Privacy Policy

Version 2 · Effective: April 27, 2026 · Published: April 27, 2026

Malcolm

This Privacy Policy explains how Malcolm Inc., a Delaware corporation ("Malcolm," "we," "us," or "our"), collects, uses, and discloses personal data when you use our AI-enabled fund management software and related services (the "Services").

1. Who We Are

Malcolm Inc. is the Data Controller of your personal data. Because our primary operations and customers are in the United Kingdom, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our appointed UK Representative for data protection matters is our subsidiary, Part Central Limited (22, 23 Albert Embankment, London SE17GG).

Privacy Contact: data@aimalcolm.com

2. Data We Collect

We collect data strictly necessary to provide B2B fund management software to our clients.

  • Identity & Contact Data: Names, business email addresses, titles, and phone numbers of authorized users accessing our Services.

  • Financial & Portfolio Data: While our Services process corporate financial data, fund metrics, and portfolio company data, personal data embedded within these files (e.g., founder names, shareholder details) is processed by us strictly as a Data Processor on behalf of our clients (the Data Controllers).

  • Technical & Telemetry Data: IP addresses, login timestamps, browser types, and usage patterns regarding how users interact with our AI tools.

3. How We Use Your Data & Lawful Basis

We process your personal data under the following lawful bases:

  • Performance of a Contract: To create user accounts, provide customer support, and deliver the core functionality of the software.

  • Legitimate Interests: To ensure system security, prevent fraud, and monitor software performance.

  • Legal Obligation: To comply with applicable tax, financial, or regulatory requirements.

4. Artificial Intelligence & Automated Processing

Our core Services utilize artificial intelligence to analyze fund data.

  • No Unauthorized AI Training: We do not use your personal data or your proprietary fund data to train our foundational algorithmic models across our broader customer base without your explicit, separate consent. Your data remains siloed to your specific instance.

  • Automated Decision-Making: We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals under Article 22 of the UK GDPR.

5. Data Storage and International Transfers

Primary Storage: All primary databases and servers hosting customer data are physically located in London, United Kingdom, utilizing AWS enterprise-grade infrastructure.

International Access: As a Delaware corporation, our US-based personnel may require access to UK-hosted data for technical support, R&D, or administrative purposes. Any such access constitutes an international transfer. We safeguard these transfers using the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") or the UK International Data Transfer Agreement (IDTA).

6. Data Security and Retention

We implement robust technical and organizational measures (including encryption in transit and at rest) to protect your data. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to provide the Services under our Master Services Agreement, or to comply with legal, accounting, or regulatory reporting requirements.

7. Your Data Protection Rights

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you.

  • Correct any inaccurate or incomplete data.

  • Request Erasure of your data ("Right to be Forgotten").

  • Object to or restrict our processing of your data.

  • Request Data Portability to transfer your data to another service.

If you believe we have not processed your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

To exercise any of these rights, please contact our UK Representative at the details provided in Section 1. We will respond to all legitimate requests within 30 days.

8. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our AI technologies, legal obligations, or business practices. We will notify clients of material changes via email or an in-app notification.
