Altium Fund – Osalux Group S.A.

Effective Date: 08 Dec 2025

Introduction

This Privacy Policy explains how Osalux Group S.A., a société anonyme registered and operating under the laws of Luxembourg, with registration number B207249 and registered office at 3 Boulevard Royal, L-2449 Luxembourg (the “Company”, “we”, “us”, “our”), processes personal data in connection with the operation and administration of Altium Fund and its website www.altium.fund (the “Website”).

We are committed to protecting personal data and ensuring compliance with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR) and the Luxembourg Data Protection Act.

Data controller

Osalux Group S.A. acts as the data controller for all processing of personal data described in this Privacy Policy.

For any questions, requests, or concerns regarding data protection, please contact: contacts@altium.fund

Scope of this policy

This Privacy Policy applies to the following individuals (“data subjects”):

Any person whose personal data is processed in connection with the Company’s activities.

  • Investors and prospective investors (natural persons);
  • Representatives, beneficial owners, or authorised persons of institutional investors;
  • Website visitors and users submitting inquiries via the contact form;
  • Service providers, advisers, business partners, and professional contacts;

Legal basis & comliance

Personal data is processed in accordance with:
– GDPR (EU Regulation 2016/679);
– Luxembourg data-protection laws;
– Laws and regulations applicable to financial services, alternative investment funds, AML/CFT, FATCA, CRS, tax and regulatory reporting.
Processing is based on the following legal grounds:
(a) Performance of a contract or pre-contractual measures
For onboarding investors, evaluating subscription applications, executing transactions, maintaining investor accounts, and communicating in relation to contractual obligations.
(b) Compliance with legal and regulatory obligations
For identification, verification, AML/CFT requirements, ongoing due diligence, record-keeping, reporting to regulatory or tax authorities, fraud prevention, audit obligations, and any other duties arising under applicable Luxembourg/eu financial legislation.
(c) Legitimate interests
For internal administration, business continuity, IT and network security, prevention of irregularities, responding to inquiries from website visitors, and maintaining necessary business relationships. These interests are balanced against data-subject rights.
(d) Consent
Used only where required (e.g., for optional communications). Consent may be withdrawn at any time.

Categories of personal data collected

The Company collects and processes only the minimum data strictly necessary for defined purposes (“data minimisation”).
For Investors and Prospective Investors
– Identification data: name, date of birth, nationality, address;
– Official documents: passport/ID card details;
– Contact information: email, phone;
– Financial information: bank account data, payment instructions;
– Source of funds / wealth information (as required by AML/CFT law);
– Tax residency (e.g., FATCA/CRS requirements);
– Beneficial ownership and representative information (for entities);
– Any information necessary for KYC/AML checks, investor classification, due diligence.
For Website Users
– Name and email address provided voluntarily through the contact form;
– Basic technical data required for site operation (IP address, browser type).
Communications and Operational Data
– Emails, messages, and any records arising from interactions;
– Internal administrative documents and audit trails.

Purposes of processing

Personal data is processed for the following purposes:
Investor onboarding & contract performance
– Subscription processing;
– Identity confirmation and account creation;
– Execution of investment transactions and distributions.
Legal basis: Contract / pre-contractual necessity.
Regulatory & AML/CFT compliance
– KYC/AML verification, screening, monitoring, reporting;
– FATCA/CRS classifications and reporting;
– Regulatory filings with competent authorities.
Legal basis: Legal obligations.
Fund management & administration
– Accounting, auditing, reporting;
– Record-keeping, compliance oversight, risk management.
Legal basis: Legal obligation & legitimate interests.
Communications
– Responding to inquiries submitted through the website;
– Providing updates or required information to investors.
Legal basis: Contract (for investors) / Legitimate interest (for website users).
Security & business continuity
– Fraud prevention, IT security, access control.
Legal basis: Legitimate interests.

Sharing of personal data

Personal data may be shared only when necessary and in accordance with legal obligations, confidentiality requirements, and data-protection safeguards.
Recipients may include:
– Subsidiaries and affiliated entities within the Osalux Group;
– Fund service providers: administrators, transfer agents, custodians, banks;
– IT and communication service providers, hosting platforms and subcontractors;
– Legal, tax, compliance, and accounting advisers;
– Auditors and regulatory authorities (e.g., CSSF, FIU, tax authorities);
– Any entity to whom the Company is legally required to disclose information.
All recipients are bound by strict confidentiality and data-protection obligations.

International transfers

Personal data may be transferred outside the European Economic Area (EEA) solely under the conditions allowed by applicable law.
In accordance with GDPR Chapter V, the Company ensures that:
– the third country is subject to an adequacy decision, or
– Standard Contractual Clauses (SCCs) and appropriate additional safeguards are implemented, or
– another lawful transfer mechanism is used.
Before any transfer, the Company evaluates the recipient’s jurisdiction and implements appropriate organisational, contractual, and technical protections to maintain a level of protection equivalent to EU standards.

Data retention

Personal data is retained only as long as necessary or as required by law.

  • AML/CFT and investor due-diligence data: retained for 5 years following the termination of the business relationship, in accordance with Luxembourg AML law.
  • Accounting, financial, and commercial records: retained for 10 years under Luxembourg commercial and tax legislation.
  • Website contact inquiries: retained only for the time necessary to process the request.

Data that is no longer required is securely deleted or anonymised unless continued retention is required for legal claims or regulatory inquiries.

Security measures

We apply appropriate technical and organisational measures to protect personal data, including:

  • Access controls and password-protected systems;
  • Secure servers and encrypted communications;
  • Regular audits, monitoring, and risk assessments;
  • Confidentiality obligations for all personnel and contractors;
  • Staff training in data-protection and security practices;
  • Incident response procedures in case of data-breach risks.

These measures are continuously reviewed to ensure ongoing compliance and effectiveness.

Cookies

The Website currently does not use non-essential cookies or tracking technologies.

If cookies or similar technologies are introduced in the future:

  • A Cookie Notice will be published on the Website;
  • Users will be informed of the types and purposes of cookies;
  • Consent will be requested for non-essential cookies (analytics, marketing);
  • Users will be able to manage or withdraw their cookie preferences at any time.

Essential cookies necessary for operation of the Website may be used without consent, in accordance with applicable law.

Rights of data subjects

Under GDPR, data subjects have the right to access their personal data, rectify inaccurate or incomplete data, request erasure (“right to be forgotten”) when legally permissible, request restriction of processing, object to processing based on legitimate interests, request portability of their data (where applicable), withdraw consent at any time (where consent is relied upon) or lodge a complaint with the Luxembourg supervisory authority – Commission Nationale pour la Protection des Données (CNPD).

Requests may be submitted to contacts@altium.fund.

Changes to this privacy policy

The Company may update or amend this Privacy Policy at any time to reflect regulatory changes or operational adjustments. Any updated version will be published on the Website and, where appropriate, communicated to investors.