This Privacy Policy describes how HSBC Asset Management (India) Private Limited ("Company", "AMC", "we", "us", or "our") collects, receives, uses, processes, stores, discloses, and protects your personal data when you use our website at [www.assetmanagement.hsbc.co.in/en/redhex-sif] ("Website"), our mobile applications, chatbot, WhatsApp services, or any other platforms or services (collectively, the "Platform"), and when you submit information through physical application forms or other transactional documents.

This Privacy Policy is designed to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable laws and regulations in India.

This Privacy Policy applies to investors in our Specialized Investment Fund (SIF) known as “RedHex SIF”. SIF is a category of investment product regulated by SEBI with a minimum investment threshold of INR 10 lakh across all investment strategies. Investments in SIF involve relatively higher risk including potential loss of capital, liquidity risk, and market volatility compared to regular mutual fund schemes.

By visiting our Website, using our Platform, or submitting your personal data to us, you acknowledge that you have read, understood, and consent to the collection, use, processing, and disclosure of your personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Platform or provide your personal data to us.

This Privacy Policy should be read in conjunction with our Terms of Use, the Investment Strategy Information Document (ISID), Statement of Additional Information (SAI), and any other applicable terms and conditions.

Our Privacy Principles

Our business is built on trust between our customers and ourselves. To preserve the confidentiality of all information you provide us, we maintain the following privacy principles:

We only collect personal data that we believe to be relevant and required to understand your financial needs and to conduct our business.

We use your personal data to provide you with better customer services and products.

We may share your personal data with other group companies or agents only where permitted by applicable laws and regulations.

We will not disclose your personal data to any external organisation unless we have your consent or are required by prevailing laws and regulations.

We may be required to disclose your personal data to governmental or judicial bodies, agencies, or regulators, but we will only do so under proper legal authority.

We aim to keep your personal data accurate, complete, and up to date.

We maintain strict security systems designed to prevent unauthorised access to your personal data by anyone, including our staff.

All group companies, staff, and third parties with permitted access to your information are specifically required to observe our confidentiality obligations.

Definitions

For the purposes of this Privacy Policy:

Personal Data

"Personal Data" means any data about an individual who is identifiable by or in relation to such data. This includes, but is not limited to:

Identification information such as your full name, date of birth, gender, photograph, signature, and government-issued identification numbers (PAN, Aadhaar, passport number, etc.).

Contact information such as postal address, email address, and telephone numbers.

Financial information such as bank account details, credit or debit card details, income details, and investment-related information.

Employment-related information and compensation details.

Any other information that directly or indirectly, in combination with other information available to us, can help identify you.

Sensitive Personal Data

"Sensitive Personal Data" means Personal Data that reveals or relates to:

Financial information such as bank account numbers, credit card, debit card, or other payment instrument details.

Passwords and authentication information.

Medical records and health information.

Biometric data.

Any other information as may be prescribed under applicable law.

Provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, or any other law shall not be regarded as Sensitive Personal Data.

Data Principal

"Data Principal" means the individual to whom the Personal Data relates, and where such individual is a child, includes the parents or lawful guardian of such child.

Data Fiduciary

"Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data. The Company acts as a Data Fiduciary with respect to Personal Data collected through its Platform and services.

What Personal Data We Collect

We may collect and process the following categories of Personal Data:

Information You Provide Directly

Information submitted through application forms (physical or electronic) for RedHex SIF investments, including identification documents, financial information, nominee details, and bank account information.

Information provided for account registration, including name, contact details, and authentication credentials.

Information provided through correspondence with us, including emails, letters, and call centre interactions.

Information provided through surveys, feedback forms, or promotional activities.

Information Collected Automatically

When you visit our Website or use our Platform, we may automatically collect certain information, including:

Technical information such as your IP address, browser type and version, operating system, device information, and time zone settings.

Information about your visit, including the pages you view, links you click, and your navigation patterns through the Website.

Information collected through cookies, web beacons, and similar technologies (see "Cookies and Similar Technologies" section below).

Information from Third Parties

We may receive Personal Data about you from third parties, including:

Our Registrar and Transfer Agent ("RTA") and other service providers.

Distributors, agents, and intermediaries through whom you invest in our investment strategies.

Credit information companies and identity verification agencies.

Publicly available sources and government databases.

Information Through Call Recordings

We may record telephone conversations at our call centres for quality control, training, and compliance purposes.

How We Use Your Personal Data

We may use your Personal Data for the following purposes:

Account and Portfolio Management

To process your applications for investment in our RedHex SIF investment strategies.

To provide and manage your portfolio(s) and our relationship with you.

To provide you with account statements, Consolidated Account Statements (CAS), transaction confirmations, and other communications about your investments.

To process your transaction requests, including purchases, redemptions, switches, and systematic investment or withdrawal plans.

To respond to your enquiries, complaints, and service requests.

Regulatory Compliance

To verify your identity and conduct Know Your Customer ("KYC") procedures as required by applicable laws and regulations.

To conduct anti-money laundering checks, fraud prevention, and detection of suspicious transactions.

To comply with reporting requirements to regulatory authorities, including the Securities and Exchange Board of India ("SEBI"), the Financial Intelligence Unit-India ("FIU-IND"), and other governmental or quasi-judicial bodies. For SIF investors, this includes compliance with Minimum Investment Threshold requirements.

To comply with tax reporting obligations, including the Foreign Account Tax Compliance Act ("FATCA") and Common Reporting Standard ("CRS").

Service Improvement and Analytics

To analyse usage patterns of the Platform and improve our services and facilities.

To conduct market research, project planning, and develop new products and services.

To troubleshoot problems and maintain the security and integrity of the Platform.

Communications

To send you administrative notices, alerts, advice, and notifications relevant to your use of our services and your investments.

To send you promotional and marketing communications about our investment strategies, services, and facilities (subject to your preferences and consent).

To communicate with you through our call centres, email, SMS, WhatsApp, or other channels.

Legal Purposes

To establish, exercise, or defend legal claims.

To comply with court orders, legal processes, and law enforcement requests.

To enforce our Terms of Use and other agreements.

Legal Basis for Processing

Under the DPDP Act and other applicable laws, we process your Personal Data on the following lawful grounds:

Consent

Where you have provided your free, specific, informed, unconditional, and unambiguous consent for us to process your Personal Data for specified purposes. You have the right to withdraw your consent at any time, subject to the consequences of such withdrawal as described in this Privacy Policy.

Contractual Necessity

Where processing is necessary for the performance of a contract to which you are a party, including the processing of your investment applications and management of your portfolio.

Legal Obligation

Where processing is necessary for compliance with a legal obligation to which the Company is subject, including regulatory reporting requirements and tax obligations.

Legitimate Interests

Where processing is necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your rights and interests.

Cookies and Similar Technologies

What Are Cookies?

Cookies are small text files that are stored on your device (computer, mobile phone, or tablet) when you visit a website. They help websites remember information about your visit, which can make your next visit easier and the website more useful to you.

How We Use Cookies

We use cookies and similar technologies to:

Recognise you when you return to our Website.

Remember your preferences and settings.

Analyse how visitors use our Website, including the number of visitors and general usage patterns.

Improve the performance and functionality of our Website.

Provide secure access to your account.

Managing Cookies

You can control and manage cookies through your browser settings. You may choose to disable cookies; however, if you do so, you may be unable to access certain parts of our Website or certain features may not function properly.

Disclosure of Personal Data

We may disclose your Personal Data to the following categories of recipients:

Group Companies and Affiliates

We may share your Personal Data with our subsidiaries, affiliates, and other group companies for compliance, risk management, operational purposes, and to provide you with services.

Service Providers

We may share your Personal Data with our Registrar and Transfer Agent ("RTA"), custodians, payment processors, depositories, technology service providers, and other service providers who provide services to us in connection with the operation of our business. All service providers are required to maintain the confidentiality of such Personal Data and to use it only for the purposes authorised by us.

Intermediaries and Distributors

We may share your investment account and transaction details and other Personal Data with intermediaries and distributors whose AMFI Registration Number ("ARN") appears on your application.

Regulatory Authorities

We may disclose your Personal Data to Indian and foreign statutory, regulatory, judicial, or quasi-judicial authorities and agencies as required by applicable laws and regulations, including but not limited to SEBI, FIU-IND, tax authorities, the Reserve Bank of India, and the Association of Mutual Funds in India (AMFI).

Law Enforcement

We may disclose your Personal Data in response to lawful requests by law enforcement agencies, court orders, subpoenas, or similar legal processes.

Other Disclosures

We may disclose your Personal Data to protect our rights, property, or safety, or the rights, property, or safety of our users or others.

We may disclose your Personal Data in connection with a merger, acquisition, reorganisation, or sale of assets, in which case the acquiring entity will be subject to the terms of this Privacy Policy with respect to your Personal Data.

Data Transfers

Your Personal Data may be transferred to, stored, or processed in locations outside India by our group companies, affiliates, or service providers. When we transfer your Personal Data outside India, we will ensure that such transfers are made in compliance with the DPDP Act and other applicable laws, and that appropriate safeguards are in place to protect your Personal Data.

Data Retention

We will retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, as set out in this Privacy Policy, or as required under any applicable law for the time being in force.

In determining the appropriate retention period, we consider:

The nature and sensitivity of the Personal Data.

The purposes for which we process your Personal Data.

Applicable legal, regulatory, and contractual requirements.

Applicable limitation periods for bringing legal claims.

When your Personal Data is no longer required, we will securely delete or anonymise it in accordance with our data retention policies and applicable laws.

Data Security

We implement appropriate technical and organisational security measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. Some key features of our information security programme include:

A dedicated Information Security Risk Team that designs, implements, and provides oversight to our information security programme.

Use of firewalls, encryption technologies (including 128-bit SSL encryption), and other security technologies to protect against internet intrusion and unauthorised access.

Access controls that ensure that only authorised employees who are trained in the proper handling of customer information have access to Sensitive Personal Data.

Regular reviews and audits of our security practices and systems.

Physical, electronic, and procedural safeguards to protect information against loss, misuse, damage, modification, and unauthorised access or disclosure.

Contractual obligations on service providers to maintain confidentiality and implement appropriate security measures.

Notwithstanding our security measures, no data transmission over the internet or electronic storage method is completely secure. While we strive to protect your Personal Data, we cannot guarantee its absolute security.

Your Rights Under the DPDP Act

Under the DPDP Act and other applicable laws, you have the following rights in relation to your Personal Data:

Right to Access

You have the right to obtain a summary of your Personal Data that we are processing and the processing activities undertaken by us with respect to such Personal Data. This includes access to your investment account information, portfolio holdings, and transaction history.

Right to Correction and Erasure

You have the right to request correction of inaccurate or misleading Personal Data, completion of incomplete Personal Data, and erasure of Personal Data that is no longer necessary for the purpose for which it was collected or processed.

Right to Grievance Redressal

You have the right to register a grievance with the Company regarding any act or omission relating to your Personal Data or the exercise of your rights. We will address your grievance within the time period specified under applicable law. You may also escalate unresolved complaints to SEBI via the SCORES portal or opt for online dispute resolution (ODR) mechanism in accordance with SEBI procedures.

Right to Nominate

You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights in respect of your Personal Data.

Right to Withdraw Consent

Where our processing of your Personal Data is based on your consent, you have the right to withdraw your consent at any time. Please note that withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent may also result in the Company being unable to provide certain services to you or process certain transactions.

Your Responsibilities

As a Data Principal, you have certain responsibilities under the DPDP Act, including:

Providing accurate and complete Personal Data and not suppressing any material information.

Not impersonating another person when providing Personal Data.

Providing authentic documents and information as may be required for verification purposes.

Informing us of any changes to your Personal Data to enable us to maintain accurate records.

Direct Marketing

We may use your Personal Data, such as your email address, mobile number, or postal address, to send you direct marketing communications about our investment strategies, services, and facilities.

We will not share your Personal Data with third parties for their direct marketing purposes without your express consent.

If you do not wish to receive marketing communications from us, you may opt out at any time by:

Clicking the "unsubscribe" link in any marketing email we send you.

Contacting us using the details provided in the "Contact Us" section below.

We will act on your request within thirty (30) days and ensure that you are excluded from future direct marketing communications at no cost to you.

Third-Party Websites and Services

Our Website may contain links to websites operated by third parties. These third-party websites have their own privacy policies, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party websites before providing any Personal Data to them.

Social Media

We may provide experiences on social media platforms that enable online sharing, communication, and collaboration among users. We may collect information you provide by interacting with us via social media, such as images, videos, or other information.

Any content you post on social media platforms is subject to the terms of use and privacy policies of those platforms. Please refer to them to better understand your rights and obligations regarding such content.

Mobile Applications

Our mobile applications ("Apps") allow you to access your investment details and other information using wireless or mobile devices. This Privacy Policy applies to any Personal Data that we collect through our Apps.

When using our Apps, please ensure that you download them only from trusted app stores such as the Apple App Store or Google Play Store to protect yourself from fraudulent applications.

Children's Personal Data

Our Platform is not intended for use by children below the age of eighteen (18) years. We do not knowingly collect Personal Data from children below eighteen (18) years of age without the consent of their parent or lawful guardian.

If you are a parent or guardian and believe that your child has provided Personal Data to us without your consent, please contact us using the details provided below, and we will take steps to delete such information.

Where Personal Data of a child is processed with the consent of their parent or lawful guardian, such processing shall be undertaken in accordance with the DPDP Act.

Breach of Data Security

Despite our best efforts, if any unauthorised person breaches our security control measures resulting in unauthorised access, data breach, hacking, or loss of data, we will take all necessary corrective measures to address the breach and notify affected individuals and the relevant authorities as required by applicable law.

However, the Company, its Trustees, Directors, Officers, Employees, or Affiliates cannot be held responsible for security breaches caused by factors beyond our reasonable control, including breaches by third parties or service providers, acts of God, war, terrorism, or other force majeure events.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated Privacy Policy on our Website with a revised effective date.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your Personal Data. Your continued use of our Platform after any changes to this Privacy Policy will constitute your acceptance of such changes.

Contact Us and Grievance Redressal

If you have any questions about this Privacy Policy, wish to exercise your rights, or have any grievances relating to the use or handling of your Personal Data, you may contact our Grievance Officer at:

Grievance Officer / Data Protection Officer: Name: Mr. Ankur Banthiya

Designation: Investor Relations Officer

Address: HSBC Mutual Fund, Unit No. 62, 1st Floor, Parade View, Rukmani Lakshmipathi Salai, Egmore, Chennai, Tamil Nadu-600008 India

Email: iromf@mutualfunds.hsbc.co.in

We will acknowledge your grievance and respond to it within the time period prescribed under applicable law.

If you are not satisfied with our response to your grievance, you may approach the Data Protection Board of India established under the DPDP Act.

Acknowledgement

By using our Platform or providing your Personal Data to us, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, processing, and disclosure of your Personal Data as described herein. Investments in Specialized Investment Fund involve relatively higher risk including potential loss of capital, liquidity risk, and market volatility. Please read all investment strategy related documents carefully before making the investment decision.

Effective Date: [28th April 2026]

Last Updated: [28th April 2026]