WarrenWarren
Back to Home

Privacy Policy

Your data belongs to you. We are committed to transparency in how we collect, use, and protect your personal information.

Last updated: March 11, 2026

1. Data Controller

The entity responsible for processing your personal data is:

Warren

Société par actions simplifiée (SAS)

Registered office: 19 rue du Quatre-Septembre, 75002 Paris

RCS: Paris 101 831 089

SIREN: 101 831 089

Warren acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Data Protection Contact

For all matters related to the protection of your personal data, you may contact our dedicated data protection team at:

privacy@warren.trade

2. Data We Collect

We collect only the data strictly necessary to provide our services and respond to your requests. Your data belongs to you — we will never sell it to third parties.

Identification Data

First name, last name, email address — collected when you request access, express interest in a deal, or contact us.

Investment Data

Company of interest, investment amount range, buy or sell interest type — collected through our expression of interest forms.

KYC & Compliance Data

Certified/qualified investor status, identity documents (passport, national ID), proof of address, source of funds, and any documentation required under applicable anti-money laundering (AML) and know-your-customer (KYC) regulations. This data is collected during the investor onboarding and subscription process.

Navigation & Technical Data

Browser type, device information, pages visited, referral source, geolocation (country/region level) — collected through Google Analytics. This tool uses cookies to distinguish unique visitors and sessions. Google Analytics 4 anonymizes IP addresses by default for visitors in the European Economic Area. Only aggregated, non-identifiable statistics are retained.

Communication Data

Messages, notes, and any information you voluntarily provide when contacting us or filling out forms on our website.

3. Legal Basis & Purposes

We process your personal data on the following legal grounds, in accordance with Article 6 of the GDPR:

Purpose

Legal Basis

Retention

Processing access requests and expressions of interest

Pre-contractual measures (Art. 6.1.b)

Duration of the relationship + 5 years

KYC/AML identity verification and investor qualification

Legal obligation (Art. 6.1.c)

5 years after end of relationship

Processing certified investor status and financial eligibility

Legal obligation (Art. 6.1.c)

Duration of the relationship + 5 years

Investor communication and deal updates

Legitimate interest (Art. 6.1.f)

3 years from last contact

Legal and regulatory compliance (AML, tax reporting)

Legal obligation (Art. 6.1.c)

As required by applicable law

Website analytics and performance improvement

Legitimate interest (Art. 6.1.f)

24 hours (visitor session); aggregated statistics up to 1 month

4. Data Recipients

Your personal data may be shared with the following categories of recipients, strictly on a need-to-know basis:

  • Warren team members — for processing your requests and managing the investor relationship.

  • Legal partners — including Overlord, our legal counsel and subscription platform provider, for deal structuring, KYC verification, and compliance.

  • Technical providers — Vercel (hosting), Supabase (database), and analytics tools, all operating under appropriate data protection agreements.

  • Regulatory authorities — when required by applicable laws or regulations, including AML/KYC obligations.

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.

5. International Data Transfers

Some of our technical providers process data outside the European Economic Area (EEA). The following safeguards are in place:

Vercel Inc. (United States)

Website hosting and edge network. Vercel is certified under the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection as recognized by the European Commission.

Supabase Inc. (United States)

Database and authentication services. Data is hosted on AWS infrastructure within the European Union (eu-west region). Supabase operates under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for any data that may transit through US-based systems.

Where neither an adequacy decision nor the EU-US DPF applies, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Additional technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization where appropriate).

6. Cookies & Local Storage

Our website is designed with a privacy-first approach. We do not use tracking cookies or any third-party advertising cookies.

Local Storage (Browser)

We use your browser's local storage (not cookies) to remember your theme preference (light/dark mode) and your cookie consent choice. This data never leaves your device and is not transmitted to our servers.

Google Analytics

We use Google Analytics to understand how visitors interact with our website. This tool is industry-standard and helps us measure website traffic and user engagement patterns. Google Analytics uses cookies to distinguish unique visitors and sessions. Google Analytics 4 anonymizes IP addresses by default for visitors in the European Economic Area.

No Personal Data Sold or Shared

We do not sell, share, or transmit any personal data to advertisers or third-party marketing services. Google Analytics data is processed in accordance with Google's data processing terms and cannot be used by Warren to identify individual visitors.

7. Your Rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

Right of Access

Obtain a copy of the personal data we hold about you.

Right of Rectification

Request correction of inaccurate or incomplete data.

Right of Erasure

Request deletion of your data, subject to legal retention obligations.

Right to Restrict Processing

Request temporary limitation of processing in certain circumstances.

Right to Object

Object to the processing of your data based on legitimate interest.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Withdraw Consent

Withdraw consent at any time, without affecting prior processing.

Right to Lodge a Complaint

File a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

To exercise any of these rights, please contact our data protection team at privacy@warren.trade. We will respond to your request within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls limited to authorized personnel, regular security assessments of our systems and providers, and secure handling of KYC documents with restricted access.

9. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or applicable regulations. Any significant changes will be communicated through our website.

We encourage you to review this page periodically to stay informed about how we protect your data.

10. Contact Us

For any questions or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at:

Warren — Data Protection

Email: privacy@warren.trade

Postal address: 19 rue du Quatre-Septembre, 75002 Paris

We are committed to responding to all data protection inquiries within 30 days of receipt.