocation, commercial, and other information.

Full Transcript

Global Privacy Policy

At Green Street, we understand our obligation to keep information about you secure and confidential. We will
inform you of our policies for collecting, using, securing, and sharing personally identifiable and/or nonpublic
personal information (“Customer Information”) the first time we do business and every year that you remain a
customer with us. Therefore, we maintain the following principles with respect to protecting your privacy:

▪ We are committed to protecting your privacy at all times;

▪ We do not sell or disclose any nonpublic personal information about you to anyone except as required
by law;

▪ We do not provide customer information to persons or organizations outside the affiliated companies
who are doing business on our behalf, for their own marketing purposes;

▪ We contractually require any person and/or organization providing products or services to customers
on our behalf to protect the confidentiality of Green Street customer information;

▪ We afford prospective and former customers of Green Street the same protections as existing
customers with respect to the use of personal information;

▪ We do not market to minors/children, our website is not intended for minors/children and we do not
knowingly collect data relating to minors/children.

Who We Are

Green Street Advisors, LLC together with our subsidiaries Green Street Advisors (UK) Ltd, Green Street Advisors
(Canada) Ltd., The Local Data Company Group Ltd., Locatus B.V., Locatus België B.V., and Delinian (IJGlobal) Ltd.,
collectively “Green Street” provide this privacy policy to supply you with details about how your information is
collected and used.

Green Street is a business subject to the California Consumer Privacy Act of 2018 (Cal.Civ.Code § 1798.100 et seq.
(“CCPA”), California Privacy Rights Act of 2020 (“CPRA”), the New York “Stop Hacks and Improve Electronic
Data Security Act of 2019 (N.Y. Gen. Bus. Laws § 899-bb( “SHIELD Act”), the Data Protection Act of 2018 and the
General Data Protection Regulation (Regulation 2016/679 of the European Parliament and the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC); General Data Protection Regulation (“GDPR”)
enacted by the United Kingdom, as applicable, the Personal Information Protection Law of China (2021), and/or
the General Law for the Protection of Personal Data of Brazil (Law 13.709), Brazilian General Data Protection Law
of 2020 (LGPD), Personal Information Protection and Electronic Documents Act ('PIPEDA') and all other
applicable Canadian provincial data privacy laws and any other applicable foreign, federal, state, or local data
protection, data privacy, data security, and privacy protection laws that Green Street may fall in scope as they
may be enacted or amended (collectively , the “Data Protection Laws”).

Information We Collect

Data collected by Green Street is limited to the information needed to provide the services contracted between
Green Street and the customer. If we need to use your personal data for an unrelated purpose, we will notify

Green Street 1
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
you and we will explain the legal basis which allows us to do so. Please note that we may process your personal
data without your knowledge or consent, in compliance with the above rules, where this is required or permitted
by law.

We collect and use various types of information we believe is necessary only to administer our business, and to
offer you the best possible customer service. Customer information we collect is categorized into the following
types:

▪ Geolocation data, such as regional IP addresses, are not used for tracking precise consumer location
and movements.

▪ Commercial Information such as purchase or licensing information, including products and services
purchased or licensed, obtained, or considered, or related histories or tendencies.

▪ Other general information we obtain about you that is not assembled for the purpose of opening an
account or offering certain products or services that you may request, such as demographic
information.

▪ Audio and visual data generated when you opt-in to video recordings. This is used for the purpose of
customer service, customer presentations and training. This is not used for identification.

▪ Inferences drawn from personal, or customer information is for Green Street commercial use only.
Green Street will make inferences based upon customer details as to which of our products may be
useful. We do not use automated decision-making technology.

▪ In the US, Green Street’s Advisory business is a California registered investment adviser regulated by
the Department of Financial Protection and Innovation. As a customer of our Advisory business, we are
required to obtain, verify, document and retain data that identifies each organization and those there
that utilize the regulated products and services. We will ask for the name of your entity, address, tax
identification number and other information that will allow us to identify you. We may also ask to see
your articles of incorporation, partnership agreement or other identifying documents. Please note, this
is for customers of our Advisory services only.

Personal data is data that relates to an identified or identifiable natural person, this means a human being.
Anonymous data, where you cannot find out who the data relates to, is not personal data.

Green Street may collect personal data from you, which can be split into the following different types:

(a) Identity Data, which includes your first name, last name, date of birth and gender.
(b) Contact Data, which includes your address, email address and telephone numbers.
(c) Financial Data, which includes your bank account and payment card details.
(d) Technical Data, which includes your IP address, your login data, and your browser type.
(e) Profile Data, which includes your username and password and survey responses.
(f) Transaction Data, which includes details about payments to and from you and other details of
products and services you have purchased from us.
(g) Marketing and Communications Data, which includes your preferences in receiving marketing from
us and our third parties and your communication preferences.
(h) Usage Data, which includes information about how you use our website, products, and services.

Personal data does not include:

▪ Publicly available information from government records.
▪ De-identified or aggregated consumer information.

Green Street 2
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
We may collect aggregated details about your use of the websites for the purposes of aggregate statistics or
reporting purposes. Aggregated data (usage details combined from a number of people’s data) may come from
your personal data but if it does not directly or indirectly reveal your identity, it is not considered personal data
and falls outside the scope of this Policy. For example, we may combine and analyze your use of the website to
work out the number of users accessing a specific feature. However, to the extent that the aggregated
information could still be considered personal data, we will continue to process it in accordance with this privacy
policy.

The recipients of this personal data include Green Street employees or those acting on its behalf under contract
as outlined in this policy. Data access is granted on a “need-to” basis as necessitated by job function.

We do not collect any special categories of personal data about you (this includes details about your race or
ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union
membership, information about your health and genetic and biometric data). Nor do we collect any information
about criminal convictions and offences.

How We Collect Personal Data

When you sign up for our services or communicate with us, you may choose to voluntarily give us certain
personal data. We use different methods to collect data from and about you, including when you fill out a form
or give us personal data via the phone, by post, online or by email or otherwise. Other instances where we may
collect personal data are when you:

(a) Visit our website or social media (e.g. through cookies);
(b) Create an account with us to use our online portal;
(c) Login to your account and utilize the various features;
(d) Sign up for our mailing list/newsletter or Events;
(e) Enquire about or order products or services through our website or via the phone, fax, email, post
or in person;
(f) Create an account on our website;
(g) Provide feedback;
(h) Fill in a form on our website; and/or
(i) Otherwise contact us.

Personal data may be collected by us and by our third-party service providers who assist us in operating the
website, including:

Google Analytics
We use Google Analytics to help analyze how visitors access our website. Google Analytics generates
statistical and other information about website use by means of cookies. Google will store this information.
If you do not want your website visit information reported by Google Analytics, you can install the Google
Analytics opt-out browser add-on. For more details on installing and uninstalling the add-on, please visit the
Google Analytics opt-out page at https://tools.google.com/dlpage/gaoptout.

We also use Google Enhanced Conversions to provide hashed statistics about the effectiveness of our
marketing campaigns. Visitors to our website can opt out of this along with any cookies via the website cookie
banner.

HubSpot
We use HubSpot to help track and analyze inbound marketing opportunities. In common with many
websites, when you read, browse, or download information from our public website, HubSpot’s system may
collect information such as the data and time of your visit, the pages accessed, and any information
downloaded. This information is used for sales analysis, client prospecting and marketing campaigns.

Green Street 3
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 FullStory & Amplitude
We use telemetry software to provide the firm with a full session replay of a visitor’s interaction with our
website, such as the links clicked, mouse movements, and pages/products visited. We collect this information
to assist us in providing a better visitor experience.

Advanced Ads & Mail Chimp
For Green Street UK News advertising clients, website ad clicks are tracked using Advanced Ads. Mail Chimp
is used to track ad clicks in daily emails from UK News.

Office 365
Green Street utilizes Office365 email and Microsoft Teams to correspond with clients, provide our products
and services, education, and client support. These platforms also provide information and support to
potential clients. Email is archived by a contracted third-party service provider with limited access rights. Email
is reviewed by members of the Compliance team as required by regulatory authorities. Video recording via
Teams is authorized by all attendees prior to recording through an opt-in function. Video calls between
customers and Green Street sales staff are housed by a contracted third-party vendor and routinely used for
internal training purposes. Recorded video calls may be shared between Green Street affiliates located in the
U.S. and U.K.

Big Marker and Cvent
Green Street uses contracted vendors to sign-up and host Green Street events. Contact information and
consent is collected through forms on our website. Certain contact data such as generalized title and
company name may be utilized for obtaining sponsorships for future events.

Commercial property information we collect is categorized into the following types:

▪ Information from visitors to our website provided through online forms, such as building information,
sales transaction information, and related property or market information;

▪ Other commercial property information that is directly provided from a client for valuation purposes.

Once the commercial property information has been verified, it may be used in an anonymized fashion to
enhance our products/services.

We also use internal client information from Salesforce to help us increase the accuracy of our data product. This
information is for internal use only and used to supplement deed and tax record data we collect from other third-
party sources. This information is not published externally.

Please note, customers are not permitted to upload any PCI, PHI, PII or any sensitive information to our platform.
Whether done purposefully or inadvertently, Green Street is not responsible for this data.

Credit Card Processing

We use a credit card payment and processing service provider to receive certain payment processing data that
enables us to accept payment from purchasers/licensees of our products and services. Green Street does not
retain credit card information, please see the terms and conditions when purchasing through our on-line portal.

Choosing How We Use Your Personal Data

We understand that you trust us with your personal data, and we are committed to ensuring you can manage
the privacy and security of your personal data yourself. Therefore, we will only use your personal data when the
law allows us to. Most commonly, we will use your personal data in the following circumstances:

Green Street 4
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 (a) Where we need to meet the contractual obligations we are about to enter into or have entered into
with you.
(b) Where it is necessary for our legitimate interests (or those of a third party) and your interests and
fundamental rights do not override those interests.
(c) Where we need to comply with a legal or regulatory obligation.

We have set out below a description of all the ways we plan to use your personal data, and which of the legal
bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data using more than one lawful ground depending on the specific
purpose for which we are using your data. Please contact us if you need details about the specific legal ground
we are relying on to process your personal data where more than one ground has been set out in the table
below.

Purpose/Activity Type of data Lawful basis for processing including
basis of legitimate interest

To register you as a new customer (a) Identity Performance of a contract with you

(b) Contact

To process your transactions including: (a) Identity (a) Performance of a contract with you

(a) Manage payments, fees and charges (b) Contact (b) Necessary for our legitimate interests (to
recover debts due to us)
(b) Collect and recover money owed (c) Financial
to us
(d) Transaction

(e) Marketing and Communications

To manage our relationship with you (a) Identity (a) Performance of a contract with you
which will include:
(b) Contact (b) Necessary to comply with a legal obligation
(a) Notifying you about changes to our
terms or privacy policy (c) Profile (c) Necessary for our legitimate interests (to keep
our records updated)

To administer and protect our business (a) Identity (a) Necessary for our legitimate interests (for
and this website (including running our business, provision of
troubleshooting, data analysis, testing, (b) Contact administration and IT services, network
system maintenance, support, reporting security, to prevent fraud and in the context of
and hosting of data) (c) Technical a business reorganisation or group
restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant website content (a) Identity Necessary for our legitimate interests (to study
how customers use our products/services, to
(b) Contact develop them, to grow our business and to inform
our marketing strategy)
(c) Profile

(d) Usage

(e) Marketing and Communications

(f) Technical

Green Street 5
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 To use data analytics to improve our (a) Technical Necessary for our legitimate interests (to define
website, products/services, marketing, types of customers for our products and services,
customer relationships and experiences (b) Usage to keep our website updated and relevant, to
develop our business and to inform our marketing
strategy)

To make suggestions and (a) Identity Necessary for our legitimate interests (to develop
recommendations to you about goods our products/services and grow our business)
or services that may be of interest to (b) Contact
you
(c) Technical

(d) Usage

(e) Profile

(f) Marketing and Communications

To allow you to use our online platform (a) Identity (a) Performance of a contract with you
and to manage your account
(b) Contact (b) Necessary for our legitimate interests (to study
how customers use our products/services, to
(c) Profile develop them and grow our business)

(d) Usage

(e) Marketing and Communications

(f) Technical

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider
that we need to use it for another reason and that reason is compatible with the original purpose. If we need to
use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which
allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the
above rules, where this is required or permitted by law.

Use of Cookies

What are cookies?
Like many websites, our website may use ‘cookies’ from time to time. Cookies are small files saved to the user’s
computer’s hard drive that track, save and store information about the user’s interactions and usage of the
website. This allows the website, through its server, to provide the users with a tailored experience within this
website.

What do we use cookies for?
We may use cookies to remember personal settings you have chosen at our website. In no other context do we
use cookies to collect information that identifies you personally. Most of the cookies we set are automatically
deleted from your computer when you leave our website or shortly afterwards. We use anonymous session
cookies (short-term cookies that disappear when you close your browser) to help you navigate the website and
make the most of the features. If you log into the website, as a registered user your session cookie will also
contain your user ID so that we can check which services you are allowed to access.

Green Street 6
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
This website uses tracking software to monitor its visitors to better understand how they use it. This software is
provided by HubSpot, Amplitude, and FullStory which use first-party cookies to track visitor usage. The Green
Street News UK website utilizes Advanced Ads to track ad clicks for its advertising clients. The software will save
a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website.

The default settings of browsers like Internet Explorer generally allow cookies, but users can easily erase cookies
from their hard-drive, block all cookies, or receive a warning before a cookie is stored. If you disable or refuse
cookies, please note that some parts of this website may become inaccessible or not function properly.
Therefore, should users wish to deny the use and saving of cookies from this website onto their computer’s hard
drive, they should take necessary steps within their web browser’s security settings to block all cookies from this
website and its external serving vendors.

Most of the cookies we set are automatically deleted from your computer when you leave our website or shortly
thereafter.

How long do we keep your personal data?

Data collected, used, and retained by Green Street is limited to the information needed to provide the products
and services contracted between Green Street and the customer. Consumer data is retained for six years per
DFPI and FCA regulatory books and records retention rules. We will keep the remainder of Green Street’s non-
regulated business data in line with the regulated business and follow the same retention period. Destruction
of PI records will promptly follow the retention period. Financial records may be kept indefinitely.

Product Feedback

Please note that feedback provided to Green Street regarding our products and services will be shared internally
to assist us in making improvements to those products and services. The information provided is housed
internally and is not anonymized. We will not share this feedback outside of our organization.

International Data Transfers

Green Street is a global organization, and your data may be transferred to or accessed globally in providing
products or services to you. Green Street may process your data outside of your country’s jurisdiction.
Specifically, we could transfer your data outside of the European Economic Area (EEA), to the United States
and/or the United Kingdom. When we share your data with anyone outside the EEA, where necessary, we put
in place the safeguards required by law to ensure that a consistent high level of protection travels with your
data. By providing Green Street with your contact data, you are consenting to the processing and transfer of
your data only for reasons stated in this privacy policy.

Our organization treats all customer data as confidential data and has information security and cyber security
policies and procedures in place to protect your data. Green Street adheres to the Data Privacy Framework of
the UK, EU, and Swiss (see Data Privacy Framework section below for further information). We will also sign a
Data Privacy Agreement (DPA) when requested under other data privacy laws where needed. If you would like
more information about the safeguards in place when transferring your data, please contact
[email protected].

Reasons We Share Information

We do not disclose your personal data without your permission, unless the disclosure is:

(a) In accordance with this privacy policy or any agreement you enter into with us;
(b) To our related companies (i.e. the GSA Group);
(c) To third parties to whom we may choose to sell, transfer, or merge parts of our business or our
assets;
(d) Required or authorized by law or for security reasons (including to prevent fraud).
Green Street 7
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 (e) To third parties, including our third-party service providers, to whom we may disclose, or provide
access to, your personal data in connection with the purposes described in the table above.
(f) We may also share information with outside accountants, auditors, lawyers, and other outside
professional advisers to us, subject to confidentiality obligations.

We require all third parties to respect the security of your personal data and to treat it in accordance with the
law. We do not allow our third-party service providers to use your personal data for their own purposes and only
permit them to process your personal data for specified purposes and in accordance with our instructions.

Disclosing Information in Other Situations

Under certain circumstances, we may be required by law to disclose your personal information. Green Street
may also disclose personal information to protect its legal rights or to enforce our Customer Agreement. These
may include:

▪ A disclosure in connection with a subpoena or similar legal process;
▪ A fraud investigation;
▪ An audit or examination;
▪ An inspection by regulatory or self-regulatory authorities;

Data Subject Access Request (DSAR)

A DSAR is a formal inquiry made to a company by a data subject inquiring what of their personal information has
been collected, stored, and used.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You
have:

▪ The right to know and access what personal information is collected, used, shared or sold
▪ The right to delete personal information held by businesses
▪ The right to request restriction of processing of your personal data
▪ The right to request the transfer of your personal data to you or to a third party
▪ The right to withdraw consent at any time where we are relying on consent to process your personal
data
▪ The right to object to processing
▪ The right to opt-out of the sale of personal information
▪ The right to non-discrimination
▪ The right to receive services on equal terms
▪ The right to correct inaccuracies
▪ The right to restrict sensitive personal information
▪ The right to opt-out of automated decision making
▪ The right of data portability

Green Street does not:

▪ Sell customer data
▪ Collect sensitive personal information as defined under CPRA
▪ Utilize automated decision-making
▪ Disclose share personal information to a “third party” as defined under CPRA
▪ Market or sell to minors

Green Street 8
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
US Federal law gives you the right to limit only:

▪ Sharing for affiliates’ everyday business purposes
▪ Affiliates from using your information to market to you
▪ Sharing for non-affiliates to market to you

State laws and individual companies may give you additional rights to limit sharing.

Formal Request

If you wish to exercise any of the rights set out above, please contact us ([email protected]). We
commit to giving you the ability to do all of the following:

UK and Europe:

▪ You can verify the details you have submitted to us by contacting our Legal and Compliance Team. Our
security procedures mean that we may request proof of identity before we reveal personal data. This is
a security measure to ensure that personal data is not disclosed to any person who has no right to
receive it. We may also contact you to ask you for further information in relation to your request to
speed up our response
▪ You can also contact us to change, correct, update or delete your personal data held by us at any time.
▪ You can request a readable copy of the personal data we hold on you at any time. To do this, please
contact us ([email protected]).

United States:

California consumers have the right to make a DSAR request to know, delete, and correct twice in a 12-month
period:

▪ To request how we collect and have used your personal information over the past 12 months.
▪ To request deletion of any personal information collected. Note, we may deny your request if retaining
the information is necessary to provide contractual service, comply with legal obligations, protect
against illegal activity, etc.
▪ To correct any inaccuracies

No fee is usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we
may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may
refuse to comply with your request in these circumstances.

Time limit to respond

UK and Europe - We try to respond to all legitimate requests within one month. Occasionally it may take us longer
than a month if your request is particularly complex or you have made a number of requests. In this case, we will
notify you and keep you updated.

United States - We will respond to a verifiable consumer written request within 45 days of its receipt. Send
requests to:

Green Street
Compliance
100 Bayview Circle, Suite 400
Newport Beach, CA 92660
Email [email protected]
Call us toll free 888-640-8780

Green Street 9
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
Once we receive and confirm your verifiable consumer request, we will disclose to you:

▪ The categories of personal information we collected about you.
▪ The categories of sources for the personal information we collected about you.
▪ Our business or commercial purpose for collecting that personal information.
▪ The specific pieces of personal information we collected about you (also called a data portability
request).

No discrimination will be brought against you for exercising these rights, including denial of service, quality of
service, or increase price of service.

Upon receipt of a request to delete personal information, a business must delete the information and direct any
service providers to delete the information from its records as well unless the business or service provider needs
the information to: (1) compute the transaction for which the personal information was collected, provide a
good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing
business relationship with the consumer, or otherwise perform a contract between the business and the
consumer; (2) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or
prosecute those responsible for that activity; (3) debug to identify and repair errors existing intended
functionality; (4) exercise free speech, ensure the right of another consumer to exercise his/her right of free
speech, or exercise another right provided for by law; (5) comply with the California Electronic Communications
Privacy Act; (6) engage in public or peer-received scientific, historical, or statistical research in the public interest;
(7) to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on
the consumer’s relationship with the business; (8) comply with a legal obligation; (9) otherwise use the
consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the
consumer provided the information.

Information Security

Green Street has adopted an Information Security Policy as an aggregate of directives, regulations, rules, and
practices that describes how the company manages, protects, and distributes information. The security
infrastructure is assessed regularly with the goal to protect our customer, employee, and proprietary
information. The firm maintains appropriate technical and organizational measures, internal controls, and
information security routines intended to protect the data exporter’s personal data. Our third-party service
providers are contracted. We have robust training program and policies and procedure that include data privacy
and cyber security.

General Data Protection Regulation (GDPR)

For European clients who contract directly with Green Streets Advisors, LLC (A U.S. entity) and UK or European
clients that contract with Green Street Advisors UK Limited, we share your personal data within the GSA Group.
This will involve transferring your data outside the European Economic Area (EEA).

GDPR applies to organizations, including non-European data controllers and processors, to the extent that they
control or process personal data of individuals who are in the EU and/or the UK.

For the purposes of the GDPR, Green Street Advisors, with regard to relevant personal data are the data
processor, and the client is the data controller. “Personal data” has the meaning given in Article 4 of the GDPR
and relates only to personal data of which we are the data processor and in relation to which we are providing
services to our customers.

Green Street will provide the following with respect to the services we provide:

Green Street 10
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 1. We will comply with our applicable obligations as a data processor under the GDPR, including those
requirements set out in Articles 28 (Processor), 29 (Processing under the authority of the controller or
processor), 31 (Cooperation with the supervisory authority) and 32 (Security of processing) of the GDPR.

2. We will notify you without undue delay after becoming aware of a relevant personal data breach and
provide reasonable assistance to you in your notification of that personal data breach to the relevant
supervisory authority and those data subjects affected as set out in Articles 33 (Notification of a
personal data breach to the supervisory authority) and 34 (Communication of a personal data breach
to the data subject) of the GDPR.

3. We will not disclose or use personal data except in accordance with your lawful instructions, to carry
out our obligations under, or as otherwise permitted pursuant to the terms of, our agreement(s) with
you and to comply with applicable law, including the GPDR.

4. We will only transfer personal data to our affiliates that have executed a data protection agreement
containing privacy and security terms that are materially similar to those contained herein.

Client contracts will be subject to model clauses which cover the following:

▪ Data exporter – Client, which purchases services from data importer and authorizes data importer to
process data exporter’s personal data for purposes of providing the services.
▪ Data importer – Green Street, which processes data exporter’s personal data upon the instruction of
the data exporter.
▪ Data subjects – Client employees

Categories of data - Business contact information

▪ Name
▪ Title
▪ Company Name
▪ Company Type
▪ Address
▪ Telephone Number
▪ Email Address
▪ Web Usage History

Processing operations - Processing will be undertaken to the extent necessary for data importer to provide
services to data exporter.

The data importer has implemented and will maintain appropriate technical and organizational measures,
internal controls, and information security routines intended to protect the data exporter’s personal data. Please
note, these procedures may also be applicable to data privacy regulations in other foreign jurisdictions. For
additional information please see the link below:
https://www.greenstreet.com/uploads/EuropeanPoliciesandDisclosures.pdf

If you would like to receive contractual clauses relevant to your relationship with us, please send a request to:
[email protected] or you may call us toll free 888-640-8780.

Data Privacy Framework (DPF)

Green Street Advisors, LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the
U.S. Department of Commerce. Green Street has certified to the U.S. Department of Commerce that it adheres
to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of
personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the
UK Extension to the EU-U.S. DPF. Green Street has certified to the U.S. Department of Commerce that it adheres
Green Street 11
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of
personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the
terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles
shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification,
please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Green Street
commits to resolve DPF Principles-related complaints about our collection and use of your personal information.
EU, UK, Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance
on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Green Street
at:

Green Street
Compliance
100 Bayview Circle, Suite 400
Newport Beach, CA 92660
Email [email protected]
Call us toll free 888-640-8780

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Green Street
commits to cooperate and comply respectively with the advice of the panel established by the EU data
protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory
Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to
unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK
Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

The Federal Trade Commission has jurisdiction over Green Street’s compliance with the EU-U.S. Data Privacy
Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework
(Swiss-U.S. DPF). Green Street is subject to the investigatory and enforcement powers of the Federal Trade
Commission (FTC).

An Individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding
DPF compliance not resolved by any of the other DPF mechanisms. Additional information can be found in Annex
I located at: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Green Street may transfer personal information to third parties acting as a controller. Green Street shall remain
liable under the DPF Principles if personal information is processed in a manner inconsistent with the DPF
Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

For California Consumers - California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

We have described above our methods for collecting and using the information necessary to operate our
business and to provide the best possible customer service. In accordance with CCPA and CPRA, listed below are
the categories of personal information relating to California residents we collect and how the data is used.

▪ Personal Identifiers, Information we receive from you on forms or through email communication,
telephone or in-person interviews, such as your name, address, phone number and title. This
information is used to communicate with clients and potential clients.
▪ Personal identifiers, including those listed in California statutes, such as full name, contact names, alias,
address, unique personal identifier, online identifier IP address, email or account name. This also
includes email addresses for your company employees or contact persons that you provide to us. This
is needed to administer our business, to provide you with the best possible customer service and
personalize the research and website content you receive. We also use this information to notify you of
changes to our products or website along with any other relevant company updates. Customer records

Green Street 12
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
 and professional information such as name, signature, address, telephone number, job title, business
email address, that are used to bill for services, provide products and services, and customer contracts.
Company and employee names will also be used to run an OFAC search.
▪ Commercial Information such as purchase or licensing information, including products and services
purchased or licensed, obtained, or considered, or related histories or tendencies.
▪ Internet or other electronic network activity such as information from visitors to our website provided
through online forms, site visitor data and online information collecting devices such as “cookies.”
Green Street also collects and retains interactive user session data, such as pages visited and links
clicked, browsing and search history, or other interaction with our website and password-protected
library of data and products. This information is used to better understand your use of the site and
improve our products, services, and user experience.
▪ Geolocation data, such as regional IP addresses, are not used for tracking consumer location and
movements.
▪ Sensory data, Audio and visual data generated when you opt-in to video recordings. This is used for the
purpose of customer service, customer presentations and training. This is not used for identification.
▪ Professional or employment- related information, we track when a user moves companies to
deactivate their subscription and/or prospecting purposes.
▪ Inferences drawn from personal, or customer information is for Green Street commercial use only.
Green Street will make inferences based upon customer details as to which of our products may be
useful. We do not use any automated decision-making technology.

Green Street does not collect, or process customers’ sensitive data as defined under CPRA. Data collected by
Green Street is limited to the information needed to provide the services contracted between Green Street and
the customer.

Please see your rights under the CCPA/CCPR listed above under the heading Your Legal Rights and Data Subject
Access Request (DSAR)

Keeping Current with our Privacy Policy

Green Street will provide notice of our privacy policy annually, as long as you maintain an ongoing relationship
with us. If, at any time in the future, it is necessary to disclose any of your nonpublic personal information in a
way that is inconsistent with this policy, we will give you advance notice of the proposed change so that you may
have the opportunity to opt out of such disclosure. Additionally, since this policy may change from time to time,
you can always review our current policy by contacting us for a copy at: (949) 640 – 8780 or visiting our website
at www.greenstreet.com.

Contact Details

Robyn Francis, Chief Compliance Officer, and Data Protection Officer is responsible for the maintenance and
update of this privacy policy and Green Street’s data privacy efforts. Should you have any questions in relation
to this privacy policy, please contact Compliance in the US by email [email protected] or call us at
(949) 640-8780. Contact UK compliance at [email protected] or by calling our UK office at
+44 (0)203 793 7000. These contact details are that of the controller if Green Street should process in that
capacity.

Information Commissioner’s Office (ICO)
For more information or to make a complaint in the UK regarding your rights and data protection, please contact
your local supervisory authority at www.ico.org.uk

DataRep

Green Street processes the personal data of individuals in the European Union, European Economic Area and
Switzerland and has appointed DataRep as its Data Protection Representative for the purposes of GDPR and

Green Street 13
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
FADP. If you would like to raise a question to Green Street or otherwise exercise your rights in respect to your
personal data, you may contact DataRep for all regions by email at [email protected] quoting Green
Street Advisors (UK) Ltd in the subject line. You may also visit the DataRep website here:
www.datarep.com/datarequest.

Inquiries may also be mailed and addressed to DataRep at the following addresses:
DataRep (GDPR)
3rd and 4th Floor
Altmarkt 10 B/D
Dresden, 01067, Germany

DataRep (Swiss FADP)
Leutschenbachstrasse 95
ZURICH, 8050, Switzerland

DataRep
Rue des Colonies 11
Brussels, 1000, Belgium

*It is essential that you mark your letters for ‘DataRep’ and ensure that in the correspondence you refer to Green
Street Advisors (UK) Ltd.

** DataRep does not represent TA Associates and Welsh, Carson, Anderson & Stowe

It is important that the personal data we hold about you is accurate and current. Please keep us informed if
your personal data changes during your relationship with us.

Green Street Affiliated Companies

The following is a list of all companies affiliated with Green Street to which this policy applies:

▪ Green Street Advisors (UK) Limited
▪ TA Associates
▪ Welsh, Carson, Anderson & Stowe

Cyber Security

Green Street makes Cyber Security a top priority to ensure protection for both its customer information and
proprietary data. Our policy has been structured by considering risk, business operations, IT infrastructure and
critical information for the prevention of business breaches. Industry practices are followed as it relates to IT
processes and procedures for prevention and action plans. Recurring security tests are performed on IT
infrastructure and business dependencies to achieve maximum protection against threats. Testing is done by
external vendors to ensure the latest threats and vulnerabilities are evaluated against the business. Testing is
intrusive at all levels of hardware and software for both internal and external facing equipment. Green Street’s
staff also performs reviews of infrastructure on a scheduled basis. Real-time monitoring is in place for IT related
systems to ensure action can be taken promptly. Latest software releases and patches are applied to systems
as they become available. If a cyber-attack were to occur, our procedures are tailored to stop, contain, maintain
business operations, escalate to authorities and reevaluate security practices.

General Disclosure

While Green Street offers some regulated investment advisory services through its U.S. and U.K. companies,
the U.S. and Canada Research, Data, and Analytics, the U.K. Data products, and Green Street global News
products are not provided in the capacity of an investment advisor or a fiduciary. The organization maintains

Green Street 14
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
information barriers to ensure the independence of its non-regulated businesses from the regulated services
provided by Green Street.
____________________________________________________________________________________________

Advisory Disclosure

Green Street US Advisory is a California registered investment adviser regulated by the Department of Financial
Protection and Innovation. Green Street Advisors (UK) Ltd., is authorized and regulated by the Financial Conduct
Authority (FRN 482269). Services are only offered to clients or perspective clients where Green Street and its
advisory representatives are properly licensed or exempt from licensure.

Green Street, at times, assists Eastdil Secured, a real estate brokerage and investment bank, when Eastdil
Secured provides investment banking services to companies in Green Street’s Research coverage universe.
Green Street is never part of the underwriting syndicate or the selling group, but Green Street may receive
compensation from Eastdil Secured for consulting services that Green Street provides to Eastdil Secured related
to Eastdil Secured's investment banking services. Green Street does not control, have ownership in, or make any
business or investment decisions for, Eastdil Secured.

Green Street does not directly engage in investment banking, underwriting or advisory work with any of the
companies in our research coverage universe. However, Green Street’s investment advisory practice services
investors seeking to acquire interests in publicly traded companies. Green Street may provide such valuation
services to prospective acquirers of companies which are the subject(s) of Green Street’s research reports.

Important Information about Procedures for New Advisory Customers

To help the government fight the funding of terrorism and money laundering activities, along with Green Street’s
Customer Identification Program we are required to obtain, verify, and record information that identifies each
new customer.

What this means for you: the Advisory Services Group will ask for information that will allow us to identify you.
We will request articles of incorporation, a business license, partnership agreement or a W-9. We will also
compare your information against government contact lists such as the Office of Foreign Assets Control (OFAC).

ADV Part 2
Green Street’s Form ADV Part 2 is available in hard copy or electronic form upon request. Alternatively, you can
obtain a copy at http://adviserinfo.sec.gov under ‘Part 2 Brochures’.
____________________________________________________________________________________________

Complaints

If you have any complaints, please send them to:

Green Street
Attention: Compliance
100 Bayview Circle, Suite 400
Newport Beach, CA 92660
949-640-8780

Green Street 15
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
Conflicts of Interest Disclosure

Management of Conflicts of Interest: Conflicts of interest can seriously impinge the ability of Green Street
employees to do their job. In that spirit, Green Street adheres to the following policies regarding conflicts of
interest:

▪ Green Street employees are prohibited from actively trading the shares of any company in our coverage
universe.
▪ Green Street employees do not serve as officers or directors of any of our subject companies.
▪ Neither Green Street nor its employees/analysts receive any compensation from subject companies for
inclusion in our research.
▪ On occasion, Green Street analysts may be contacted by companies within the firm’s coverage universe
regarding potential employment opportunities. Additional disclosure will be made when appropriate.

A number of companies covered by Green Street research reports pay an annual fee to receive Green Street’s
research reports. Green Street may periodically solicit this business from the subject companies. In the
aggregate, annual fees for Green Street US and Green Street UK research reports received from subject
companies represent approximately 3% of each of Green Street US’s and Green Street UK's respective total
revenues.

Green Street publishes research reports covering issuers that may offer and sell securities in an initial or
secondary offering.

Green Street US generally prohibits research analysts from sending draft research reports to subject companies.
However, it should be presumed that the analyst(s) who authored this report has(/have) had discussions with
the subject company to ensure factual accuracy prior to publication and has(/have) had assistance from the
company in conducting due diligence, including visits to company sites and meetings with company
management and other representatives.

Green Street 16
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773
Business Continuity Policy

Green Street has developed a Business Continuity Plan to address how we will respond to events that could
significantly disrupt our business whether the disruption is due to weather, health or some other unforeseen
circumstance. Since the timing and impact of disasters and disruptions are unpredictable, we will be flexible in
our approach to actual events as they occur. With that in mind, we are providing you with this general
information on our Business Continuity Plan.

Contacting Us

During a significant business disruption, you can contact us via email or by phone at (949) 640-8780. Green
Street will also post relevant updates on its website www.greenstreet.com as information becomes available.

Our Business Continuity Plan

We plan to quickly recover and resume business operations after a significant business disruption and respond
by safeguarding our employees and property, making financial and operational assessments, protecting the
organization’s proprietary information, and allowing our customers access to our platform. In short, our
business continuity plan is designed to permit our organization to resume operations as quickly as possible, given
the scope and severity of the disruption.

Our business continuity plan addresses data backup and recovery, mission critical systems, financial/operational
assessments, regulatory reporting and alternative communications with customers, employees, regulators,
critical suppliers, and third-party service providers.

Varying Disruptions and Pandemics

Significant business disruptions can vary in their scope, such as an event that only impacts Green Street, a single
building housing one of our office locations, the business district where one of our offices may be located, a city
where we house a location, or the whole region. Within each of these areas, the severity of the disruption can
also vary from minimal to severe. If the disruption is localized to Green Street, we will operate remotely and
expect to resume business as soon as possible. If a disruption affects our business district, city, or region, our
employees will work remotely. In the event of a pandemic illness, Green Street will follow the guidelines set
forth by the CDC or other relevant authority regarding spread prevention, travel restrictions and alternative
working arrangements. If employees are ill or have been exposed to the specific virus (illness), they are required
to stay home and self-quarantine. The health of our employees is of the utmost importance and Green Street
will consider whether it is in their best interest to temporarily close any given location. Green Street’s Senior
Leadership Team will make these necessary determinations should this situation arise. In all situations, Green
Street will make IT infrastructure a top priority to support our staff that may need to work remotely for a
prolonged period.

For more information

If you have questions about our business continuity planning or need additional information regarding the plan
in its entirety, you may contact Robyn Francis, Chief Compliance Officer (949) 640-8780 or via email at
[email protected].

Please note that our Business Continuity Plan is subject to modification –updates will be posted as needed.

Green Street 17
100 Bayview Circle, Suite 400, Newport Beach, CA 92660
T 949.640.8780 F 949.640.1773