Privacy Policy

Last Updated: 1 July 2025

Effective Date: [Insert Date]

Applies to: Australia, EU, UK, and United States

1. About Us

[SAVA P] (“we”, “our”, “us”) provides a whitelabel email communication and deal-sharing platform. The platform enables Clients (investment firms, groups, or entities) to manage secure, branded digital data rooms and communicate with their networks through integrated email campaigns.

Each Client operates within a separate, self-managed ecosystem, responsible for the creation, upload, and distribution of their own materials, including investment-related content.

We are not a marketing company, investment firm, or financial advisor. We do not provide, endorse, or validate any investment opportunities, marketing materials, financial products, or documents made available via the platform.

2. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to our website

  • Clients and their authorized users

  • Email recipients and end-users accessing data rooms, emails, or documents

  • All processing conducted on our platform, including email communications and document hosting

We comply with:

  • Australia’s Privacy Act 1988 (APPs)

  • EU General Data Protection Regulation (GDPR)

  • UK GDPR and Data Protection Act 2018

  • United States privacy laws, including CAN-SPAM, CCPA, and other applicable state-level laws

3. Beta Software Disclaimer & Limitation of Liability

This platform is currently offered in a Beta testing phase, and as such, may contain bugs, incomplete features, or other operational limitations. While reasonable measures have been taken to secure user data and ensure platform stability, [Your Company Name] makes no guarantees as to uninterrupted functionality, full compliance with all jurisdiction-specific legal requirements, or freedom from vulnerabilities.

By using this Beta version, users acknowledge and accept that the platform is provided “as is” without warranties of any kind, whether express or implied. Users are solely responsible for the content they upload, the communications they send, and their own adherence to all applicable laws and regulatory obligations, including but not limited to privacy, anti-spam, consumer protection, data security, and financial services regulations in their respective jurisdictions.

[Your Company Name] expressly disclaims all liability arising from the actions of users or their affiliates, including misuse of the platform or violations of law. Continued use of the platform during Beta testing constitutes informed acceptance of these limitations.

4. Personal Data We Collect

We collect the following categories of personal data:

a. From Clients & Authorized Users

  • Full name, company, title


  • Email address and phone number

  • Login credentials

  • Access activity (e.g. login timestamps, file access logs)

b. From Email Recipients & Data Room Viewers

  • Name and email (as provided by Clients)

  • IP address and browser/device metadata

  • Email interaction data (opens, clicks, bounces, opt-outs)

  • Document access logs (file views, timestamps)

Clients are solely responsible for ensuring they have lawful grounds to upload or distribute any personal data via our platform.

5. Platform Use: No Investment Advice or Offers

We provide technology infrastructure only. We do not operate as a broker-dealer, investment manager, financial advisor, underwriter, or distributor.

We do not:

  • Verify, edit, or vet content uploaded by Clients

  • Provide or imply investment advice, valuations, or endorsements

  • Solicit or facilitate offers to buy or sell any financial product

  • Participate in any capital raising, placement, or investment transaction

All investment-related information, including forecasts, memoranda, teasers, or term sheets, is uploaded and controlled by Clients. Clients must ensure their materials meet all applicable securities laws and disclosure requirements.

6. Whitelabel Structure and Responsibility

Our platform operates under a whitelabel model, meaning each Client controls their own environment, branding, and content. This includes:

  • Managing data rooms

  • Sending email communications

  • Uploading documentation

  • Managing access to their ecosystem

As such:

  • Each Client is the Data Controller for the personal data they upload, email, or disclose via the platform

  • We act solely as a Data Processor under their instruction

  • Clients bear full legal responsibility for the content, accuracy, and legality of the information shared through the platform

7. Email Marketing – Responsibilities & Protections

We enable Clients to send emails and manage contact lists. We do not send email communications on our own behalf.

Client Obligations:

  • Ensure valid consent or other legal basis for email distribution

  • Include accurate sender information in each email

  • Provide a functional unsubscribe link in all communications

  • Comply with all applicable laws (CAN-SPAM, GDPR, PECR, Spam Act)

Platform Protections:

  • Embedded unsubscribe mechanisms

  • Monitoring of email performance (spam/bounce rate)

  • Account suspension for abuse or violations

  • Logging of all email activity and delivery metadata

8. Legal Bases for Processing

We process personal data based on:

  • Contractual necessity (e.g. user login, service delivery)

  • Consent (for recipients where required)

  • Legitimate interests (security, audit, compliance)

  • Legal obligation (e.g. fraud prevention, law enforcement requests)

9. How We Use Personal Data

We use data for the following purposes:

  • Providing access to and securing the platform

  • Delivering and tracking emails on behalf of Clients

  • Logging access to documents and managing data room permissions

  • Monitoring system integrity and detecting misuse

  • Responding to lawful data requests and fulfilling legal duties

We do not use personal data for advertising, profiling, or resale.

10. Data Sharing and Disclosure

We may share data only under the following circumstances:

  • Service providers (e.g. email delivery, hosting, analytics) under binding Data Processing Agreements

  • Regulatory or legal requests, where required by law or court order

  • Corporate transactions, such as mergers or acquisitions, subject to equivalent data protection obligations

We do not sell or license personal data to third parties.

11. Data Security

We implement best-practice security measures, including:

  • TLS encryption for all data in transit

  • Secure, access-controlled hosting environments

  • End-to-end encryption of sensitive documents

  • Two-factor authentication (2FA) for user access

  • Continuous monitoring, patching, and risk audits

12. Data Retention

We retain data only as long as necessary for the intended purpose:

  • Client account data: for the duration of the contract + up to 12 months

  • Email metadata: up to 12 months for compliance

  • Access logs: for platform security and audit trails

  • Unsubscribed/bounced contacts: retained to enforce email suppression

Users can request deletion or correction at any time (see Section 14).

13. International Data Transfers

We operate across multiple jurisdictions and may transfer data internationally. All transfers comply with:

  • GDPR Standard Contractual Clauses (SCCs)

  • UK International Data Transfer Addendum

  • Australia’s Privacy Principles

  • US adequacy decisions or supplementary measures

14. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Request deletion

  • Object to or restrict processing

  • Withdraw consent

  • Lodge a complaint with a Data Protection Authority (DPA)

For assistance, email us at [Insert Privacy Email].

15. Our Role as Data Processor

We are a Data Processor acting on behalf of our Clients. Clients act as Data Controllers and are responsible for:

  • Obtaining lawful consent or justification for processing

  • Ensuring investment materials and emails are accurate and lawful

  • Responding to any data subject requests

  • Ensuring compliance with applicable privacy and securities laws

We do not independently verify Client-uploaded data or documents.

16. Limitation of Liability for Investment Content

You acknowledge that we are not responsible for:

  • Any investment decisions made based on documents accessed via our platform

  • The accuracy, completeness, or legality of investment materials or communications

  • Loss or damages resulting from reliance on data room content or communications

  • Any regulatory or legal consequences faced by Clients or users due to non-compliance with investment or financial regulations

Clients must consult legal and compliance advisors before distributing any investment materials.

17. Contact Information

Privacy Officer

[Your Company Name]

[Company Address]

[Email Address]

[Phone Number]

18. Policy Updates

We may update this Privacy Policy to reflect changes in law or business practices. The current version will always be available at [Insert URL]. Continued use of the platform after updates indicates acceptance of the revised terms.

19. Regional Privacy Notices & Client Compliance Responsibilities

SAVA P provides a technology platform only and does not act as a data controller, investment advisor, marketer, or regulated financial service provider. Each subscribing Client is responsible for their own legal compliance. By using the platform, Clients agree that:

  • They are the Data Controllers of any personal data uploaded, stored, or processed via the platform, including investor contact information, communications, or documents hosted in data rooms.

  • SAVA P acts as a Data Processor, handling data strictly on the Client’s instructions, and only for the purposes of operating the platform and related services.

  • Clients bear sole responsibility for ensuring their own compliance with applicable privacy, anti-spam, financial promotion, and data retention laws, including the lawful collection, use, and sharing of personal data.

Australia

Laws: Privacy Act 1988 (Cth), Spam Act 2003

Clients must:

  • Obtain appropriate consent or lawful basis for data collection

  • Provide privacy notices and unsubscribe options

  • Retain only necessary data and securely delete or de-identify personal information when no longer needed

Note: While some records (e.g., tax documents) must be retained for 7 years, marketing lists and investor data must be held only as long as necessary for legitimate business or legal purposes. Clients are responsible for implementing appropriate data retention schedules.

More: oaic.gov.au

European Union (EU)

Laws: General Data Protection Regulation (GDPR)

Clients must:

  • Identify and document a valid legal basis for processing personal data (e.g., consent, contract, legitimate interest)

  • Provide transparent disclosures to data subjects

  • Respond to requests for access, correction, erasure, and portability

  • Conduct Data Protection Impact Assessments (DPIAs) where appropriate

  • Ensure appropriate data retention policies and data minimization

SAVA P Responsibilities under GDPR:

  • SAVA P acts solely as a Data Processor, and processing is governed by our Data Processing Addendum (DPA), which forms part of our Terms of Service

  • Data may be transferred outside the EEA (e.g., to the United States) under approved Standard Contractual Clauses (SCCs) or equivalent safeguards

  • Clients are informed of and consent to the use of subprocessors for hosting, communications, and infrastructure services (e.g., AWS, email delivery tools)

  • In the event of a personal data breach, SAVA P will notify affected Clients without undue delay, enabling them to meet any regulatory obligations

Clients remain solely responsible for defining their legal basis, honoring data subject rights, ensuring data protection, and managing deletion or retention of all investor-related materials uploaded or sent via the platform.

More: edpb.europa.eu

United Kingdom (UK)

Laws: UK GDPR, Data Protection Act 2018

Requirements are substantially aligned with EU GDPR. Clients must:

  • Lawfully process personal data and uphold all data subject rights

  • Establish security controls and manage retention timelines

  • Ensure third-country data transfers are appropriately safeguarded

More: ico.org.uk

United States

Laws: CAN-SPAM Act, California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and others

Clients must:

  • Comply with applicable state privacy laws

  • Include accurate sender identity and unsubscribe options (CAN-SPAM)

  • Provide opt-out mechanisms and clear privacy disclosures (CCPA/CPRA)

  • Avoid deceptive marketing practices

SAVA P does not monitor or review content distributed via the platform and assumes no liability for Client email compliance.

More: oag.ca.gov/privacy

Client Acknowledgement & Liability

By subscribing to and using SAVA P, Clients acknowledge and agree that:

  • They are the sole Data Controllers for all personal data handled via the platform

  • They are responsible for providing all legally required disclosures and managing the data protection rights of their users and investors

  • They must implement their own data retention and deletion policies for contact lists, communications, and documents stored in data rooms

  • They are responsible for ensuring that any investor contact information or deal-related documentation is stored, processed, and deleted in accordance with applicable law

  • SAVA P is not liable for Client failure to comply with privacy, spam, or financial promotion regulations in any jurisdiction

Clients are strongly encouraged to seek legal counsel and conduct internal reviews to ensure their obligations are met under GDPR, CCPA, the Privacy Act 1988, Spam Act 2003, UK GDPR, and any other applicable laws.



SAVA P acknowledges the Awabakal and Worimi peoples as the Traditional Custodians of the lands on which we live and work in Newcastle, NSW. We honour their enduring connections to land, waters, and community, and pay our respects to Elders past and present. We extend that respect to all Aboriginal and Torres Strait Islander peoples across Australia, and to Indigenous and First Nations peoples globally, recognising their cultural, spiritual, and environmental custodianship across generations.


Financial Advice Disclaimer: The information on this website is for general information purposes only and is not intended to be financial advice. It is not a substitute for professional financial advice. The information provided on this website does not constitute an offer to sell or a solicitation to buy any securities or investment products. While we endeavor to keep the information on this website up-to-date and accurate, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information for any purpose. To the fullest extent permitted by law, SAVA P excludes all liability for any loss or damage arising from the use of this website or reliance on any information contained herein, including any errors or omissions. You should not rely solely on the information on this website for making any investment decisions. Investment decisions include, but are not limited to, purchasing, selling, or holding any financial instrument. You must always seek independent legal, financial, and taxation advice before making any such decisions. You acknowledge and agree that any reliance on the information provided on this website is solely at your own risk. This website may contain links to third-party websites for your convenience. SAVA P does not endorse or control the content of these websites and is not responsible for their accuracy or completeness. This disclaimer and the use of this website shall be governed by the laws of NSW. Copyright © 2025 SAVA P - All Rights Reserved.