Privacy Policy

This Privacy Policy explains how [LEGAL ENTITY NAME] ("InvestAccess", "we", "us") collects, uses, shares, and protects personal data. InvestAccess is a marketing, technology, and services company. It is not a broker, dealer, placement agent, finder, or investment adviser, and it is not the issuer of any security. Nothing in this policy is investment, legal, tax, or accounting advice, and nothing here is an offer to sell or a solicitation of an offer to buy any security.

This policy covers the investaccess.com website, the forms we use to take inquiries and applications, the investor education newsletter, and the marketing and technology services we provide. It does not govern a client's own securities offering or a client's own website and systems, which the client runs under its own policies.

This is a draft pending review by qualified securities and marketing counsel, and it is not legal advice. Values shown in brackets are placeholders that counsel and the business finalize before publication.

We collect the information you enter into our forms and a small amount of technical data your browser sends when you use the site. The lists below cover both.

When you submit the lead or application form, for example on the contact page, we collect:

• Your email address, and your name and phone number if you provide them.
• Your company and your role.
• Your target raise range, your timeline, and the current status of your raise.
• Your main bottleneck in your own words, and your answers to the qualifying questions, stored as you enter them.
• A submission identifier created by your browser, which we use to avoid recording the same submission twice.

When you subscribe to the newsletter, we collect:

• Your email address, and your name if you provide it.
• The audience you chose (for example GP or LP) and the source of the signup, such as the page or campaign you came from.

On every form, we record your consent choices separately for email and for SMS. For a channel you opt into, we store that you agreed, the version of the consent wording you were shown, the time you agreed, and the IP address the request came from. For a channel you decline, we store only that you declined, with no timestamp and no IP address.

We capture marketing attribution with each submission so we can tell which campaign or page led to it. This includes the UTM parameters on the link you arrived through (source, medium, campaign, term, and content), the page that referred you, and the path you landed on.

If you accept analytics, our privacy-respecting analytics record aggregate data about visits and page views. The cookies and analytics section below explains this and how to control it.

We use the data we collect for the purposes below, and we do not use it for unrelated purposes without telling you.

• To respond to your inquiry, follow up about your request, and route you to the right next step.
• To deliver and operate the marketing and technology services, including the systems we build and run for clients.
• To run and measure our own marketing, including advertising campaigns and how they perform.
• To send the investor education newsletter to subscribers, and to send transactional email such as the double opt-in confirmation.
• To protect the forms and the site from spam, bots, and abuse.
• To meet our legal, tax, and recordkeeping obligations, and to enforce our terms.

We send marketing and newsletter email only to people who asked for it. Subscribing to the newsletter is double opt-in. When you sign up, we store your request as pending and email you a confirmation link. Clicking that link confirms your address and is the durable record of your email consent. If you never click it, you are not subscribed and you do not receive the newsletter.

Our commercial email follows CAN-SPAM. The sender and the subject line are accurate and not deceptive, and we do not use misleading headers. Every commercial message includes a valid physical postal address, [POSTAL ADDRESS], and a working unsubscribe link. When you unsubscribe, we honor the request promptly and stop sending commercial email to that address.

We send marketing SMS only after you give prior express written consent, and we record that consent separately from your email consent. Your consent covers the marketing and follow-up text messages described where you opted in. We do not send marketing SMS to anyone who did not agree to receive it.

Message frequency varies. Message and data rates may apply. Reply STOP to any message to opt out, and reply HELP for help. You can revoke your consent at any time, and we honor opt-out and revocation requests promptly.

When you visit the site, a consent banner asks whether you accept analytics, with two choices: Accept and Decline. We use privacy-respecting analytics (Vercel Analytics) to understand how visitors use the site, and none of it loads or runs until you accept. If you decline, the analytics stay off.

Where we run paid advertising campaigns, an advertising tag or pixel (for example the Meta pixel) may be used to measure those campaigns. Any such tag is subject to the same consent and does not fire before you accept. You control analytics through the banner's Accept and Decline choices, and you can clear or block cookies in your browser at any time.

We rely on a small set of service providers that process personal data on our behalf to run the website, operate the forms, and handle our email. Each one receives only what it needs for its role.

• Supabase: the database where records are stored. It is our source of truth and holds the form submissions, the consent records, and the attribution data.
• GoHighLevel: our CRM and marketing automation, reached by webhook. It receives contact details, tags, the consent record, and the attribution so we can follow up and run sequences.
• Resend: our email provider for transactional and newsletter email, including the double opt-in confirmation message.
• Meta: an advertising platform. We use it to run and measure paid advertising campaigns, including through its pixel where you have accepted.
• Vercel: our hosting provider, which also supplies the privacy-respecting analytics.
• Cloudflare Turnstile: bot and spam protection on the forms.
• Upstash: per-IP rate limiting on the form handlers, which limits abuse.

For our own marketing and for the investor education newsletter, InvestAccess is the controller of the personal data. We decide why and how it is processed, and this policy governs it.

When we process lead or audience data on behalf of a client, for example data collected through a system we build and run for that client, the client is the controller and InvestAccess acts as the processor under our agreement with the client. In that case the client's own privacy policy governs how the data is used, and you should contact the client about choices over it. Our contract with the client sets out these roles.

We share personal data in a few defined situations. We share it with the service providers listed above so they can perform their role in operating the site, the forms, and our communications. Where data was collected on a client's behalf, we make it available to that client as the controller of that data. We also disclose data where the law requires it, for example to respond to a lawful request or to protect our rights and the safety of others.

We do not sell your personal data.

We keep personal data for as long as we need it for the purposes described in this policy, and then for any additional period the law requires. Our standard retention period is [RETENTION PERIOD]. When data is no longer needed, we delete it or remove the details that identify you.

Consent records are kept as proof that consent was given, for as long as they may be needed to show compliance.

Depending on where you live, you may have rights over your personal data, including the right to access it, to correct it, to ask us to delete it, and to opt out of marketing. To make a request, email us at [CONTACT EMAIL], and we will respond as required by the law that applies to you. Where we process data as a processor for a client, we will route your request to the client or ask you to contact the client directly.

You can opt out of marketing without making a formal request. For SMS, reply STOP to any message. For email, use the unsubscribe link in any commercial message. For analytics, decline through the consent banner.

We use reasonable technical and organizational measures to protect personal data. These include strict access controls on the database where records are stored, and bot screening plus rate limiting on the forms that receive submissions.

No method of storage or transmission is perfectly secure, and we cannot promise absolute security. If you believe your data has been compromised, contact us using the details in the final section.

The site and the services are meant for businesses and professionals. They are not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has given us personal data, contact us and we will delete it.

We may update this policy as our practices, our service providers, or the law change. When we make a material change, we update the date at the top of the page, and where appropriate we provide additional notice. Please check this page from time to time.

If you have a question about this policy or about how we handle your data, email [CONTACT EMAIL], or write to us at [LEGAL ENTITY NAME], [POSTAL ADDRESS].