Privacy Policy

Effective Date: February 17, 2026

This Privacy Policy (this "Policy") describes how Carnelian Ventures LLC, a Delaware limited liability company ("Company," "Carnelian," "we," "our," or "us"), collects, uses, discloses, and safeguards personal information in connection with your access to and use of our websites, platforms, applications, and services, including without limitation the Carnelian Compass platform, ESG Compass, DAF Compass, and all related tools and services (collectively, the "Services"). This Policy is incorporated into and made part of our Terms of Use.

The Company is headquartered at 295 Madison Avenue, New York, NY 10017.

BY ACCESSING OR USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED IN THIS POLICY. IF YOU DO NOT AGREE WITH THIS POLICY, YOU MUST NOT ACCESS OR USE THE SERVICES.

ARTICLE I — INFORMATION WE COLLECT

Section 1.1. Information You Provide Directly.

We collect information that you voluntarily provide to us in connection with your use of the Services, including without limitation:

  1. Account and registration information, including your name, email address, telephone number, company name, job title, and professional credentials;
  2. Profile and preference data, including investment preferences, ESG priority weightings, portfolio composition, and customization settings;
  3. Financial information, including portfolio holdings, brokerage account data obtained through authorized integrations (such as Plaid or similar services), and billing and payment information processed through our payment processor (Stripe);
  4. Communication data, including the content of emails, messages, feedback, support inquiries, and other communications you send to or through the Services;
  5. User Content, including documents, reports, data uploads (including CSV portfolio imports), and other materials you submit to the Services; and
  6. Advisory engagement data, including operational, financial, organizational, and strategic information provided in connection with consulting or advisory services.

Section 1.2. Information Collected Automatically.

When you access or use the Services, we automatically collect certain information, including without limitation:

  1. Device and browser information, including IP address, browser type and version, operating system, device identifiers, and hardware settings;
  2. Usage data, including pages visited, features accessed, time spent on pages, clickstream data, search queries, and interaction patterns;
  3. Log data, including access times, referring and exit URLs, error logs, server performance data, and diagnostic information; and
  4. Approximate geographic location data based on IP address.

Section 1.3. Cookies and Tracking Technologies.

We use cookies, pixel tags, web beacons, and similar technologies to collect usage data, remember your preferences, analyze trends, administer the Services, and improve user experience. You may manage cookie preferences through your browser settings. Disabling certain cookies may limit your ability to use some features of the Services. For additional information, please refer to our Cookie Policy, available on our website.

Section 1.4. Information from Third Parties.

We may receive information about you from third-party sources, including:

  1. ESG data providers, public databases, and corporate disclosure repositories used to power our analytics;
  2. Brokerage firms and financial data aggregators (when you authorize account linking);
  3. Identity verification, fraud prevention, and credit reporting services; and
  4. Business partners, referral sources, marketing partners, and publicly available sources.

ARTICLE II — USE OF INFORMATION

We use the information we collect for the purposes set forth below. Where required by applicable law, we process personal information only where we have a lawful basis to do so.

Purpose Description
Service Delivery Providing, operating, maintaining, and improving the Services, including ESG analytics, platform features, and consulting engagements.
Personalization Customizing ESG scores, dashboards, recommendations, and reports based on your preferences, portfolio composition, and usage patterns.
Communication Sending transactional communications, service updates, security alerts, and, with your consent, marketing and promotional materials.
Analytics and Research Analyzing usage patterns and trends to improve the Services, develop new features, conduct ESG research, and generate aggregated market insights.
Security and Compliance Detecting and preventing fraud, enforcing our Terms, protecting the security and integrity of the Services, and complying with legal and regulatory obligations.
Billing and Payments Processing subscription payments, managing billing accounts, and providing invoices and receipts.
Aggregated Data Creating anonymized and aggregated datasets to improve ESG analytics, generate benchmarks, and produce market intelligence. No individual user is identifiable from aggregated data.

ARTICLE III — DISCLOSURE OF INFORMATION

The Company does not sell personal information. We may disclose your information in the following circumstances:

Section 3.1. Service Providers.

We disclose information to trusted third-party service providers who perform services on our behalf, including hosting, data storage, payment processing, customer support, email delivery, and analytics. Such providers are contractually obligated to use personal information solely for the purposes of providing services to the Company and in accordance with this Policy.

Section 3.2. Financial Data Integrations.

When you authorize connections to brokerage accounts, financial platforms, or wealth management systems, your financial data is transmitted to and received from such third-party providers in accordance with their respective terms of service and our data processing agreements.

Section 3.3. White-Label Partners.

If you access the Services through a white-label partner (such as a registered investment advisor or DAF sponsor), certain information may be disclosed to that partner to the extent necessary to provide the co-branded service. Such disclosures are governed by data processing agreements between the Company and the applicable partner.

Section 3.4. Legal and Regulatory Requirements.

We may disclose your information when required to do so by law, regulation, subpoena, court order, or other legal process, or when we have a good-faith belief that disclosure is reasonably necessary to: (a) comply with applicable law; (b) enforce our Terms of Use; (c) protect the rights, property, or safety of the Company, its users, or third parties; or (d) detect, prevent, or address fraud, security, or technical issues.

Section 3.5. Business Transfers.

In the event of a merger, acquisition, reorganization, dissolution, bankruptcy, or sale of all or substantially all of the Company's assets, your information may be transferred as part of such transaction. We will provide notice before your information becomes subject to a materially different privacy policy.

Section 3.6. With Your Consent.

We may disclose your information for any other purpose with your prior, express consent.

ARTICLE IV — DATA SECURITY

The Company implements commercially reasonable technical, administrative, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, without limitation:

  1. Encryption of data in transit using Transport Layer Security (TLS 1.2 or higher) and at rest using AES-256 encryption;
  2. Multi-factor authentication and single sign-on capabilities;
  3. SOC 2 Type II compliance framework with periodic third-party audits;
  4. Regular vulnerability assessments, penetration testing, and security audits;
  5. Role-based access controls restricting data access to authorized personnel on a need-to-know basis;
  6. Comprehensive audit logging of all data access and system modifications; and
  7. Documented incident response and breach notification procedures.

Notwithstanding the foregoing, no method of electronic transmission or data storage is completely secure, and the Company cannot guarantee the absolute security of your information.

ARTICLE V — DATA RETENTION

We retain personal information for as long as your account remains active or as necessary to provide the Services. We may also retain personal information as required to: (a) comply with applicable legal, regulatory, or accounting obligations; (b) resolve disputes; (c) enforce our agreements; or (d) pursue legitimate business purposes. When personal information is no longer required for any of the foregoing purposes, we shall securely delete or anonymize such information in accordance with our data retention schedule.

ARTICLE VI — YOUR RIGHTS AND CHOICES

Section 6.1. Right of Access.

You have the right to request access to the personal information we hold about you and to receive a copy thereof in a structured, commonly used, and machine-readable format.

Section 6.2. Right of Correction.

You have the right to request the correction of any inaccurate or incomplete personal information we hold about you.

Section 6.3. Right of Deletion.

You have the right to request the deletion of your personal information, subject to applicable legal exceptions, including information we are required to retain for compliance, legal, or contractual purposes.

Section 6.4. Right to Opt Out of Marketing.

You may opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at legal@carnelianventures.com. Opting out of marketing communications does not affect your receipt of transactional or service-related communications.

Section 6.5. Cookie Preferences.

You may manage cookie preferences through your browser settings or through our cookie consent management tool, if available on the Services.

Section 6.6. Do Not Track Signals.

The Services do not currently respond to "Do Not Track" browser signals. We will update this Policy if we adopt a "Do Not Track" standard in the future.

ARTICLE VII — CALIFORNIA PRIVACY RIGHTS

If you are a resident of the State of California, you have the following additional rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA):

  1. The right to know what categories and specific pieces of personal information we have collected, used, disclosed, and, if applicable, sold or shared;
  2. The right to request deletion of personal information we hold about you, subject to applicable exceptions;
  3. The right to opt out of the sale or sharing of personal information. The Company does not sell personal information as defined under the CCPA/CPRA;
  4. The right to non-discrimination for exercising your privacy rights under the CCPA/CPRA;
  5. The right to request correction of inaccurate personal information; and
  6. The right to limit the use and disclosure of sensitive personal information.

To exercise any of these rights, please submit a verifiable consumer request to legal@carnelianventures.com. We will verify your identity before fulfilling any request and will respond within the timeframes required by applicable law.

ARTICLE VIII — EUROPEAN AND INTERNATIONAL PRIVACY RIGHTS

Section 8.1. GDPR Rights.

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, you have additional rights under the General Data Protection Regulation ("GDPR") and applicable local data protection laws, including:

  1. The right to access, rectify, or erase your personal data;
  2. The right to restrict or object to the processing of your personal data;
  3. The right to data portability;
  4. The right to withdraw consent at any time, where processing is based on consent; and
  5. The right to lodge a complaint with a competent supervisory authority.

Section 8.2. Legal Bases for Processing.

Our legal bases for processing personal data include: (a) performance of a contract to which you are a party; (b) our legitimate interests, including improving the Services, ensuring security, and preventing fraud; (c) compliance with legal obligations; and (d) your consent, where applicable.

Section 8.3. International Data Transfers.

Your personal data may be transferred to and processed in the United States or other jurisdictions outside the EEA, UK, or Switzerland. For such transfers, we rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement, or other appropriate transfer mechanisms recognized under applicable law.

ARTICLE IX — CHILDREN'S PRIVACY

The Services are not directed to, and the Company does not knowingly collect personal information from, individuals under the age of eighteen (18). If we become aware that we have inadvertently collected personal information from a child under the age of 18, we will take commercially reasonable steps to delete such information promptly. If you believe that we have collected personal information from a child under 18, please contact us immediately at legal@carnelianventures.com.

ARTICLE X — THIRD-PARTY SERVICES AND LINKS

The Services may contain links to, or integrations with, third-party websites, platforms, applications, and services, including without limitation ESG data providers, financial platforms, and partner websites. This Policy does not govern such third-party services, and we are not responsible for their privacy practices, content, or security. We encourage you to review the privacy policies of any third-party services you access through the Services.

ARTICLE XI — ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING

The Carnelian Compass platform employs artificial intelligence, machine learning, and other automated processing technologies to generate scores, impact analytics, risk assessments, and recommendations. These automated processes analyze publicly available data, proprietary datasets, third-party data, and user-provided information. The Company does not make any solely automated decision that produces legal effects or similarly significant effects concerning you without providing an opportunity for human review. You have the right to request information about the logic involved in any automated processing and to request human intervention or review.

ARTICLE XII — AMENDMENTS TO THIS POLICY

The Company reserves the right to amend this Policy at any time. We will notify you of material changes by: (a) posting the updated Policy on our website with a revised effective date; and (b) where required by applicable law, sending written notice to the email address associated with your account not less than thirty (30) days before the amendments take effect. Your continued use of the Services after the updated Policy becomes effective constitutes your acceptance of the amended Policy.

ARTICLE XIII — CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or the Company's data practices, or if you wish to exercise any of your rights described herein, please contact us at:

Carnelian Ventures LLC

Attn: Legal Department / Privacy Inquiries

295 Madison Avenue, New York, NY 10017

Email: legal@carnelianventures.com

For data protection inquiries originating from the EEA, UK, or Switzerland, you may also direct correspondence to the above address.