What does REinfinite Ltd do?

REinfinite Ltd delivers biophilic and neuroarchitectural development across UK and European markets. The division manages development methodology and sources delivery partners across residential, commercial, mixed-use, and hospitality programmes. Biophilic design patterns and neuroarchitectural research set the measurable thresholds that govern how competing programme types share a site. All projects are ESG-benchmarked from design stage.

What is biophilic design and how does REinfinite Ltd apply it?

Every masterplan begins with an ecological baseline. Wilson's biophilia hypothesis established the premise: human wellbeing is inseparable from the natural systems that surround it. Stress recovery and attention restoration research provide the evidence base. Terrapin Bright Green's 14 patterns of biophilic design — including dynamic and diffuse light, prospect and refuge, material connection with nature — set measurable thresholds. Neuroarchitectural research (ANFA) translates those patterns into design criteria tested at each stage.

What is REinfinite Ltd's development methodology?

Development decisions at REinfinite Ltd follow a five-stage methodology: site selection, design integration, construction management, handover, and ecological integration. Each stage is governed by quantitative thresholds established at feasibility. Programmes that do not clear all three scenarios at the screening stage do not advance.

How does REinfinite Ltd approach construction delivery?

Precision delivery is a design philosophy, not a staffing model. Construction methodology is selected per-programme — modular fabrication, off-site manufacturing, traditional craft, or hybrid approaches are evaluated against site conditions and programme constraints. Deviation from forecast is tracked through structured reporting frameworks. The method follows the programme, not the other way around.

What types of assets does REinfinite Ltd develop?

REinfinite Ltd develops residential, commercial, mixed-use, and hospitality assets. Mixed-use development is governed by biophilic and neuroarchitectural principles — each condition tested against defined thresholds at design stage. Emerging capabilities include data centres and hospitality, where sector entry is conditional on measured demand tested against defined thresholds.

How does REinfinite Ltd integrate ESG into development?

ESG benchmarks are embedded from design stage through operation. Every material choice and system specification is evaluated against a thirty-year performance horizon. Post-occupancy monitoring tracks ESG performance, operational efficiency, and tenant wellbeing against design-stage targets. Post-occupancy data informs every subsequent project.

What is neuroarchitecture and how is it used by REinfinite Ltd?

Neuroarchitectural spatial planning is informed by ANFA (Academy of Neuroscience for Architecture) research. Biophilic and neuroarchitectural principles are embedded from concept — not applied after the fact. Daylight modelling informs orientation and floor plan geometry. Acoustic performance is resolved between programme types at design stage. Material lifecycle analysis evaluates every specification against long-term performance.

What is REinfinite Ltd's approach to lifecycle stewardship?

Completion is not the end of accountability. Every asset transitions through a structured handover into long-term stewardship. Performance benchmarks established at design stage become the monitoring framework for the operating life of the building. Every material choice and system specification is evaluated against a thirty-year performance horizon.

How does site selection work?

Every project begins with quantitative screening. Structural demand drivers, planning risk, supply-side constraints, and exit liquidity are modelled before capital is committed. If the thesis does not survive base case, downside, and severe downside scenarios, the opportunity does not advance.

Is REinfinite Ltd part of a larger group?

REinfinite Ltd is the Development & Construction division of REinfinite Group. The Group operates four divisions covering development, investment management, asset stewardship, and quantitative research. Full Group structure is available at reinfinitegroup.com.

Privacy Policy

REinfinite Ltd — Company No. 14911131

Registered in England & Wales

Last Updated: 01 April 2026

Part 1 — Data Protection Policy Wrapper

1. Definitions and Interpretation

1.1 In this Policy, the following terms shall have the meanings set out below:

“Data Protection Legislation” means, as applicable and in force from time to time: (a) the UK General Data Protection Regulation (as defined in section 3(10) of the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”); (b) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”), to the extent applicable to processing of personal data of individuals in the European Economic Area; (c) the Data Protection Act 2018 (“DPA 2018”); (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR 2003”), as amended; and (e) the Data (Use and Access) Act 2025 (“DUAA 2025”), as amended or supplemented from time to time.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Subject” means an identified or identifiable natural person to whom personal data relates, as defined in Article 4(1) UK GDPR.

“EEA” means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR and the equivalent provision of the EU GDPR.

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction, as defined in Article 4(2) UK GDPR.

“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, as defined in Article 9(1) UK GDPR.

2. Obligations When Providing Personal Data About Third Parties

2.1 Where you provide REINFINITE LTD with personal data relating to another individual (including, without limitation, a joint investor, beneficial owner, authorised representative, or nominee), you confirm that:

(a) you have brought this Policy to the attention of that individual prior to providing their personal data to us;

(b) you have obtained any consent required, or are otherwise entitled, to disclose that individual’s personal data to us; and

(c) the individual is aware of and has accepted the manner in which REINFINITE LTD may use their personal data as described in this Policy.

2.2 REINFINITE LTD will provide the information required under Articles 13 and 14 UK GDPR (and, where applicable, EU GDPR) to individuals whose personal data we receive from third parties, save where an exemption applies under the Data Protection Legislation.

3. Data Subject Rights — General Obligations

3.1 REINFINITE LTD acknowledges and facilitates the exercise of Data Subject rights under: (i) Articles 15 to 21 UK GDPR (and, where applicable, the equivalent provisions of EU GDPR); and (ii) Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025, which replaced Article 22 UK GDPR — noting that Article 22 EU GDPR continues to apply for any processing subject to EU GDPR jurisdiction), including:

(a) the right of access (Article 15);

(b) the right to rectification (Article 16);

(d) the right to restriction of processing (Article 18);

(e) the right to data portability (Article 20);

(f) the right to object (Article 21);

(g) rights in relation to automated decision-making and profiling (Articles 22A to 22D UK GDPR, as substituted by the Data (Use and Access) Act 2025); and

(h) the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

3.2 Requests to exercise any of the above rights should be directed to the data protection contact at the contact details set out in §2 of Part 2 of this Policy. REINFINITE LTD will respond to all valid requests within one calendar month of receipt, save where the complexity or number of requests warrants an extension of up to two further months, in which case the data subject will be notified accordingly.

Part 2 — Privacy Policy

§1 About This Policy

1.1 This Privacy Policy (the “Policy”) sets out the basis on which REINFINITE LTD (“we”, “us”, “our”), a company incorporated in England and Wales with company number 14911131, collects, uses, stores, and otherwise processes personal data in connection with the website re-infinite.com and the services provided thereunder.

1.2 REINFINITE LTD is the sole Data Controller in respect of personal data processed through re-infinite.com and in connection with the services described in this Policy. REINFINITE LTD determines the purposes and means of such processing and is responsible for compliance with the Data Protection Legislation.

1.3 This Policy applies to all individuals whose personal data we process, including prospective and current investors, clients, website visitors, counterparties, and other persons with whom we interact in the course of our business.

1.4 This Policy should be read alongside any other notices or terms provided to you at the point of collection of your personal data. In the event of any conflict between this Policy and any such notice, the more specific notice shall prevail.

1.5 We encourage you to read this Policy carefully before using our website or services.

§2 How to Contact Us

2.1 REINFINITE LTD is the Data Controller for the purposes of the Data Protection Legislation.

2.2 Our registered address and principal place of business is:

REINFINITE LTD

164 New Cavendish Street, London W1W 6YT

England

2.3 All data protection enquiries, requests to exercise data subject rights, and complaints should be directed to our data protection contact by email at: compliance@re-infinite.com

2.4 We do not operate a dedicated telephone line for data protection enquiries. All communications should be submitted in writing to the email address set out at §2.3 above or to our registered address at §2.2 above.

§3 What Personal Data Do We Collect

3.1 We collect and process the following categories of personal data, depending on the nature of your relationship with us:

(a) Identity Data
Full name, date of birth, nationality, and, where required for anti-money laundering, counter-terrorist financing, or know-your-customer purposes (“AML/KYC”), copies of passport, national identity card, or other government-issued identification documents.

(b) Contact Data
Postal address, email address, and, where provided, telephone number.

(c) Professional Data
Job title, employer, professional qualifications, and capacity in which you engage with us (e.g. individual investor, corporate representative, financial adviser).

(d) Financial and Tax Data
Bank account details, investment amounts, tax identification numbers, national insurance numbers, and information required for compliance with the Foreign Account Tax Compliance Act (“FATCA”) and the Common Reporting Standard (“CRS”).

(e) Transaction Data
Records of investments made, distributions received, and other financial transactions conducted through or with us.

(f) Compliance Data
Information collected to satisfy our obligations under applicable AML, KYC, sanctions screening, and related regulatory requirements.

(g) Technical Data
IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology identifiers on the devices used to access re-infinite.com.

(h) Usage Data
Information about how you use our website and services, including pages visited, links clicked, and referral sources.

3.2 We do not intentionally collect Special Categories of Personal Data unless strictly necessary and with an appropriate legal basis. Where such data is collected, we will notify you separately.

3.3 Where you fail to provide personal data that we are required by law or contract to collect, we may be unable to provide the relevant services to you or to comply with our legal obligations.

§4 How Do We Use the Personal Data

4.1 We use the personal data we collect for the following purposes:

(a) Eligibility Assessment
To assess whether you are eligible to participate in investment opportunities or services offered by us, including verification of investor status and suitability.

(b) Participation and Onboarding
To process your application, execute agreements, and administer your participation in investment structures or services.

(c) Regulatory Reporting
To fulfil our reporting obligations under applicable law, including FATCA, CRS, AML legislation, and other statutory or regulatory requirements.

(d) Distributions and Payments
To process and administer distributions, redemptions, and other financial transactions to which you are entitled.

(e) Service Delivery
To provide, manage, and administer the services you have requested or to which you are entitled, including investor relations and portfolio reporting.

(f) Service Improvement
To analyse usage of our website and services in order to improve their functionality, content, and user experience.

(g) Marketing Communications
To send you information about our products, services, and investment opportunities where you have consented to receive such communications or where we have another lawful basis to do so.

(h) Legal Compliance
To comply with our legal and regulatory obligations, including obligations under the Data Protection Legislation, AML legislation, tax law, and applicable financial regulation.

(i) Defence of Legal Claims
To establish, exercise, or defend legal claims to which we are or may become a party.

§5 Legal Bases for Processing

5.1 We process personal data only where we have a lawful basis to do so under the Data Protection Legislation. The legal bases upon which we rely are as follows:

(a) Performance of a Contract (Article 6(1)(b) UK GDPR)
Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This basis applies to purposes §4.1(a), §4.1(b), §4.1(d), and §4.1(e) above.

(b) Legal Obligation (Article 6(1)(c) UK GDPR)
Processing is necessary for compliance with a legal obligation to which we are subject. This basis applies to purposes §4.1(c) and §4.1(h) above, including obligations under AML legislation, FATCA, CRS, and the DPA 2018.

(c) Consent (Article 6(1)(a) UK GDPR)
Where we rely on your consent as the legal basis for processing, including in relation to marketing communications under purpose §4.1(g) above, we will obtain your consent prior to processing. You may withdraw your consent at any time by contacting us at compliance@re-infinite.com. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to such withdrawal.

(d) Legitimate Interests (Article 6(1)(f) UK GDPR)
Where necessary for the purposes of our legitimate interests, provided that those interests are not overridden by the interests, rights, or freedoms of the Data Subject. This basis applies to: (i) the establishment, exercise, or defence of legal claims (§4.1(i)); and (ii) analysis of website usage for service improvement purposes (§4.1(f)), where such analysis is conducted in a manner that does not unduly prejudice Data Subjects. In each case we have assessed that our legitimate interests are proportionate and appropriate.

5.2 Where we process Special Categories of Personal Data, we will identify and rely upon an additional condition under Article 9(2) UK GDPR and will notify you accordingly.

§6 International Transfers of Personal Data

6.1 In the course of our business, we may transfer personal data to recipients located outside the United Kingdom and, where applicable, outside the EEA. We will only make such transfers where an appropriate safeguard or derogation applies under Chapter V UK GDPR (and, where applicable, Chapter V EU GDPR). The mechanisms upon which we rely include the following:

(a) Adequacy Decisions
Transfers to countries or territories in respect of which the Secretary of State (under UK GDPR) or the European Commission (under EU GDPR) has made an adequacy decision, confirming that the recipient country ensures an adequate level of protection for personal data.

(b) Binding Corporate Rules (“BCRs”)
Transfers to organisations that have implemented BCRs approved by a competent supervisory authority, providing appropriate safeguards for personal data transferred within a corporate group.

(c) EU–US Data Privacy Framework
Transfers to organisations in the United States of America that are certified under the EU–US Data Privacy Framework (“DPF”), adopted by the European Commission on 10 July 2023. For transfers from the United Kingdom, the UK Extension to the DPF (adopted by the UK Secretary of State in October 2023) provides an equivalent basis under UK GDPR.

(d) UK International Data Transfer Agreement and UK Addendum
Transfers made pursuant to an International Data Transfer Agreement (“IDTA”) issued by the Information Commissioner’s Office, or pursuant to the UK Addendum to the EU Standard Contractual Clauses (“UK Addendum”), as approved by the Secretary of State under section 119A DPA 2018, which provide appropriate safeguards for transfers of personal data from the United Kingdom to third countries.

(e) Contractual Necessity (Article 49(1)(b) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers may be made where strictly necessary for the performance of a contract between you and us, or for the implementation of pre-contractual measures taken at your request. This derogation is used only for occasional, non-repetitive transfers.

(f) Legal Claims (Article 49(1)(e) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers may be made where strictly necessary for the establishment, exercise, or defence of legal claims. This derogation is used only for occasional, non-repetitive transfers.

6.2 You may request further information regarding the specific safeguards applied to any international transfer of your personal data by contacting us at compliance@re-infinite.com.

§7 With Whom Do We Share Personal Data

7.1 We may share your personal data with the following categories of recipients, in each case only to the extent necessary for the relevant purpose and subject to appropriate contractual or legal protections:

(a) Service Providers and Processors
Third-party organisations engaged by us to provide services in connection with our business operations, including IT and technology service providers, cloud hosting providers, data analytics providers, legal advisers, accountants, auditors, and fund administrators. Such parties process personal data on our behalf and are bound by data processing agreements requiring them to process personal data only on our instructions and in accordance with the Data Protection Legislation.

(b) Group Members
Other entities within the REINFINITE GROUP LTD group of companies, where necessary for the administration of group operations, internal reporting, or the provision of services to you. Each group entity processes personal data in accordance with applicable Data Protection Legislation.

(c) Corporate Transactions
In the event of a merger, acquisition, reorganisation, or sale of all or part of our business or assets, personal data may be transferred to the relevant counterparty or successor entity, subject to appropriate confidentiality obligations.

(d) Regulatory and Legal Authorities
Competent regulatory authorities, law enforcement agencies, courts, and other public bodies where we are required or permitted to do so by applicable law, where necessary for the prevention and detection of fraud or other criminal activity, or where necessary for the establishment, exercise, or defence of legal claims.

7.2 We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes without your prior consent.

§8 Retention of Personal Data

8.1 We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.

8.2 In particular:

(a) Personal data collected for AML, KYC, and tax compliance purposes (including records required under HMRC guidance and applicable AML legislation) is retained for a minimum period of seven years following the end of the relevant investment relationship or transaction, in accordance with the requirements of the Proceeds of Crime Act 2002, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and HMRC record-keeping requirements.

(b) Personal data processed for the purposes of FATCA and CRS reporting is retained for such periods as are required by the applicable statutory and regulatory frameworks.

(c) Personal data processed for marketing purposes is retained until the data subject withdraws consent or objects to processing, whichever is earlier.

(d) Personal data processed for other purposes is retained for such period as is necessary for those purposes, taking into account applicable limitation periods for legal claims and any other legal obligations.

8.3 Where we are required to retain personal data beyond the periods set out above by reason of a legal obligation, regulatory requirement, or ongoing legal proceedings, we will retain such data until the relevant obligation or proceedings are concluded.

8.4 Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with our internal data management procedures.

§9 Your Data Subject Rights

9.1 Subject to the conditions and limitations set out in the Data Protection Legislation, you have the following rights in respect of your personal data:

(a) Right of Access (Article 15 UK GDPR)
The right to obtain confirmation as to whether we process personal data about you and, if so, to receive a copy of that personal data together with supplementary information about the processing.

(b) Right to Rectification (Article 16 UK GDPR)
The right to require us to correct inaccurate personal data and to complete incomplete personal data.

(c) Right to Erasure (Article 17 UK GDPR)
The right to require us to erase your personal data where the processing is no longer necessary, where you have withdrawn consent (and no other legal basis applies), where you have objected to processing and there are no overriding legitimate grounds, or where the personal data has been unlawfully processed.

(d) Right to Restriction of Processing (Article 18 UK GDPR)
The right to require us to restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our grounds.

(e) Right to Data Portability (Article 20 UK GDPR)
The right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

(f) Right to Object (Article 21 UK GDPR)
The right to object to processing of your personal data where we rely on a lawful basis other than consent, on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.

(g) Rights in Relation to Automated Decision-Making (Articles 22A to 22D UK GDPR, as substituted by the Data (Use and Access) Act 2025)
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, save where permitted by applicable law.

(h) Right to Withdraw Consent
Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time by contacting us at compliance@re-infinite.com. Withdrawal of consent does not affect the lawfulness of any processing carried out on the basis of consent prior to its withdrawal.

9.2 To exercise any of the rights set out in this §9, please submit a written request to our data protection contact at compliance@re-infinite.com or at our registered address set out in §2.2 above. We will respond to your request within one calendar month of receipt. Where the complexity or number of requests warrants an extension, we will notify you within one month of receipt and provide an explanation. In accordance with Article 12A UK GDPR (as inserted by the Data (Use and Access) Act 2025), the one-month response period is paused where we request clarification of the scope of your request or verification of your identity; the period resumes upon receipt of the required information.

9.3 We will not charge a fee for responding to a valid request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act on the request, in accordance with Article 12(5) UK GDPR.

9.4 We may request proof of identity before processing a data subject rights request in order to verify that the request is made by or on behalf of the relevant data subject.

§10 Complaints

10.1 If you have a concern about the manner in which we process your personal data, we encourage you to contact our data protection contact in the first instance at compliance@re-infinite.com, so that we may seek to resolve the matter.

10.2 If you remain dissatisfied following our response, or if you do not wish to contact us directly, you have the right to lodge a complaint with the relevant supervisory authority:

(a) For data subjects in the United Kingdom: the Information Commissioner’s Office (“ICO”), which is the supervisory authority for data protection matters in the United Kingdom. The ICO can be contacted via its website at https://ico.org.uk, by telephone on 0303 123 1113, or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

(b) For data subjects in the EEA: the competent supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available on the website of the European Data Protection Board at https://edpb.europa.eu.

10.3 The right to lodge a complaint does not affect any other administrative or judicial remedy available to you under applicable law.

10.4 In accordance with the Data (Use and Access) Act 2025, REINFINITE LTD has established a formal data protection complaints procedure. If you consider that your personal data has been processed in breach of applicable Data Protection Legislation, you may submit a complaint directly to us at compliance@re-infinite.com. We will:

(a) acknowledge receipt of your complaint within 30 days; and

(b) respond without undue delay, providing written reasons for any decision reached.

We encourage you to contact us in the first instance before escalating to a supervisory authority, so that we may seek to resolve your concern promptly.

§11 Changes to This Policy

11.1 We review this Policy periodically and may update it from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance.

11.2 The date on which this Policy was most recently updated is displayed at the top of this document as the “Last Updated” date. Where changes are material, we will use reasonable efforts to notify you using the contact details we hold for you or by posting a notice on re-infinite.com.

11.3 We encourage you to review this Policy periodically to remain informed of how we process your personal data.

§12 Data Protection Contact

12.1 REINFINITE LTD has designated a compliance contact responsible for data protection matters. All data subject rights requests, data breach reports, and general data protection enquiries should be directed to:

Data Protection Contact

REINFINITE LTD

164 New Cavendish Street, London W1W 6YT

Email: compliance@re-infinite.com

12.2 The designated contact is responsible for:

(a) monitoring REINFINITE LTD’s compliance with the Data Protection Legislation;

(b) providing advice and guidance on data protection obligations;

(d) overseeing the handling of data subject rights requests and data protection complaints.

12.3 Data protection matters are handled by the compliance function. There is no requirement under Article 37 UK GDPR to appoint a formal Data Protection Officer at this time; REINFINITE LTD will appoint one should its processing activities reach the thresholds specified in Article 37(1) UK GDPR.

§13 Personal Data Breach Notification

13.1 REINFINITE LTD maintains internal procedures for detecting, reporting, and investigating personal data breaches in accordance with Article 33 UK GDPR and Article 34 UK GDPR.

13.2 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33(1) UK GDPR. Where notification is not made within 72 hours, we will provide the ICO with a reasoned explanation for the delay.

13.3 Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify the affected data subjects without undue delay, in accordance with Article 34 UK GDPR, unless one of the conditions set out in Article 34(3) UK GDPR applies.

13.4 All suspected or confirmed personal data breaches should be reported immediately to the data protection contact at compliance@re-infinite.com.

§14 Data Protection Impact Assessments

14.1 Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, REINFINITE LTD will carry out a Data Protection Impact Assessment (“DPIA”) prior to commencing such processing, in accordance with Article 35 UK GDPR.

14.2 DPIAs are conducted in respect of processing activities that involve, without limitation:

(a) systematic and extensive profiling with significant effects on individuals;

(b) large-scale processing of Special Categories of Personal Data; or

14.3 Where a DPIA indicates a high residual risk that cannot be mitigated, we will consult the ICO prior to commencing the relevant processing, in accordance with Article 36 UK GDPR.

14.4 A summary of any DPIA conducted in respect of processing activities that affect you is available upon request. Requests should be directed to the data protection contact at compliance@re-infinite.com. The provision of any DPIA documentation in response to such a request is subject to applicable exemptions and the Company’s discretion.

§15 Automated Decision-Making and Profiling

15.1 REINFINITE LTD does not currently carry out any processing that constitutes solely automated decision-making, including profiling, which produces legal or similarly significant effects concerning data subjects, within the meaning of Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025).

15.2 All decisions that materially affect data subjects are subject to human review and are not made solely by automated means.

15.3 Should we introduce any significant automated decision-making processes in the future, we will update this Policy accordingly, implement the mandatory safeguards required under Articles 22A to 22D UK GDPR (including informing affected data subjects and providing rights to make representations and request human review), and rely upon an appropriate lawful basis.

§16 Security Measures

16.1 REINFINITE LTD implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 UK GDPR.

16.2 The security measures we employ include, without limitation:

(a) Encryption and Secure Transmission: all data transmitted via re-infinite.com is protected using Secure Sockets Layer (“SSL”) / Transport Layer Security (“TLS”) encryption (HTTPS);

(b) Data Minimisation: we collect and retain only such personal data as is necessary for the specified purposes, in accordance with the principle of data minimisation under Article 5(1)(c) UK GDPR;

(c) Malware Detection: systems used to process personal data are protected by up-to-date malware detection and anti-virus software;

(d) Vulnerability Scanning: we conduct regular vulnerability scanning of our systems and infrastructure to identify and remediate security weaknesses;

(e) Web Application Firewall: a web application firewall (“WAF”) is deployed to protect re-infinite.com against common web-based threats and attacks; and

(f) Network Firewall: network-level firewall controls are maintained to restrict unauthorised access to our systems and data.

16.3 We also implement organisational measures including access controls limiting personal data to employees and contractors with a business need to know, staff training on data protection obligations, duties of confidentiality binding all persons with access to personal data, and contractual requirements imposed on third-party processors.

16.4 Notwithstanding the measures described above, no method of electronic transmission or storage is entirely secure. We cannot guarantee the absolute security of personal data transmitted to or from re-infinite.com. Any transmission of personal data is at your own risk.

16.5 Where we engage third-party processors, we require them to implement appropriate security measures commensurate with the nature of the personal data processed and the risks involved.

16.6 In the event of a suspected security incident, you should contact compliance@re-infinite.com without delay.

§17 Cookies and Tracking Technologies

17.1 Our website re-infinite.com may use cookies and similar tracking technologies to enhance user experience and to collect Technical Data and Usage Data as described in §3.1(g) and §3.1(h) above.

17.2 Further information regarding our use of cookies, including details of the cookies deployed and the options available to you to manage your cookie preferences, is set out in our Cookie Policy, available at https://re-infinite.com/cookies.

17.3 Analytics cookies are managed on an opt-out basis following the commencement of the Data (Use and Access) Act 2025, which exempts cookies used solely to collect aggregate statistics to improve a website from the prior consent requirement under PECR. Full details of the cookies used, their purposes, and how to opt out are set out in our Cookie Policy.

§18 Third-Party Sharing Restrictions

18.1 We do not share your personal data with any third party for that third party’s own purposes without your prior consent, save as expressly set out in this Policy or as required or permitted by applicable law.

18.2 Notwithstanding §18.1 above, we may share your personal data with your appointed independent financial adviser (“IFA”) or other professional adviser where:

(a) you have expressly authorised us to do so; or

(b) such sharing is necessary for the performance of services you have requested or for the administration of your investment, and you have been notified of such sharing.

18.3 Any third party with whom we share personal data pursuant to this §18 is required to process such data in accordance with the Data Protection Legislation and is subject to appropriate contractual obligations.

§19 Limitation of Liability

19.1 To the fullest extent permitted by applicable law, REINFINITE LTD’s liability arising from or in connection with this Policy is limited to its obligations under the Data Protection Legislation. Nothing in this Policy creates any right, remedy, or cause of action beyond those provided by applicable law.

19.2 Nothing in this Policy excludes or limits liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be excluded or limited by applicable law.

§20 Governing Law and Jurisdiction

20.1 This Policy and any dispute arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

20.2 The courts of England and Wales shall have exclusive jurisdiction in relation to any dispute arising out of or in connection with this Policy.

§21 Policy Review

21.1 The compliance function aims to review this Policy at least once every 12 months to ensure that it remains accurate, complete, and compliant with applicable Data Protection Legislation and regulatory guidance.

21.2 The date on which this Policy was most recently reviewed and updated is displayed at the top of this document as the “Last Updated” date.

21.3 Where a review results in material changes to this Policy, we will notify affected data subjects in accordance with §11 above.

21.4 Any questions regarding this Policy or its application should be directed to the data protection contact at compliance@re-infinite.com.

This Policy is issued by REINFINITE LTD (Company No. 14911131), registered in England & Wales, whose registered office is at 164 New Cavendish Street, London W1W 6YT.