Privacy Policy
Effective date: June 23, 2025 · Last updated: June 23, 2025
1. Who We Are
Crowdfund.co (“Crowdfund.co,” “we,” “our,” or “us”) operates an online crowdfunding platform and related services at crowdfund.co. Our registered address and contact information are set out in Section 15.
2. Scope and Who This Policy Applies To
This Privacy Policy applies to three categories of individuals who interact with our Platform:
- Issuers/Sponsors — companies and individuals raising capital through our platform.
- Investors — individuals and entities investing through campaigns on the platform.
- Visitors — anyone who browses our public website without an account.
By using the Platform, you consent to the practices described in this Policy.
3. Information We Collect
From Issuers/Sponsors:
- Name, email, phone number, and business address;
- Company formation documents and entity information;
- Beneficial ownership information for KYC purposes;
- Bank account information for fund receipt and distribution;
- Financial statements and offering documents uploaded to the platform.
From Investors:
- Full legal name, date of birth, address, email, and phone number;
- Government-issued ID (passport, driver’s license) for identity verification;
- Social Security Number or Tax Identification Number (TIN) for KYC and tax reporting;
- Income and net worth information for investment limit verification (Reg CF) or accreditation verification (Reg D 506(c));
- Beneficial ownership information for entity investors (LLCs, trusts, IRAs);
- Bank account or payment card information for investment processing;
- Accredited investor verification documents (financial statements, CPA letters).
From all users:
- Usage data (pages visited, features used, session duration);
- Device and browser information, IP address;
- Communications sent to us via the platform or email.
4. Legal Basis for Processing (GDPR)
Where GDPR applies, we process personal data under these legal bases:
- Contract performance (Art. 6(1)(b)) — to provide the platform services;
- Legal obligation (Art. 6(1)(c)) — to comply with KYC, AML, and securities law requirements;
- Legitimate interests (Art. 6(1)(f)) — for fraud prevention, platform security, and analytics;
- Consent (Art. 6(1)(a)) — for marketing communications (where required).
5. How We Use Your Information
- To provide, operate, and improve the Platform;
- To verify identity and conduct KYC/AML screening as required by law;
- To enforce Reg CF investment limits based on income/net worth;
- To process payments, manage escrow, and distribute proceeds;
- To prepare and facilitate regulatory filings (Form C, Form 1-A, Blue Sky notices);
- To generate and deliver tax documents (1099s, K-1s);
- To communicate about your account, campaigns, and distributions;
- To detect and prevent fraud and unauthorized activity;
- To comply with legal and regulatory obligations.
6. Sharing Your Information
We share personal data with:
- Service providers — KYC/identity verification vendors, payment processors, escrow agents, cloud infrastructure, and analytics providers operating under data processing agreements;
- Regulatory authorities — the SEC, FINRA, FinCEN, OFAC, and state securities regulators, as required by applicable law;
- Escrow providers — third-party escrow agents holding investor funds as required for Reg CF compliance;
- Transfer agents — for securities issuance and record-keeping under Reg A+ and other offerings;
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users;
- Legal process — in response to valid subpoenas, court orders, or regulatory demands.
We do not sell personal data to third parties for their own marketing purposes.
7. Data Retention
We retain personal data for the period necessary to fulfill the purposes described above, subject to:
- BSA/AML records: minimum 5 years from date of transaction (31 C.F.R. § 1020.430);
- Reg CF records: minimum 5 years as required by SEC rules;
- Reg A+ records: minimum 5 years from the date of the offering;
- Tax records: minimum 7 years;
- Account data: for the life of the account plus 5 years following closure.
8. Security
We implement administrative, technical, and physical safeguards including:
- TLS 1.2+ encryption for data in transit;
- AES-256 encryption for sensitive data at rest;
- Role-based access controls and multi-factor authentication;
- Regular penetration testing and vulnerability assessments;
- Incident response procedures with breach notification protocols.
9. Cookies and Tracking
We use cookies and similar technologies for:
- Essential: authentication, session management, and security;
- Functional: remembering preferences and settings;
- Analytics: understanding platform usage (aggregated and anonymized);
- Marketing: measuring the effectiveness of our advertising (with your consent where required).
You can manage cookies through your browser settings or our cookie preference center.
10. International Data Transfers
We are based in the United States. If you access the Platform from outside the U.S., your data will be transferred to and processed in the U.S. For transfers from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Your Rights
Under GDPR (EEA residents): You have the right to access, correct, and erase your personal data, to restrict processing, to data portability, and to object to processing (Arts. 15–22 GDPR). You may also lodge a complaint with your local data protection authority.
Under CCPA/CPRA (California residents): You have the right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. We do not discriminate against users who exercise these rights. To submit a request: [email protected].
Note: We may be required to retain certain data notwithstanding your request, to comply with regulatory obligations described in Section 7.
12. Children’s Privacy
The Platform is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, please contact us immediately.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated via email or prominent Platform notice at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
14. Contact
For privacy-related questions or to exercise your rights:
- Email: [email protected]
- General: [email protected]