This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), FCA rules, and the Money Laundering Regulations 2017 (MLR 2017). It applies to all United Kingdom-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the data controller under Article 4(7) UK GDPR. We have appointed a Data Protection Officer (DPO) as required under UK GDPR Art. 37 and DPA 2018 s. 69. Contact our DPO at gaio@tabularum.com (subject: UK GDPR Request) for any data protection enquiry or to exercise your rights. You may also contact the Information Commissioner's Office (ICO) at ico.org.uk or by telephone at 0303 123 1113.
Identity & KYC Verification: Full legal name, date of birth, nationality, government-issued ID, proof of address, beneficial ownership information (MLR 2017 Regs. 5 and 28), source of funds and wealth documentation, and investor categorisation (FCA COBS 3).
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries (FCA SYSC 9), IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Contract (Art. 6(1)(b)): Processing necessary to provide Platform services under the Terms of Service.
Legal Obligation (Art. 6(1)(c)): Compliance with MLR 2017, FCA rules (COBS, SYSC, FUND), UK AIFMD, UK eIDAS, and applicable UK legislation.
Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests.
Consent (Art. 6(1)(a)): For optional features only — freely given, specific, informed, and withdrawable at any time without detriment.
Where we process special category data (UK GDPR Art. 9), we rely on Art. 9(2)(g) (substantial public interest: AML/KYC obligations) as supplemented by DPA 2018 Schedule 1, Part 2, or explicit consent (Art. 9(2)(a)) as applicable.
We use personal data to: onboard and verify identity (KYC under MLR 2017); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil FCA investor categorisation and suitability obligations (COBS 3, COBS 9); maintain UK AIFMD Annex IV reporting records; detect and prevent fraud; comply with UK sanctions screening obligations (OFSI Consolidated List); maintain immutable audit trails under FCA SYSC 9; and respond to regulatory enquiries from the FCA, NCA, or other competent UK authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with UK regulators (FCA, NCA, HMRC, ICO) pursuant to binding legal obligation under MLR 2017 or FCA rules; (c) with third-party data processors exclusively under UK GDPR Art. 28-compliant Data Processing Agreements (DPAs) — a register of sub-processors is available on request; and (d) where required by a binding UK court order.
Transfers of personal data outside the United Kingdom are conducted solely under one of the following safeguards: (a) the UK International Data Transfer Agreement (IDTA) as approved by the ICO and laid before Parliament under s. 119A DPA 2018; (b) the UK Addendum to EU Standard Contractual Clauses (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022); (c) an adequacy regulation made by the Secretary of State under UK GDPR Art. 45; or (d) another valid mechanism under UK GDPR Chapter V. We conduct Transfer Risk Assessments (TRAs) for all third-country transfers in accordance with ICO guidance. You may request a copy of applicable transfer agreements by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (MLR 2017 Reg. 40); FCA transaction and order records — 5 years (SYSC 9); UK AIFMD Annex IV records — 5 years; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with UK GDPR Art. 5(1)(e).
To exercise any right, contact gaio@tabularum.com. We will respond within one calendar month (UK GDPR Art. 12). We will not charge a fee for reasonable requests. Review of automated decisions subject to Art. 22 is available on request. You may also contact the ICO directly at ico.org.uk/make-a-complaint.
We implement appropriate technical and organisational measures under UK GDPR Art. 32, including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a personal data breach likely to result in a risk to your rights, we will notify the Information Commissioner's Office (ICO) within 72 hours (UK GDPR Art. 33) and affected individuals without undue delay (UK GDPR Art. 34) where required.
We use only strictly necessary session cookies for authentication and security under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. No cookie consent banner is required as we do not deploy non-essential cookies. Our cookie usage is compliant with PECR and ICO guidance on the use of cookies and similar technologies.
We retain personal data to fulfil FCA record-keeping obligations, including: client categorisation records (COBS 3); suitability assessment records (COBS 9.4); order and transaction records under SYSC 9 for a minimum of five (5) years; and conflicts of interest disclosures (SYSC 10). These records are maintained in an immutable, non-alterable format consistent with FCA requirements and are accessible to the FCA on request.
We collect and retain KYC data as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended). Beneficial ownership information is collected and verified under MLR 2017 Regs. 5 and 28 and retained for five (5) years (Reg. 40). We are legally obligated to file Suspicious Activity Reports (SARs) with the National Crime Agency (NCA) under the Proceeds of Crime Act 2002 (POCA) where we have grounds to suspect money laundering or terrorist financing. We cannot notify you if a SAR has been filed, as this would constitute "tipping off" under POCA s. 333A.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay in accordance with UK GDPR Art. 17. We also comply with the ICO's Age Appropriate Design Code (Children's Code) to the extent applicable.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of England and Wales. The UK GDPR, as supplemented by the Data Protection Act 2018, governs all personal data processing described herein. You retain the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time (UK GDPR Art. 77).