Your privacy matters. This Privacy & Cookies Policy explains how AncoraOak Studio and its affiliates (collectively, AncoraOak Asset Management Inc., “AAM,” AncoraOak Advisors LLC, “we,” “us,” “our”) collect, use, disclose, and safeguard information when you access or use our websites, investor portal, data rooms, APIs, and related services (the “Services”).
By using the Services, you consent to this Policy. Capitalized terms not defined here have the meanings in our General Terms of Service.
This Policy is designed to meet transparency obligations under the GDPR, CCPA/CPRA, and similar privacy regimes.
It explains: who we are, your privacy rights, marketing preferences, what data we collect, how and why we use data, cookies and trackers, data sharing, retention, security, children’s privacy, links, integrations, and updates to this Policy.
Controller:
AncoraOak Asset Management Inc. (and where applicable, AncoraOak Advisors LLC) is the controller of your personal data for the Services listed in this Policy.
Contact:
📧 Email: privacy@ancoraoak.studio
📍 Mail: AncoraOak Studio, Attn: Privacy, 150 King St W, Toronto, ON, Canada.
EU/UK representative:
We will appoint one where Article 27 GDPR/UK GDPR applies.
Depending on your jurisdiction, you may have the right to:
Access, correct, delete, or restrict your personal data
Object to processing
Request portability
Limit use/disclosure of Sensitive Personal Information (SPI)
Opt out of “sharing” for cross-context advertising
Withdraw consent at any time
We verify each request and respond within the required timeframes. If we decline, you may appeal via the contact above.
We do not discriminate against anyone for exercising these rights.
To exercise your rights, email us at privacy@ancoraoak.studio with the subject line “Privacy Request”, or use Account → Settings → Privacy.
You may manage your marketing subscriptions via unsubscribe links, through Account → Email Settings, or by contacting us directly.
Transactional or service-related messages are not considered “marketing” and cannot generally be opted out of.
We collect data in three main ways:
We may collect:
Identity data: Name, aliases, title, date/place of birth, government identifiers (where lawful), signatures, identity documents, photos.
Contact data: Personal or work addresses, email, phone numbers.
Professional background: Employment and education history, credentials, affiliations.
Online presence: Links to public profiles or personal websites you share.
**Financial data:** Bank or payment details processed via secure systems; wealth/asset attestations for eligibility verification.
**Transaction data:** Purchases, subscriptions, payments, and investment transactions made via our Services.
**Investment data:** Investor status, objectives, experience, prior investments, entities, beneficial owners, and tax information contained in KYC/subscription files.
Content data: Account profiles, messages, comments, uploads, and metadata (e.g., timestamps).
**Marketing and communications data:** Preferences, opt-in/out records, correspondence history.
Behavioral segments: Categories derived from how you interact with our site.
**Technical data:** IP address, approximate geolocation, device/browser info, OS, plugins, logs, and diagnostics.
We may receive data from:
**Identity and compliance providers:** KYC/AML results, identity and sanctions checks.
Fund or administrative partners: Subscription status and investor records related to AOS-hosted vehicles.
Credit or reporting agencies: Identity, contact, and financial indicators.
Analytics or advertising partners: Pseudonymous identifiers, device/usage metrics, and interest segments.
Affiliates: Account or relationship context required to operate Services.
Data brokers or social media: Identity and contact details you have made public or consented to share.
We may also generate or receive aggregated or de-identified data that cannot identify you, unless re-linked.
We avoid processing “special categories” of personal data unless legally required (e.g., for identity verification). Sensitive Personal Information (SPI) is used only for limited lawful purposes such as compliance and security.
We use your data to:
Deliver, secure, and improve our Services
Operate investment and payment processes
Conduct research and development
Communicate service, security, and marketing information (where permitted)
Enforce terms and comply with legal obligations
Legal bases include contract performance, legitimate interests, consent (where obtained), and legal obligations.
We use cookies, pixels, local storage, and similar technologies for authentication, analytics, preferences, and (where applicable) advertising.
Categories of cookies:
Essential: Required for sign-in, security, and core functionality.
Functionality: Remember preferences and UX settings.
**Analytics/Performance:** Measure usage and improve the product.
**Advertising/Targeting:** Deliver or measure ads (if enabled).
**Social Media:** Enable sharing or embedded content.
You can manage cookies through your browser or device settings.
We honor cookie preferences where required by law but do not currently respond to “Do Not Track” signals.
If this changes, we will update this Policy.
We may share your personal data with:
AOS affiliates - for platform operations and customer support.
Service providers - for hosting, storage, backups, KYC/compliance, payments, and administration.
Professional advisers - legal, audit, banking, insurance, and tax consultants.
Fund managers or vehicle operators - if you engage with investment vehicles.
Advertising and analytics partners - to measure campaigns (subject to opt-outs).
API or integration partners - for features you enable.
Regulators, authorities, or courts - for compliance and dispute resolution.
Corporate transactions - during mergers, financing, or reorganizations.
Researchers (under NDA) - for market or academic research.
Other users - when you choose to share data publicly.
If you ask us to delete your data, we’ll notify relevant third parties where possible.
We retain your data only as long as necessary to fulfill the purposes listed above, while your account is active, or as required by law. After that, data is securely deleted or de-identified.
We primarily operate from Canada and the United States, but may use subprocessors in other jurisdictions.
By using the Services, you consent to lawful cross-border transfers subject to appropriate safeguards (e.g., SCCs, adequacy decisions).
We implement administrative, technical, and physical safeguards aligned with industry standards (access control, encryption, monitoring, incident response).
While we take strong precautions, no system is completely secure.
Our Services are not intended for children under 16. We do not knowingly collect data from them; if we do, we delete it promptly.
Our Services may link to third-party sites. We are not responsible for their privacy practices or content. Please review their own policies.
If you connect third-party accounts (like Google, Microsoft, LinkedIn, GitHub), we only access minimal data needed for that feature—typically your name, email, and profile photo.
You may also allow read-only access to contacts, calendars, or files to use optional scheduling or file-sharing tools.
We store tokens securely, never your passwords. You can disconnect these integrations anytime via Account → Settings → Connected Apps or revoke access directly from the third-party account.
We may update this Policy periodically. Updates take effect upon posting.
Material changes will be highlighted or otherwise communicated where required by law.
Check the “Last Updated” date above for the most current version.
We do not “sell” personal data. You can opt out of data “sharing” for cross-context behavioral advertising.
Sensitive Personal Information (SPI) is used only for essential purposes (compliance, security, service delivery).
Your rights under applicable laws (CPRA, VCDPA, CPA, etc.) include:
Access and deletion
Correction
Portability
Opt-out of targeted advertising or profiling
Limiting SPI use
Appealing denied requests
Nevada residents may opt out of “sale” of data under NRS 603A by contacting privacy@ancoraoak.studio.
Legal bases: Contract, legitimate interests, consent, and legal obligations.
Transfers: When data is moved outside your jurisdiction, we use SCCs or other lawful mechanisms.
**Your rights:** Access, correction, deletion, restriction, portability, and the right to object.
You may also file complaints with your local data protection authority (e.g., via EDPB).
Under PIPEDA (Canada), you may access, correct, or withdraw consent (subject to legal limits). Commercial messages comply with CASL.
We and our service providers use cookies and similar technologies for site functionality, analytics, and advertising (where applicable).
Here’s how they generally work:
Used to maintain sessions, protect against CSRF, and route traffic.
Examples: aos_session, aos_auth, aos_csrf.
Duration: Session up to 12 months.
Note: Blocking them may prevent login or break functionality.
Store your preferences and consent selections.
Examples: consent_choice, cookie_preferences.
Duration: 6–24 months.
You can adjust settings anytime via Manage Cookies in your account.
Help us measure and improve site usage:
Google Analytics (_ga, _gid, _gat): 24 hours–24 months; opt-out via https://tools.google.com/dlpage/gaoptout
PostHog (ph_) and Amplitude (amplitude_id_, amp_*): Product analytics and telemetry; retained 12–24 months.
FullStory (fs_uid): Session replay analytics; retained 12–24 months.
Used to measure or personalize ads (where enabled):
Google Ads (_gcl_au) — ~90 days; manage at adssettings.google.com
Facebook / Instagram (_fbp) — ~90 days; manage at facebook.com/adpreferences
Microsoft Bing (_uetsid, _uetvid) — 1 day–13 months; manage at about.ads.microsoft.com
LinkedIn (li_gc, bcookie, _guid) — 6–24 months; manage at linkedin.com/psettings/guest-controls/retargeting-opt-out
Cookies from embedded platforms like YouTube (YSC, VISITOR_INFO1_LIVE) enable playback and analytics.
Duration: Session–6 months.
Used by infrastructure providers to detect bots and ensure uptime (e.g., __cf_bm).
Duration: About 30 minutes.
Cannot be disabled.
Adjust your preferences in our cookie banner or account settings.
You can delete or block cookies in your browser (blocking essential cookies may affect sign-in).
Use industry tools: NAI, DAA, EDAA.
We recognize valid Global Privacy Control (GPC) signals.
We do not currently respond to “Do Not Track.”
Cookie lifetimes may refresh upon repeat visits to maintain your preferences. Material updates will be posted here and in the banner when required.
Data we collect:
Who we share with:
We will notify you in case of any data breach as required by law.
Please check the “Last Updated” date for changes.