Legal
Privacy Policy
Effective date: June 23, 2025 · Last updated: June 23, 2025
SPV.co operates in a regulated financial and securities environment. Because we process sensitive personal financial data and are subject to KYC/AML and securities law obligations, this policy is intentionally comprehensive. Please read it carefully.
1. Who We Are
SPV.co (“SPV.co,” “we,” “our,” or “us”) provides software infrastructure for the formation, management, and compliance of Special Purpose Vehicles and related investment structures. Our principal place of business is in the United States.
For privacy inquiries: [email protected]
For legal notices: [email protected]
2. Scope of This Policy
This Privacy Policy applies to all information collected through spv.co, app.spv.co, and any related subdomains, APIs, mobile applications, and investor portals operated by SPV.co (collectively, the “Platform”). It covers information about:
- Deal Sponsors — persons or entities who create and manage SPVs on the Platform.
- Investors — individuals who receive invitations and participate in SPVs.
- Visitors — anyone who accesses spv.co without a registered account.
This policy does not apply to third-party websites linked from our Platform. We are not responsible for the privacy practices of those third parties.
3. Information We Collect
3.1 Information You Provide Directly
Account Registration
- Full legal name, email address, phone number, and password
- Company name, title, and professional role
- Billing address and payment method information (processed by our payment processors; we do not store raw card numbers)
Know Your Customer (KYC) and Anti-Money Laundering (AML) Data
To comply with applicable securities laws and financial regulations, we collect and process the following identity and financial information from both sponsors and investors:
- Government-issued photo identification (passport, driver’s license, national ID)
- Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN) for U.S. persons; Tax Identification Number (TIN) or equivalent for non-U.S. persons
- Employer Identification Number (EIN) for entities
- Date of birth and residential address
- Accredited investor certification documentation, including income or net worth evidence (W-2s, tax returns, brokerage statements, CPA or attorney letters, or equivalent)
- Entity formation documents (operating agreements, certificates of formation, articles of incorporation) for non-individual investors
- Beneficial ownership information for entities (names, SSNs, and ownership percentages of individuals owning 25% or more)
- Source of funds declarations where required
Transaction and Investment Data
- Investment amounts, commitment levels, and wire transfer confirmations
- Bank account information (account number, routing number) used for subscription and distribution wires
- Signed subscription agreements, side letters, and offering documents
- Capital call and distribution records
- K-1 and other tax document data
Communications
- Messages you send to us via email, contact forms, or in-platform chat
- Support tickets and correspondence
- Survey responses and feedback
3.2 Information Collected Automatically
- Log data: IP address, browser type, operating system, referring URLs, pages viewed, time spent, and timestamps
- Device information: device identifiers, screen resolution, and hardware model
- Usage analytics: feature usage patterns, click paths, and session recordings (where disclosed separately)
- Cookies and similar technologies: session cookies (required for authentication), preference cookies, and analytics identifiers. See Section 10 for details.
3.3 Information from Third Parties
- Identity verification providers: results of government ID verification, liveness checks, and biometric data processing (if applicable under local law)
- AML and sanctions screening providers: results of checks against OFAC SDN lists, PEP databases, adverse media, and other financial crime watchlists
- Credit bureaus and financial data aggregators: where permitted and for the purpose of verifying financial status
- Other SPV sponsors: when a sponsor invites you as an investor, they share your name and email address with us to create your investor record
4. How We Use Your Information
4.1 To Provide the Platform
- Creating and managing your account and SPV entities
- Generating formation documents, subscription agreements, and operating agreements
- Facilitating investor onboarding and the subscription process
- Managing cap tables, tracking commitments, and processing distributions
- Preparing and delivering K-1s and other tax documents
4.2 Legal and Regulatory Compliance
- Conducting KYC and AML screening as required under the Bank Secrecy Act (BSA), FinCEN regulations, and applicable securities laws
- Verifying accredited investor status under SEC Rules 501 and 506
- Filing Form D and required Blue Sky notices with the SEC and state securities regulators
- Maintaining records as required by the Securities Exchange Act, Regulation D, and applicable state laws
- Responding to lawful requests from government authorities, including the SEC, FINRA, FinCEN, and law enforcement
- Detecting, preventing, and reporting potential fraud, money laundering, or terrorist financing
4.3 Platform Improvement
- Analyzing usage patterns to improve features and user experience
- Debugging technical issues
- Developing and testing new features
4.4 Communications
- Sending transactional notifications (investment confirmations, document signing requests, distribution notices)
- Providing customer support
- Sending product updates and, where you have opted in, marketing communications
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Platform services you have requested.
- Legal obligation: Processing required to comply with KYC/AML regulations, securities laws, and government reporting obligations.
- Legitimate interests: Fraud prevention, platform security, and improving our services, provided such interests are not overridden by your rights.
- Consent: Marketing communications, non-essential cookies, and certain biometric processing where required by local law. You may withdraw consent at any time.
6. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
6.1 With Other Platform Participants
SPV sponsors can see the KYC status, commitment amount, and basic profile of investors in their SPV. Investors can see summary deal information provided by the sponsor. Full KYC documentation is accessible only to authorized personnel at SPV.co and, where required by law, to regulators.
6.2 Service Providers
We share data with vetted third parties who process it on our behalf under data processing agreements, including:
- Identity verification and KYC providers (e.g., government ID verification services)
- AML and sanctions screening providers
- Cloud infrastructure and hosting providers
- Payment processors and banking partners
- Email delivery and communication providers
- Analytics and error-monitoring services
- Legal and registered agent services involved in entity formation
6.3 Regulatory and Legal Disclosure
We may disclose your information when required by law, including to:
- The U.S. Securities and Exchange Commission (SEC) in connection with Form D and Blue Sky filings
- The Financial Crimes Enforcement Network (FinCEN) for Suspicious Activity Report (SAR) filing obligations
- State securities regulators
- Law enforcement agencies pursuant to valid legal process (subpoena, court order, or government request)
- Any regulatory body in jurisdictions where we operate
Where permitted by law, we will attempt to notify you before disclosing your information in response to legal process. In certain circumstances (e.g., national security requests or where notice is prohibited), we may be unable to do so.
6.4 Business Transfers
In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will notify you via email or prominent Platform notice prior to any such transfer.
6.5 With Your Consent
We may share your information for any other purpose with your explicit consent.
7. International Data Transfers
SPV.co is headquartered in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.
For transfers from the EEA or UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. You may request a copy of the relevant safeguards by contacting [email protected].
8. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, subject to longer retention where required by law:
- KYC and identity verification records: Minimum 5 years from the end of the business relationship, as required by the Bank Secrecy Act and related regulations. In some jurisdictions, up to 7 years.
- Securities offering records: Minimum 5 years from the completion of an offering, as required by SEC record-keeping rules.
- Transaction and financial records: 7 years from transaction date, or longer where required by tax law.
- Account information: For the life of your account, plus 5 years after account closure.
- Communications and support records: 3 years from the date of communication.
- Analytics data: Up to 26 months in identifiable form; retained indefinitely in aggregated, anonymized form.
Where retention is required for legal or regulatory compliance, we may be unable to fulfill deletion requests for the applicable retention period.
9. Data Security
We implement technical and organizational measures appropriate to the sensitivity of the data we process, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Role-based access controls and least-privilege principles
- Multi-factor authentication for administrative access
- Regular penetration testing and security audits
- Vulnerability management and patch processes
- Incident response procedures with regulatory notification timelines
- Employee security training and background checks for personnel with access to sensitive data
No method of electronic transmission or storage is 100% secure. In the event of a data breach that is likely to result in harm to affected individuals, we will notify you and applicable regulators as required by law.
10. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core Platform functionality.
- Functional cookies: Remember your preferences (e.g., language, display settings).
- Analytics cookies: Help us understand how users interact with the Platform (e.g., page views, feature usage). These may be disabled without affecting core functionality.
- Marketing cookies: Used on our marketing website (spv.co) to measure campaign effectiveness. Not used within the logged-in Platform.
You can manage cookie preferences through your browser settings or our cookie consent banner (where applicable). Note that disabling certain cookies may affect Platform functionality.
11. Your Privacy Rights
11.1 Rights for All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Opt-out of marketing: Unsubscribe from marketing emails at any time using the unsubscribe link or by emailing [email protected]. You will continue to receive transactional messages.
11.2 Additional Rights for EEA and UK Residents (GDPR)
- Right to erasure: Request deletion of your personal data, subject to our legal retention obligations.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
11.3 California Residents (CCPA / CPRA)
California residents have the following rights:
- Right to know: Categories and specific pieces of personal information collected, disclosed, or “sold” in the preceding 12 months.
- Right to delete: Deletion of personal information, subject to legal exceptions.
- Right to correct: Correction of inaccurate personal information.
- Right to opt-out of sale or sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: You may direct us to limit use of sensitive personal information (including government IDs and financial account numbers) to what is necessary to provide the Platform. Note: because such data is required for KYC/AML compliance, this right may be limited.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a rights request, email [email protected]with the subject line “Privacy Rights Request.” We will verify your identity before processing your request. We will respond within 45 days (extendable by an additional 45 days where necessary, with notice).
12. Children’s Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will delete it promptly.
13. Third-Party Links
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies before providing any personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting a notice on the Platform at least 30 days before the change takes effect; and (b) sending an email to the address associated with your account, if applicable.
Your continued use of the Platform after a material change becomes effective constitutes your acceptance of the updated policy. If you do not agree to a material change, you must stop using the Platform and may request account closure.
15. Contact Us
For any privacy-related questions, requests, or concerns:
- Email: [email protected]
- Legal notices: [email protected]
We aim to respond to all inquiries within 10 business days.