Last Updated: April 2026
1. General Provisions
1.1. This Privacy Policy (hereinafter — "Policy") sets out the manner in which Merivo Fund (hereinafter — "Fund", "Platform"), incorporated in the British Virgin Islands as a BVI Incubator Fund and accessible at merivo.fund, collects, stores, processes, and protects the personal data of Platform users.
1.2. By using the Platform, you confirm that you have read this Policy and consent to the processing of your personal data in accordance with its terms.
1.3. This Policy has been developed in compliance with the European Union General Data Protection Regulation (GDPR, EU Regulation 2016/679) and applicable British Virgin Islands law.
1.4. The Fund acts as the data controller in respect of Users' personal data processed pursuant to this Policy.
2. Categories of Data Collected
2.1. During registration and use of the Platform, the Fund may collect the following categories of personal data:
Identity Data:
- full legal name;
- date of birth;
- nationality;
- identity document details (number, issuing authority, expiry date).
Contact Data:
- email address;
- telephone number (if provided);
- postal/residential address.
Financial Data:
- ERC20 wallet address;
- investment and transaction history;
- details of selected Investment Strategies;
- source of funds (for KYC/AML purposes).
Technical Data:
- IP address;
- browser and device information;
- session data and activity logs;
- cookie and similar tracking technology data.
KYC Documentation:
- copies of identity documents;
- proof of residential address documents;
- other documentation required for due diligence.
2.2. The Fund does not collect or process special categories of personal data (including racial or ethnic origin, health data, biometric data) without the User's explicit consent, except where expressly required by applicable law.
3. Purposes and Legal Bases for Processing
3.1. The Fund processes personal data for the following purposes and on the following legal bases:
| Purpose of Processing | Legal Basis | |-----------------------|-------------| | Account registration and management | Performance of contract (Art. 6(1)(b) GDPR) | | KYC/AML procedures | Compliance with legal obligation (Art. 6(1)(c) GDPR) | | Investment management and settlements | Performance of contract (Art. 6(1)(b) GDPR) | | Service and operational notifications | Performance of contract (Art. 6(1)(b) GDPR) | | Marketing and informational communications | Consent (Art. 6(1)(a) GDPR) | | Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) | | Regulatory and legal compliance | Compliance with legal obligation (Art. 6(1)(c) GDPR) | | Dispute resolution and legal claims | Legitimate interest (Art. 6(1)(f) GDPR) |
4. Data Storage and Infrastructure
4.1. Users' personal data is stored on servers operated by Supabase Inc., located in European Union data centres in Frankfurt, Germany. This region ensures compliance with GDPR requirements regarding storage of data within the EU/EEA.
4.2. The Fund applies technical and organisational data protection measures including:
- encryption of data at rest (AES-256) and in transit (TLS 1.2+);
- role-based access control on a least-privilege basis;
- regular security audits;
- incident detection and response procedures.
4.3. Where personal data is transferred outside the EEA, the Fund ensures the application of appropriate safeguards in accordance with GDPR requirements (including Standard Contractual Clauses — SCCs).
5. Data Retention Periods
5.1. The Fund retains personal data for the following periods:
| Data Category | Retention Period | |---------------|-----------------| | Account data (active User) | For the duration of the account relationship | | KYC documentation | 5 years from the end of the relationship with the Fund | | Investment history and financial records | 7 years from the date of the last transaction | | Technical logs and activity records | 12 months | | Marketing communications data | Until consent is withdrawn |
5.2. Upon expiry of the applicable retention period, data is permanently deleted or anonymised, unless retention is required by applicable law or the Fund's legitimate interests in protecting legal claims.
6. Disclosure of Data to Third Parties
6.1. The Fund may disclose Users' personal data to the following categories of recipients:
Technical Service Providers (Data Processors):
- Supabase Inc. — data storage and database infrastructure;
- identity verification service providers (KYC providers);
- digital asset exchange service providers.
Competent Authorities:
- regulatory bodies, courts, and law enforcement agencies — strictly to the extent required by applicable law.
Professional Advisers:
- legal, audit, and consulting firms operating under confidentiality obligations.
6.2. The Fund does not sell, rent, or otherwise transfer Users' personal data to third parties for commercial purposes beyond those described in this Policy.
6.3. All data processors are subject to appropriate data processing agreements (DPAs) ensuring a level of personal data protection equivalent to that provided under this Policy.
7. Cookies and Similar Technologies
7.1. The Platform uses cookies and similar tracking technologies for the following purposes:
| Cookie Type | Purpose | Duration | |-------------|---------|----------| | Strictly necessary | Platform functionality, authentication, security | Session / 30 days | | Analytical | Platform usage analysis, functional improvement | Up to 12 months | | Functional | Saving User preferences | Up to 12 months |
7.2. Upon first visiting the Platform, the User is presented with the option to accept or decline non-essential cookies. The User may change their cookie preferences at any time through their browser settings.
7.3. Disabling strictly necessary cookies may result in the Platform functioning improperly.
8. Data Subject Rights
8.1. In accordance with GDPR and applicable law, Users have the following rights with respect to their personal data:
- Right of access — obtain a copy of personal data being processed and information about the conditions of processing.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of personal data where grounds under Art. 17 GDPR apply.
- Right to restriction of processing — request restriction of processing in the circumstances set out in Art. 18 GDPR.
- Right to data portability — receive personal data in a structured, commonly used, and machine-readable format.
- Right to object — object to processing based on the Fund's legitimate interests.
- Right to withdraw consent — withdraw previously given consent to data processing at any time.
8.2. To exercise any of the above rights, please submit a request to [email protected]. The Fund will respond to your request within 30 days of receipt.
8.3. The exercise of certain rights may be restricted where processing is necessary for the Fund to comply with its legal obligations (including KYC/AML requirements).
8.4. Users have the right to lodge a complaint with a data protection supervisory authority in their country of residence.
9. Data Security
9.1. The Fund takes all reasonable technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration.
9.2. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of Users, the Fund will notify affected Users within 72 hours of becoming aware of the breach.
10. Changes to the Privacy Policy
10.1. The Fund may update this Policy periodically. The updated version is published on the Platform with the date of the most recent revision.
10.2. In the event of material changes, the Fund will notify Users by email at least 14 days before the changes take effect.
11. Contact Information
For all inquiries relating to this Policy or to exercise your data subject rights, please contact:
Merivo Fund Data Protection Contact Email: [email protected] Website: merivo.fund