This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 ("DPR 2021"), the ADGM Financial Services Regulatory Authority (FSRA) Rulebook, and the ADGM Anti-Money Laundering and Sanctions Rules and Guidance. It applies to all ADGM-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the controller as defined under Section 6 of the ADGM Data Protection Regulations 2021. We have designated a data protection contact as recommended under the DPR 2021. Contact us at clara@tabularum.com (subject: ADGM Data Protection Request) for any data protection enquiry or to exercise your rights. You may also contact the ADGM Registration Authority, which oversees the DPR 2021, at www.adgm.com.
Identity & KYC Verification: Full legal name, date of birth, nationality, government-issued ID (Emirates ID or passport), proof of address, beneficial ownership information, source of funds and wealth documentation, and investor categorisation under the FSRA Rulebook.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Contract (s.9(b)): Processing necessary to perform a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation (s.9(c)): Compliance with a legal obligation to which the controller is subject under ADGM law, including the FSRA Rulebook, AML/CFT Rules, and ADGM Companies Regulations 2020.
Legitimate Interests (s.9(f)): Processing necessary for the purposes of the legitimate interests pursued by the controller, including security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Consent (s.9(a)): For optional features only — freely given, specific, informed, and unambiguous, and withdrawable at any time without detriment.
Where we process special categories of personal data (DPR 2021 s.10), we rely on the applicable conditions under Section 10, including substantial public interest (AML/KYC obligations) or explicit consent as applicable.
We use personal data to: onboard and verify identity (KYC under ADGM AML/CFT Rules); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor categorisation under the FSRA Rulebook; maintain regulatory record-keeping obligations; detect and prevent fraud; comply with ADGM and UAE sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from the FSRA, ADGM Registration Authority, or relevant UAE federal authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with ADGM regulators (FSRA, Registration Authority) and UAE federal authorities pursuant to binding legal obligation; (c) with third-party data processors exclusively under DPR 2021 Section 18-compliant data processing agreements, which require the processor to implement appropriate technical and organisational measures and to process data only on the controller's documented instructions — a register of sub-processors is available on request; and (d) where required by a binding order of the ADGM Courts or UAE federal courts.
Transfers of personal data outside ADGM are conducted solely under Part 7 of the DPR 2021. This requires that the recipient jurisdiction ensures an adequate level of data protection as determined by the Registration Authority, or that appropriate safeguards are in place, including: (a) binding corporate rules approved by the Registration Authority; (b) standard data protection clauses adopted or approved by the Registration Authority; or (c) the explicit consent of the data subject after being informed of the risks. We conduct transfer impact assessments for all cross-border transfers. You may request a copy of applicable transfer safeguards by contacting clara@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (ADGM AML/CFT Rules); FSRA transaction and regulatory records — 6 years; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with DPR 2021 Section 7(1)(e), which provides that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
To exercise any right, contact clara@tabularum.com. We will respond within one calendar month (DPR 2021 s.21). We will not charge a fee for reasonable requests. Decisions based solely on automated processing (DPR 2021 s.29) are subject to review on request.
We implement appropriate technical and organisational measures under DPR 2021 Section 17, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the ADGM Registration Authority within 72 hours (DPR 2021 s.19) and affected individuals without undue delay (DPR 2021 s.20) where required.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. Our cookie usage is consistent with the data minimisation principle under DPR 2021 Section 7(1)(c).
We retain personal data to fulfil record-keeping obligations under the FSRA Conduct of Business Rulebook (COBS), including: client categorisation records; suitability and appropriateness assessment records; order and transaction records for a minimum of six (6) years; and conflicts of interest disclosures. These records are maintained in an immutable, non-alterable format consistent with FSRA requirements and are accessible to the FSRA on request.
We collect and retain KYC data as required by the ADGM Anti-Money Laundering and Sanctions Rules and Guidance ("AML Rules"), Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, and Cabinet Decision No. 10 of 2019. Customer due diligence records, including beneficial ownership information, are collected and verified in accordance with the AML Rules and retained for five (5) years. We are legally obligated to file Suspicious Activity Reports (SARs) with the UAE Financial Intelligence Unit (FIU) where we have reasonable grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under the AML Rules.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at clara@tabularum.com. We will delete such data without delay in accordance with DPR 2021 Section 24.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of Abu Dhabi Global Market. Any dispute arising from this Policy shall be subject to the exclusive jurisdiction of the ADGM Courts. You retain the right to lodge a complaint with the ADGM Registration Authority at any time under DPR 2021 Section 30.