This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the DIFC Data Protection Law, DIFC Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021, as well as UAE Federal AML/CFT requirements. It applies to all DIFC- and ADGM-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the Controller under Article 13 of the DIFC Data Protection Law 2020 and under the ADGM Data Protection Regulations 2021. We have appointed a Data Protection Officer (DPO). Contact our DPO at gaio@tabularum.com (subject: Data Protection Request) for any data protection enquiry or to exercise your rights. You may also contact the DIFC Commissioner of Data Protection or the ADGM Registration Authority.
Identity & KYC Verification: Full legal name, date of birth, nationality, Emirates ID, passport, government-issued ID, proof of address, beneficial ownership information, source of funds and wealth documentation, and investor categorisation under DFSA COB or ADGM COBS.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Contract (Art. 10(1)(b)): Processing necessary to provide Platform services under the Terms of Service.
Legal Obligation (Art. 10(1)(c)): Compliance with DFSA Rules, ADGM FSRA Rules, UAE Federal AML Law, and applicable regulatory requirements.
Legitimate Interests (Art. 10(1)(f)): Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests or fundamental rights.
Consent (Art. 10(1)(a)): For optional features only — freely given, specific, informed, and withdrawable at any time without detriment.
Where we process special categories of personal data (DIFC DP Law Art. 11), we rely on explicit consent or processing necessary for compliance with legal obligations.
We use personal data to: onboard and verify identity (KYC under UAE AML Law and DFSA/ADGM AML Rules); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor categorisation and suitability obligations under DFSA COB or ADGM COBS; maintain regulatory reporting records; detect and prevent fraud; comply with UAE, UN, and international sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from DFSA, FSRA, the UAE FIU, or the Central Bank of the UAE.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with DFSA, FSRA, the UAE FIU, Central Bank of the UAE, or other regulators pursuant to binding legal obligation; (c) with third-party data processors exclusively under contractual data protection obligations compliant with the DIFC Data Protection Law (Art. 15) or ADGM Data Protection Regulations; and (d) where required by a binding order of the DIFC Courts, ADGM Courts, or UAE courts.
Transfers of personal data outside the DIFC or ADGM are conducted solely under the transfer mechanisms provided by the DIFC Data Protection Law (Part 7) or the ADGM Data Protection Regulations (Part 8). This includes: adequacy determinations by the Commissioner of Data Protection; standard contractual clauses or binding corporate rules; or where the data subject has explicitly consented to the transfer. We conduct transfer risk assessments for all cross-border transfers. You may request details of applicable transfer safeguards by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (UAE Federal AML Law); DFSA transaction and client records — 6 years (DFSA GEN Rule 5.3); ADGM transaction records — 6 years; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with the applicable data protection law.
To exercise any right, contact gaio@tabularum.com. We will respond within 30 calendar days. We will not charge a fee for reasonable requests.
We implement appropriate technical and organisational measures under DIFC Data Protection Law Art. 28 and the ADGM Data Protection Regulations, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach, we will notify the Commissioner of Data Protection (DIFC) or the Registration Authority (ADGM) within 72 hours and affected individuals without undue delay where required.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking.
We retain personal data to fulfil DFSA and ADGM record-keeping obligations, including: client categorisation records under DFSA COB Rule 2.3 or ADGM COBS Rule 2.4; suitability assessment records under DFSA COB Rule 3.4 or ADGM COBS Rule 3.5; transaction records for a minimum of six (6) years under DFSA GEN Rule 5.3; and AML/CFT compliance records under the DFSA AML Module and ADGM AML Rules. These records are maintained in an immutable, non-alterable format and are accessible to DFSA or FSRA on request.
We collect and retain KYC data as required by UAE Federal Decree-Law No. 20 of 2018, the DFSA AML Module, and the ADGM AML and Sanctions Rules. Beneficial ownership information is collected, verified, and retained for five (5) years from the end of the business relationship. We are legally obligated to file Suspicious Activity Reports (SARs) with the UAE Financial Intelligence Unit (FIU) where we have reasonable grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under the UAE AML Law.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of the DIFC (for DIFC-based users) or the ADGM (for ADGM-based users). You retain the right to lodge a complaint with the DIFC Commissioner of Data Protection or the ADGM Registration Authority at any time.