This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG), as revised and effective 1 September 2023, the Ordinance on Data Protection (DPO/VDSG), the Anti-Money Laundering Act (AMLA/GwG), and applicable guidance from the Federal Data Protection and Information Commissioner (FDPIC). It applies to all Switzerland-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the controller (Verantwortlicher) as defined under Article 5(j) of the FADP. For any enquiries relating to data protection, please contact us at clara@tabularum.com (subject: Swiss Data Protection Request). As Tabularum is established outside Switzerland, we have designated a representative in Switzerland in accordance with FADP Art. 14. You may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
Identity & KYC Verification: Full legal name, date of birth, nationality, government-issued ID (Swiss passport or identity card), proof of address, beneficial ownership information (AMLA Art. 4), source of funds and wealth documentation, and investor categorisation.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Under the revised FADP, processing of personal data is lawful unless it violates the personality rights of the data subject. The following justification grounds apply (FADP Art. 31):
Consent (Art. 6(6)): For optional features and where required for sensitive personal data — freely given, informed, and withdrawable at any time.
Contract (Art. 31(2)(a)): Processing in direct connection with a contract to which the data subject is party.
Overriding Private or Public Interest (Art. 31(2)(a)–(b)): Including compliance with legal obligations under AMLA, FINMA regulations, and the Federal Act on Collective Investment Schemes (CISA); security monitoring; fraud prevention; and maintenance of immutable audit logs.
Legal Obligation (Art. 31(1)): Where processing is required by Swiss federal or cantonal law, including AMLA, the Financial Market Infrastructure Act (FMIA), and FINMA circulars.
We use personal data to: onboard and verify identity (KYC under AMLA); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor categorisation requirements; maintain FINMA record-keeping obligations; detect and prevent fraud; comply with Swiss and international sanctions screening obligations (including SECO sanctions); maintain immutable audit trails; and respond to regulatory enquiries from FINMA, the Money Laundering Reporting Office (MROS), or cantonal supervisory authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with Swiss regulators (FINMA, MROS, SECO) pursuant to binding legal obligation under AMLA, FMIA, or CISA; (c) with third-party data processors exclusively under FADP Art. 9-compliant processing agreements, which require the processor to ensure data security equivalent to the controller and to process data only as instructed — a register of sub-processors is available on request; and (d) where required by a binding Swiss court order. Where personal data is disclosed to third parties, we ensure this does not violate the personality rights of the data subject (FADP Art. 30(2)).
Transfers of personal data outside Switzerland are conducted solely under FADP Articles 16–17. This requires that the recipient state ensures an adequate level of data protection as determined by the Federal Council and listed in Annex 1 to the DPO (VDSG). Where no adequacy determination exists, transfers are conducted under: (a) Standard Contractual Clauses (SCCs) recognised by the FDPIC; (b) binding corporate rules approved by the FDPIC; or (c) the explicit consent of the data subject after being informed of the risks (FADP Art. 17(1)). For transfers to the United States, we rely on the Swiss-US Data Privacy Framework where applicable. We conduct transfer impact assessments for all cross-border transfers. You may request a copy of applicable safeguards by contacting clara@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 10 years from end of relationship (AMLA Art. 7); FINMA transaction and regulatory records — 10 years (Swiss Code of Obligations Art. 958f); platform security logs — 12 months; communications — duration of relationship plus 10 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with FADP Art. 6(4), which requires that personal data be destroyed or anonymised as soon as it is no longer needed for the purpose of processing.
To exercise any right, contact clara@tabularum.com. We will respond within 30 days (FADP Art. 25(5)). The right of access is provided free of charge; exceptions apply only under Article 25(6) where the request is manifestly unfounded or excessive. You may also enforce your rights before the competent Swiss courts (FADP Art. 32).
We implement appropriate technical and organisational measures under FADP Art. 8 and DPO (VDSG) Articles 1–5, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach likely to result in a high risk to the personality or fundamental rights of data subjects, we will notify the FDPIC as soon as possible (FADP Art. 24(1)) and affected individuals where necessary for their protection (FADP Art. 24(4)).
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. Under the Swiss Telecommunications Act (TCA/FMG) Art. 45c, we inform you of the use of cookies and their purpose. As we use only technically necessary cookies, no separate consent is required under Swiss law.
We retain personal data to fulfil record-keeping obligations under FINMA regulations and the Federal Act on Collective Investment Schemes (CISA/KAG), including: investor categorisation records (qualified investors under CISA Art. 10); suitability and appropriateness assessment records; transaction records for a minimum of ten (10) years (Swiss Code of Obligations Art. 958f); and conflicts of interest disclosures. These records are maintained in an immutable, non-alterable format and are accessible to FINMA on request.
We collect and retain KYC data as required by the Swiss Anti-Money Laundering Act (AMLA/GwG) and the Anti-Money Laundering Ordinance (AMLO-FINMA). Customer identification and verification of beneficial ownership are conducted under AMLA Articles 3–5 and the Agreement on the Swiss Banks' Code of Conduct with regard to the Exercise of Due Diligence (CDB). Records are retained for ten (10) years (AMLA Art. 7). We are legally obligated to file Suspicious Activity Reports with the Money Laundering Reporting Office Switzerland (MROS) where we have reasonable suspicion of money laundering or terrorist financing under AMLA Art. 9. We cannot notify you if a report has been filed, as this would constitute a breach of the reporting obligation and may constitute tipping off.
Under the revised FADP, profiling (Art. 5(f)) means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person. High-risk profiling (Art. 5(g)) means profiling that poses a high risk to the personality or fundamental rights of the data subject by linking data that allows an assessment of essential aspects of their personality. We do not engage in high-risk profiling. Where automated individual decisions are made that produce legal effects or significantly affect you (FADP Art. 21), you have the right to: (a) be informed that a decision has been made solely on the basis of automated processing; (b) express your views; and (c) request that the decision be reviewed by a natural person. Automated sanctions screening and AML monitoring are conducted pursuant to legal obligation and are not subject to the right of objection under Art. 21(3).
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by Swiss federal law. Any dispute arising from this Policy shall be subject to the exclusive jurisdiction of the Courts of Zurich, Switzerland. You retain the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at any time under FADP Art. 49, or to enforce your rights before the competent civil courts under FADP Art. 32.