Privacy Notice – Nestor Exchange
This Privacy Notice explains how the Nestor Exchange group handles personal data when you use our platform, interact with asset originators, or invest through the Nestor securitisation fund and its compartments.
1. Who We Are
Data Controllers
Personal data is processed by entities within the Nestor Exchange group, acting as independent controllers, joint controllers, or processors, depending on the context:
- Nestor Exchange OÜ (registry code 17303259, Tallinn, Estonia) – Parent company providing technology infrastructure, lifecycle governance services, and data processing platform for the Nestor group.
- Nestor Management Sàrl (RCS Luxembourg [INSERT], Luxembourg) – Luxembourg management company of the Nestor securitisation fund and its compartments, responsible for fund administration and investor relations.
- Asset Originators – Third-party companies that use Nestor infrastructure to structure and offer investment opportunities through dedicated compartments of the Nestor securitisation fund. Each originator acts as a joint controller with Nestor for data collected via their deal pages.
Contact & Data Protection
- Email: privacy@nestor.exchange
- Applicable Law: EU General Data Protection Regulation (GDPR), Estonian Data Protection Act, Luxembourg data protection law
Supervisory Authorities
- Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) – www.aki.ee
- Luxembourg: Commission Nationale pour la Protection des Données (CNPD) – www.cnpd.lu
2. What Data We Process
2.1 Data You Provide
Website visitors & waitlist:
Name, email, organization, role, country, investment interests, timeline, messages, and consent preferences.
Asset originators (B2B clients):
Company name, registration details, authorized representatives' contact details, UBO information, business documentation, and deal/project data.
Investors:
- Identity & contact: Full name, date and place of birth, nationality, residential address, email, phone number, copies of government-issued ID (passport, national ID card).
- Financial & investor qualifications: Investor type (retail/professional/institutional), accredited status, net worth, source of funds, source of wealth, employment/business information, investment experience.
- Investment activity: Deal interests, NDA signatures, subscription documents, investment amounts, payment instructions, wallet addresses (if tokenised), transaction history, position data per compartment.
- Due diligence: UBO declarations, corporate documents (for entities), PEP/sanctions screening results, AML/KYC documentation, tax identification numbers (TINs), FATCA/CRS self-certifications.
2.2 Data Collected Automatically
IP address, device type, browser type and version, operating system, pages viewed, time spent on pages, referrer URL, and clickstream data. We also use cookies and similar tracking technologies (see Section 8 below).
2.3 Data from Third Parties
- From asset originators: investor referrals and deal-specific information.
- From service providers: KYC/AML verification results, sanctions/PEP screening data, identity verification outputs, and payment confirmation.
- From brokers/placement agents: Investor qualification data, subscription documents, payment instructions.
- Publicly available: Business registries, corporate filings, news sources (for due diligence and compliance).
2.4 Sensitive Data
We do not intentionally collect special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation) unless required for regulatory compliance (e.g., PEP status, sanctions screening) and permitted by law.
3. Why We Use Your Data (Purposes & Legal Bases)
Platform operation & account management
Providing access to deal information, managing user accounts, enabling document signing, and investor onboarding.
Legal basis: Contract performance (GDPR Art. 6(1)(b))
Investment facilitation
Processing investment interest, subscriptions, and lifecycle events for compartments of the Nestor securitisation fund.
Legal basis: Contract performance
KYC/AML & regulatory compliance
Identity verification, UBO identification, source of funds/wealth checks, sanctions/PEP screening, ongoing monitoring, SAR/STR reporting.
Legal basis: Legal obligation (GDPR Art. 6(1)(c)) – Luxembourg/EU AML law, Estonian AML law, securities regulations
Investor qualification & suitability assessment
Verifying professional/accredited investor status, assessing investment experience and risk tolerance (where required by law).
Legal basis: Legal obligation + legitimate interests (Art. 6(1)(f))
Fund administration & reporting
NAV calculation, position tracking, investor register maintenance, tax reporting, regulatory filings.
Legal basis: Contract performance + legal obligation
Communication
Sending deal updates, platform notifications, investor communications, and operational messages.
Legal basis: Contract performance + legitimate interests
Marketing & promotional communications
Sending newsletters, new deal alerts, event invitations (only with your consent or where permitted by soft opt-in rules).
Legal basis: Consent (Art. 6(1)(a)) – you may withdraw consent or opt out at any time
Security & fraud prevention
Protecting platform integrity, detecting and preventing unauthorized access, fraud, money laundering, and other illicit activity.
Legal basis: Legitimate interests + legal obligation
Analytics & platform improvement
Understanding user behavior, measuring performance, and improving features and user experience.
Legal basis: Legitimate interests (business development and service optimization)
Legal, tax, and regulatory obligations
Responding to lawful requests from authorities, defending legal claims, and fulfilling record-keeping obligations.
Legal basis: Legal obligation + legitimate interests (legal defense)
Right to object: Where we rely on legitimate interests, you have the right to object to processing on grounds relating to your particular situation (see Section 7).
4. Who We Share Data With
4.1 Within the Nestor Group
Data is shared between:
- Nestor Exchange OÜ (infra & lifecycle governance)
- Nestor Management Sàrl (fund management)
- Asset originators using the Nestor infrastructure (as joint controllers for their deal pages and investor relationships)
4.2 Service Providers (Processors)
We engage third-party processors under written contracts with appropriate data protection obligations:
- Fund administration & registry: Creatrust Luxembourg Sàrl.
- KYC/AML providers: Identity verification, sanctions/PEP screening, UBO checks, document verification services.
- Payment & banking: Payment processors, custodians (for wallets/tokens), banking partners.
- Technology & hosting: Cloud infrastructure (AWS, Google Cloud, Azure), database and storage services, CDN providers.
- Communications: Email service providers (e.g., SendGrid, Mailchimp), DocuSign (e-signature), and customer support tools.
- Analytics & monitoring: Website analytics (Google Analytics, Mixpanel), security monitoring, performance tools.
4.3 Brokers & Placement Agents
We share investor data with licensed EU and US brokers, placement agents, and investment banks engaged to distribute securities issued by the Nestor securitisation fund. These parties act as independent controllers and are subject to their own regulatory obligations.
4.4 Professional Advisers
Lawyers, auditors, tax advisers, and consultants (subject to professional confidentiality).
4.5 Authorities & Regulators
- Luxembourg CSSF (Commission de Surveillance du Secteur Financier) – fund supervision.
- Estonian Financial Supervision and Resolution Authority (Finantsinspektsioon) – platform oversight.
- Luxembourg FIU / Estonian FIU – suspicious activity reports.
- Tax authorities – FATCA/CRS reporting and tax compliance.
- Law enforcement – when required by law or court order.
4.6 Other Third Parties
- Auditors & valuers appointed for fund compartments.
- Legal counterparties in transactions (e.g., co-investors, where disclosed in deal documentation).
- Potential acquirers in case of corporate restructuring or sale of Nestor entities (subject to confidentiality and continuity of data protection obligations).
We do not sell personal data.
5. International Data Transfers
Some of our service providers and partners are located outside the European Economic Area (EEA), including in the United States.
Where data is transferred to countries without an adequacy decision from the European Commission, we rely on:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions (e.g., UK, Switzerland, where applicable).
- Additional safeguards such as encryption, access controls, and data minimization.
You may request a copy of the relevant transfer mechanisms by contacting privacy@nestor.exchange.
6. Data Retention
We retain personal data only as long as necessary for the purposes set out in this Notice and to comply with legal obligations:
- Investor data: Retained for the duration of the investment relationship plus 10 years after termination, as required by Luxembourg and Estonian AML and financial regulations.
- Platform accounts (non-investors): Retained for the duration of your account plus 3 years, unless longer retention is required for legal or regulatory purposes.
- Marketing data: Retained until you withdraw consent or opt out, plus a suppression period to honor your preferences.
- KYC/AML documentation: 5–10 years from the end of the relationship, depending on jurisdiction.
- Legal & compliance records: As required by applicable law, typically 5–10 years.
After the retention period, data is securely deleted or anonymized.
7. Your Rights
Under GDPR, you have the following rights:
Access
Obtain a copy of the personal data we hold.
Rectification
Correct inaccurate or incomplete data.
Erasure ("right to be forgotten")
Request deletion (subject to legal retention obligations).
Restriction
Request that we limit processing in certain circumstances.
Object
Object to processing based on legitimate interests or for direct marketing.
Data portability
Receive your data in a structured, machine-readable format and transmit it to another controller (where technically feasible).
Withdraw consent
Where processing is based on consent, withdraw it at any time (does not affect prior lawful processing).
Complain to a supervisory authority
Lodge a complaint with the Estonian or Luxembourg data protection authority.
To exercise your rights: Email privacy@nestor.exchange with the subject line "Privacy Request – [Your Name]" and specify your request. We will respond within one month (extendable by two months for complex requests).
Note: Some rights may be limited by legal obligations (e.g., we cannot delete data we are required to retain for AML compliance).
8. Cookies & Tracking Technologies
What we use
- Essential cookies: Necessary for platform functionality (authentication, security, load balancing). No consent required.
- Analytics cookies: Google Analytics, Mixpanel, etc. Used to understand usage patterns and improve the platform.
- Marketing cookies: Track campaign effectiveness and enable retargeting (where permitted).
Your choices
- In the EEA, consent is obtained via our cookie banner for non-essential cookies.
- You may change your cookie preferences at any time through the banner or in your browser settings.
- Turning off certain cookies may affect platform functionality.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest.
- Access controls and authentication (MFA where applicable).
- Regular security assessments, penetration testing, and audits.
- Incident response and breach notification procedures.
However, no method of electronic storage or transmission is 100% secure. We continuously review and improve our security practices.
10. Children
Our services are not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@nestor.exchange.
11. Changes to This Notice
We may update this Privacy Notice periodically to reflect changes in our practices, legal requirements, or services. The "Last updated" date at the top indicates the current version.
Material changes will be communicated via:
- Notice on the platform
- Email to registered users (where appropriate)
- Prominent banner notification
Continued use of the platform after changes constitutes acceptance of the updated Notice.
12. Contact & Complaints
For privacy inquiries or to exercise your rights:
- Email: privacy@nestor.exchange
- Postal address: Nestor Exchange OÜ, Pikk 15, 10123 Tallinn, Estonia
To file a complaint with supervisory authorities:
- Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) – www.aki.ee
- Luxembourg: Commission Nationale pour la Protection des Données (CNPD) – www.cnpd.lu
Last updated: February 2026
© 2026 Nestor Exchange OÜ. All rights reserved.
