This privacy notice informs you about how AlterLegacy Sàrl and its affiliates (collectively, "AlterLegacy") process your personal data in connection with our website and digital platform.
We inform you of your rights under the European General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679) and the Luxembourg Law of 1 August 2018 organising the Commission Nationale pour la Protection des Données ("CNPD") and implementing the GDPR into Luxembourg law, as well as any other applicable data protection legislation. Personal data means any information relating to an identified or identifiable natural person, such as name, address, email address, date of birth, or financial data.
You may have provided, or may be required to provide, personal data to us in the context of requesting information about AlterLegacy, registering as a user of the AlterLegacy platform available at https://alterlegacy.com and any of its subdomains (the "Platform"), or otherwise interacting with us. The Platform is part of your contractual relationship with AlterLegacy Sàrl and, where applicable, any fund vehicle (each, a "Fund") that you choose to invest in through the Platform. This notice applies regardless of the device, browser, or interface used to access the Platform.
Throughout this notice, we use terms as defined by the GDPR, including: processing, profiling, pseudonymisation, controller, processor, recipient, third party, consent, supervisory authority and international organisation. Definitions can be found in Article 4 of the GDPR.
The entity responsible for the collection and processing of personal data within the European Union is:
AlterLegacy Sàrl
2, rue Siggy vu Lëtzebuerg
L-1933 Luxembourg
Grand Duchy of Luxembourg
Where required by law, we will inform you when third parties process your personal data as independent controllers or when we act as joint controllers with other entities within the AlterLegacy group. You may contact our data protection officer at privacy@alterlegacy.com for any queries relating to the processing of your personal data.
We process personal data received directly from you in connection with your use of our website and Platform, and — where applicable — in the course of our business relationship with you.
Where you use our website on a purely informational basis, without registering or submitting any information, we collect only the technical data that your browser transmits to our server: IP address, date and time of the request, time zone offset relative to UTC, page or resource requested, HTTP status code, data volume transferred, referrer URL, browser type and version, operating system, device type, and language settings.
If you submit identity documents as part of our verification process, we process the personal data contained in those documents. We also receive your personal data when you contact us via form, email, or live chat, and through documentation completed when subscribing for an interest in an AlterLegacy fund vehicle. Data collected may include: name, address, email address, telephone number, date of birth, passport or other national identifier, employment information, income and wealth details, and investment portfolio information.
We process personal data in accordance with the GDPR and the Luxembourg Law of 1 August 2018. The purposes and legal bases for our processing activities are as follows:
Consent for contact (newsletters, marketing, account creation) — Consent, Art. 6(1)(a) GDPR. Consent may be withdrawn at any time.
Technically necessary cookies for Platform operation; non-essential cookies with consent via cookie banner — Legitimate interests, Art. 6(1)(f) GDPR; Consent, Art. 6(1)(a) GDPR; Luxembourg Law of 30 May 2005 on electronic communications.
Investor registration, contractual performance, and pre-contractual steps — Performance of a contract, Art. 6(1)(b) GDPR.
Recording of telephone and electronic communications relating to transactions (taping obligation) — Legal obligation, Art. 6(1)(c) GDPR; Art. 16(7) MiFID II; Luxembourg Law of 30 May 2018; Circular CSSF 17/662.
AML/KYC — identity verification, sanctions screening, counter-terrorism financing — Legal obligation, Art. 6(1)(c) GDPR; Luxembourg Law of 12 November 2004 on AML/CFT.
Job applications — candidate assessment and recruitment management — Pre-contractual measures, Art. 6(1)(b) GDPR; Legitimate interests, Art. 6(1)(f) GDPR.
IT security, protection against unlawful Platform use, legal claims — Legitimate interests, Art. 6(1)(f) GDPR.
Recording and promotion of events (in-person or online) — Legitimate interests, Art. 6(1)(f) GDPR; Consent, Art. 6(1)(a) GDPR.
Direct email marketing to existing clients for similar services; opt-out available at any time — Legitimate interests, Art. 6(1)(f) GDPR; Luxembourg Law of 14 August 2000.
Within AlterLegacy, access to personal data is restricted to those departments and individuals who require such access to fulfil our contractual and regulatory obligations. We also engage data processors (Art. 28 GDPR) including IT service providers, hosting providers, identity verification providers, and professional advisors. Appropriate contractual, technical, and organisational safeguards are in place in each case.
In order to fulfil its contractual and regulatory obligations, each Fund vehicle is supported by the following service providers, who may receive your personal data:
Fundequate Management S.à r.l., 2, rue Siggy vu Lëtzebuerg, L-1933 Luxembourg — acting as external registered AIFM in accordance with Article 3(2) of the Luxembourg Law of 12 July 2013. See https://fundequate.com/privacy-policy.
CSSF and CNPD — Commission de Surveillance du Secteur Financier and Commission Nationale pour la Protection des Données, as well as other financial or tax authorities in EU member states in which AlterLegacy operates.
Fund managers and sponsors of the underlying target funds, together with any delegates and service providers engaged by them.
Distribution partners — private banks, wealth managers, and family offices.
External advisors — legal, tax, and compliance professionals engaged for regulatory, audit, or litigation purposes.
Financial institutions — depositary banks, payment service providers, transfer agents, and trustees.
Server log data is retained for a maximum of thirty (30) days for security purposes, after which it is deleted. Data required as evidence in connection with an ongoing investigation is retained until the matter is resolved.
Personal data is retained for the duration of our business relationship, including the pre-contractual phase.
Applicant data is deleted within six (6) months of an unsuccessful application. Data retained for future vacancies requires express written consent and is deleted after three (3) years or upon withdrawal of consent.
AlterLegacy is subject to statutory retention obligations under Luxembourg law, including the Luxembourg Commercial Code, the Luxembourg Income Tax Law, and sector-specific legislation. Retention periods range from five (5) to ten (10) years depending on the applicable legal basis. Recordings of order-related communications are retained for five (5) years in accordance with the Luxembourg Law of 30 May 2018, or longer where required by the CSSF. AML/KYC identification data is retained for at least five (5) years from the end of the calendar year in which the customer relationship is terminated, in accordance with the Luxembourg Law of 12 November 2004.
Pursuant to Article 2262 of the Luxembourg Civil Code, the general limitation period is thirty (30) years, subject to specific statutory exceptions. Data retained in connection with data subject rights is held for the duration of the applicable limitation period and may be extended in the event of regulatory enquiries.
Personal data is primarily processed within the European Union. Where transfers to third countries occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including adequacy decisions, EU Standard Contractual Clauses (SCCs), or certification schemes such as the EU-U.S. Data Privacy Framework. Upon request, a copy of applicable transfer mechanisms may be obtained by contacting our data protection officer.
You benefit from the following rights under the GDPR, exercisable by contacting us at privacy@alterlegacy.com:
Right of access (Art. 15 GDPR) — obtain confirmation of processing and receive a copy of your personal data.
Right to rectification (Art. 16 GDPR) — obtain correction of inaccurate data and completion of incomplete data.
Right to erasure (Art. 17 GDPR) — obtain deletion of your personal data, subject to the conditions in Art. 17 GDPR.
Right to restriction (Art. 18 GDPR) — request that processing be restricted in the circumstances set out in Art. 18(1) GDPR.
Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format and transmit it to another controller.
Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.
Right to object (Art. 21 GDPR) — object to processing based on Art. 6(1)(e) or (f) GDPR, including profiling.
You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), 15, Boulevard du Jazz, L-4370 Belvaux — www.cnpd.lu. We would welcome the opportunity to address your concerns directly before any complaint is submitted.
In the context of informational use of our website and standard contact through forms or email, we do not employ fully automated individual decision-making within the meaning of Article 22 GDPR. We do not currently engage in automated profiling for the purposes of evaluating personal aspects relating to your behaviour, preferences, or interests.
The provision of technical data necessary for accessing our website is required for IT security and service delivery reasons. When contacting us via form or email, you are required to provide only the data necessary to process your request. In the context of a business relationship, you are required to provide the personal data necessary for its establishment, performance, and termination, as well as any data we are legally required to collect — including for AML/KYC purposes.
When you create an AlterLegacy account, we collect: first and last name, telephone number, email address, date of birth, nationality, and investment preferences. Registration is completed in two stages: following submission of the initial form, a confirmation email is sent. Upon confirmation, a detailed KYC/AML questionnaire is used to verify your identity, professional background, and investor status. We maintain a log of the registration process on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR.
AlterLegacy is required by law to verify the identity of its users and investors. We process: name, date of birth, residential address, email address, and telephone number, together with photographs of you and your identity document, taken via your device's camera as part of a digital identification procedure. Registration cannot be completed without this procedure; remote digital identification is required in accordance with applicable AML/KYC legislation.
AlterLegacy implements multi-factor authentication (MFA) to enhance account security. MFA verifies a user's identity through multiple independent verification steps. Neither AlterLegacy nor any of its affiliated entities stores user passwords at any time. All authentication credentials are managed using industry-standard encryption and hashing mechanisms.
AlterLegacy uses Google Meet for the recording and analysis of order-related telephone calls, video calls, and electronic communications with prospective and existing investors. The recording obligation derives from Art. 16(7) MiFID II, the Luxembourg Law of 30 May 2018 on markets in financial instruments, and Circular CSSF 17/662. The legal basis for recording is Art. 6(1)(c) GDPR; analysis is carried out on the basis of Art. 6(1)(b) GDPR. Data may be transferred to Google servers in the USA; Google LLC is certified under the EU-U.S. Data Privacy Framework.
We and our service providers use cookies and similar technologies on our Platform. Technically necessary cookies are deployed on the basis of our legitimate interest in the proper functioning of the Platform. Non-essential cookies are used only with your express consent, provided via our cookie consent banner. You may configure your browser to restrict or refuse cookies; however, disabling certain cookies may impair Platform functionality.
The following third-party services are integrated into our Platform. Each processes personal data as described below, subject to your consent where applicable.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA).
Subject to your consent, Google Analytics uses cookies to analyse Platform usage, including anonymised IP address, pages visited, referrer URL, session duration, and visit frequency. IP anonymisation is enabled by default. Google is certified under the EU-U.S. Data Privacy Framework; EU Standard Contractual Clauses have also been concluded.
Legal basis: Art. 6(1)(a) GDPR.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Subject to your consent, we use Google Ads for campaign measurement via conversion tracking cookies (valid 30 days) and Google Customer Match. Google Tag Manager manages script deployment and does not itself collect personal data.
Legal basis: Art. 6(1)(a) GDPR.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We use reCAPTCHA to distinguish human interactions from automated bot activity on our forms. Data processed includes IP address, browser and device characteristics, language settings, and mouse movement patterns.
Legal basis: Art. 6(1)(f) GDPR; Art. 6(1)(a) GDPR.
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.
Microsoft Clarity enables us to understand user interaction through heatmaps, session recordings, and aggregate usage statistics. Form fields and sensitive data are masked and not recorded. Processing is based on your consent and may be withdrawn at any time via our cookie settings.
Legal basis: Art. 6(1)(a) GDPR.
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Subject to your consent, the LinkedIn Insight Tag enables campaign measurement and retargeting. Data is encrypted and anonymised within seven (7) days; anonymised data is deleted within ninety (90) days. Processing is subject to a joint controller arrangement pursuant to Art. 26 GDPR; see https://legal.linkedin.com/pages-joint-controller-addendum.
Legal basis: Art. 6(1)(a) GDPR; Art. 26 GDPR.
Provider: LiveChat, Inc., One International Place, Suite 1400, Boston, MA 02110, USA (EU entity: Text S.A., ul. Zwycięska 47, 53-033 Wrocław, Poland).
We use LiveChat to provide real-time customer support on our Platform. When you initiate a chat session, we process the following personal data: name (if provided), email address (if provided), IP address, browser type and version, operating system, device type, pages visited prior to the chat, the content of your messages, and any attachments shared. Chat transcripts may be retained for quality assurance and regulatory compliance purposes.
LiveChat may set cookies on your device to maintain session continuity and to identify returning users. Where chat content relates to an investment enquiry or transaction, it may also be subject to our taping and record-keeping obligations under the Luxembourg Law of 30 May 2018 and Circular CSSF 17/662. Data may be transferred to servers in the United States via EU Standard Contractual Clauses. For further information, see https://www.livechat.com/legal/privacy-policy/.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR; Art. 6(1)(c) GDPR where applicable.
Provider: Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia (EU-based entity).
We use Pipedrive as our customer relationship management (CRM) platform to manage interactions with prospective and existing investors, wealth advisors, and other business contacts. Personal data stored in Pipedrive may include: name, email address, telephone number, company name, job title, investment preferences, correspondence history, and relationship notes. Access is restricted to authorised AlterLegacy personnel on a need-to-know basis.
Pipedrive is an EU-based entity and primarily processes data within the European Economic Area. Where data is transferred outside the EEA, Pipedrive relies on EU Standard Contractual Clauses. AlterLegacy has executed a Data Processing Agreement with Pipedrive in accordance with Art. 28 GDPR. For further information, see https://www.pipedrive.com/en/privacy.
Legal basis: Art. 6(1)(f) GDPR; Art. 6(1)(b) GDPR.
AlterLegacy maintains profiles on social media platforms to communicate with users and share information about our services. When you interact with our profiles, your data may be processed by the relevant platform provider — potentially outside the EU/EEA. We do not control the data processing activities of social media platforms and receive only aggregated, anonymised statistics about the use of our profiles.
Processing is based on your consent (Art. 6(1)(a) GDPR) where applicable, on the performance of a contract (Art. 6(1)(b) GDPR) for contract-related enquiries, and on our legitimate interests in corporate communication (Art. 6(1)(f) GDPR). We are present on the following platforms:
- LinkedIn — LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland — linkedin.com/legal/privacy-policy
- Instagram — Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland — instagram.com/privacy
- YouTube — Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — policies.google.com/privacy