Privacy and Cookie Policy (with Data Processing Addendum)

Effective: December 28, 2025
Platform: msp.investments and related dashboards, pages, and tools (the "Platform")
Company: iGAcquire OÜ (registry code 17328489)
Registered address: Tööstuse tn 75-71, 10416 Tallinn, Estonia
Privacy contact: [email protected]
Legal contact: [email protected]

Part A. Privacy and Cookie Policy

1. Scope

This Privacy and Cookie Policy explains how we process personal data in connection with the Platform. It applies to:

• representatives of Buyers and Sellers who create accounts or use the Platform
• website visitors
• partners and referrers (where applicable)
• people who contact us (support, sales, legal, or privacy inquiries)

2. Controller

For processing described in Part A, iGAcquire OÜ is the data controller.

3. Personal data we collect

3.1 Data you provide

• Account data: name, work email, role, company name, jurisdiction, and profile details you choose to provide
• Authentication data: login identifiers and security information (we do not request your MFA recovery codes or passwords)
• Billing data: billing contact details, invoicing details, plan selection, tax details (where applicable), and payment status
• Communications: messages to support, emails, and other communications with us
• Partner data (if applicable): referral identifiers, payout details, and compliance confirmations

3.2 Data we collect automatically

• Usage data: pages viewed, features used, actions taken (for example NDA acceptance, access requests, downloads, dealroom activity)
• Device and log data: IP address, device identifiers, browser type, timestamps, security logs and audit logs
• Cookie and tracking data: cookie identifiers, analytics events, referral attribution parameters

3.3 Data received from others

• From other Users: a Seller may share limited personal data in deal materials; a Buyer may submit documents containing personal data
• From service providers: payment confirmations, fraud and risk signals, delivery confirmations

4. Why we process personal data (purposes and legal bases)

• Provide the Platform services (accounts, access control, messaging, document workflows, plan management). Legal basis: contract and legitimate interests.
• Billing and payments (invoicing, subscriptions, tax handling). Legal basis: contract and legal obligations.
• Security and abuse prevention (audit logs, access logs, fraud monitoring). Legal basis: legitimate interests and legal obligations.
• Compliance (sanctions and lawful requests, where applicable). Legal basis: legal obligations and legitimate interests.
• Support and communications (responding to requests, service notices). Legal basis: contract and legitimate interests.
• Improve the Platform (analytics, diagnostics, performance monitoring). Legal basis: legitimate interests and, where required, consent for cookies.
• Marketing (product updates). Legal basis: legitimate interests or consent, depending on jurisdiction and settings. You can opt out.
• Enforcement and legal claims (fee disputes, fraud, debt recovery, defending claims). Legal basis: legitimate interests and legal obligations.

5. How we share personal data

We may share personal data with:

• Other Users as a result of your actions and access settings (for example messaging, sharing documents, granting dealroom access).
• Service providers that help us operate the Platform (hosting, storage, email delivery, customer support tooling, analytics, security tooling, identity verification, e-signature, and payment processing).
• Escrow or settlement providers selected by Users for a Transaction, where necessary to coordinate closing instructions, invoices, or settlement details.
• Professional advisers (lawyers, auditors, accountants) where necessary for compliance or legal claims.
• Debt recovery and enforcement providers where necessary to pursue unpaid fees or fraud, using data minimisation.
• Authorities where required by law or to respond to lawful requests.

We do not sell personal data.

6. International transfers

We intend to process data primarily within the EEA. Where data is transferred outside the EEA (and, where relevant, outside the UK), we use appropriate safeguards required by law (for example EU Standard Contractual Clauses and, where applicable, the UK Addendum).

7. Data retention

We keep personal data only as long as needed for the purposes described above, including:

• account and billing records for the duration of your account and as required by law
• security and audit logs for a reasonable period to protect the Platform and investigate incidents
• deal activity logs for auditability and dispute handling

Seller-submitted deal materials containing personal data are handled under Part B (DPA) for deletion and retention logic.

8. Cookies and tracking

We use cookies and similar technologies for:

• strictly necessary functions (login sessions, security)
• analytics (Platform improvement)
• referral attribution (Partner Program tracking, where applicable)

Where required by law, we request consent for non-essential cookies. You can manage cookie preferences through the cookie banner or settings (if available).

9. Your rights

Depending on your jurisdiction, you may have rights to request access, rectification, deletion, restriction, portability, or to object to processing. You may also withdraw consent where processing is based on consent.

To exercise rights, contact [email protected]. We may need to verify your identity.

You may also lodge a complaint with your local supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate.

10. Security

We implement reasonable technical and organisational measures to protect personal data, including access controls, security logging, and encryption in transit. Users are responsible for safeguarding their credentials and for minimising sensitive personal data shared through the Platform.

11. Children

The Platform is intended for business users and is not directed to children. We do not knowingly collect personal data from children.

12. Updates

We may update this Policy from time to time by posting an updated version on the Platform and updating the effective date.

Part B. Data Processing Addendum (DPA)

1. Parties and roles

• Controller: the Seller that uploads or shares Seller materials containing personal data ("Seller Data")
• Processor: iGAcquire OÜ (registry code 17328489)

2. Processing details

• Subject matter: hosting and controlled sharing of Seller deal materials for MSP transactions
• Duration: for the term of Seller’s use of the Platform plus limited retention under Section 9
• Nature: storage, access control, viewing, transmission, deletion, and security logging
• Purpose: enable Sellers to share diligence materials with Buyers under access controls and confidentiality obligations
• Types of personal data: business contact details, limited employee information, and other personal data included in Seller materials at Seller’s discretion (subject to minimisation)
• Categories of data subjects: Seller personnel, Seller contractors, Seller customers and customer personnel (only where Seller shares such data), and other individuals included in Seller materials

3. Processor instructions

Seller instructs Processor to process Seller Data only as necessary to provide the Platform services and as documented by Seller’s use of the Platform features (uploading, granting access, restricting access, removing content). Processor will inform Seller if an instruction appears to infringe data protection law and is not required to follow unlawful instructions.

4. Confidentiality

Processor ensures that personnel authorised to process Seller Data are subject to confidentiality obligations and access Seller Data only on a need-to-know basis.

5. Security measures

Processor implements appropriate technical and organisational measures designed to protect Seller Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including access controls, encryption in transit, and security logging.

6. Sub-processors

Seller provides general authorisation for Processor to engage sub-processors for hosting, storage, email delivery, support tooling, analytics, security tooling, and e-signature. Processor will impose data protection obligations on sub-processors that are no less protective than those in this DPA. A current list (or categories) of sub-processors may be maintained at a Platform page (for example /subprocessors) or provided on request.

7. Assistance with data subject requests

Processor will provide reasonable assistance to Seller to fulfil data subject requests relating to Seller Data, to the extent Seller cannot fulfil requests using Platform tools. If Processor receives a request directly relating to Seller Data, Processor will notify Seller where lawful and will not respond except on Seller’s instructions or where required by law.

8. Personal data breach

Processor will notify Seller without undue delay after becoming aware of a personal data breach affecting Seller Data and will provide reasonably necessary information for Seller to meet breach notification obligations.

9. Return and deletion

Upon Seller request or account termination, Processor will delete Seller Data within a reasonable period, unless retention is required by law or needed for the establishment, exercise, or defence of legal claims. Seller Data may remain in routine backups for a limited period, provided it is not readily accessible and remains protected until deleted under the backup cycle.

10. Audits and information

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits limited to this DPA scope, subject to reasonable advance notice, confidentiality, protection of other customers’ data, and reasonable frequency (no more than once per 12 months unless required due to a confirmed incident or regulatory request). Seller bears its audit costs and may be required to reimburse Processor’s reasonable support costs where permitted by law.

11. International transfers

If Seller Data is transferred outside the EEA (or outside the UK where applicable), Processor will ensure appropriate safeguards are in place as required by law.

12. MSP-specific minimisation and prohibited data

Seller must not upload data that is not necessary for evaluating the Transaction. Seller must not upload or share through the Platform:

• passwords, MFA recovery codes, API keys, access tokens, RMM or PSA admin credentials, VPN configurations, or any live privileged access
• payment card data, government IDs, or authentication secrets
• protected health information or special category data unless strictly necessary, lawful, and appropriately safeguarded
• bulk customer ticket exports, raw logs, backups, or inventories containing personal data unless minimised and redacted

Seller remains responsible for determining whether Seller Data may be disclosed to Buyers under Seller’s customer contracts, confidentiality obligations, and applicable law.

13. Buyer role

When Seller shares personal data with a Buyer through the Platform, the Buyer becomes an independent controller for that data and is responsible for its own compliance obligations.

14. Liability and precedence

The liability provisions in the Terms of Service apply to this DPA except where prohibited by applicable law. If there is a conflict between this DPA and the Terms regarding data processing obligations, this DPA controls for those obligations.

Questions: [email protected]