Effective: April 16, 2026

Privacy Policy

Your trust is our most valuable asset. This policy outlines exactly how Voluntas Long Term Capital Limited collects, uses, and protects your information, grounded in formalized legal bases and international data protection standards.

SECTION 1: Legal Bases for Processing

We do not process your personal data without a clear legal justification. Our processing activities are grounded in the following legal bases:

  • Consent: Where you have given us clear and explicit permission to process your data for a specific purpose (e.g., biometrics or direct marketing).
  • Performance of a Contract: When processing is necessary to provide the services you have requested or to fulfill our contractual obligations to you.
  • Legitimate Interests: When processing is necessary for our legitimate business interests, such as fraud prevention, network security, and service optimization, provided these do not override your fundamental rights.
  • Legal Obligation: When we are required to process data to comply with statutory or regulatory requirements.

SECTION 2: Data Privacy Notice

Your data is important to us. We comply with the laws of the jurisdictions in which we operate, including Singapore (PDPA) and other applicable jurisdictions, and we are committed to protecting your privacy internationally.

A. Strict Handling of Biometric Data

We may collect biometric data (such as voiceprints and facial recognition features) only under the following strict conditions:

  • Explicit Opt-in: We require your separate, affirmative, and explicit consent before activating any biometric collection.
  • Purpose Limitation: This data is used solely for identity verification and high-security access control.
  • Storage & Deletion: Biometric data is stored in an encrypted, non-reconstructable format. It is automatically deleted when it is no longer necessary for the original purpose or upon your request (unless retention is mandated by law).

B. Use of Your Data

We use your data to:

  • Assess you for and provide our wealth and health advisory services.
  • Manage our business and comply with internal risk management policies.
  • Design and improve our services and marketing.
  • Comply with legal, tax, and regulatory requirements in our operating jurisdictions and overseas.
  • Detect and prevent financial crimes.

C. Cross-Border Data Transfers

Data may be transferred to and stored in jurisdictions outside of your country of residence, including jurisdictions where our AI and cloud sub-processors operate (see Section 3 for the full list of named processors). We ensure that any such transfers meet the "comparable protection" standards required by the Singapore PDPA and other international frameworks, utilizing Standard Contractual Clauses (SCCs) or equivalent legal mechanisms. Each sub-processor is contractually bound to uphold equivalent data protection obligations.

D. Data Retention & Safeguards

We formalize our commitment to your data through structured safeguards:

  • Retention Period: We store your data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal, tax, or regulatory requirements. When no longer needed, data is securely erased or anonymized.
  • Security Protocols: We implement multi-layered physical, electronic, and procedural safeguards, including end-to-end encryption, regular security audits, and strict access controls.

E. Enforceable User Rights

We provide clear mechanisms for you to exercise your rights under international data protection laws:

  • Right of Access & Portability: You may request a copy of your personal data in a structured, commonly used format.
  • Right to Rectification: You may request the correction of inaccurate or incomplete information.
  • Right to Erasure: You may request the permanent deletion of your data when it is no longer necessary for its original purpose or when you withdraw consent.
  • Right to Withdraw Consent: You may revoke your consent for specific processing activities at any time via the app settings or by contacting us.

If you wish to exercise any of these rights, please contact our Data Protection Officer. We will respond to your request within the statutory timelines applicable in your jurisdiction.

F. United States Residents

While U.S. federal law varies, we strive to meet the transparency standards required by state laws such as the CCPA/CPRA. We do not "sell" your personal information to third parties for monetary consideration. We share information only as described in this policy for business purposes. Residents of certain states may have additional rights, including the right to opt-out of the sharing of personal information for cross-context behavioral advertising.

G. Children’s Privacy

Our Services are not intended for children. We do not knowingly collect personal data from children under the age of 18 (or the legal age in your jurisdiction). If we learn that we have collected personal data from a child without verified parental consent, we will take steps to delete that information as quickly as possible.

H. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

I. Contact Us

For any questions, data access requests, or to update your preferences, please contact our Data Protection Officer at:

Email: support@voluntasltcapital.com

SECTION 3: Third-Party Processors (Sub-Processors)

To deliver our services, we engage the following third-party processors. Each receives only the data necessary for its designated function, and each is contractually bound — through Data Processing Agreements (DPAs) that incorporate Standard Contractual Clauses (SCCs) or equivalent mechanisms — to apply data protection standards equivalent to those required under the Singapore PDPA and other applicable frameworks.

Processor Purpose Data Received Protection Basis
OpenAI, L.L.C.
United States
openai.com/policies/privacy-policy		 OpenAI powers the AI reasoning, conversational processing, and knowledge extraction within the ARC application. When you interact with ARC's assistant, your queries are processed by OpenAI's models to generate responses. OpenAI receives the text content of your queries and the conversation history necessary to maintain context. No biometric data, financial account credentials, or government-issued identification numbers are transmitted to OpenAI. OpenAI processes data under a Data Processing Agreement that incorporates Standard Contractual Clauses for transfers to the United States. OpenAI is contractually bound to equivalent data protection obligations and does not use data submitted via the API to train its models without a separate agreement.
ElevenLabs, Inc.
United States
elevenlabs.io/privacy		 ElevenLabs provides the voice synthesis (text-to-speech) and voice transcription (speech-to-text) capabilities that power ARC's voice interface, allowing you to speak to and hear responses from the application. ElevenLabs receives audio input captured during voice sessions for transcription, and text content intended to be converted into spoken responses. Voice data is processed transiently and is not retained by ElevenLabs beyond the duration of the API request unless you separately opt into ElevenLabs' own consumer services. ElevenLabs processes data under a Data Processing Agreement incorporating Standard Contractual Clauses. ElevenLabs is contractually bound to apply equivalent data protection obligations to all data it processes on our behalf.
Google Cloud (Google LLC)
United States
cloud.google.com/security/privacy		 Google Cloud provides the underlying cloud infrastructure, storage, and backend services that host and operate the ARC platform. All application data at rest and in transit is processed within Google Cloud's environment. Google Cloud receives encrypted application data, operational logs, and the user account information necessary to run and maintain the service. Data is stored in encrypted form and Google does not access it for its own purposes. Google Cloud processes data under Google's Data Processing Addendum, which incorporates Standard Contractual Clauses and commits Google to equivalent data protection standards. Google Cloud is certified under ISO 27001 and other internationally recognised security frameworks, with regional data residency options available.

We do not sell your personal data to any of these processors or to any other third party. We do not share your data with advertising networks, data brokers, or any entity outside the sub-processors listed above (except where required by law or with your explicit consent). We review our sub-processor list on an ongoing basis and will update this section if processors are added or removed.