GDPR NOTICE

The General Data Protection Regulation (“GDPR”) applies to the processing of personal data by organizations established within the European Economic Area (“EEA”) and, in certain circumstances, to organizations outside the EEA where the processing relates to the offering of goods or services to individuals in the EEA or the monitoring of their behavior within the EEA.

The GDPR has two key purposes: (a) to set guidelines for the collection, processing and protection of personal data and (b) to give individuals certain rights in relation to their personal data, such as to access and correct it, request erasure or restriction, object to further processing, request portability, and withdraw consent where consent is relied upon.

This GDPR Disclosure is intended to ensure that clients, prospective clients or similar contacts or, where a client, prospective client or other similar contact is not an individual, the client’s, prospective client’s or similar contact’s individual directors, officers, employees and/or owners (“you”, or “your”) are aware of the categories of your personal data Broad Run Investment Management, LLC (the “firm”, “we”, “us” or “our”) may collect, how we collect it, what we use it for, the lawful bases on which we process it, with whom we share it, how long we retain it, and the rights you may have in accordance with the GDPR. Where the client, prospective client or similar contact is not an individual, please provide a copy of this GDPR Disclosure to those individual directors, officers, employees and/or owners whose personal data we may process.

“Personal data” means any information relating to you, but does not include data where you can no longer be identified from it, such as anonymized aggregated data.

Broad Run Investment Management, LLC is the data controller responsible for the personal data described in this GDPR Disclosure. A data controller is responsible for deciding how to hold and use personal data about you. We may process your personal data ourselves or through others acting as data processors on our behalf.

We may provide supplemental privacy notices on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. These supplemental notices should be read together with this GDPR Disclosure.

Controller contact details
Broad Run Investment Management, LLC
1530 Wilson Boulevard, Suite 530, Arlington, Virginia 22209
Privacy contact: Bryan H. Adkins, CCO
Email: badkins@broadrunllc.com | Phone: (703) 260-1260

EU/EEA representative
If we are required to appoint a representative in the EU/EEA under GDPR Article 27, we will identify that representative and provide contact details to you. We periodically review whether an EU/EEA representative is required based on the nature and extent of our processing of personal data relating to individuals in the EEA.

Your personal data
Personal data held by us or on our behalf may include:
  • Identification and contact information, such as name, address, email address, signature, nationality, country of residence, place of birth and date of birth;
  • Tax and regulatory information, such as tax identification, tax jurisdiction and regulatory status;
  • KYC/AML and due diligence information, such as passport number, source of funds, credit history, screening results and financial information in KYC documents;
  • Employment, professional and education information;
  • Financial, account and investment information, such as bank account details, investment activity and investment preferences; and
  • Communications information, such as correspondence records.
Why we may use your personal data
The purposes for which we may collect, store and use personal data about you and our “lawful basis” for processing such data are set out in the table below. Where we rely on legitimate interests, those interests may include managing client and prospective client relationships, assessing investment preferences, maintaining business records, managing risk, protecting legal rights, and operating our business effectively.
Purpose
Lawful basis for processing
Pre-investment steps, including eligibility, due diligence, and investment preferences.
Steps prior to contract; legal obligations; legitimate interests.
Business development and marketing, including direct electronic marketing where permitted.
Legitimate interests; consent where required for direct electronic marketing. You may opt out at any time by using the opt-out mechanisms that may be available in those messages or by contacting us at broadrun@broadrunllc.com.
Opening, managing and administering an account.
Performance of your contract.
AML, sanctions, fraud, bribery, corruption, tax evasion and related compliance checks.
Legal obligations and legitimate interests in compliance and risk management.
Reporting tax-related information to tax authorities.
Legal obligations.
Disclosing information to service providers, advisors, auditors, technology providers, regulators, tax authorities, counterparties and intermediaries.
Legal obligations; contract performance where relevant; legitimate interests.
Maintaining records and managing our business.
Legitimate interests and legal obligations where applicable.
Special categories of personal data
There are more limited bases for processing special category personal data. We do not intend to actively collect such data, but may hold it incidentally if you volunteer it or if legal/regulatory diligence materials contain it. Where we process special category personal data incidentally, we will do so only where permitted by law, including where necessary for legal claims, where you have manifestly made the data public, where processing is necessary for substantial public interest under applicable law, or where you have provided explicit consent, as applicable.

What if you do not provide the personal data requested?
Unless and until you decide to invest or otherwise engage in a business transaction with us, you are not required to provide any information. If you do not provide requested information, we may be limited or restricted in our ability to deal with you and may not be able to accept or retain you as a client where the information is required for anti-money laundering or other legal requirements.

Change of purpose
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that another use is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

How do we collect this information?
We typically collect personal data when you provide information to us or persons acting on our behalf in writing, electronically, or by phone. We may also receive personal information about you from public sources, information vendors, introducers, distributors or other intermediaries.

With whom will we share your information?
We may share your personal data where required by law, necessary to perform our contract with you, or where we have a legitimate interest. Recipients may include introducers, distributors, intermediaries, lawyers, bankers, auditors, insurers, regulators, tax authorities, trading counterparties, cloud service providers and other service providers. We may also share your personal data in connection with a possible sale or restructuring of the business, to comply with law or judicial process, or to protect our rights.

International transfers and data protection measures
Any transmission of your personal data by us or our duly authorized affiliates, delegates or service providers outside the EEA shall be in accordance with the conditions in the GDPR. Where required, we will use appropriate safeguards such as an adequacy decision, standard contractual clauses, or another transfer mechanism permitted by the GDPR. We and our duly authorized affiliates, delegates and service providers apply appropriate technical and organizational security measures designed to protect personal data from unauthorized access, loss, misuse, alteration, disclosure or destruction.

Personal data breach notification
We shall notify you of any personal data breach affecting you where required by the GDPR, including where the breach is likely to result in a high risk to your rights and freedoms.

Automated decision-making and profiling
We do not intend to make decisions about you based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. If this changes, we will provide additional information as required by the GDPR.

Our retention of your personal data
We will retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including legal, regulatory, accounting and reporting requirements and our legitimate interests in maintaining records. Generally, we will keep information relevant to our dealings with you for 7 years following the last date of activity. In some circumstances your personal data may be anonymized so that it can no longer be associated with you. Once no longer required, we will securely destroy your personal data in accordance with applicable laws and regulations.

Accuracy of information
It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during your relationship with us.

Your rights in relation to your information
You have rights which you can exercise under certain circumstances, including to request access, rectification, erasure, restriction of processing, objection to processing, transfer of your personal data to another party, and not to be subject to certain solely automated decisions. If you want to exercise one of these rights, please contact Bryan H. Adkins, CCO at badkins@broadrunllc.com.

Right to complain
You have the right to make a complaint at any time to a supervisory authority for data protection issues. You may contact the supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.

Fees
You will not usually have to pay a fee to access your personal data or exercise rights. However, we may charge a reasonable fee or refuse to comply if your request is manifestly unfounded or excessive.

What we may need from you
We may need to request specific information from you to confirm your identity and ensure your right to access the information or exercise your rights.

Right to withdraw consent
Where you have provided consent for a specific processing purpose, you may withdraw that consent at any time by contacting Bryan H. Adkins, CCO at badkins@broadrunllc.com. Withdrawal will not affect the lawfulness of processing based on consent before withdrawal. After withdrawal, we will no longer process your information for that purpose unless we have an alternative legal basis for doing so.

************

If you have additional questions about this GDPR Disclosure, you may contact us at the office phone number below or via email to Bryan H. Adkins, CCO at  badkins@broadrunllc.com.

Broad Run Investment Management, LLC
1530 Wilson Boulevard | Suite 530 | Arlington, Virginia 22209
O: (703) 260‐1260 | F: (703) 574-4312 | www.broadrunllc.com

June 2026