GKP Capital Equity Marketplace

Privacy Policy

This Privacy Policy explains how GKP Capital ("we", "us", "our") collects, uses, discloses, and safeguards personal information when you visit our website or engage our services. We operate in the United States and comply with applicable federal and state data protection requirements as well as contractual obligations with custodians and service providers. This policy applies to information gathered through our website, intake and onboarding processes, transaction documentation, and communications related to trading, custody, and advisory engagements. Our practices are designed to protect sensitive personal and financial data while enabling necessary due diligence for KYC/AML, investor suitability checks, and transaction settlement. If you have questions about this policy or need to exercise a data subject right, contact our Data Protection Officer using the contact information in the Contact section below. This document describes the types of information we collect, legal bases for processing, how we share information, data retention, security measures, your rights, and how to lodge complaints or inquiries.

Information we collect

We collect information necessary to provide trading, custody, and advisory services and to meet regulatory obligations. Categories of information include identity data (full name, date of birth, government identification numbers), contact details (email, phone, postal address), firm and employment information, beneficial ownership information when required, and financial data such as account numbers or custody identifiers needed to settle transactions. We also collect documentation submitted during onboarding, including certificates, corporate authorizations, tax forms, and investor accreditation evidence. Technical data about website interactions (IP address, browser type, device information) is collected for security, fraud prevention, and service improvement. We may collect limited third-party data from verification services and publicly available registries to corroborate identity and compliance information. We use secure channels for document exchange when sensitive data must be transmitted and only retain access to the minimum data needed to perform our services and comply with legal and audit requirements.

How we use information and legal basis

We use personal information to provide and administer our services, to perform onboarding and compliance checks, and to execute and settle transactions through regulated custody partners. Processing purposes include verifying identity for KYC/AML compliance, assessing investor suitability where required, executing trade instructions, coordinating settlement, reconciling positions, issuing confirmations and statements, and responding to inquiries. We also use information for risk management, fraud detection, legal and regulatory reporting, and to maintain audit-ready records. The legal bases for processing include contract performance (to provide requested services), compliance with legal obligations (e.g., anti-money laundering, tax reporting), and our legitimate interests (such as security, fraud prevention, and service improvement) provided these do not override your rights. Where applicable, we will obtain consent for marketing communications and respect your choices. We may anonymize or pseudonymize data for analytics and product development so that it no longer identifies individuals.

Data retention, sharing, and international transfers

We retain personal data for the period necessary to fulfill the purposes outlined above and to satisfy legal, regulatory, and contractual obligations, typically for a minimum retention period required by financial regulators or tax authorities. Retention periods depend on jurisdiction and the nature of the records; where required we retain records for several years after account closure to support audits and potential investigations. We share information with service providers acting on our behalf such as custodians, settlement agents, identity verification providers, legal and tax advisors, and technology partners. Access is limited on a need-to-know basis and governed by contractual safeguards and data processing agreements. In some cases, data may be transferred to jurisdictions outside your home country to support custody, settlement, or advisory activities; when transfers occur we rely on appropriate protections such as standard contractual clauses or equivalent safeguards and, where necessary, client consent. We do not sell personal data to third parties.

Security measures and data protection

We implement administrative, technical, and physical safeguards to protect personal data. These measures include role-based access controls, encryption of data in transit and at rest, secure key management, multi-factor authentication for privileged access, and restricted access to production systems. Our custody partners and critical vendors are selected based on security posture and regulatory standing, and we maintain contractual assurance of their obligations to protect client data. We regularly review access logs, conduct periodic vulnerability assessments, and maintain incident response protocols to address potential breaches. In the unlikely event of a security incident affecting your data, we will follow applicable breach notification requirements and provide timely communication to affected parties as required by law. We also encourage clients to use secure channels for transmitting sensitive documents and to follow best practices for account access security on their side.

Your rights and choices

Depending on your jurisdiction, you may have rights regarding your personal data including access, correction, deletion where not restricted by retention obligations, restriction of processing, and portability. You can opt out of marketing communications at any time by using the unsubscribe mechanism in emails or by contacting us directly. For requests to access, correct, or delete your information, or to exercise other rights, please provide proof of identity and a description of your request to help us locate the records. We will respond within applicable legal timeframes and provide information on any limitations to fulfilling requests due to legal or regulatory obligations. If you are a resident of a jurisdiction with specific privacy laws, we will follow any additional local requirements applicable to regulated entities or financial firms. If you have unresolved concerns you may contact the appropriate supervisory authority in your country of residence after contacting us first so we can address the issue directly.

Contact, updates, and effective date

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a security concern, contact our Data Protection Officer at the address or phone number below. We may update this policy to reflect changes in laws, services, or business practices; material changes will be posted with an updated effective date. Our primary contact for privacy matters is: Data Protection Officer, GKP Capital, 125 Park Avenue, Suite 400, New York, NY 10017, United States; phone: +1 (212) 555-0198; email: [email protected]. Effective date: 2026-01-15. If you believe we have not complied with this policy or applicable law, please contact us and we will investigate promptly.