This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the Cayman Islands Data Protection Act, 2017 ("DPA"), CIMA regulatory requirements, and the Anti-Money Laundering Regulations (as revised). It applies to all Cayman Islands-based users and users of Cayman-domiciled fund structures, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the data controller under Section 4 of the Cayman Islands Data Protection Act, 2017. We have appointed a Data Protection Officer (DPO). Contact our DPO at gaio@tabularum.com (subject: DPA Request) for any data protection enquiry or to exercise your rights. You may also contact the Ombudsman of the Cayman Islands, who serves as the Data Protection Authority.
Identity & KYC Verification: Full legal name, date of birth, nationality, passport or national ID, proof of address, beneficial ownership information (under the Beneficial Ownership Transparency Act 2023), source of funds and wealth documentation, and investor qualification documentation.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Consent (Schedule 2, Condition 1): Where you have given consent to the processing for one or more specific purposes.
Contract (Schedule 2, Condition 2): Processing necessary for the performance of the Terms of Service.
Legal Obligation (Schedule 2, Condition 3): Compliance with AML Regulations, CIMA requirements, and the Proceeds of Crime Act.
Legitimate Interests (Schedule 2, Condition 6): Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests or fundamental rights.
We use personal data to: onboard and verify identity (KYC under the AML Regulations); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil investor qualification requirements; maintain CIMA regulatory reporting records; detect and prevent fraud; comply with sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from CIMA, the FRA, or other Cayman Islands authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with CIMA, the FRA, or other regulators pursuant to binding legal obligation under the AML Regulations, Proceeds of Crime Act, or the Confidential Information Disclosure Act (as revised); (c) with third-party data processors exclusively under contractual data protection obligations consistent with the DPA 2017; and (d) where required by a binding order of the Grand Court of the Cayman Islands.
Transfers of personal data outside the Cayman Islands are conducted solely in compliance with Section 17 of the DPA 2017. We ensure that the recipient country or territory provides an adequate level of data protection, or that appropriate safeguards (such as contractual clauses) are in place. You may request details of applicable transfer safeguards by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (AML Regulations); CIMA-regulated fund records — 5 years after fund dissolution or transaction completion; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with the DPA 2017.
To exercise any right, contact gaio@tabularum.com. We will respond within 30 calendar days. We will not charge a fee for reasonable requests.
We implement appropriate technical and organisational measures under the DPA 2017 (Seventh Data Protection Principle), including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach, we will notify the Ombudsman and affected individuals without undue delay where required by the DPA 2017.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking.
We retain personal data to fulfil CIMA record-keeping obligations, including: investor qualification records; fund registration and filing records; transaction records for a minimum of five (5) years after fund dissolution or transaction completion; and AML/CFT compliance records under the AML Regulations. These records are maintained in an immutable, non-alterable format and are accessible to CIMA on request.
We collect and retain KYC data as required by the Cayman Islands Anti-Money Laundering Regulations (as revised) and the Proceeds of Crime Act (as revised). Beneficial ownership information is collected, verified, and retained for five (5) years from the end of the business relationship, in accordance with the Beneficial Ownership Transparency Act 2023. We are legally obligated to file Suspicious Activity Reports (SARs) with the Cayman Islands Financial Reporting Authority (FRA) where we have reasonable grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under the Proceeds of Crime Act.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay in accordance with the DPA 2017.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of the Cayman Islands. You retain the right to lodge a complaint with the Ombudsman of the Cayman Islands (Data Protection Authority) at any time.