Privacy Policy

Effective Date: March 29, 2026  |  Version 1.0

OverCap UK Limited (trading as Secondaries.io)  |  Third Floor, 207 Regent Street, London, W1B 3HH, United Kingdom

1. Introduction

OverCap UK Limited (trading as Secondaries.io) ("Secondaries.io," "we," "us," or "our") operates a technology platform for institutional participants in the LP-led secondary market and NAV lending ecosystem. This Privacy Policy describes how we collect, use, store, share, and protect personal data when you access or use our Platform.

This policy applies to all Users of the Platform, including Buyers, Sellers, General Partners, and NAV Lenders, as well as visitors to our website. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.

2. Data Controller

The data controller responsible for processing your personal data is:

OverCap UK Limited (trading as Secondaries.io)
Third Floor, 207 Regent Street, London, W1B 3HH, United Kingdom
Email: privacy@secondaries.io

If you have any questions about how your personal data is processed, or wish to exercise your data subject rights, please contact us at the address above.

3. Personal Data We Collect

We collect personal data that you provide directly, data generated through your use of the Platform, and limited data from third-party sources.

3.1 Data You Provide

  • Account Information: First name, last name, email address, job title, company/firm name, role (Buyer, Seller, GP, NAV Lender), and password (stored as a cryptographic hash, never in plaintext).
  • Organization Information: Firm name, registered address, regulatory status, AUM or allocation range (if provided), and organizational structure.
  • Professional Profile: LinkedIn profile data (if you choose to register via LinkedIn OAuth), professional history, and credentials.
  • Transaction Data: Indications of interest, bid submissions, deal terms, fund position details, NAV figures, commitment amounts, and related correspondence conducted through the Platform.
  • Documents: Files uploaded to Secure Rooms, including fund reports, financial statements, offering memoranda, and due diligence materials.
  • Communications: Messages exchanged through Platform messaging features and support inquiries.
  • Payment Information: Billing address and payment method details. Payment card data is processed by our payment provider (Stripe) and is not stored on our servers.

3.2 Data Generated Through Use

  • Usage Data: Pages visited, features used, search queries, time spent on pages, and interaction patterns.
  • Audit Logs: Document access records, login events, bid submissions, consent actions, and all platform interactions — with timestamps and user attribution.
  • Device & Connection Data: IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Session Data: Authentication tokens (encrypted JWT), session duration, and activity timestamps.

3.3 Data from Third Parties

  • LinkedIn: If you register via LinkedIn OAuth, we receive your name, email address, profile photo, and headline as authorized by your LinkedIn privacy settings.
  • Sanctions & Compliance Screening: We may verify User and Organization information against publicly available sanctions lists, beneficial ownership registries, and regulatory databases.

4. Lawful Basis for Processing

We process personal data on the following legal bases under UK GDPR:

Lawful Basis | Processing Activities
Contractual Necessity (Art. 6(1)(b)) | Account creation, platform access, transaction facilitation, subscription billing, Secure Room access, deal workflow management.
Legitimate Interest (Art. 6(1)(f)) | Platform security and fraud prevention, usage analytics for platform improvement, aggregated market intelligence, audit trail maintenance.
Legal Obligation (Art. 6(1)(c)) | AML/KYC compliance, sanctions screening, regulatory reporting, tax record retention, responding to lawful authority requests.
Consent (Art. 6(1)(a)) | Non-essential cookies and analytics, marketing communications (if any), optional data enrichment from third-party sources.

Where processing is based on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. Details of these assessments are available upon request.

5. How We Use Your Data

  1. Platform Operations: To create and manage your account, authenticate sessions, provide role-based access, facilitate transactions, and deliver Platform features.
  2. Transaction Facilitation: To match counterparties, display relevant deal flow, enable bid submission and review, manage GP consent workflows, and coordinate Secure Room access.
  3. Security & Integrity: To detect and prevent fraud, unauthorized access, and platform abuse. To maintain comprehensive audit trails of all platform activity.
  4. Compliance: To satisfy AML/KYC obligations, screen against sanctions lists, and respond to lawful requests from regulatory authorities.
  5. Platform Improvement: To analyze aggregated usage patterns, identify performance issues, and improve Platform features and user experience.
  6. Market Intelligence: To produce anonymized and aggregated analytics, pricing benchmarks, and market trend data. No individually identifiable data is included in these products.
  7. Billing: To process subscription payments, issue invoices, calculate facilitation fees, and manage payment disputes.
  8. Communication: To send transactional notifications (deal updates, consent requests, system alerts), account-related communications, and service announcements.

6. Data Sharing & Disclosure

We do not sell personal data. We share personal data only in the following circumstances:

6.1 With Other Platform Users

Certain data is shared with counterparties as part of Platform functionality: your name, firm name, job title, and role are visible to counterparties you engage with on a deal. Fund position data and documents you upload to Secure Rooms are visible only to Users you explicitly authorize. Counterparty identity is protected until mutual consent to engage.

6.2 With Service Providers

We engage third-party service providers (sub-processors) to support Platform operations. These providers process data only on our instructions and are bound by data processing agreements. Current sub-processors include:

Provider | Purpose | Data Location
Neon.tech | Database hosting (PostgreSQL) | EU (Frankfurt)
Upstash | Session management (Redis) | EU
Cloudflare | CDN, DNS, file storage (R2) | EU / Global edge
Vercel | Frontend hosting | EU / Global edge
Hetzner | Backend application hosting | EU (Germany)
Axiom | Application logging and monitoring | EU
Stripe | Payment processing | EU / US
LinkedIn (Microsoft) | OAuth authentication (optional) | US / EU

We maintain an up-to-date list of sub-processors and will notify Users of material changes with reasonable advance notice.

6.3 Legal & Regulatory Disclosure

We may disclose personal data where required by applicable law, regulation, legal process, or governmental request. We may also disclose data to: (a) enforce our Terms of Use, (b) protect the rights, property, or safety of Secondaries.io, our Users, or the public, (c) detect and prevent fraud or security incidents, or (d) comply with AML/KYC obligations and sanctions screening requirements.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, personal data may be transferred to the acquiring entity. Users will be notified of any such transfer and any changes to this Privacy Policy.

7. International Data Transfers

Personal data is primarily stored and processed within the European Union (Frankfurt, Germany) and the United Kingdom. Where data is transferred to service providers outside the UK or EU/EEA, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreement (IDTA): UK-approved contractual protections for transfers to non-adequate countries.
  • UK Extension to EU SCCs: Where applicable, the UK addendum to EU Standard Contractual Clauses.
  • Adequacy Regulations: Where the UK Secretary of State has determined the receiving country provides adequate data protection.

Copies of the specific safeguards applied to international transfers are available upon request.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

Data Category | Retention Period | Basis
Active account data | Duration of account | Contractual necessity
Account data after termination | 7 years post-termination | Regulatory retention (financial records)
Transaction records & audit logs | 10 years from transaction date | Legal obligation (AML, tax, regulatory)
Secure Room documents | 30 days post-account termination (then deleted) | Contractual; user export period
Usage analytics (aggregated) | Indefinite | Legitimate interest (no personal data)
Payment records | 7 years | Tax and accounting obligations
Compliance screening records | 5 years after relationship end | AML regulatory requirement
Server logs (IP, access) | 90 days | Security and incident investigation

When retention periods expire, personal data is securely deleted or irreversibly anonymized. Anonymized data that cannot be linked to any individual may be retained indefinitely for analytical purposes.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption at Rest: All stored data encrypted with AES-256. Sensitive fields (authentication tokens, API keys) additionally encrypted at the application layer.
  • Encryption in Transit: All communications secured with TLS 1.3. No unencrypted connections are accepted.
  • Authentication: Encrypted JWT tokens (JWE) for session management. Passwords stored as salted bcrypt hashes, never in plaintext.
  • Access Controls: Role-based access controls (RBAC) at the application level. Principle of least privilege applied to all internal systems.
  • Audit Logging: Comprehensive audit trail of all data access, modifications, and platform actions with timestamps and user attribution.
  • Infrastructure Security: Production servers hosted on dedicated infrastructure with SSH key authentication. Database connections require SSL with channel binding.
  • Incident Response: Documented incident response procedures. Personal data breaches are notified to the supervisory authority (the ICO) without undue delay and, where feasible, within 72 hours of our becoming aware of the breach, per UK GDPR Art. 33, and to affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, per UK GDPR Art. 34.

10. Your Rights Under Data Protection Law

As a data subject, you have the following rights under the UK GDPR. To exercise any of these rights, contact us at privacy@secondaries.io. We will respond within thirty (30) days.

Right | Description
Access (Art. 15) | Request a copy of the personal data we hold about you, including the purposes of processing and categories of recipients.
Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data.
Erasure (Art. 17) | Request deletion of your personal data where it is no longer necessary, you withdraw consent, or processing is unlawful. Subject to legal retention obligations.
Restriction (Art. 18) | Request restriction of processing while accuracy is contested, processing is unlawful, or data is needed for legal claims.
Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
Objection (Art. 21) | Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
Complaint (Art. 77) | Lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

We will not charge a fee for exercising these rights, except where requests are manifestly unfounded or excessive. Identity verification may be required before processing requests.

11. Cookies & Similar Technologies

11.1 Essential Cookies (No Consent Required)

These cookies are strictly necessary for Platform operation and cannot be disabled:

  • Authentication cookies: Encrypted session tokens (JWT) for maintaining your login state.
  • Security cookies: CSRF protection tokens and rate-limiting identifiers.
  • Preference cookies: Language, theme, and display settings.

11.2 Analytics Cookies (Consent Required)

We may use analytics tools to understand how the Platform is used. These cookies are only set with your explicit consent, which you may withdraw at any time. Analytics data is aggregated and does not identify individual Users.

11.3 No Advertising Cookies

We do not use advertising cookies, tracking pixels, or any third-party advertising technology. We do not serve ads or share data with advertising networks.

12. Automated Decision-Making

The Platform uses algorithmic matching to suggest relevant deal flow, counterparties, and financing opportunities based on your stated mandates and preferences. This matching is informational only — it does not produce legally binding decisions or restrict your access to Platform features.

Account approval and qualification decisions involve human review. No solely automated decision-making with legal or similarly significant effects is applied to Users under UK GDPR Art. 22.

13. Children's Privacy

The Platform is intended exclusively for institutional professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or regulatory guidance. Material changes will be communicated via email to registered Users and through in-platform notification at least thirty (30) days before taking effect.

A version history of this Privacy Policy is maintained and accessible through the Platform. The "Effective Date" at the top of this document indicates the date of the most recent revision.

15. Contact Information

OverCap UK Limited (trading as Secondaries.io)
Company No. 13731322 (England and Wales)
Third Floor, 207 Regent Street, London, W1B 3HH, United Kingdom

Data protection inquiries: privacy@secondaries.io
General inquiries: info@secondaries.io
Legal & compliance: legal@secondaries.io

Supervisory Authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Tel: 0303 123 1113
ico.org.uk

This Privacy Policy should be reviewed by qualified legal counsel with expertise in EU data protection law before reliance. OverCap UK Limited (trading as Secondaries.io) reserves the right to update this policy as the regulatory landscape evolves.