PRIVACY POLICY

FINISSIMO CAPITAL LLC

Version 2.0
Effective Date: September 1, 2025
Last Modified: September 1, 2025

ARTICLE I: GENERAL PROVISIONS AND SCOPE

Section 1.1: Data Controller Identification

Finissimo Capital LLC, a Delaware limited liability company ("Finissimo Capital," "Company," "we," "us," or "our"), having its principal place of business at 8 The Green, Dover, Delaware 19901, United States of America, serves as the data controller for all personal information processed through our website located at https://www.finissi.com (the "Website"). For purposes of applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy frameworks, Finissimo Capital LLC assumes full responsibility for the processing activities described herein.

Section 1.2: Voluntary Compliance Framework

While Finissimo Capital LLC operates as a non-regulated private investment entity holding company not subject to mandatory licensing requirements under federal securities laws, we voluntarily adopt and maintain compliance standards consistent with those applicable to regulated financial institutions. This commitment encompasses adherence to best practices derived from Know Your Customer ("KYC") and Anti-Money Laundering ("AML") protocols, Securities and Exchange Commission ("SEC") guidance, Financial Industry Regulatory Authority ("FINRA") standards where applicable, and international data protection frameworks including ISO 27001 and SOC 2 Type II certification standards.

Section 1.3: Acceptance and Modification

By accessing, browsing, or otherwise utilizing the Website, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. We reserve the right to modify this Privacy Policy at our sole discretion. Material changes will be communicated through prominent notice on the Website at least thirty (30) days prior to the effective date of such modifications. Your continued use of the Website following the posting of changes constitutes your acceptance of such changes.

ARTICLE II: INFORMATION COLLECTION PRACTICES

Section 2.1: Categories of Personal Information Collected

We collect and process the following categories of personal information through various means and for specified purposes:

Directly Provided Information encompasses all data voluntarily submitted by users through our Website interfaces, including but not limited to: full legal name, professional title and organizational affiliation, business contact information including primary and secondary email addresses, direct dial and mobile telephone numbers, business mailing address, professional biography and curriculum vitae, LinkedIn profile and other professional networking information, and any additional information provided through free-text fields in our contact forms or correspondence.

Automatically Collected Information includes technical data gathered through automated means during your interaction with our Website, comprising: Internet Protocol (IP) addresses and derived geolocation data, browser type, version, and language settings, operating system and platform information, uniform resource locator (URL) clickstream data including referring and exit pages, pages viewed and interaction patterns, timestamps and duration of page visits, search queries entered on our Website, and unique device identifiers including mobile device advertising identifiers where applicable.

Professional Verification Information may be collected when you express interest in our services or seek to establish a business relationship, including: professional licensing and certification information, educational background and credentials, employment history and verification, professional references, and publicly available information from professional databases and business intelligence platforms.

Financial and Transactional Information collected solely for legitimate business purposes and subject to enhanced security measures, including: accredited investor status verification documentation, proof of funds or assets under management representations, tax identification numbers for regulatory reporting purposes, banking information for transaction processing where applicable, and investment interest and preference data.

Cookie and Tracking Technology Data as further detailed in Article VII of this Policy, encompassing: essential cookies required for Website functionality, performance and analytics cookies, functionality and preference cookies, and third-party integration cookies subject to separate consent.

Section 2.2: Sources of Personal Information

Personal information is obtained through multiple channels including: direct collection through Website interfaces and forms, automatic collection via server logs and analytics tools, third-party business intelligence and verification services, publicly available sources including professional directories and regulatory databases, and referrals from existing clients or professional networks with appropriate consent.

Section 2.3: Sensitive Personal Information

We do not intentionally collect special categories of personal data as defined under GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying individuals, health data, or data concerning sex life or sexual orientation. Should such information be inadvertently provided, it will be promptly deleted unless retention is required by applicable law.

ARTICLE III: LAWFUL BASES AND PURPOSES OF PROCESSING

Section 3.1: Legal Bases for Processing

We process personal information only where we have identified appropriate lawful bases under applicable data protection legislation:

Legitimate Interests form the primary basis for most processing activities, subject to careful balancing tests ensuring that our interests do not override your fundamental rights and freedoms. Such legitimate interests include: operating, maintaining, and improving our Website and services, ensuring network and information security, preventing fraud and unauthorized access, conducting business development and relationship management activities, performing internal analytics and business intelligence, and managing legal claims and compliance obligations.

Contractual Necessity applies where processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into such contract, including: responding to inquiries regarding our services, conducting due diligence for potential business relationships, facilitating investment transactions where applicable, and providing requested information or services.

Legal Obligations require certain processing activities to comply with applicable laws and regulations, including: maintaining records for tax and accounting purposes, responding to lawful requests from law enforcement or regulatory authorities, complying with court orders and legal process, and fulfilling anti-money laundering and know-your-customer obligations where applicable.

Consent serves as the basis for certain optional processing activities, including: marketing communications and newsletters, use of optional cookies and tracking technologies, and sharing of information with third parties beyond what is necessary for service provision.

Vital Interests may necessitate processing in rare circumstances to protect vital interests of you or another natural person where you are physically or legally incapable of giving consent.

Section 3.2: Purpose Specification

Personal information is processed exclusively for the following specified purposes, with clear mapping between data categories and processing purposes:

Service Delivery and Operations utilizing contact and professional information to respond to inquiries and provide requested information, facilitate business relationships and potential transactions, maintain and improve Website functionality and user experience, and provide customer support and relationship management.

Security and Fraud Prevention employing technical and access data to detect, prevent, and investigate security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, ensure the security and integrity of our systems and data, and maintain audit logs for compliance and forensic purposes.

Legal and Regulatory Compliance processing necessary information to comply with applicable laws, regulations, and legal process, respond to governmental and regulatory inquiries, establish, exercise, or defend legal claims, and maintain records as required by applicable retention requirements.

Business Intelligence and Analytics analyzing aggregated and anonymized data to understand Website usage patterns and improve user experience, conduct market research and business development activities, develop and improve our services and offerings, and generate internal reports and business insights.

Marketing and Communications with appropriate consent or legitimate interest basis to send newsletters, updates, and relevant business communications, provide information about our services and investment opportunities where permitted, and manage your communication preferences and opt-out requests.

ARTICLE IV: DATA SHARING AND DISCLOSURE

Section 4.1: Categories of Recipients

We maintain strict controls over the sharing of personal information and disclose such information only to the following categories of recipients under specified circumstances:

Professional Service Providers operating under strict confidentiality obligations and data processing agreements, including: technology infrastructure and hosting providers maintaining SOC 2 Type II certification, cybersecurity and information security consultants, legal counsel and compliance advisors, accounting and audit firms, and business intelligence and verification service providers.

Regulatory and Governmental Authorities where required by applicable law or legal process, including: federal, state, and local regulatory agencies with jurisdiction over our activities, law enforcement agencies pursuant to valid legal process, courts and tribunals in connection with legal proceedings, and tax authorities for reporting and compliance purposes.

Corporate Transaction Parties in connection with potential or actual corporate transactions, including: prospective acquirers, merger partners, or investors conducting due diligence, successor entities following a merger, acquisition, or restructuring, professional advisors representing transaction parties under appropriate confidentiality agreements, and escrow agents and other transaction facilitators.

Third Parties with Consent only where you have provided explicit consent for such sharing, including: business partners for joint service delivery, referral partners under appropriate agreements, and other parties you specifically authorize.

Section 4.2: International Data Transfers

Given the global nature of our operations, personal information may be transferred to and processed in countries outside your jurisdiction of residence, including the United States and other countries that may not provide the same level of data protection as your home jurisdiction.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we implement appropriate safeguards including: reliance on adequacy decisions where available, implementation of Standard Contractual Clauses approved by the European Commission, obtaining explicit consent for specific transfers where appropriate, and implementing supplementary technical and organizational measures as required following the Schrems II decision.

We conduct transfer impact assessments for all systematic international data transfers and maintain records of such assessments available for regulatory review upon request.

ARTICLE V: DATA SECURITY AND BREACH NOTIFICATION

Section 5.1: Technical and Organizational Measures

We implement comprehensive technical and organizational security measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include but are not limited to:

Technical Safeguards comprising encryption of data in transit using TLS 1.3 or higher protocols, encryption of sensitive data at rest using AES-256 encryption standards, multi-factor authentication for all administrative access, regular security patches and vulnerability management, intrusion detection and prevention systems, comprehensive logging and monitoring systems, and regular penetration testing and security assessments.

Organizational Safeguards including strict access controls based on the principle of least privilege, comprehensive employee training on data protection and security, confidentiality agreements with all personnel having access to personal information, formal incident response and disaster recovery procedures, vendor management and third-party risk assessment programs, and regular security audits and compliance assessments.

Section 5.2: Breach Notification Procedures

In the event of a personal data breach, we maintain comprehensive incident response procedures consistent with GDPR Article 33 and applicable state breach notification laws. We commit to notifying affected individuals without undue delay and in no event later than seventy-two (72) hours after becoming aware of a breach that poses a risk to individuals' rights and freedoms. Notifications will include the nature and scope of the breach, categories and approximate number of individuals affected, likely consequences of the breach, measures taken or proposed to address the breach, and contact information for our Data Protection Officer or privacy team.

ARTICLE VI: INDIVIDUAL RIGHTS AND REMEDIES

Section 6.1: Rights Under Applicable Law

We recognize and facilitate the exercise of all rights granted under applicable data protection legislation, including:

Right of Access enabling you to obtain confirmation of whether we process your personal information and to receive a copy of such information along with supplementary information about the processing.

Right to Rectification allowing you to request correction of inaccurate personal information and completion of incomplete personal information.

Right to Erasure permitting you to request deletion of your personal information under certain circumstances, subject to legal retention requirements and other applicable exemptions.

Right to Restriction of Processing enabling you to request temporary suspension of processing under specified conditions.

Right to Data Portability allowing you to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible.

Right to Object permitting you to object to processing based on legitimate interests, direct marketing, or processing for research and statistical purposes.

Rights Related to Automated Decision-Making including the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Right to Withdraw Consent where processing is based on consent, allowing you to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Section 6.2: Exercise of Rights

To exercise any of these rights, you may submit a request to privacy@finissi.com or through our dedicated privacy portal. We will respond to valid requests within thirty (30) days of receipt, subject to extension by an additional sixty (60) days where necessary considering the complexity and number of requests. We may request additional information necessary to verify your identity and ensure the security of personal information. We will not discriminate against you for exercising your privacy rights.

Section 6.3: Complaints and Remedies

If you believe our processing of your personal information violates applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. For European Economic Area residents, this includes your local data protection authority. We encourage you to contact us first at privacy@finissi.com to allow us to address your concerns directly.

ARTICLE VII: COOKIE POLICY AND TRACKING TECHNOLOGIES

Section 7.1: Categories of Cookies

Our Website utilizes the following categories of cookies and similar tracking technologies:

Strictly Necessary Cookies essential for Website operation and security, including session management cookies, security tokens, and load balancing cookies. These cookies cannot be disabled without materially impacting Website functionality.

Performance and Analytics Cookies used to understand Website usage patterns and improve performance, including Google Analytics with IP anonymization enabled, internal analytics cookies, and error tracking cookies. These cookies are subject to opt-in consent in jurisdictions requiring such consent.

Functionality Cookies enabling enhanced features and personalization, including language and region preferences, user interface customization settings, and form auto-fill functionality. Users may disable these cookies with potential impact on user experience.

Targeting and Advertising Cookies currently not utilized on our Website, but this policy will be updated should such cookies be implemented in the future.

Section 7.2: Cookie Consent and Management

We implement a comprehensive cookie consent management platform compliant with the EU ePrivacy Directive and similar regulations. Upon first visit to our Website from applicable jurisdictions, you will be presented with granular options to accept or reject non-essential cookie categories. You may modify your cookie preferences at any time through our cookie settings interface or by contacting privacy@finissi.com. We honor Global Privacy Control and similar browser-based opt-out signals where technically feasible.

ARTICLE VIII: DATA RETENTION AND DELETION

Section 8.1: Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, plus any additional period required by applicable law or to establish, exercise, or defend legal claims. Specific retention periods include:

Transactional Records including investment documentation and financial records retained for seven (7) years following the conclusion of the business relationship or transaction in accordance with applicable tax and financial regulations.

Communication Records including email correspondence and meeting notes retained for six (6) years unless longer retention is required for legal or compliance purposes.

Website Analytics Data retained in identifiable form for no more than twenty-four (24) months, after which it is aggregated or anonymized.

Marketing Lists updated annually with inactive contacts removed after three (3) years of non-engagement unless explicit consent for longer retention is obtained.

Security Logs retained for twelve (12) months for security and forensic purposes unless longer retention is required in connection with an investigation or legal proceeding.

Section 8.2: Deletion and Anonymization Procedures

Upon expiration of applicable retention periods or valid deletion requests, we implement secure deletion procedures including cryptographic erasure for encrypted data, physical destruction of paper records, and anonymization where complete deletion is not feasible. We maintain deletion logs documenting compliance with retention schedules and deletion requests.

ARTICLE IX: SPECIFIC JURISDICTIONAL PROVISIONS

Section 9.1: California Residents

California residents have additional rights under the CCPA/CPRA, including the right to know categories and specific pieces of personal information collected, disclosed, or sold, the right to request deletion subject to applicable exceptions, the right to opt-out of sale or sharing (noting that we do not sell personal information), the right to correct inaccurate information, the right to limit use and disclosure of sensitive personal information, and the right to non-discrimination for exercising privacy rights. To exercise these rights, California residents may submit requests to privacy@finissi.com. We may require verification of identity including matching information provided with information we maintain.

Section 9.2: European Economic Area, United Kingdom, and Switzerland

For individuals in these jurisdictions, we comply with GDPR and equivalent national legislation. Our EU Representative for GDPR Article 27 purposes can be contacted at EU@finissi.com. We participate in appropriate data transfer mechanisms and maintain records of processing activities available for supervisory authority inspection.

Section 9.3: Other Jurisdictions

We acknowledge and comply with applicable data protection laws in all jurisdictions where we conduct business, including but not limited to Brazil's LGPD, Canada's PIPEDA, and emerging privacy frameworks in other jurisdictions.

ARTICLE X: CHILDREN'S PRIVACY

Our Website and services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under eighteen (18), we will take immediate steps to delete such information unless retention is required by law. Parents or guardians who believe we may have collected information from their child should contact us immediately at privacy@finissi.com.

ARTICLE XI: THIRD-PARTY LINKS AND SERVICES

Our Website may contain hyperlinks to third-party websites, applications, or services that are not operated or controlled by Finissimo Capital LLC. This Privacy Policy does not apply to such third-party services, and we assume no responsibility for the privacy practices or content of third-party sites. We encourage you to review the privacy policies of any third-party services before providing personal information.

ARTICLE XII: DATA PROTECTION OFFICER

While not statutorily required to designate a Data Protection Officer, we have appointed a privacy officer responsible for overseeing our data protection strategy and compliance. You may contact our privacy team at:

Email: privacy@finissi.com

For optimal response time, we encourage electronic communication. All privacy inquiries will receive acknowledgment within two (2) business days and substantive response within thirty (30) days.

ARTICLE XIII: GOVERNING LAW AND DISPUTE RESOLUTION

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, except where superseded by applicable federal law or the mandatory provisions of other applicable data protection legislation. Any disputes arising under this Privacy Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Delaware, except where prohibited by applicable law.

ARTICLE XIV: SEVERABILITY AND ENTIRE AGREEMENT

If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired. This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Finissimo Capital LLC regarding the collection, use, and disclosure of personal information through our Website.

ARTICLE XV: CONTACT INFORMATION

For all privacy-related inquiries, requests, or concerns, please contact:

Finissimo Capital LLC
Attention: Privacy Officer
Email: privacy@finissi.com
Website: https://www.finissi.com

We are committed to resolving privacy concerns and will make every reasonable effort to address inquiries promptly and transparently.

Document Control:
Version: 2.0
Effective Date: September 1, 2025
Last Review: September 1, 2025
Next Scheduled Review: December 1, 2025

© 2025 Finissimo Capital LLC. All rights reserved.