I. Introduction

Your privacy matters. This Privacy & Cookies Policy explains how AncoraOak Studio and its affiliates (collectively, AncoraOak Asset Management Inc., “AAM,” AncoraOak Advisors LLC, “we,” “us,” “our”) collect, use, disclose, and safeguard information when you access or use our websites, investor portal, data rooms, APIs, and related services (the “Services”).

By using the Services, you consent to this Policy. Capitalized terms not defined here have the meanings in our General Terms of Service.

This Policy is designed to meet transparency obligations under the GDPR, CCPA/CPRA, and similar privacy regimes.

It explains: who we are, your privacy rights, marketing preferences, what data we collect, how and why we use data, cookies and trackers, data sharing, retention, security, children’s privacy, links, integrations, and updates to this Policy.

II. Who we are and how to contact us

Controller:

AncoraOak Asset Management Inc. (and where applicable, AncoraOak Advisors LLC) is the controller of your personal data for the Services listed in this Policy.

Contact:

📧 Email: privacy@ancoraoak.studio

📍 Mail: AncoraOak Studio, Attn: Privacy, 150 King St W, Toronto, ON, Canada.

EU/UK representative:

We will appoint one where Article 27 GDPR/UK GDPR applies.

III. Your rights over your personal data

Depending on your jurisdiction, you may have the right to:

Access, correct, delete, or restrict your personal data

Object to processing

Request portability

Limit use/disclosure of Sensitive Personal Information (SPI)

Opt out of “sharing” for cross-context advertising

Withdraw consent at any time

We verify each request and respond within the required timeframes. If we decline, you may appeal via the contact above.

We do not discriminate against anyone for exercising these rights.

To exercise your rights, email us at privacy@ancoraoak.studio with the subject line “Privacy Request”, or use Account → Settings → Privacy.

IV. Marketing communications preferences

You may manage your marketing subscriptions via unsubscribe links, through Account → Email Settings, or by contacting us directly.

Transactional or service-related messages are not considered “marketing” and cannot generally be opted out of.

V. What personal data we collect

We collect data in three main ways:

Information you provide directly
Information from third-party sources
Information collected automatically (device, usage, cookies)

A. Information you provide directly

We may collect:

Identity data: Name, aliases, title, date/place of birth, government identifiers (where lawful), signatures, identity documents, photos.

Contact data: Personal or work addresses, email, phone numbers.

Professional background: Employment and education history, credentials, affiliations.

Online presence: Links to public profiles or personal websites you share.

Financial data: Bank or payment details processed via secure systems; wealth/asset attestations for eligibility verification.

Transaction data: Purchases, subscriptions, payments, and investment transactions made via our Services.
Investment data: Investor status, objectives, experience, prior investments, entities, beneficial owners, and tax information contained in KYC/subscription files.

Content data: Account profiles, messages, comments, uploads, and metadata (e.g., timestamps).

Marketing and communications data: Preferences, opt-in/out records, correspondence history.

Behavioral segments: Categories derived from how you interact with our site.

Technical data: IP address, approximate geolocation, device/browser info, OS, plugins, logs, and diagnostics.

B. Information from third-party sources

We may receive data from:

Identity and compliance providers: KYC/AML results, identity and sanctions checks.

Fund or administrative partners: Subscription status and investor records related to AOS-hosted vehicles.

Credit or reporting agencies: Identity, contact, and financial indicators.

Analytics or advertising partners: Pseudonymous identifiers, device/usage metrics, and interest segments.

Affiliates: Account or relationship context required to operate Services.

Data brokers or social media: Identity and contact details you have made public or consented to share.

We may also generate or receive aggregated or de-identified data that cannot identify you, unless re-linked.

We avoid processing “special categories” of personal data unless legally required (e.g., for identity verification). Sensitive Personal Information (SPI) is used only for limited lawful purposes such as compliance and security.

VI. How we use personal data and why

We use your data to:

Deliver, secure, and improve our Services

Operate investment and payment processes

Conduct research and development

Communicate service, security, and marketing information (where permitted)

Enforce terms and comply with legal obligations

Legal bases include contract performance, legitimate interests, consent (where obtained), and legal obligations.

VII. Cookies and other tracking technologies

We use cookies, pixels, local storage, and similar technologies for authentication, analytics, preferences, and (where applicable) advertising.

Categories of cookies:

Essential: Required for sign-in, security, and core functionality.

Functionality: Remember preferences and UX settings.

Analytics/Performance: Measure usage and improve the product.

Advertising/Targeting: Deliver or measure ads (if enabled).

Social Media: Enable sharing or embedded content.

You can manage cookies through your browser or device settings.

We honor cookie preferences where required by law but do not currently respond to “Do Not Track” signals.

If this changes, we will update this Policy.

VIII. Who we share personal data with

We may share your personal data with:

AOS affiliates - for platform operations and customer support.

Service providers - for hosting, storage, backups, KYC/compliance, payments, and administration.

Professional advisers - legal, audit, banking, insurance, and tax consultants.

Fund managers or vehicle operators - if you engage with investment vehicles.

Advertising and analytics partners - to measure campaigns (subject to opt-outs).

API or integration partners - for features you enable.

Regulators, authorities, or courts - for compliance and dispute resolution.

Corporate transactions - during mergers, financing, or reorganizations.

Researchers (under NDA) - for market or academic research.

Other users - when you choose to share data publicly.

If you ask us to delete your data, we’ll notify relevant third parties where possible.

IX. Data retention

We retain your data only as long as necessary to fulfill the purposes listed above, while your account is active, or as required by law. After that, data is securely deleted or de-identified.

X. International data transfers

We primarily operate from Canada and the United States, but may use subprocessors in other jurisdictions.

By using the Services, you consent to lawful cross-border transfers subject to appropriate safeguards (e.g., SCCs, adequacy decisions).

XI. Security

We implement administrative, technical, and physical safeguards aligned with industry standards (access control, encryption, monitoring, incident response).

While we take strong precautions, no system is completely secure.

XII. Children’s privacy

Our Services are not intended for children under 16. We do not knowingly collect data from them; if we do, we delete it promptly.

XIII. Links to other websites

Our Services may link to third-party sites. We are not responsible for their privacy practices or content. Please review their own policies.

XIV. Third-party applications (integrations)

If you connect third-party accounts (like Google, Microsoft, LinkedIn, GitHub), we only access minimal data needed for that feature—typically your name, email, and profile photo.

You may also allow read-only access to contacts, calendars, or files to use optional scheduling or file-sharing tools.

We store tokens securely, never your passwords. You can disconnect these integrations anytime via Account → Settings → Connected Apps or revoke access directly from the third-party account.

XV. Changes to this Policy

We may update this Policy periodically. Updates take effect upon posting.

Material changes will be highlighted or otherwise communicated where required by law.

Check the “Last Updated” date above for the most current version.

U.S. State Privacy Addendum

We do not “sell” personal data. You can opt out of data “sharing” for cross-context behavioral advertising.

Sensitive Personal Information (SPI) is used only for essential purposes (compliance, security, service delivery).

Your rights under applicable laws (CPRA, VCDPA, CPA, etc.) include:

Access and deletion

Correction

Portability

Opt-out of targeted advertising or profiling

Limiting SPI use

Appealing denied requests

Nevada residents may opt out of “sale” of data under NRS 603A by contacting privacy@ancoraoak.studio

EEA / UK / Canada Privacy Addendum

Legal bases: Contract, legitimate interests, consent, and legal obligations.

Transfers: When data is moved outside your jurisdiction, we use SCCs or other lawful mechanisms.

Your rights: Access, correction, deletion, restriction, portability, and the right to object.

You may also file complaints with your local data protection authority (e.g., via EDPB).

Under PIPEDA (Canada), you may access, correct, or withdraw consent (subject to legal limits). Commercial messages comply with CASL.

Cookie Details (plain-text summary)

We and our service providers use cookies and similar technologies for site functionality, analytics, and advertising (where applicable).

Here’s how they generally work:

Essential Cookies

Used to maintain sessions, protect against CSRF, and route traffic.

Examples: aos_session, aos_auth, aos_csrf.

Duration: Session up to 12 months.

Note: Blocking them may prevent login or break functionality.

Functionality Cookies

Store your preferences and consent selections.

Examples: consent_choice, cookie_preferences.

Duration: 6–24 months.

You can adjust settings anytime via Manage Cookies in your account.

Analytics and Performance Cookies

Help us measure and improve site usage:

Google Analytics (_ga, _gid, _gat): 24 hours–24 months; opt-out via https://tools.google.com/dlpage/gaoptout

PostHog (ph_*) and Amplitude (amplitude_id_*, amp_*): Product analytics and telemetry; retained 12–24 months.

FullStory (fs_uid): Session replay analytics; retained 12–24 months.

Advertising and Targeting Cookies

Used to measure or personalize ads (where enabled):

Google Ads (_gcl_au) — ~90 days; manage at adssettings.google.com

Facebook / Instagram (_fbp) — ~90 days; manage at facebook.com/adpreferences

Microsoft Bing (_uetsid, _uetvid) — 1 day–13 months; manage at about.ads.microsoft.com

LinkedIn (li_gc, bcookie, _guid) — 6–24 months; manage at linkedin.com/psettings/guest-controls/retargeting-opt-out

Social Media / Embedded Content

Cookies from embedded platforms like YouTube (YSC, VISITOR_INFO1_LIVE) enable playback and analytics.

Duration: Session–6 months.

Security / Edge Cookies

Used by infrastructure providers to detect bots and ensure uptime (e.g., __cf_bm).

Duration: About 30 minutes.

Cannot be disabled.

Cookie Management

Adjust your preferences in our cookie banner or account settings.

You can delete or block cookies in your browser (blocking essential cookies may affect sign-in).

Use industry tools: NAI, DAA, EDAA.

We recognize valid Global Privacy Control (GPC) signals.

We do not currently respond to “Do Not Track.”

Cookie lifetimes may refresh upon repeat visits to maintain your preferences. Material updates will be posted here and in the banner when required.

Summary of Personal Data & Sharing

Data we collect:

Identity, contact, financial, transaction, investment, technical, behavioral, content, and marketing preference data.

Who we share with:

Affiliates, service providers, advisers, fund operators, analytics/ads partners, integration partners, regulators, and if you choose other users.

We will notify you in case of any data breach as required by law.

Please check the “Last Updated” date for changes.