This Privacy Policy outlines in detail how AlterLegacy (“AlterLegacy”, “we”, “our” or “us”) collects, uses, discloses, and protects personal data obtained through our digital platform, communications, and services available at https://alterlegacy.com. Our operations are grounded in the highest standards of data protection and confidentiality, and we strictly adhere to the General Data Protection Regulation (“GDPR”) as well as relevant data protection laws applicable in Luxembourg and throughout the European Union. This policy is designed to provide you with a clear understanding of our data practices, your rights, and the safeguards we implement to protect your personal information.
AlterLegacy is a next-generation digital investment platform tailored for private investors, wealth advisors, legal professionals, and family offices seeking access to carefully selected Venture Capital, Real Estate, and Distressed Debt investment opportunities. We work in close collaboration with regulated Alternative Investment Fund Managers (AIFMs), custodians, legal entities, and compliance partners to ensure that the investment process remains secure, compliant, and aligned with regulatory expectations.
We act as the Data Controller of the personal data we collect and determine how and why your data is processed in the context of our services. This means we are responsible for ensuring your data is treated lawfully, fairly, and transparently.
Data Controller:
AlterLegacy
2 Siggy vu Lëtzebuerg, L-2661 Luxembourg
Email: info@alterlegacy.com
If you have any questions about this policy, our data protection practices, or your rights, please do not hesitate to contact us.
AlterLegacy processes various categories of personal data depending on the nature of your interaction with us. We aim to collect only the minimum amount of information necessary to fulfil our legal and business obligations while delivering a secure and effective platform experience.
We may collect:
Identification Data: This includes your full name, nationality, date and place of birth, personal ID number, signature, and official identification documents (e.g., passport, national ID, driver’s license).
Contact Information: Personal or professional email address, telephone number, and residential or business address.
Professional and Regulatory Credentials: Company name, job title, professional license or certification number, investor classification (e.g., professional investor, high-net-worth individual).
Financial and Investment Profile: Source and proof of funds, bank account details, tax residency and identification number, income range, investment history, risk tolerance, declared objectives, and preferences.
Compliance Documentation: Information collected for Know Your Customer (KYC), Anti-Money Laundering (AML), and suitability checks, including answers to risk assessments and scanned documents.
Digital Interaction Data: IP address, unique device identifiers, login information, browser specifications, access times, geolocation, and logs collected automatically through your use of the website and digital platform.
Communication Records: Email correspondence, call logs, Microsoft Teams interactions, meeting notes, and transcripts of support inquiries.
We may also collect personal data indirectly via regulated intermediaries or partners who act on your behalf or facilitate your onboarding.
We obtain personal data through the following channels:
Direct collection: When you register an account, fill out onboarding forms, complete investment transactions, or engage with us via Teams, phone, or email.
Automated collection: Through cookies, analytics tools, session recordings, and server logs that capture interaction and behavior data when you browse our site.
Third-party input: From authorized wealth advisors, lawyers, accountants, and other representatives acting under your instruction.
External databases: For identity validation, sanction screening, and compliance verification against public registries and financial crime databases.
All data is collected and processed lawfully, with full respect for your rights and freedoms.
We only process your personal data when we have a lawful basis to do so under the GDPR. Depending on your relationship with us, we rely on one or more of the following legal bases:
Performance of a Contract: To take steps before entering into a contract with you or to fulfil an existing agreement, such as processing your investments.
Compliance with Legal Obligations: To meet our duties under financial regulation, AML/KYC laws, tax laws, and investor protection legislation.
Legitimate Interest: For internal reporting, risk management, fraud prevention, IT security, service improvement, and analytics — always balanced against your privacy rights.
Consent: Where required, for marketing communications, use of non-essential cookies, or onboarding led by third parties.
We use your personal data for the following specific purposes:
Verifying identity and assessing eligibility to invest or partner with AlterLegacy
Fulfilling onboarding, regulatory, and compliance procedures
Facilitating access to private investment opportunities and completing transactions
Monitoring portfolio performance and issuing client reports
Managing contracts and maintaining accurate business records
Responding to questions, resolving complaints, or handling disputes
Developing, improving, and securing our digital platform
Ensuring legal compliance with EU and Luxembourg regulatory bodies
We may share your personal data with the following categories of recipients to deliver services and meet compliance obligations:
Affiliates and group entities involved in platform operations, business continuity, and client support.
Regulated financial institutions such as AIFMs, custodian banks, and fund administrators responsible for managing fund structures and transactions.
Professional services firms providing legal advice, tax guidance, compliance expertise, and audit services.
Technology and infrastructure providers, including Pipedrive for CRM, Microsoft Teams for communications, cloud hosting services, cybersecurity vendors, and digital identity verification platforms.
AlterLegacy partners, including trusted commercial and distribution partners, who collaborate with us to deliver investment services or develop joint offerings, provided that such sharing is necessary and subject to appropriate confidentiality and data protection agreements.
Public authorities such as tax offices, financial regulators (e.g., CSSF), law enforcement, or courts, where disclosure is mandated by law.
We require all third-party recipients to enter into data processing agreements that oblige them to uphold GDPR standards and to process your personal data only in accordance with our instructions.
Affiliates and group entities involved in platform operations, business continuity, and client support.
Regulated financial institutions such as AIFMs, custodian banks, and fund administrators responsible for managing fund structures and transactions.
Professional services firms providing legal advice, tax guidance, compliance expertise, and audit services.
Technology and infrastructure providers, including Pipedrive for CRM, Microsoft Teams for communications, cloud hosting services, cybersecurity vendors, and digital identity verification platforms.
Public authorities such as tax offices, financial regulators (e.g., CSSF), law enforcement, or courts, where disclosure is mandated by law.
We require all third-party recipients to enter into data processing agreements that oblige them to uphold GDPR standards and to process your personal data only in accordance with our instructions.
In some cases, your personal data may be transferred to or processed in countries outside the European Economic Area (EEA). These jurisdictions may not provide the same level of data protection as the EU.
To ensure your data remains protected, we take one or more of the following measures:
Transferring data only to jurisdictions with a valid adequacy decision from the European Commission
Using Standard Contractual Clauses (SCCs) as approved by the European Commission
Implementing supplementary technical and organizational safeguards, such as encryption and limited access rights
Conducting risk assessments and data transfer impact assessments when appropriate
You may request additional information or copies of the applicable safeguards by contacting us directly.
We retain personal data only for as long as it is necessary to fulfil the purposes described in this Privacy Policy or as required by applicable law. The exact retention period depends on the type of data and regulatory requirements:
KYC and due diligence data: Retained for 10 years after the end of the client relationship, in accordance with AML laws
Investment and account records: Retained for a minimum of 5 years for tax, audit, and reporting purposes
Communication logs: Retained for 3 to 5 years to support compliance and conflict resolution
Website data (cookies, logs): Retained according to your browser preferences and cookie settings (typically 6–24 months)
After the retention period expires, data is securely deleted, anonymized, or archived in compliance with legal obligations.
Under the GDPR, you have comprehensive rights in relation to your personal data. These include:
Right to Access: You can request confirmation of whether we process your data and receive a copy.
Right to Rectification: You may request corrections to inaccurate, outdated, or incomplete information.
Right to Erasure (Right to be Forgotten): You may ask for your data to be deleted where it is no longer necessary, or you have withdrawn consent.
Right to Restrict Processing: You can request a pause on processing while a dispute or verification is underway.
Right to Object: You may object to processing based on our legitimate interests or for direct marketing.
Right to Data Portability: You can receive your data in a structured, machine-readable format and have it transferred to another provider.
Right to Withdraw Consent: If we rely on your consent, you may withdraw it at any time.
Right to Lodge a Complaint: You may file a complaint with the Luxembourg Data Protection Authority (CNPD) if you believe your rights have been infringed.
We respond to all valid requests within one calendar month, extendable by two months where necessary, as permitted by the GDPR.
We take the protection of your data very seriously and have implemented multiple layers of security to prevent unauthorized access, loss, or misuse of personal information. These include:
Encryption of data in transit and at rest using industry standards
Access restrictions and authentication protocols (e.g., multi-factor authentication)
Firewalls, intrusion detection systems, and anti-malware protections
Physical security controls in data centres and backup locations
Routine monitoring, vulnerability scanning, and penetration testing
Staff training programs and internal data protection policies
While no system can be 100% secure, we strive to continuously assess and enhance our security posture.
Our platform uses cookies and similar technologies to optimize user experience, measure engagement, and personalise content. Cookies are small text files stored on your device by your browser.
We use the following types of cookies:
Essential Cookies: Required for core functionality, such as session management and account security.
Performance Cookies: Collect anonymous information to analyze site performance and improve usability.
Functional Cookies: Store preferences such as language or region.
Marketing Cookies: Track visitor behaviour for advertising purposes (only used with consent).
You can change your cookie settings at any time using our cookie banner or your browser preferences.
We use services like Google Analytics to monitor website traffic, which helps us understand how visitors interact with our content. Data collected is anonymized and used for aggregate insights.
We reserve the right to amend or update this Privacy Policy at any time to reflect changes in legal requirements, operational needs, or technology. All updates will be published on our website, and where changes are material, we will notify you directly via email or through the platform.
You are encouraged to periodically review this policy to stay informed about how we collect and use your personal data.