CAMBIUM GLOBAL TIMBERLAND LIMITED

PRIVACY NOTICE

Cambium Global Timberland  Limited (incorporated in the Island of Jersey  as a closed-ended investment company limited by
shares with registered number 95719  as a closed-ended collective
investment scheme with the JFSC and the Shares are listed on the Alternative
Investment Market (“AIM”) a market of the London Stock Exchange  (the “Company“,
we“, “us” or “our“) is
committed to protecting the privacy of individuals whose data it processes (“you
or “your“).

Structure of this notice

This privacy notice is provided in a layered format so you
can click through to the section which relates to the information that we collect
about you below. [Alternatively you can download a pdf version of the privacy
notice here]

1.         IMPORTANT
INFORMATION AND WHO WE ARE

2.         CATEGORIES
OF DATA SUBJECTS

(A)        INVESTORS

(B)        VISITORS
TO OUR WEBSITE

3.         DISCLOSURES
OF YOUR PERSONAL DATA

4.         INTERNATIONAL
TRANSFERS

5.         DATA
SECURITY

6.         YOUR LEGAL
RIGHTS

7.         FURTHER
INFORMATION

1.         IMPORTANT
INFORMATION AND WHO WE ARE

Cambium Global Timberland  Limited (the “Company“,
we“, “us” or “our“) is
committed to protecting the privacy of individuals whose data it processes
(“you” or “your“) as a controller of data
relating to shareholders and/or potential investors in the Company.

This privacy notice aims to give you information on how the
Company collects and processes your personal data as a controller of data
supplied by shareholders and potential investors in connection with holdings
and/or investing in the Company including through your use of this website, by signing
up to our newsletter and/or by sending us correspondence.

In addition, it outlines your data protection rights under
the EU data protection regime introduced by the General Data Protection
Regulation (Regulation 2016/679) (the “GDPR“) and the Data Protection
(Jersey) Law, 2018 (the “New DPL“) (the GDPR and the New DPL
together constituting the “Data Protection Laws“).

This website is not intended for children and we do not
knowingly collect data relating to children.

Please contact the Company c/o Praxis Fund Services(Jersey)
Limited at Charter Place, 23/27 Seaton Place, St Helier, Jersey, JE1 1JY,
Channel Islands(marked for the attention of the The Data Protection Manager) or
by email to DPM.PF[email protected]if you have any queries in relation to the processing of your personal
data under this notice
. The Company may from time to time update this notice.
Please refer back to this page regularly to see any changes or updates to this notice.

2.         CATEGORIES
OF DATA SUBJECTS

(A)        INVESTORS

The following section of this notice sets out how the
Company, as controller of personal data supplied by, and collected in relation
to, shareholders and potential investors in the Company, will process such personal
data.

We may hold personal data about investors in the Company which
is provided to us by you directly as a result of your holding and/or investment
in the Company (by completing application forms, through our website, telephone
calls and/or corresponding with us) or which is provided to us by third parties
including [tax authorities, government and competent regulatory
authorities to whom we have regulatory obligations, publically available
directories and sources, background check providers and credit, fraud and
detection agencies and bankruptcy registers][1].
We may also process personal data about individuals that are connected
with you as an investor (for example directors, trustees, employees,
representatives, beneficiaries, shareholders, investors, clients, beneficial
owners or agents).

In connection with your holding and/or investment in the
Company, we may collect, store, and use the following categories of personal
information about you:

•           information
obtained from identification documentation (including name, former names,
title, gender, contact details, including address, telephone number, personal
email address, fax number, date and place of birth, nationality and national
identify numbers (where applicable));

•           employment
history, qualifications, professional memberships, income and personal wealth, and
details relating to your investment activity;

•           professional
references;

•           tax
status and tax identification numbers;

•           shareholder
reference number (SRN) (where applicable);

•           bank
account details, including bank name, account number and sort code;

•           power
of attorney details (where applicable);

•           other
information provided to conduct AML/CFT checks.

Your personal data may be processed by the Company or its
sub-processors (or any of their affiliates, agents, employees, delegates or
sub-contractors) for the following purposes:

(a)        to
provide you with information on the Company (including performance updates),
which is being carried out to pursue the Company’s legitimate interests;

(b)        to
allow us to administer and manage your holding in the Company (including fee
calculations and the payment of dividends) which are necessary for the Company
to comply with applicable laws and/or in its legitimate interest;

(c)        to
update and maintain records for the Company, including maintaining statutory
registers, which is necessary to comply with the Company’s legal obligations;

(d)        to
carry out anti-money laundering checks and other actions in an attempt to detect,
prevent, investigate and prosecute fraud and crime, which the Company considers
necessary for compliance with the Company’s legal obligations, for the performance
of a task being carried out in the public interest and/ or to pursue the Company’s
legitimate interests (including for the prevention of fraud, money laundering, sanctions,
terrorist financing, bribery, corruption and tax evasion);

(e)        to
prepare tax related information in order to report to tax authorities in
compliance with a legal obligation to which the Company is subject;

(f)         to
scan and monitor emails sent to us (including attachments) for viruses or
malicious software, to process and encrypt personal data to protect and manage email
traffic, and to store personal data on our systems to pursue our legitimate
interests including for document retention purposes; and

(g)        such
other actions as are necessary to manage the activities and/or to comply with
the legal obligations of the Company, including by processing instructions, [monitoring
and recording electronic communications (including telephone calls and emails)
for quality control, analysis and training purposes][2]
and enforcing or defending the rights and/or interests of the Company, in order
to comply with the Company’s legal obligations and/or to pursue the Company’s’ legitimate
interests.

Where such processing is being carried out on the basis
that it is necessary to pursue the Company’s legitimate interests, such
legitimate interests are not overridden by your interests, fundamental rights
or freedoms. Such processing may include the use of your personal data for the
purposes of sending you electronic marketing communications, in relation to
which you can at any time subscribe by following the instructions contained in
each marketing communication.

The Company does not anticipate being required to obtain
your consent for the processing of your personal data as listed above. If the
Company wishes to use your personal data for other purposes which do require
your consent, the Company will contact you to request this.

We will only retain your personal data for as long as
necessary to fulfil the purposes we collected it for, including for the
purposes of satisfying any legal, accounting, or reporting requirements. To
determine the appropriate retention period for personal data, we consider the
amount, nature, and sensitivity of the personal data, the potential risk of
harm from unauthorised use or disclosure of your personal data, the purposes
for which we process your personal data and whether we can achieve those purposes
through other means, and the applicable legal requirements. [Details of
retention periods for different aspects of your personal data are available in
our retention policy which you can request from us by contacting us at c/o
Praxis Fund Services (Jersey) Limited Charter Place, 23/27 Seaton Place,
St Helier, Jersey, JE1 1JY, Channel Islands (marked for the attention of the
The Data Protection Manager) or by email to  [email protected]

 (B)       VISITORS
TO OUR WEBSITE

The following section of this notice sets out how the
Company may process personal data (as a controller) about visitors to its
website.

We may collect, use, store and transfer different kinds of
personal data about you which you provide to us though our website: name, date
of birth, address, email address, telephone numbers, technical data (including
internet protocol (IP) address, your login data, browser type and version, time
zone setting and location, browser plug-in types and versions, operating system
and platform and other technology on the devices you use to access this
website, usage data (including information about how you use our website,
products and services, and marketing and communications preferences (including
your preferences in receiving marketing from us and your communication
preferences).

[We do not collect any sensitive personal data or special categories
of personal data about you through our website (this includes details about
your race or ethnicity, religious or philosophical beliefs, sex life, sexual
orientation, political opinions, trade union membership, information about your
health and genetic and biometric data). Nor do we collect any information about
criminal convictions and offences

We use different methods to collect data from and about
you including through:


direct interactions with you, including by filling in forms. This
includes personal data you provide when you subscribe to our publications
and/or request marketing to be sent to you.


Automated technologies or interactions. As you interact with our
website, we may automatically collect technical data about your equipment,
browsing actions and patterns. We collect this personal data by using cookies,
[server logs] and other similar technologies. Technical data from the following
parties:

(a)        analytics
providers such as Google based outside the EU;

 (b)       search
information providers https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-Cloudflare-cfduid-cookie-do-

We will use your personal data in the following
circumstances: where it is necessary for our legitimate interests, or those of
a third party (including in relation to the sending of electronic marketing
communications) and where your interests and fundamental rights are not
overridden by those interests, or where we need to comply with a legal or
regulatory obligation.

Your personal data may be processed by the Company or its
sub-processors (or any of their affiliates, agents, employees, delegates or
sub-contractors) for the following purposes:

•           to
send you updates on the performance of the Company, newsletters, invitations to
events and other electronic marketing communications which we will do (a) on
the basis of our legitimate interests if you are an investor in the Company or
if we are sending electronic marketing communications to corporate subscriber
email addresses (eg [email protected]) or (b) with your consent;

•           to
use data analytics to improve our website, marketing, customer experiences on
the basis of our legitimate interests;

•           to
comply with legal or regulatory requirements;

•           to
scan and monitor emails sent to us (including attachments) for viruses or malicious
software, to process and encrypt personal data to protect and manage email
traffic, and to store personal data on our systems to pursue our legitimate
interests including for document retention purposes; and

•           such
other actions as are necessary to manage the activities of the Company,
including by processing instructions, [monitoring and recording electronic
communications (including telephone calls and emails) for quality control,
analysis and training purposes] and enforcing or defending the rights and/or
interests of the Company, in order to comply with their legal obligations
and/or to pursue their legitimate interests.

If we consider it necessary to obtain your consent in
relation to the use of your personal data (such as for sending emails to individuals
that have not invested in the Company), we will contact you to request this
consent. In such circumstances, we will provide you with full details of the
personal data that we would like and the reason we need it, so that you can
carefully consider whether you wish to consent. If you decide to provide your
consent, you have the right to withdraw your consent at any time, although that
will not affect the lawfulness of processes based on consent before its
withdrawal. To withdraw your consent or to opt out of receiving marketing
communications, please contact us at c/o Praxis Fund Services (Jersey)
Limited, Charter Place, 23/27 Seaton Place, St Helier, Jersey, JE1 1JY,
Channel Islands (marked for the attention of the The Data Protection
Manager) or by email to [email protected]or
following the unsubscribe instructions included in each electronic marketing
communication. Once we have received notification that you have
withdrawn your consent, we will no longer process your information for the
purpose or purposes you originally agreed to, unless we have another legitimate
basis for doing so in law.

We will only retain your personal data for as long as
necessary to fulfil the purposes we collected it for, including for the
purposes of satisfying any legal, accounting, or reporting requirements. To
determine the appropriate retention period for personal data, we consider the
amount, nature, and sensitivity of the personal data, the potential risk of
harm from unauthorised use or disclosure of your personal data, the purposes
for which we process your personal data and whether we can achieve those
purposes through other means, and the applicable legal requirements. [Details
of retention periods for different aspects of your personal data are available
in our retention policy which you can request from us by contacting us at c/o
Praxis Fund Services (Jersey) Limited, Charter Place, 23/27 Seaton
Place, St Helier, Jersey, JE1 1JY, Channel Islands (marked for the
attention of the The Data Protection Manager) or by email to [email protected].

Where the website provides links to other websites, the
Company is not responsible for the data protection/privacy/cookie usage
policies of such other websites, and you should check these policies on such
other websites if you have any concerns about them. If you use one of these
links to leave our website, you should note that we do not have any control
over that other website. Therefore, we cannot be responsible for the protection
and privacy of any information which you provide whilst visiting a linked
website and such websites are not governed by this notice. You should always
exercise caution and review the privacy policy applicable to the website in
question.

Cookies: A cookie is a small file which asks
permission to be placed on your computer. Once you agree, the file is added and
the cookie helps analyse web traffic or lets you know when you visit a
particular website. Cookies allow web applications to respond to you as an
individual. The web application can tailor its operations to your needs, likes
and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are
being used. This helps us analyse data about web page traffic and improve our
Website by tailoring it to the needs of users. We only use this information for
statistical analysis purposes.

Overall, cookies help us provide a better website by
enabling us to monitor which pages users find useful and which they don’t. A
cookie does not give us access to a user’s computer or any information about
them, other than the data they choose to share with us.

The browsers of most computers, smartphones and other
web–enabled devices are usually set up to accept cookies. If your browser
preferences allow it, you can configure your browser to accept all cookies,
reject all cookies, or notify you when cookies are set. Each browser is
different, so check the “Help” menu of your browser to learn about how to
change your cookie preferences.

However, please remember that cookies are often used to
enable and improve certain functions on our website. [If you choose to switch
certain cookies off, it will affect how our website works and you may not be
able to access all or parts of our website.] [3]

You can set your browser to refuse all or some browser
cookies, or to alert you when websites set or access cookies. If you disable or
refuse cookies, please note that some parts of this website may become
inaccessible or not function properly.

You can find more information about the
individual cookies that we use and the purposes for which we use them below:

 

 

 

Cookie

Cookie Name

Purpose

Google Analytics

utma

 

 

 

 

 

 

 

utmb

 

 

 

 

 

 

utmc

 

 

 

 

 

utmz

Used to distinguish users
and sessions. The cookie is created when the javascript library executes and
no existing utma cookies exists. The cookie is updated every time data is
sent to Google Analytics. [Duration 2 years from set/update]

Used to determine new
sessions/visits. The cookie is created when the javascript library executes
and no existing __utmb cookies exists. The cookie is updated every time data
is sent to Google Analytics. [Duration 30mins from set/update]

Not used in ga.js. Set for
interoperability with urchin.js. Historically, this cookie operated in
conjunction with the 
__utmb cookie
to determine whether the user was in a new session/visit. [Duration end of
browser session]

Stores the traffic source or
campaign that explains how the user reached your site. The cookie is created
when the javascript library executes and is updated every time data is sent
to Google Analytics. [Duration 6 months from set/update]

 

For further details on cookies (including how to turn them
off) can be found at www.allaboutcookies.org.

3.         DISCLOSURES
OF YOUR PERSONAL DATA

We will not disclose personal information we hold about
you to any third party except as set out below.

We may disclose your personal data to other members of our
group, to third parties who are providing services to us, including IT service
providers, processors of the Company (including the investment manager, printers,
registrars, administrators, depositaries, custodians) telephone service
providers, document storage providers, backup and disaster recovery service
providers and to tax authorities, appointed tax agents, appointed professional
advisers, including legal advisers and those providing shareholder related
services, stock brokers and market makers, Banks and other regulated financial
services providers, global payment service providers, technology service
providers used in the administration (including voting arrangements) of company
AGMs, EGMs and other statutory meetings, registry and depositary interest
service providers, corporate sponsored nominee service providers and their
authorised sub-processors.

We may also disclose personal data we hold to third
parties:

(a)        in
the event that we sell any business or assets, in which case we may disclose
personal data we hold about you to the prospective and actual buyer of such
business or assets; and/or

(b)        if
we are permitted by law to disclose your personal data to that third party or
are under a legal obligation to disclose your personal data to that third
party.

4.         INTERNATIONAL
TRANSFERS

The Company is a controller incorporated in Jersey and as
such will be bound to comply with the New DPL. As the Company will be processing
personal data of shareholders and potential investors who are in the European
Union, the Company will also be required to comply with the GDPR. The New DPL
substantially mirrors the requirements of the GDPR in relation to the
processing of personal data and it is hoped that Jersey’s existing adequacy
ruling by the European Commission for data protection purposes will be
unaffected or reconfirmed.

Some of the external service providers used by the Company
are based in jurisdictions outside of Jersey and the European Economic Area
(EEA) that are not deemed to have data protection frameworks that are
equivalent to those of the EEA or are not designated jurisdictions under Jersey
data protection legislation so their processing of your personal data will
involve a transfer of data outside the EEA.

Whenever your personal data is transferred out of the EEA
by us, we ensure a similar degree of protection is afforded to it by ensuring at
least one of the following safeguards is implemented:

•           We
will only transfer your personal data to countries that have been deemed to
provide an adequate level of protection for personal data by the European
Commission. For further details, see European Commission: Adequacy of the
protection of personal data in non-EU countries.

•           Where
we use certain service providers, we may use specific contracts approved by the
European Commission which give personal data the same protection it has in
Europe. For further details, see European Commission: Model contracts for the
transfer of personal data to third countries.

•           Where
we use providers based in the US, we may transfer data to them if they are part
of the Privacy Shield which requires them to provide similar protection to
personal data shared between the Europe and the US. For further details, see
European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the
specific mechanism used when transferring your personal data out of the EEA.

 

 

5.         DATA
SECURITY

The Company has put in place measures to ensure the
security of the personal data it collects and stores about you. It will use its
reasonable endeavours to protect your personal data from unauthorised
disclosure and/or access, including through the use of network and database
security measures, but it cannot guarantee the security of any data it collects
and stores.

We have put in place appropriate security measures to
prevent your personal data from being accidentally lost, used or accessed in an
unauthorised way, altered or disclosed. In addition, we limit access to your
personal data to those employees, agents, contractors and other third parties
who have a business need to know. They will only process your personal data on
our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected
personal data breach and will notify you and any applicable regulator of a
breach where we are legally required to do so.

6.         YOUR
LEGAL RIGHTS

In certain
circumstances, by law you have the right to:

•           Request
access to your personal information (commonly known as a “data subject
access request”). This enables you to receive a copy of the personal
information we hold about you and to check that we are lawfully processing it.

•           Request
rectification (correction) of the personal information that we hold about you
without undue delay. This enables you to have any incomplete or inaccurate
information we hold about you corrected.

•           Request
erasure of your personal information without undue delay. This enables you to
ask us to delete or remove personal information where there is no good reason
for us continuing to process it. You also have the right to ask us to delete or
remove your personal information where you have exercised your right to object
to processing (see below).

•           Object
to processing of your personal information where we are relying on a legitimate
interest (or those of a third party) and there is something about your
particular situation which makes you want to object to processing on this
ground. You also have the right to object where we are processing your personal
information for direct marketing purposes.

•           Request
the restriction of processing of your personal information. This enables you to
ask us to suspend the processing of personal information about you, for example
if you want us to establish its accuracy or the reason for processing it.

•           Data
portability and to request the transfer of your personal information to another
party.

•           Receive
personal data in a structured, commonly used and machine-readable format.

•           Notification
of rectification, erasure and restrictions.

•           Withdraw
your consent. If we are processing your personal data on the basis of your consent,
you have the right to withdraw such consent at any time. Withdrawing your
consent will not affect the lawfulness of processes based on consent before its
withdrawal. To withdraw your consent or to opt out of receiving marketing
communications, please contact us at c/o Praxis Fund Services (Jersey)
Limited, Charter Place, 23/27 Seaton Place, St Helier, Jersey, JE1 1JY,
Channel Islands (marked for the attention of the The Data Protection
Manager) or by email to [email protected]or
follow the unsubscribe instructions included in each electronic marketing
communication. Once we have received notification that you have
withdrawn your consent, we will no longer process your information for the
purpose or purposes you originally agreed to, unless we have another legitimate
basis for doing so in law.

•           The
right to lodge a complaint and the right to judicial review in certain
situations.

If you wish to exercise any of the rights set out above, please
contact us in writing at c/o Praxis Fund Services (Jersey) Limited,
Charter Place, 23/27 Seaton Place, St Helier, Jersey, JE1 1JY, Channel Islands (marked
for the attention of the The Data Protection Manager) or by email to [email protected].

You will not have to pay a fee to access your personal
data (or to exercise any of the other rights). However, we may charge a
reasonable fee if your request is clearly unfounded, repetitive or excessive.
Alternatively, we may refuse to comply with your request in these
circumstances.

We may need to request specific information from you to
help us confirm your identity and ensure your right to access your personal
data (or to exercise any of your other rights). This is a security measure to
ensure that personal data is not disclosed to any person who has no right to
receive it. We may also contact you to ask you for further information in relation
to your request to speed up our response.

We try to respond to all legitimate requests within one
month. Occasionally it may take us longer than a month if your request is
particularly complex or you have made a number of requests. In this case, we
will notify you and keep you updated.

You have the right to make a complaint at any time to the Office
of the Information Commissioner Commissioner the Jersey supervisory authority
for data protection issues (https://oicjersey.org)/). We would, however,
appreciate the chance to deal with your concerns before you approach the ODPC
so please contact us in the first instance at our address given below.

7.         FURTHER
INFORMATION

If you have any queries about this notice or your personal
data, or you wish to submit an access request or raise a complaint about the
way your personal data has been handled, please do so in writing and address
this to us c/o Praxis Fund Services (Jersey) Limited, Charter Place, 23/27
Seaton Place, St Helier, Jersey, JE1 1JY, Channel Islands (marked for the
attention of the The Data Protection Manager) or by email to  [email protected]

Issues or concerns individuals have regarding their
personal data can also be brought to the attention of the ODPC. The details of
the ODPC are set out below.

The Office of the Information Commissioner

Office of
the Information Commissioner

4th Floor

1 Liberty
Place

St Helier

Jersey

JE2 3NY

Email: [email protected]

Telephone: +44 (0)1534 716530

Cambium Global Timberland Limited is incorporated in the
Island of Jersey under the Companies (Jersey) Law, 1991, as amended, as a close
ended investment company limited by shares with registered number 95719 and
registered as a registered closed-ended collective investment scheme with the JFSC.

Data Protection and Privacy Policy

December 2019

You can download a pdf version of the privacy
notice here