This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in compliance with BVI regulatory requirements, the AML/CFT Code of Practice, and international data protection best practices. As the BVI does not currently have a comprehensive standalone data protection statute, Tabularum voluntarily applies standards consistent with the UK GDPR framework. This Policy applies to all BVI-based users and users of BVI-domiciled fund structures, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the data controller for all personal data processed through the Platform in connection with BVI-based users and BVI-domiciled fund structures. Although the BVI does not currently mandate a Data Protection Officer, we have voluntarily appointed a DPO. Contact our DPO at gaio@tabularum.com (subject: Data Protection Request) for any data protection enquiry or to exercise your rights.
Identity & KYC Verification: Full legal name, date of birth, nationality, passport or national ID, proof of address, beneficial ownership information (under the BOSS Act 2017), source of funds and wealth documentation, and investor qualification documentation.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Consent: Where you have given consent to the processing for one or more specific purposes.
Contractual Necessity: Processing necessary for the performance of the Terms of Service.
Legal Obligation: Compliance with the AML/CFT Code of Practice, SIBA, the Proceeds of Criminal Conduct Act, and BVI FSC requirements.
Legitimate Interests: Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests or fundamental rights.
We use personal data to: onboard and verify identity (KYC under the AML/CFT Code of Practice); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor qualification requirements under SIBA; maintain BVI FSC regulatory reporting records; detect and prevent fraud; comply with sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from the BVI FSC, the FIA, or other BVI authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with the BVI FSC, the FIA, or other regulators pursuant to binding legal obligation under SIBA, the Proceeds of Criminal Conduct Act, or the Financial Services Commission Act 2001; (c) with third-party data processors exclusively under contractual data protection obligations; and (d) where required by a binding order of the Eastern Caribbean Supreme Court (BVI Commercial Division). Data sharing is subject to the BVI common law duty of confidence and the Confidential Information Preservation Act.
Transfers of personal data outside the BVI are conducted under appropriate contractual safeguards consistent with international best practice. We ensure that recipient entities are bound by contractual obligations providing a standard of data protection comparable to UK GDPR standards. You may request details of applicable transfer safeguards by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (AML/CFT Code of Practice); SIBA-regulated fund records — 5 years after fund dissolution or transaction completion; beneficial ownership records — 5 years (BOSS Act 2017); platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised.
These rights are provided voluntarily by Tabularum consistent with international best practice. To exercise any right, contact gaio@tabularum.com. We will respond within 30 calendar days.
We implement appropriate technical and organisational measures consistent with international best practice, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a data breach, we will notify affected individuals without undue delay and report to the BVI FSC where the breach involves regulated fund data.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking.
We retain personal data to fulfil BVI FSC record-keeping obligations under SIBA and the BVI FSC Regulatory Code, including: investor qualification records; fund registration and filing records; transaction records for a minimum of five (5) years after fund dissolution or transaction completion; and AML/CFT compliance records under the AML/CFT Code of Practice. These records are maintained in an immutable, non-alterable format and are accessible to the BVI FSC on request.
We collect and retain KYC data as required by the BVI Anti-money Laundering and Terrorist Financing Code of Practice, 2008 (as amended), the Anti-money Laundering Regulations 2008 (as amended), and the Proceeds of Criminal Conduct Act 1997 (as amended). Beneficial ownership information is collected, verified, and retained for five (5) years from the end of the business relationship, consistent with the Beneficial Ownership Secure Search System Act 2017. We are legally obligated to file Suspicious Activity Reports (SARs) with the BVI Financial Investigation Agency (FIA) where we have reasonable grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under the Proceeds of Criminal Conduct Act.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of the British Virgin Islands.