§ SUMMARY

The short version. For people who actually want it.

  • Marketing site (this site): no third-party analytics, no tracking cookies, no advertising pixels, no fingerprinting. Just server access logs, kept 30 days.
  • Verify endpoint: we don't log queries to identity. Rate-limit counters are kept 24 hours; we don't know who you are.
  • Custody data (sponsors): sponsor accounts and document metadata are processed under the Custody Services Agreement, encrypted at rest, retained as required by the contract.
  • Email: if you email us, we keep the thread to do the work. We don't add you to a marketing list. We don't sell, share, or rent your address.
  • Your rights: you can ask what we have, ask us to delete it, or ask us to correct it. We respond inside 30 days.

01 Scope

This policy describes how Fund Base Camp LLC ("FBC", "we") collects and processes information in three contexts: the public marketing website at fundbasecamp.com (the "Marketing Site"), the public verification endpoint at /verify (the "Verification Endpoint"), and the custody service provided to sponsors under the Custody Services Agreement (the "Custody Service"). For a broader overview of how the custody workflow, verification process, and document infrastructure operate together, see how Fund Base Camp works.

Where the Custody Services Agreement governs (i.e., sponsor data and the documents under custody), that contract controls. The terms here are the public-facing summary and apply to anyone who visits the Marketing Site, queries the Verification Endpoint, or emails us. General use of the public website is also governed by the Fund Base Camp Terms.

02 What we collect

The categories below are exhaustive — if a category isn't listed, we don't collect it. This includes public interactions with the document verification endpoint, which is intentionally designed to minimize retained user data.

  • Marketing Site: Server access logs only. IP address, user agent, request path, response code, timestamp. Kept 30 days for security and operational debugging. No third-party analytics, no advertising pixels, no fingerprinting, no third-party tag managers.
  • Verification Endpoint: Rate-limit counters and the transaction code submitted. The code is processed in memory to return the response and discarded — we do not retain a query log of which codes were verified, by whom, or when, beyond the rate-limit window. Rate-limit counters (per IP, per code) are kept 24 hours.
  • Email correspondence: The email thread itself. If you email any FBC address, the thread is retained in our mail provider's system for the duration of the matter and a reasonable archival period thereafter. Names, email addresses, and message content are processed only to do the work the email is about.
  • Custody Service (sponsors): Sponsor account, document metadata, custody records. Governed by the Custody Services Agreement. Includes sponsor entity details, authorised users (name + email), API keys, ingested document content (encrypted at rest), document metadata, transaction codes, and CloudTrail logs. Retention is contractual.

03 Why we collect it

  • Server access logs: operate the site, detect abuse, debug.
  • Rate-limit counters: prevent denial-of-service on the verification endpoint.
  • Email content: respond to inquiries, perform contracted services, maintain a business record.
  • Custody data: perform the custody service under the CSA. Sponsors comparing service tiers and operational scope can review the Fund Base Camp pricing structure.

We do not use any of this information to build advertising profiles, sell to third parties, train external models, or score you in any system. Additional details about encryption, infrastructure isolation, audit logging, and operational safeguards are documented in our security architecture overview.

04 Cookies & tracking

The Marketing Site uses no cookies. No first-party analytics cookies, no third-party advertising cookies, no preference cookies, no consent banners (because there's nothing to consent to).

The sponsor dashboard, which is access-controlled and outside the scope of this public policy, uses essential session cookies necessary for authenticated access. Those are described in the dashboard's own privacy notice. Sponsors evaluating the platform can also review the sponsor infrastructure overview for operational and custody details.

05 Who we share with

We do not sell, rent, lease, license, or otherwise transfer personal information to third parties for their independent use. The narrow exceptions are:

  • Subprocessors we engage to operate the service (mail provider, cloud infrastructure, identity provider, payment processor for billing). Reviewed at engagement and annually; SOC 2 or equivalent reports collected. Sponsors evaluating technical connectivity and operational dependencies can review our integration architecture and supported systems. Subprocessor list available to sponsors under NDA.
  • The independent CPA firm performing our annual Agreed-Upon Procedures, under a confidentiality agreement, limited to what the engagement requires.
  • Counsel and auditors we engage in connection with our own legal and financial affairs, under privilege or confidentiality.
  • Regulatory, legal, or law-enforcement requests where disclosure is required by law. We require valid process and notify the affected sponsor or contact unless we are legally prohibited from doing so.

06 Retention

  • Server access logs: 30 days, then deleted.
  • Rate-limit counters: 24 hours, then deleted.
  • Email threads: active matter + reasonable archive (≈ 3 years), then deleted unless legally required to retain.
  • Custody data: as specified in the Custody Services Agreement. By default: duration of the contract + the regulatory retention period applicable to the underlying documents (typically 6–7 years).
  • CloudTrail / audit logs: 7 years, in immutable storage. These exist for security and the AUP engagement.

07 Your rights

Regardless of jurisdiction, you can ask us:

  1. What personal information we have about you.
  2. To correct it if it is wrong.
  3. To delete it (subject to legal and contractual retention obligations).
  4. To stop processing it for a particular purpose.
  5. To provide it to you, or to another controller you nominate, in a portable format.

Email privacy@fundbasecamp.com. We respond within 30 days. We may need to verify your identity in proportion to the sensitivity of the request — we will explain what we need before asking for it.

If you are in the European Economic Area, the United Kingdom, California, Virginia, Colorado, or another jurisdiction with specific privacy rights, those rights apply on top of what's listed here. We will assume the most protective interpretation absent your specifying which framework governs.

08 Security

The Marketing Site is served exclusively over TLS 1.3 with HSTS preloaded. Custody data is encrypted at rest with AES-256-GCM under KMS-managed keys, isolated per sponsor SPV. Every object access is logged via AWS CloudTrail. The full architecture and controls are documented at fundbasecamp.com/security, which is the authoritative description of FBC's security posture and should be read alongside this privacy policy.

09 Children

The FBC service is provided to sponsors of private-market SPVs and the investors in those SPVs — counterparties that, by the nature of the underlying offerings, are not minors. We do not knowingly process personal information of anyone under 18. If you believe we have, email privacy@fundbasecamp.com and we will delete it.

10 International data

FBC is a United States company and processes information in the United States. Where required by law (e.g., for EEA or UK data subjects), transfers are made under appropriate safeguards (Standard Contractual Clauses or equivalent). Sponsors with specific cross-border data residency requirements should raise them during CSA negotiation; we will accommodate where commercially reasonable. Additional background about the company and its operating model is available on the Fund Base Camp company overview page.

11 Changes to this policy

If we change this policy materially, we will update the version and effective date at the top of the page, and (for sponsors under an active CSA) notify the named sponsor contact by email at least 30 days before the change takes effect. Non-material changes (clarifications, typo fixes) take effect on update. Related corporate disclosures, contractual references, and legal notices are maintained in the Fund Base Camp legal center.

12 Contact

Privacy questions: privacy@fundbasecamp.com
Legal coordination: legal@fundbasecamp.com
Postal: see /contact.

Version 1.0
Effective 2026-05-22
Next review 2027-05-22 (annual)