Website Data Protection Policy and Privacy Notice
Last updated: August 2025
Applies to: ancoraoak.studio and related private, invite-only portals
Related policies: Website Terms of Use · Cookie Policy
Contacts: [email protected] · [email protected] · [email protected]
1. Introduction
This website data protection policy and privacy notice (“Policy”) explains how AncoraOak Asset Management Inc. and its affiliates (“AncoraOak,” “we,” “us,” or “our”) collect, use, disclose, transfer, and safeguard personal information when you use ancoraoak.studio and any private, invite-only investor/advisor portals we operate (together, the “Websites”). For purposes of applicable data protection laws, AncoraOak acts as a controller of your Personal Data.
By using the Websites, you agree to this Policy, our Terms of Use, and our Cookie Policy. If you do not agree, please do not use the Websites.
2. Definitions
- “Personal Data” means information that directly or indirectly identifies a living individual (e.g., name, email, phone, address, identification numbers, online identifiers, location data, financial data), as well as opinions about, or intentions toward, an individual.
- “Sensitive Personal Data” means categories designated as sensitive under applicable law (e.g., special categories under GDPR; sensitive personal information under CPRA).
- “Websites” means ancoraoak.studio and any private, invite-only investor/advisor portals that link to this Policy (unless a different privacy notice is displayed).
3. The information we collect
A. Information you provide directly
- Contact & identity data: name, email, phone, country/region, employer/firm, title, and (where applicable) accreditation/professional-investor attestations.
- Account data: login credentials, role/permissions, preferences, audit logs.
- Application data: advisor/partner or founder/operator application details (CV/LinkedIn, expertise, availability, references).
- KYC/AML data (where required): government ID, date of birth, address, tax forms, beneficial ownership, sanctions/adverse-media results (via vetted vendors), and signatures.
- Participation & transaction data (where applicable): indications of interest, allocation preferences, subscription/governance documents, communications and notes relevant to diligence and participation.
- Event/RSVP data: attendance, dietary/access needs, consent choices (e.g., “no photo”), and (where used) NDA acceptance logs for private events or briefings.
- Research & validation input (optional): if you participate in interviews, surveys, testing, or program feedback, we may collect your responses; these are summarized or anonymized for internal reporting.
B. Information collected automatically
- Technical data: IP address, device identifiers, browser/OS, language, referring URLs.
- Usage data: pages viewed, time on page, clicks, scrolls, error logs, performance metrics.
- Portal telemetry (private portals only): session timing, permission changes, document access/download events, and consent/audit trails (for security/compliance).
- Cookies/SDKs: as described in our Cookie Policy.
C. Information from third parties
- Verification/compliance providers: identity, KYC/AML, sanctions and accreditation checks (U.S./Canada) where lawful and required.
- Operations vendors: analytics, CRM/marketing platforms, e-signature, data room, event platforms, and fund administration/custody/banking when necessary to deliver features you choose.
- Public sources: professional profiles or other publicly available records for diligence context.
- Cookies: See our Cookie Policy.
- Do Not Track: There is no industry standard for DNT; we do not currently respond to DNT signals. Third-party providers’ practices are governed by their privacy policies.
4. How we use your information (purposes & legal bases)
- Service delivery & account management — create/secure accounts, verify identity, operate private portals, process applications, and provide support.
  - Legal bases: contract performance; legitimate interests; legal obligations (e.g., AML).
- Compliance & risk — eligibility checks (e.g., accreditation), KYC/AML, sanctions screening, conflicts reviews, audit trails, incident response.
  - Legal bases: legal obligations; legitimate interests.
- Opportunity access & operations (where applicable) — display redacted opportunity briefs, collect signals of interest, manage allocations, route documents for e-signature, and send status updates.
  - Legal bases: contract performance; legitimate interests.
- Programs & collaborations — evaluate and manage advisor/partner or founder/operator program participation; schedule reviews; track contributions/recognition per your preferences.
  - Legal bases: contract performance; legitimate interests; consent where required.
- Events & salons — invite and manage private gatherings, coordinate venue security, and track consents (e.g., NDAs or no-photo preferences where applicable).
  - Legal bases: legitimate interests; consent where required.
- Analytics & improvement — monitor performance, debug, prevent abuse, and improve content/UX.
  - Legal bases: legitimate interests; consent for non-essential cookies.
- Communications & marketing — send transactional service messages; send newsletters or invitations (opt-in where required by law).
  - Legal bases: legitimate interests; consent (EU/UK/Canada/AU anti-spam).
- Safety & enforcement — detect, prevent, and respond to fraud, misuse, violations of Terms, or legal requests.
  - Legal bases: legitimate interests; legal obligations.
Where law requires consent for specific processing, we will seek it. You may withdraw consent at any time (this will not affect processing already performed).
5. Sharing of information
We do not sell Personal Data. We may share Personal Data with:
- Affiliates for operations consistent with this Policy.
- Service providers/processors (hosting/cloud, KYC/AML/identity, analytics, CRM/marketing, e-signature, data rooms, event platforms, security) under data-protection terms.
- Professional advisors (e.g., counsel, auditors) under confidentiality.
- Transactional counterparties (e.g., fund administrators, custodians, banks) solely as needed to execute choices you make.
- Authorities when required by law or to protect rights/safety.
- Corporate events (e.g., merger, acquisition, financing, or sale) subject to continued protection of Personal Data and applicable law.
We may publish de-identified/aggregated statistics (e.g., application counts, time-to-decision). We will not attempt to re-identify such data.
6. International transfers
We operate primarily from Canada and the United States, with infrastructure and providers that may process data globally. When transferring Personal Data from the EEA/UK/Switzerland, we use appropriate safeguards (e.g., EU Standard Contractual Clauses, UK Addendum) and implement supplementary measures where required.
7. Security
We employ administrative, technical, and physical safeguards appropriate to the sensitivity of the data and risks involved (e.g., access controls, least-privilege permissions, encryption in transit/at rest where appropriate, logging/monitoring, and audit trails for sensitive actions in private portals). No system is 100% secure. For private events, recording (if any) is disclosed and, where required, done with consent.
8. Retention
We retain Personal Data as needed for the purposes above and to satisfy legal, accounting, and compliance obligations (e.g., AML retention). Criteria include account activity, statutory requirements, and litigation holds. Materials gathered for research/validation are retained only as long as necessary for internal review and audit, then anonymized or deleted per policy and law.
9. Your rights & choices
EEA/UK/Swiss individuals — rights of access, rectification, erasure, restriction, portability, and objection; right to withdraw consent; right to lodge a complaint with a supervisory authority.
California (CCPA/CPRA) — rights to know/access, delete, correct, and limit certain uses; no sale/share of Personal Data; non-discrimination for exercising rights.
Canada (PIPEDA/CPPA if enacted) — access and correction rights.
To exercise rights, email [email protected] or [email protected]. We may need to verify your identity and will respond within applicable timeframes.
Marketing choices: Unsubscribe at any time via email links or by contacting us. Transactional/service communications will continue where necessary.
10. Processing for marketing (Canada & Australia anti-spam)
We comply with CASL (Canada) and the Spam Act 2003 (Cth) (Australia). Where required, we seek consent before sending commercial electronic messages and include opt-out mechanisms. You may withdraw consent at any time; some communications necessary to enforce legal rights or provide services may still be sent as permitted by law.
11. California privacy rights (additional detail)
Within the last 12 months we may have collected the following categories: identifiers; commercial information; internet/electronic network activity; and inferences. We receive Personal Data primarily from you and our service providers (for verification or portal operations). We do not sell Personal Data or share it for cross-context behavioral advertising. You may exercise your CPRA rights by emailing [email protected]. Authorized agents may act on your behalf; we may request additional information to verify requests.
12. Children
The Websites are intended for adults 18+. We do not knowingly collect Personal Data from children under 18. If you believe a child provided Personal Data, contact [email protected] and we will delete it.
13. Links to other websites
The Websites may link to third-party sites. Their privacy practices are governed by their own policies; we are not responsible for their content or practices.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted with a new effective date. Your continued use after changes constitutes acceptance.
15. Contact us
AncoraOak Asset Management Inc.
Toronto, Ontario, Canada (principal place of business)
[email protected] · [email protected] · [email protected]