Privacy Policy

Your data belongs to you. We are committed to transparency in how we collect, use, and protect your personal information.

Last updated: May 22, 2026

1. Data Controller

The entity responsible for processing your personal data is:

Warren

Société par actions simplifiée (SAS)

Registered office: 19 rue du Quatre-Septembre, 75002 Paris

RCS: Paris 101 831 089

SIREN: 101 831 089

Warren acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Data Protection Contact

For all matters related to the protection of your personal data, you may contact our dedicated data protection team at:

privacy@warren.trade


2. Data We Collect

We collect only the data strictly necessary to provide our services and respond to your requests. Your data belongs to you — we will never sell it to third parties.

Identification Data

First name, last name, email address — collected when you request access, express interest in a deal, or contact us.

Investment Data

Company of interest, investment amount range, buy or sell interest type — collected through our expression of interest forms.

KYC & Compliance Data

Certified/qualified investor status, identity documents (passport, national ID), proof of address, source of funds, and any documentation required under applicable anti-money laundering (AML) and know-your-customer (KYC) regulations. This data is collected during the investor onboarding and subscription process.

Navigation & Technical Data

Browser type, device information, pages visited, referral source, geolocation (country/region level) — collected through Vercel Analytics. This tool is cookie-free and does not store any client identifier. Visitor counts are derived from anonymized, server-side hashes that rotate daily and cannot be linked back to an individual. Only aggregated, non-identifiable statistics are retained.

Communication Data

Messages, notes, and any information you voluntarily provide when contacting us or filling out forms on our website.


3. Legal Basis & Purposes

We process your personal data on the following legal grounds, in accordance with Article 6 of the GDPR:

| Purpose | Legal Basis | Retention |
| --- | --- | --- |
| Processing access requests and expressions of interest | Pre-contractual measures (Art. 6.1.b) | Duration of the relationship + 5 years |
| KYC/AML identity verification and investor qualification | Legal obligation (Art. 6.1.c) | 5 years after end of relationship |
| Processing certified investor status and financial eligibility | Legal obligation (Art. 6.1.c) | Duration of the relationship + 5 years |
| Investor communication and deal updates | Legitimate interest (Art. 6.1.f) | 3 years from last contact |
| Legal and regulatory compliance (AML, tax reporting) | Legal obligation (Art. 6.1.c) | As required by applicable law |
| Website analytics and performance improvement | Legitimate interest (Art. 6.1.f) | No session tracking; aggregated statistics retained up to 1 month |


4. Data Recipients

Your personal data may be shared with the following categories of recipients, strictly on a need-to-know basis:

  • Warren team members — for processing your requests and managing the investor relationship.

  • Legal partners — including Overlord, our legal counsel and subscription platform provider, for deal structuring, KYC verification, and compliance.

  • Technical providers — Vercel (hosting and analytics), Supabase (database), and Contentful (content management), all operating under appropriate data protection agreements.

  • Regulatory authorities — when required by applicable laws or regulations, including AML/KYC obligations.

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.


5. International Data Transfers

Some of our technical providers process data outside the European Economic Area (EEA). The following safeguards are in place:

Vercel Inc. (United States)

Website hosting and edge network. Vercel is certified under the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection as recognized by the European Commission.

Supabase Inc. (United States)

Database and authentication services. Data is hosted on AWS infrastructure within the European Union (eu-west region). Supabase operates under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for any data that may transit through US-based systems.

Where neither an adequacy decision nor the EU-US DPF applies, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Additional technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization where appropriate).


6. Cookies & Local Storage

Our website is designed with a privacy-first approach. We do not use tracking cookies or any third-party advertising cookies.

Local Storage (Browser)

We use your browser's local storage (not cookies) to remember your theme preference (light/dark mode). This data never leaves your device and is not transmitted to our servers.

Privacy-Friendly Analytics

We use Vercel Analytics to understand how visitors interact with our website. Unlike most web analytics tools, Vercel Analytics does not use cookies, does not store any device or client identifier, and does not collect IP addresses. Visitor counts rely on aggregated, anonymized hashes that rotate daily on the server side. As a result, the analytics signal we get cannot be linked back to any individual visitor.

No Personal Data Sold or Shared

We do not sell, share, or transmit any personal data to advertisers or third-party marketing services. Vercel Analytics processes data on our behalf under a Data Processing Agreement and cannot be used by Warren to identify individual visitors.


7. Your Rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

Right of Access

Obtain a copy of the personal data we hold about you.

Right of Rectification

Request correction of inaccurate or incomplete data.

Right of Erasure

Request deletion of your data, subject to legal retention obligations.

Right to Restrict Processing

Request temporary limitation of processing in certain circumstances.

Right to Object

Object to the processing of your data based on legitimate interest.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Withdraw Consent

Withdraw consent at any time, without affecting prior processing.

Right to Lodge a Complaint

File a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

To exercise any of these rights, please contact our data protection team at privacy@warren.trade. We will respond to your request within 30 days.


8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls limited to authorized personnel, regular security assessments of our systems and providers, and secure handling of KYC documents with restricted access.


9. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or applicable regulations. Any significant changes will be communicated through our website.

We encourage you to review this page periodically to stay informed about how we protect your data.


10. Contact Us

For any questions or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at:

Warren — Data Protection

Email: privacy@warren.trade

Postal address: 19 rue du Quatre-Septembre, 75002 Paris

We are committed to responding to all data protection inquiries within 30 days of receipt.


Observability

We use Datadog (Datadog Inc., EU region) as a sub-processor to monitor the technical health of this website through Real User Monitoring and Synthetic Monitoring. When you accept cookies, Datadog stores a first-party session identifier in your browser so that we can correlate page views from the same visit and identify performance regressions. Form contents and directly identifiable information are not collected. You can refuse this collection at any time through the cookie banner displayed on your first visit. Telemetry is hosted on Datadog's EU infrastructure.