Privacy Policy

1) Scope & Role

This Policy covers personal information we process when:

you or your delegates use our portal or communicate with us;
we coordinate with your counsel, title/escrow, lenders, trustees, insurers, managers, and other vendors;
we run diligence or operate an asset post-close.

We act as service provider/processor when working under your or your counsel's direction, and as a business/controller for our own operations (security, billing, compliance).

2) Data We Collect (minimal by design)

Identity & contact: name, role, email, phone, mailing address for service of notices.
Deal & entity data: entity names/EINs, manager/authorized signer info, trust details, title vesting preferences, bank confirmation artifacts (no account numbers stored in clear).
Regulatory artifacts: tax forms (W-9/W-8), BOI/FinCEN-related attestations, KYC/IDV results (when required by counterparties).
Operational data: mailing preferences, insurance/utility account metadata, property management contacts, vendor NDAs.
System metadata: IP address, device/user agent, timestamps, and audit logs for security.

We avoid special-category data (health, biometrics) and children's data. Do not send it to us.

3) Sources

Direct from you/your delegates; your counsel (including under Kovel arrangements, where applicable); counterparties (title/escrow, lender, insurer, manager); reputable diligence providers; and limited public records needed to perform the mandate.

4) How We Use Data

Deliver services: plan/structure wrappers, run negotiations and diligence, choreograph title/escrow, and shield post-close operations.
Compliance & risk: identity verification when required, sanctions screening, fraud prevention, tax/reporting obligations (e.g., FinCEN real-estate rules where applicable).
Security: access control, audit logs, incident detection, and integrity checks.
Operations: billing, account administration, and client support.

We do not sell personal information or use it for behavioral advertising.

5) Sharing (need-to-know only)

We share strictly to complete your mandate or comply with law:

Your team: counsel, family office, designated vendors.
Transaction parties: title/escrow, underwriters, lenders, trustees/registered agents, insurers, property managers, utilities—each on least-disclosure terms.
Service providers: secure hosting, email/SMS delivery, e-signature, IDV/KBA (only when required), all bound by DPAs and confidentiality.
Regulatory/legal: disclosures required by law, court order, or regulator; we narrowly scope and, where lawful, notify and challenge overbroad demands.

No public disclosures. No publicity.

6) Security (aligned to best practice)

Controls: role-based access, mandatory 2FA, short-TTL signed links, encryption in transit and at rest, key rotation, tamper-evident audit trails.
Governance: vendor risk review, change control, least-privilege, environment isolation, regular logging/alerting.
Incident response: investigate, contain, notify as required by applicable law.

No system is perfectly secure; we mitigate risk with layered controls.

7) Retention (minimal + defensible)

We retain only what we must:

Transaction records: typically 7 years (title/escrow, tax, audit).
Security logs: 12–24 months.
Portal accounts with no activity: purge or anonymize after 24 months.

We may preserve data under legal hold. On request, we will give you a retention schedule for your mandate.

8) Your Choices & Rights

Access/Correction/Deletion: request via the portal or ops@alpenecompany.com. We will respond within statutory timelines and honor deletions unless retention is legally required.
Agent requests: permitted with verifiable authorization.
No sale/sharing: we do not sell or "share" personal information for cross-context advertising.
Authorized disclosure list: upon request, we can provide a list of counterparties who received your information for your transaction.

California/Colorado/State Rights

If state privacy laws (e.g., CPRA, CPA, CTDPA, VCDPA) apply, you have rights to know, access, correct, delete, and obtain a portable copy, and to limit use of sensitive data (which we avoid). Appeals process available for denied requests.

EEA/UK Addendum (if applicable)

Legal bases: contract, legitimate interests (security, fraud prevention), legal obligation, and consent (for optional features). Transfers use SCCs or equivalent safeguards. Contact our DPO contact for details.

9) Cookies & Tracking

Portal: essential cookies only (auth/session).
Email: no tracking pixels in sensitive notices.
Analytics: if enabled on public pages, it is aggregate, IP-truncated, and not linked to client records.

10) Your Responsibilities

Provide only data we request; confirm you have authority to share it; keep your portal credentials and second factors secure; notify us of suspected compromise promptly.

11) Government & Legal Requests

We require valid legal process; we narrowly scope production; we notify affected clients unless prohibited; we seek protective orders where appropriate; we publish no "client lists."

12) Third-Party Links

We are not responsible for the privacy practices of sites/services we do not control (e.g., utility portals, insurer sites). Review their policies.

13) Children

Our services are not directed to children under 16, and we do not knowingly collect their data.

14) Changes to This Policy

We will post updates with a new "Effective date." Material changes affecting your rights will be announced in-portal and, where required, by email.

15) Contact

Privacy requests: ops@alpenecompany.com
Security reporting: ops@alpenecompany.com (PGP preferred; our key is published on the site)

16) Limitation & Relationship to Contracts

To the extent permitted by law, this Policy does not create any duty or liability beyond what is required by statute or our signed agreements with you. If there is a conflict between this Policy and a negotiated MSA/SOW/NDA, the contract governs.