Privacy Policy
Last updated: December 2025
1. Introduction and Scope
Anelio SAS ("Anelio", "we", "us", or "our"), a société par actions simplifiée organized under French law with registered office at [Address], is committed to protecting and respecting your privacy. This Privacy Policy ("Policy") describes how we collect, use, process, store, share, and protect personal information obtained through our website, mobile applications, and services (collectively, the "Platform").
This Policy applies to all users of our Platform, including visitors, prospective clients, registered users, and former clients. By accessing or using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy and our Terms of Service. If you do not agree with this Policy, you must not access or use our Platform.
We process personal data in accordance with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act (Loi Informatique et Libertés), and all applicable data protection legislation. As a data controller, we determine the purposes and means of processing your personal data.
2. Personal Data We Collect
2.1 Information You Provide Directly
We collect personal data that you voluntarily provide when you register for an account, use our services, or communicate with us. This includes: (a) Identity Data: full legal name, date of birth, nationality, identity document numbers (passport, national ID card), place of birth, and photographic identification; (b) Contact Data: residential address, postal address, email address, telephone numbers; (c) Financial Data: bank account details (IBAN, BIC/SWIFT), payment card information, transaction history, investment amounts, portfolio holdings, tax identification numbers (TIN), income information, source of funds declarations; (d) Profile Data: username, password, investment preferences, risk tolerance assessments, values alignment selections, communication preferences; (e) Verification Data: documents and information required for KYC and AML compliance, including proof of identity, proof of address, PEP declarations, and sanctions screening results.
2.2 Information Collected Automatically
When you access our Platform, we automatically collect: (a) Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone settings, geographic location data (derived from IP address), and referring website addresses; (b) Usage Data: pages visited, features accessed, time spent on pages, links clicked, transaction patterns, login times and frequency, error logs, and performance metrics; (c) Cookie Data: data collected through cookies, web beacons, and similar tracking technologies as described in our Cookie Policy.
2.3 Information from Third Parties
We may receive personal data from: (a) identity verification service providers and credit reference agencies for KYC/AML purposes; (b) payment processors and financial institutions; (c) fraud detection services; (d) marketing and analytics partners (with consent where required); (e) publicly available sources, including sanctions lists and PEP databases; (f) social media platforms if you connect your account.
3. Legal Bases and Purposes for Processing
Under GDPR Article 6, we process your personal data on the following legal bases: (a) Contractual Necessity (Article 6(1)(b)): Processing necessary for performing our contract with you, including account management, executing investment instructions, portfolio management and rebalancing, processing transactions, calculating fees, and providing customer support; (b) Legal Obligation (Article 6(1)(c)): Processing required to comply with legal and regulatory obligations, including KYC and AML requirements under French monetary and financial code and EU directives, tax reporting obligations (FATCA, CRS), compliance with court orders, maintaining records as required by law, and reporting to financial regulators; (c) Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including fraud prevention, security monitoring, improving our Platform, conducting data analytics, direct marketing to existing clients (subject to opt-out), and protecting our rights; (d) Consent (Article 6(1)(a)): Where we have obtained your explicit consent, including marketing communications to prospective clients and optional data collection for enhanced features.
For sensitive personal data (special categories under GDPR Article 9), we rely on explicit consent or processing necessary for reasons of substantial public interest (regulatory compliance). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your personal data with the following categories of recipients, subject to appropriate safeguards: (a) Service Providers: Third-party service providers who process data on our behalf under contractual data processing agreements, including cloud hosting providers (AWS, Google Cloud), payment processors, identity verification and KYC/AML screening services, customer support platforms, email and communication service providers, and IT security providers; (b) Financial Partners: Custodians, brokers, and liquidity providers necessary to execute your investment instructions; (c) Regulatory and Law Enforcement: Financial regulators (ACPR, AMF), tax authorities, law enforcement agencies pursuant to valid legal process, and other governmental authorities when required by law; (d) Professional Advisors: Legal counsel, auditors, accountants, and consultants bound by confidentiality; (e) Business Transfers: In connection with any merger, acquisition, financing, sale of assets, or bankruptcy proceeding, subject to confidentiality commitments; (f) With Your Consent: Any other parties to whom you explicitly consent to disclosure.
All third-party service providers are required to maintain appropriate security measures and process personal data only as instructed by us and in compliance with applicable laws.
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) that may not provide equivalent data protection standards. Where we transfer personal data outside the EEA, we implement appropriate safeguards, including: (a) European Commission approved Standard Contractual Clauses (SCCs); (b) adequacy decisions recognizing certain jurisdictions as providing adequate protection; (c) binding corporate rules for intra-group transfers; (d) derogations for specific situations under GDPR Article 49 where applicable.
We conduct transfer impact assessments to ensure that transferred data receives protection essentially equivalent to that guaranteed within the EEA. You may request copies of the safeguards we use by contacting our Data Protection Officer.
6. Data Security Measures
We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction: (a) Encryption: All data in transit is encrypted using TLS 1.3 or higher; sensitive data at rest is encrypted using AES-256; (b) Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for all system access, regular access reviews; (c) Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), regular vulnerability scanning and penetration testing, DDoS protection; (d) Monitoring: 24/7 security monitoring and incident response, automated threat detection, comprehensive audit logging and SIEM integration; (e) Personnel Security: Background checks for employees with data access, mandatory security awareness training, confidentiality agreements; (f) Physical Security: Secure data center facilities with restricted access, environmental controls, and backup power systems.
Despite these measures, no method of transmission or storage is 100% secure. In the event of a personal data breach, we will comply with applicable breach notification requirements, including notifying affected individuals and supervisory authorities within 72 hours where required by law.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations: (a) Active Accounts: Personal data is retained for the duration of your account relationship; (b) Closed Accounts: Following account closure, identification and transaction data is retained for 5 years as required by French AML regulations (Article L. 561-12 of the Monetary and Financial Code); tax-related information is retained for the applicable statutory period under French tax law (typically 6 years); (c) Marketing Data: Prospective client data is retained for 3 years from last interaction, subject to earlier deletion upon request; (d) Legal Claims: Data may be retained longer if necessary to establish, exercise, or defend legal claims; (e) Aggregated/Anonymized Data: Data that has been fully anonymized may be retained indefinitely for analytical purposes.
We implement automated deletion processes and conduct regular data retention reviews to ensure compliance with these policies.
8. Your Data Protection Rights
Under the GDPR and French data protection law, you have the following rights: (a) Right of Access (Article 15): You may request confirmation of whether we process your personal data and obtain a copy of such data; (b) Right to Rectification (Article 16): You may request correction of inaccurate personal data and completion of incomplete data; (c) Right to Erasure ("Right to be Forgotten", Article 17): You may request deletion of your personal data where the data is no longer necessary, you withdraw consent, you object to processing and no overriding grounds exist, the data has been unlawfully processed, or erasure is required for compliance with a legal obligation (Note: This right does not apply where retention is necessary for compliance with legal obligations, establishment/defense of legal claims, or other exceptions under Article 17(3)); (d) Right to Restriction of Processing (Article 18): You may request that we limit processing in certain circumstances; (e) Right to Data Portability (Article 20): You may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller; (f) Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing; (g) Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except where necessary for contract performance, authorized by law, or based on explicit consent.
To exercise these rights, please contact our Data Protection Officer using the details in Section 12. We will respond within one month, extendable by two additional months for complex requests. You have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) or your local supervisory authority if you believe we have violated your data protection rights.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our Platform. Cookies are small text files stored on your device. We use the following categories: (a) Strictly Necessary Cookies: Essential for Platform operation, including authentication, security, and basic functionality; (b) Performance Cookies: Collect anonymized information about Platform usage to improve performance; (c) Functional Cookies: Remember your preferences and provide enhanced features; (d) Targeting/Advertising Cookies: Track your browsing to deliver relevant advertisements (only with your consent).
You can control cookie settings through your browser preferences. Disabling certain cookies may limit Platform functionality. For detailed information, please refer to our separate Cookie Policy.
10. Children's Privacy
Our Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without appropriate parental consent, we will take steps to delete such information promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately.
11. Changes to This Policy
We may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via email to registered users and/or through a prominent notice on our Platform. The "Last Updated" date at the top of this Policy indicates when it was last revised. Continued use of our Platform after changes become effective constitutes acceptance of the revised Policy.
12. Contact Information and Data Protection Officer
For questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact:
Data Protection Officer
Anelio SAS
Email: privacy@anelio.io
Postal Address: [To be provided]
Telephone: [To be provided]
Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Website: www.cnil.fr