KXT Energy

Privacy Policy

Effective date: 15 May 2026  ·  Governed by UK GDPR and the Data Protection Act 2018

1. Who We Are

KXT Energy Limited ("KXT", "we", "us") is the data controller responsible for personal data processed through this website and investor portal. We are an alternative investment fund manager and infrastructure development company focused on African energy and infrastructure markets.

If you have questions about how we handle your data, contact us at: privacy@kxtenergy.com

2. Data We Collect

We collect and process the following categories of personal data:

Identity & Contact Data — Full name, email address, job title, employing organisation, telephone number.

KYC & Due Diligence Data — Government-issued identification, proof of address, source-of-funds documentation, and beneficial ownership information collected to meet our anti-money laundering (AML) obligations under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

Investor Portal Data — Fund access records, document download activity, capital call acknowledgements, and NAV report access logs.

Technical Data — IP address, browser user-agent, session identifiers, login timestamps, and idle-session records collected for security and audit purposes.

Communications Data — Emails and enquiries submitted through our contact forms.

3. Legal Bases for Processing

We rely on the following lawful bases under UK GDPR Article 6:

Legal obligation — KYC/AML screening, audit log retention, and document immutability requirements are mandated by financial regulation and are non-negotiable.

Contract performance — Processing necessary to operate investor portal accounts, process capital calls, and distribute fund documents.

Legitimate interests — Platform security, fraud prevention, concurrent session controls, and login audit logging, where these do not override your fundamental rights.

Consent — Marketing communications, where applicable. You may withdraw consent at any time.

4. How Long We Keep Your Data

Retention periods are set by regulatory obligation and internal policy:

| Data Category | Retention Period |
|---|---|
| Capital Call documents | 20 years from creation |
| NAV Reports | 20 years from creation |
| Legal agreements | 20 years from creation |
| Fund updates and ESG reports | 7 years from creation |
| Login and session audit logs | 2 years |
| KYC/AML records | 5 years from end of investor relationship |
| General correspondence | 3 years |

After the applicable period, data is securely and permanently deleted from our systems and cloud storage.

5. Who We Share Data With

We do not sell personal data. We share data only with:

Infrastructure processors — Supabase Inc (authentication, database, and file storage, operating under EU Standard Contractual Clauses); Vercel Inc (application hosting); Resend Inc (transactional email delivery).

Regulatory authorities — The Financial Conduct Authority (FCA), HM Revenue & Customs, or law enforcement agencies where we are legally required to disclose.

Professional advisers — Legal counsel, auditors, and compliance consultants, under contractual confidentiality obligations.

All third-party processors are bound by data processing agreements and may only act on our documented instructions.

6. International Transfers

Some of our infrastructure processors operate servers in the United States and European Union. Where personal data is transferred outside the UK, we ensure adequate protections are in place through UK International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses, as required by the UK GDPR.

7. Your Rights

Under UK GDPR you have the right to:

- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion where data is no longer necessary, subject to our legal retention obligations
- Portability — receive your data in a structured, machine-readable format
- Restriction — ask us to limit processing in certain circumstances
- Objection — object to processing based on legitimate interests

To exercise any right, email privacy@kxtenergy.com. We will respond within 30 days. Where we cannot fulfil a request due to a legal obligation (e.g. AML retention), we will explain why.

You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security Measures

We implement technical and organisational measures proportionate to the risk, including:

- Encrypted data in transit (TLS 1.2+) and at rest
- Role-based access control — investor data is strictly scoped to authorised fund access
- Immutable audit logs for all administrative actions and investor logins
- Automatic idle session expiry after 20 minutes of inactivity
- Concurrent session controls — only one active session permitted per user
- Soft-delete with retention enforcement — deleted documents are preserved for the regulatory period before permanent removal

9. Cookies

This website uses strictly necessary cookies for session management and security. We do not use tracking or advertising cookies. No cookie consent banner is required for strictly necessary cookies under the Privacy and Electronic Communications Regulations (PECR).

10. Changes to This Policy

We may update this policy to reflect changes in law or our practices. The effective date at the top of this page will be updated accordingly. Significant changes will be communicated to investor portal users by email.

Questions about this policy? Contact us or email privacy@kxtenergy.com