This Privacy Policy describes how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal information in connection with our private capital markets platform, in accordance with SEC Regulation S-P, the Bank Secrecy Act (BSA), the California Consumer Privacy Act (CCPA), and applicable US federal and state privacy law. It applies to all US-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum's Privacy Officer is responsible for overseeing this Policy and handling privacy-related enquiries under SEC Regulation S-P (17 CFR Part 248). Contact us at gaio@tabularum.com for any privacy request, to exercise your rights, or to raise a concern. California residents may also contact us using the methods in Section 12.
Identity & KYC/AML Verification: Full legal name, date of birth, government-issued photo ID (passport, driver's licence), Social Security Number or EIN (for accreditation and tax purposes), proof of address, beneficial ownership information (FinCEN CDD Rule, 31 CFR §1010.230), source of funds documentation, and accredited investor verification documentation under SEC Rule 501.
Account & Professional Data: Email address, phone number, professional title, firm name, hashed login credentials, and Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio and NAV data, bank details, and tax forms (W-9 / W-8BEN where applicable).
Platform Usage Logs: Access logs, document view records, immutable audit trail entries (SEC Rules 17a-4/17a-5), IP address, browser type, and session data (security monitoring only).
Communications: Messages and notices exchanged through the Platform between GPs and LPs.
Contractual Necessity: Processing required to provide Platform services under our Terms of Service and any executed service or subscription agreement.
Legal Obligation: Compliance with BSA/FinCEN CDD requirements, OFAC sanctions screening, SEC Regulation S-P, SEC Rules 17a-4 and 17a-5, Investment Advisers Act of 1940, and applicable state securities laws (Blue Sky Laws).
Legitimate Business Interest: Security monitoring, fraud detection, Platform integrity, immutable audit log maintenance, and investor accreditation verification under SEC Rule 506(c).
Consent: For optional Platform features only — withdrawable at any time without affecting your account status.
We use personal information to: verify identity and accreditation status (KYC/AML under BSA and SEC Regulation D); assign and maintain your TIN; facilitate GP-LP capital transaction management; process capital calls, distributions, and fund communications; maintain books and records under SEC Rules 17a-4 and 17a-5; support investor accreditation re-verification under SEC Rule 506(e); screen for OFAC and FinCEN sanctions; detect and prevent fraud and financial crime; comply with Form D and Blue Sky filing obligations; prepare and deliver Reg S-P annual privacy notices; and respond to requests from the SEC, FINRA, state regulators, or FinCEN.
We do not sell, rent, or trade personal information. Consistent with SEC Regulation S-P and the Gramm-Leach-Bliley Act (GLBA), we share nonpublic personal information only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with the SEC, FINRA, FinCEN, OFAC, state securities regulators, or law enforcement pursuant to a binding legal obligation or lawful request; (c) with third-party service providers acting as our agents under written confidentiality agreements that restrict use to performing services for us; and (d) as required to complete a Transaction or in connection with a business transfer or merger, subject to confidentiality protections.
We provide annual notice of our privacy practices as required by Regulation S-P. You have the right to opt out of any disclosure to non-affiliated third parties for marketing purposes — we do not make such disclosures, but you may record your preference at gaio@tabularum.com.
We retain records only for as long as required by law: BSA/FinCEN KYC and AML records — 5 years from end of relationship (31 U.S.C. §5318(g)); SEC transaction and audit records — 7 years (SEC Rule 17a-4(b)), the first two years in an accessible main office location; investor accreditation verification records — 5 years (SEC Rule 506(e)); Investment Advisers Act books and records — 5 years (Rule 204-2); communications — duration of relationship plus 5 years; Platform security logs — 12 months. After applicable retention periods expire, data is securely deleted or de-identified. Electronic records are maintained in non-rewritable, non-erasable format as required by SEC Rule 17a-4(f).
To exercise any right, contact gaio@tabularum.com. We will acknowledge requests within 10 business days and respond within 45 days (CCPA/CPRA). We may verify your identity before processing requests. Authorised agents may submit requests on your behalf with written authorisation.
We maintain a written information security program consistent with the SEC Safeguards Rule (Regulation S-P, 17 CFR §248.30) and the GLBA Safeguards Rule (16 CFR Part 314), implementing: AES-256 encryption at rest and TLS 1.3 in transit; role-based access controls and multi-factor authentication; immutable, time-stamped audit logs maintained in non-rewritable electronic storage (SEC Rule 17a-4(f)); regular penetration testing and vulnerability assessments; a written incident response plan; and annual security training for personnel with access to customer data. In the event of a breach of customer financial information, we will notify affected customers and the SEC as required by Regulation S-P.
We use only strictly necessary session cookies for authentication and Platform security. We do not use third-party advertising cookies, tracking pixels, or behavioural analytics. We do not respond to browser "Do Not Track" signals, because we do not engage in cross-site tracking. All email communications comply with the CAN-SPAM Act (15 U.S.C. §7701 et seq.) — each commercial email includes a clear unsubscribe mechanism and our postal address.
Tabularum provides this Policy as the initial privacy notice required under Regulation S-P (17 CFR §248.4) for customers of registered investment advisers using the Platform. An updated notice will be provided annually or when material changes occur. This Policy describes: the categories of nonpublic personal information we collect; the categories of third parties to whom we disclose such information; our policies for protecting the confidentiality and security of customer information; and your right to opt out of disclosures to non-affiliated third parties (we make no such disclosures for marketing). Records of privacy notices are retained under SEC Rule 204-2.
We collect and retain KYC/AML data as required by the Bank Secrecy Act (31 U.S.C. §5311 et seq.) and FinCEN's Customer Due Diligence Rule (31 CFR §1010.230). Beneficial ownership information is collected for all legal entity customers (identifying individuals owning ≥ 25%). We are legally required to file Suspicious Activity Reports (SARs) with FinCEN (31 CFR §1020.320) and Currency Transaction Reports (CTRs) where applicable. Federal law prohibits us from notifying you if a SAR has been filed. We screen all users against OFAC's Specially Designated Nationals (SDN) list and other applicable US sanctions lists prior to and during the account relationship.
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Civil Code §1798.100 et seq. In the preceding 12 months, Tabularum has collected the categories of personal information described in Section 2 for the purposes described in Section 4. We have not sold or shared personal information for cross-context behavioural advertising. Sensitive personal information (including government ID numbers and financial account details) is used solely to provide Platform services and comply with legal obligations.
To submit a CCPA/CPRA request: email gaio@tabularum.com with subject "CCPA Request". We will verify your identity and respond within 45 days. You may designate an authorised agent by providing written authorisation. We will not deny, charge different prices for, or provide a different quality of service based on your exercise of CCPA/CPRA rights.
Our Platform is not directed at individuals under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a person under 18, contact us immediately at gaio@tabularum.com and we will delete such information promptly in compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §6501 et seq.
We will provide notice of material changes to this Policy as required by Regulation S-P — by email and on the Platform, at least 30 days before taking effect for registered investment adviser customers. This Policy is governed by the laws of the State of Delaware and applicable US federal law. State-specific rights (including California CCPA/CPRA) apply to residents of those states regardless of this choice of law.