This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO") of the Hong Kong Special Administrative Region, guidelines issued by the Office of the Privacy Commissioner for Personal Data ("PCPD"), the Securities and Futures Ordinance (Cap 571) ("SFO"), and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap 615) ("AMLO"). It applies to all Hong Kong-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the data user as defined under Section 2 of the PDPO. Under the PDPO, "data user" refers to a person who, either alone or jointly with other persons, controls the collection, holding, processing, or use of personal data. For any enquiries relating to personal data privacy, please contact us at clara@tabularum.com (subject: Privacy Request). You may also lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.
Identity & KYC Verification: Full legal name, date of birth, nationality, Hong Kong Identity Card (HKID) or passport, proof of address, beneficial ownership information (AMLO Sch. 2), source of funds and wealth documentation, and investor categorisation under the SFO.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Directly Related Purpose (DPP1(1)): Personal data is collected for purposes directly related to the provision of Platform services, including onboarding, KYC verification, transaction management, and regulatory compliance. Under DPP1(1), data shall not be collected unless it is necessary for, or directly related to, a lawful purpose connected with a function or activity of the data user.
Legal & Regulatory Obligation: Compliance with the AMLO (Cap 615), SFO (Cap 571), SFC Code of Conduct, and other applicable Hong Kong legislation.
Prescribed Consent (DPP3): Where we intend to use data for a new purpose not directly related to the original collection purpose, we will obtain your prescribed consent under Section 2A of the PDPO before doing so. You may withdraw consent at any time by notifying us in writing.
Practicability (DPP1(2)): Before or at the time of collection, we will take all reasonably practicable steps to inform you of the purpose of collection and your rights under the PDPO, including your right to request access to and correction of personal data.
We use personal data to: onboard and verify identity (KYC under AMLO); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor categorisation under the SFO; maintain SFC record-keeping obligations; detect and prevent fraud; comply with Hong Kong sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from the SFC, Hong Kong Monetary Authority (HKMA), or the Joint Financial Intelligence Unit (JFIU).
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with Hong Kong regulators (SFC, HKMA, JFIU, Companies Registry) pursuant to binding legal obligation under the AMLO or SFO; (c) with third-party data processors under written contractual arrangements that require the processor to comply with obligations equivalent to DPP2 and DPP4 of the PDPO; and (d) where required by a binding court order of the Courts of Hong Kong SAR. Where data is shared with a third party, we ensure it is limited to what is necessary for the specified purpose under DPP3.
Section 33 of the PDPO restricts the transfer of personal data to places outside Hong Kong except where certain conditions are met. Although Section 33 has not yet been brought into force, Tabularum voluntarily applies cross-border transfer safeguards consistent with the PCPD's Guidance on Personal Data Protection in Cross-border Data Transfer. Transfers are conducted only where: (a) the recipient jurisdiction provides a substantially similar level of data protection; (b) the data subject has given prescribed consent; or (c) a binding contractual arrangement ensures compliance with the Data Protection Principles. We conduct transfer risk assessments for all cross-border transfers and maintain a register of recipient jurisdictions available on request.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 6 years from the date on which the business relationship ends or the transaction is completed (AMLO Sch. 2, s.22); SFC transaction records — 7 years (SFC Code of Conduct); platform security logs — 12 months; communications — duration of relationship plus 6 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with DPP2(2) of the PDPO, which requires that personal data is not kept longer than is necessary for the fulfilment of the purpose for which it was collected.
To exercise any right, contact clara@tabularum.com. We will respond to data access and correction requests within 40 days as required under the PDPO. A reasonable fee may be charged for data access requests in accordance with Section 28 of the PDPO.
We implement appropriate security measures under DPP4 of the PDPO to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. Measures include: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a data breach, we will notify the PCPD and affected individuals in accordance with the PCPD's Guidance on Data Breach Handling and Giving of Breach Notifications.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. Hong Kong does not currently impose a specific cookie consent requirement; however, we adopt a transparency-first approach and provide this disclosure in accordance with DPP5 (openness) of the PDPO.
We retain personal data to fulfil record-keeping obligations under the SFC Code of Conduct and the Securities and Futures (Keeping of Records) Rules (Cap 571O), including: client categorisation and professional investor records; suitability assessment records; order and transaction records for a minimum of seven (7) years; and conflicts of interest disclosures. These records are maintained in an immutable, non-alterable format and are accessible to the SFC on request.
We collect and retain KYC data as required by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap 615) ("AMLO") and its subsidiary legislation. Customer due diligence records, including beneficial ownership information, are collected and verified under AMLO Schedule 2 and retained for six (6) years. We are legally obligated to file Suspicious Transaction Reports (STRs) with the Joint Financial Intelligence Unit (JFIU) where we have reasonable grounds to suspect money laundering or terrorist financing under the Drug Trafficking (Recovery of Proceeds) Ordinance (Cap 405) and the Organized and Serious Crimes Ordinance (Cap 455). We cannot notify you if an STR has been filed, as this would constitute "tipping off" under AMLO Section 25A(5).
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at clara@tabularum.com. We will delete such data without delay.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of the Hong Kong Special Administrative Region. Any dispute arising from this Policy shall be subject to the exclusive jurisdiction of the Courts of Hong Kong SAR. You retain the right to lodge a complaint with the Privacy Commissioner for Personal Data at any time under Section 37 of the PDPO.