Last updated · 14 May 2026

Data Retention Policy

This Policy describes how long ArtVault Inc. ("ArtVault", "we", "us") retains personal data, transaction records, and supporting documentation collected through artvault.fund and our related services. It supplements our Privacy Policy. Retention periods are set by reference to the legitimate business purpose for which data was collected and to applicable legal, regulatory, tax, and audit requirements.

1. Principles

1.1 Purpose limitation

We retain personal data only for purposes identified at the point of collection or for compatible secondary purposes consistent with those original purposes.

1.2 Minimum necessary

Retention periods are set at the minimum necessary to meet the relevant purpose. Where business or legal needs are satisfied, data is deleted, anonymised, or otherwise rendered no longer identifiable.

1.3 Secure deletion

Records reaching the end of their retention period are deleted, anonymised, or destroyed using commercially reasonable methods. Backups containing the affected records are purged on the next scheduled rotation following deletion of the primary record.

2. Retention by Category

2.1 KYC and KYB records

Identity-verification documents, beneficial-ownership records, sanctions and PEP screening results, and source-of-funds documentation are retained for seven (7) years after the end of the customer or counterparty relationship, consistent with the U.S. Bank Secrecy Act and FinCEN customer-due-diligence recordkeeping requirements (31 C.F.R. Part 1010) and equivalent foreign laws.

2.2 Appraisals and loan files

Collateral appraisals, condition reports, executed loan agreements, security agreements, UCC filings, custody and insurance records, payment ledgers, and default and remedy correspondence are retained for seven (7) years after loan payoff, charge-off, or final disposition of the collateral.

2.3 Investor records

Subscription documents, accreditation evidence, side letters, capital-call and distribution records, and tax forms (W-9, W-8 series, K-1, 1099) are retained for seven (7) years after the investor's exit, consistent with SEC Investment Advisers Act Rule 204-2 and U.S. federal tax recordkeeping rules.

2.4 Financial and accounting records

General ledger entries, bank statements, wire confirmations, audit work papers, and financial statements are retained for seven (7) years from the close of the relevant fiscal year.

2.5 Communications

Emails, call recordings, meeting notes, and other business communications not otherwise included above are retained for three (3) years from the date of the communication. Communications tied to a specific loan, investor, or KYC file are retained for the longer of (a) this period or (b) the retention period for the underlying file.

2.6 Marketing and contact preferences

Marketing-list opt-ins, contact preferences, and records of consent withdrawal are retained until the subscriber withdraws consent, plus a minimum proof-of-consent record kept for the period required by applicable law.

2.7 Web logs and analytics

IP address, browser, device, and aggregate analytics data collected automatically through the Services are retained for twenty-four (24) months from collection, unless tied to a customer or investor file (in which case the file's retention period applies).

3. Legal Hold

If we become aware of actual or threatened litigation, a regulatory inquiry, a subpoena, or any other legal hold, the records within the scope of that hold are retained until the hold is lifted, regardless of the standard periods above. Counsel oversees the scope and release of any legal hold.

4. Deletion Process

4.1 Primary systems

At the end of the applicable retention period, records are deleted or anonymised in the primary production systems by automated process or by case-by-case manual workflow where automation is not practical.

4.2 Backups and archives

Backups are retained on a rolling basis. Records deleted from production are purged from backups on the next scheduled rotation; backups are not used to re-create deleted records other than to recover from an operational incident.

4.3 Third parties

Where third-party service providers process personal data on our behalf, we contract for deletion or return of such data at the end of the engagement or earlier on request, subject to their legal retention obligations.

5. Changes

We may update this Policy from time to time. The "Last updated" date above reflects the most recent revision. Where required by law, we will notify affected individuals of material changes.

6. Contact

Questions about retention or requests relating to specific records: info@artvault.fund.