GDPR Data Protection Notice

Last Updated: 23 March 2026

Your Privacy Matters: AFA Management Sàrl is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Luxembourg data protection laws.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

1. Contractual Necessity (GDPR Art. 6(1)(b))

Processing is necessary to perform our contract with you as an investor, including managing your investment subscription, providing portfolio information, and processing transactions.

2. Legal Obligation (GDPR Art. 6(1)(c))

We must process certain data to comply with legal obligations including:

  • Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements
  • Tax reporting obligations (FATCA, CRS, DAC6)
  • CSSF regulatory requirements and supervision
  • Financial record-keeping requirements under Luxembourg law

3. Legitimate Interests (GDPR Art. 6(1)(f))

We process data where necessary for our legitimate business interests, including:

  • Improving our platform and services
  • Ensuring platform security and preventing fraud
  • Customer service and support
  • Business analytics and reporting

4. Consent (GDPR Art. 6(1)(a))

Where required, we obtain your explicit consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.

Data Protection Principles

We adhere to GDPR's core principles:

  • Lawfulness, Fairness, Transparency: We process data legally, fairly, and transparently
  • Purpose Limitation: Data is collected for specified, legitimate purposes only
  • Data Minimisation: We collect only data that is necessary for our purposes
  • Accuracy: We keep personal data accurate and up to date
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity and Confidentiality: We implement appropriate security measures

Your Rights Under GDPR

📋 Right to Access (Art. 15)

You can request a copy of the personal data we hold about you

✏️ Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete data

🗑️ Right to Erasure (Art. 17)

You can request deletion of your data (subject to legal retention requirements)

⏸️ Right to Restriction (Art. 18)

You can request limitation of how we process your data

📤 Right to Data Portability (Art. 20)

You can receive your data in a structured, machine-readable format

🚫 Right to Object (Art. 21)

You can object to processing based on legitimate interests

🔄 Right to Withdraw Consent (Art. 7(3))

You can withdraw consent at any time where consent is the legal basis

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact our Data Protection Officer:

Data Protection Officer

AFA Management Sàrl

Email: [email protected]

We will respond to your request within 30 days as required by GDPR.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose high risks to your rights and freedoms, ensuring appropriate safeguards are in place.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Luxembourg CNPD within 72 hours as required by GDPR Articles 33 and 34.

Supervisory Authority

You have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD):

Commission Nationale pour la Protection des Données (CNPD)

15, Boulevard du Jazz

L-4370 Belvaux

Luxembourg

Tel: +352 26 10 60 1

Website: cnpd.lu