Introduction
GCF IPO is a platform operated under the GCF brand by GCF Group · GCF Treuwert Ltd. (together “GCF”, “we”, “us”) for qualified investors reviewing private-market allocations. This privacy policy explains what personal data we collect, why we collect it, the legal bases on which we rely, how long we retain it, with whom we share it, and the rights available to you.
By registering for the investor portal or submitting an allocation request, you confirm that you have read this policy and understand the processing described below, subject to applicable law in your jurisdiction.
Who is responsible for your data
The data controller for platform onboarding and account operations is the GCF group entity that contracts with you. Custody and account services are delivered through regulated partner banks, which act as independent controllers for the banking records they hold.
Privacy and data-protection enquiries can be sent to compliance@gcf-ipo.com.
Data we collect
We collect only the information required to operate a regulated private-markets workflow:
- Identity and contact details provided at registration (name, date of birth, nationality, email, phone, residential address).
- KYC, AML, and source-of-funds / source-of-wealth documentation submitted for eligibility and enhanced due diligence.
- Investor-status and accreditation evidence where an offering requires it.
- Order, deposit, payment, settlement, and holding records tied to a specific reference.
- Wallet and bank details you use to fund your account or receive distributions.
- Technical logs such as IP address, device and browser type, session identifiers, and audit timestamps.
- Communications you send to support or compliance regarding your account or holdings.
Legal bases for processing
Where data-protection law (such as the GDPR) applies, we rely on the following legal bases:
- Performance of a contract — to operate your account, process allocations, and deliver documents.
- Legal obligation — to meet anti-money-laundering, counter-terrorist-financing, sanctions, tax, and record-keeping duties.
- Legitimate interests — to secure the platform, prevent fraud and abuse, and improve reliability, balanced against your rights.
- Consent — for optional analytics or marketing, which you may withdraw at any time.
How we use your data
We process personal data for defined purposes and do not sell investor data to third parties.
- Verifying investor eligibility and completing identity verification, sanctions, and PEP screening.
- Executing, reconciling, and documenting deposit, allocation, and settlement activity.
- Delivering subscription agreements, risk disclosures, receipts, and portal archives.
- Meeting anti-money-laundering, sanctions, and record-keeping obligations.
- Detecting, investigating, and preventing fraud, abuse, and security incidents.
- Responding to lawful requests from regulators, banks, or courts where required.
Sharing and processors
We share personal data only with parties that help us operate the platform lawfully, each bound by confidentiality and data-processing terms:
- Regulated partner banks and payment providers used for custody and settlement.
- Identity-verification and sanctions/PEP-screening providers used for KYC/AML.
- Cloud infrastructure and authentication providers (for example, Google Firebase) that host the platform and investor records.
- Transactional email and document-delivery providers used to send confirmations and receipts.
- Professional advisers, auditors, and regulators where required by law or to protect our legal rights.
How we protect your data
We apply technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit, access controls, HttpOnly signed session cookies, least-privilege administrative access, and audit logging. Identity documents are held in access-controlled storage with time-limited URLs, and wallet-pool secrets are encrypted at rest with keys held outside the database.
No system is perfectly secure. You are responsible for safeguarding your sign-in credentials and for using a trusted device.
Retention
Transaction and compliance records are retained for at least ten (10) years from the date of the relevant event unless a longer period is required by regulation. Inactive account data is retained for up to seven (7) years before secure deletion, subject to outstanding legal holds.
Identity documents are stored in encrypted storage with time-limited access. Database records hold metadata and references only.
Your rights
Depending on your jurisdiction, you may request access, correction, restriction, portability, or erasure of personal data, and you may object to certain processing. Erasure or objection requests may be declined where retention is required for compliance, dispute resolution, or an open allocation.
Submit privacy requests to compliance@gcf-ipo.com. We respond within the timeframe required by applicable law, and you may lodge a complaint with your local data-protection authority.
Automated checks
Onboarding uses automated identity, sanctions, and PEP screening to flag cases for human review. We do not make solely automated decisions that produce legal or similarly significant effects without human involvement; flagged cases are reviewed by our compliance team.
International transfers
Where data is processed outside your country of residence, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms approved under applicable data-protection law.
No use by minors
The platform is intended only for qualified or accredited investors who are adults. We do not knowingly collect data from anyone under the age of majority in their jurisdiction.
Breach notification
If a personal-data breach is likely to result in a risk to your rights, we will notify the relevant authority and, where required, affected investors without undue delay, in line with applicable law.
Policy updates
We may update this policy to reflect regulatory or product changes. Material updates are communicated through the investor portal or by email where required. The effective date at the top of this page reflects the latest revision.