How TABULARUM collects, uses, and protects your personal data across 26 jurisdictions.
This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), UK GDPR, MiFID II, and AMLD6. It applies to all EU/EEA-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the data controller under Article 4(7) GDPR. We have appointed a Data Protection Officer (DPO) as required under GDPR Art. 37. Contact our DPO at gaio@tabularum.com (subject: GDPR Request) for any data protection enquiry or to exercise your rights. You may also contact the supervisory authority in your EU/EEA member state.
Identity & KYC Verification: Full legal name, date of birth, nationality, government-issued ID, proof of address, beneficial ownership information (AMLD6 Art. 30–31), source of funds and wealth documentation, and investor categorisation (MiFID II Annex II).
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries (MiFID II RTS 24), IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Contract (Art. 6(1)(b)): Processing necessary to provide Platform services under the Terms of Service.
Legal Obligation (Art. 6(1)(c)): Compliance with AMLD6, MiFID II, AIFMD, eIDAS, and applicable national implementing legislation.
Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests.
Consent (Art. 6(1)(a)): For optional features only — freely given, specific, informed, and withdrawable at any time without detriment.
Where we process special category data (GDPR Art. 9), we rely on Art. 9(2)(g) (substantial public interest: AML/KYC obligations) or explicit consent (Art. 9(2)(a)) as applicable.
We use personal data to: onboard and verify identity (KYC under AMLD6); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil MiFID II investor categorisation and suitability obligations; maintain AIFMD Annex IV reporting records; detect and prevent fraud; comply with EU sanctions screening obligations; maintain immutable audit trails under MiFID II RTS 24; and respond to regulatory enquiries from national competent authorities (NCAs), ESMA, or EBA.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with national regulators (NCAs, ESMA, EBA, FCA, national FIUs) pursuant to binding legal obligation under AMLD6 or MiFID II; (c) with third-party data processors exclusively under GDPR Art. 28-compliant Data Processing Agreements (DPAs) — a register of sub-processors is available on request; and (d) where required by a binding EU or national court order.
Transfers of personal data outside the EU/EEA are conducted solely under one of the following safeguards: (a) Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021; (b) an adequacy decision by the European Commission under GDPR Art. 45; or (c) another valid mechanism under GDPR Chapter V. We conduct Transfer Impact Assessments (TIAs) for all third-country transfers. You may request a copy of applicable SCCs by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (AMLD5 Art. 40, applicable under AMLD6); MiFID II transaction and order records — 5 years (RTS 24); AIFMD Annex IV records — 5 years; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with GDPR Art. 5(1)(e).
To exercise any right, contact gaio@tabularum.com. We will respond within one calendar month (GDPR Art. 12). We will not charge a fee for reasonable requests. Automated decisions subject to Art. 22 review are available on request.
We implement appropriate technical and organisational measures under GDPR Art. 32, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34) where required.
We use only strictly necessary session cookies for authentication and security under the ePrivacy Directive (2002/58/EC, as amended). We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. No cookie consent banner is required as we do not deploy non-essential cookies. Our cookie usage is compliant with national implementations of the ePrivacy Directive across EU/EEA member states.
We retain personal data to fulfil MiFID II record-keeping obligations, including: client categorisation records (Art. 4 & Annex II); suitability assessment records (Art. 25(6) and Commission Delegated Regulation (EU) 2017/565, Art. 54–55); order and transaction records under RTS 24 for a minimum of five (5) years; and conflicts of interest disclosures (Art. 23). These records are maintained in an immutable, non-alterable format consistent with MiFID II requirements and are accessible to national competent authorities on request.
We collect and retain KYC data as required by the EU Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/843) and applicable national transpositions. Beneficial ownership information is collected and verified under AMLD5 Arts. 30–31 and retained for five (5) years. We are legally obligated to file Suspicious Activity Reports (SARs) with the relevant national Financial Intelligence Unit (FIU) where we have grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under AMLD6 Art. 39.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay in accordance with GDPR Art. 17.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by EU law; where EU GDPR provisions conflict with any national law, GDPR takes precedence. UK users are protected under UK GDPR and the Data Protection Act 2018. You retain the right to lodge a complaint with your national supervisory authority at any time (GDPR Art. 77).