Privacy Policy
Version: v2_2025-08-27
Effective Date: August 27, 2025
This Privacy Policy explains how Crown & Oak Capital ("Crown & Oak," "we," "our," or "us") collects, uses, discloses, and protects information related to visitors and users of our websites and online forms, including crownandoakcapital.com and any pages that link to this Policy (the "Site").
1) Who We Are & Scope
Crown & Oak Capital is a private investment advisory and deal‑intelligence firm serving sophisticated and institutional investors.
This Policy covers information collected:
- Directly from you (e.g., contact forms, investor profile/intake questionnaires, meeting requests).
- Automatically via cookies and similar technologies when you use the Site.
- From third parties in the context of diligence, KYC/AML, or business development.
Offline & Contracted Services: Engagements governed by a signed agreement or a sector‑specific notice (e.g., GLBA) are covered by those documents. This website Policy does not replace any such notices.
2) Information We Collect
A. Information You Provide
- Identity & contact: name, company/organization, job title, work email, phone, address, preferred contact method.
- Investor profile data: investor type (e.g., Family Office, REIT), acquisition strategy, markets, asset classes, risk/return thresholds, equity check size, AUM ranges, leverage preferences, holding period, exit preferences, ESG priorities, deal‑breakers, notes.
- Scheduling & meetings: call requests, in‑person meeting preferences, availability windows.
- Communications: messages, attachments, feedback, and correspondence.
B. Information Collected Automatically
- Technical: IP address, device identifiers, browser type, operating system, referring/exit pages, time stamps, pages viewed, and approximate geolocation.
- Cookies/Tags: session cookies, preference cookies, analytics tags, and similar technologies. See Cookie Notice below.
C. Information From Third Parties
Public sources, data providers, social/business networks (e.g., LinkedIn), referral partners, and service providers supporting diligence, compliance, or outreach.
3) How We Use Information
- Operate the Site & deliver services: respond to inquiries, process investor intake, match opportunities to stated criteria, schedule and conduct consultations.
- Deal curation & communications: send opportunities that align with your profile; contact you about updates, events, and thought leadership; manage preferences.
- Improve & secure the Site: debugging, analytics, quality assurance, and security monitoring.
- Compliance & risk management: KYC/AML screens (where applicable), conflict checks, sanctions screening, recordkeeping.
- Legal & safety: enforce terms, protect rights, comply with subpoenas, court orders, or lawful requests.
Purpose limitation: we do not use personal information for materially different, unrelated, or incompatible purposes without obtaining your consent or identifying another lawful basis.
4) Legal Bases (EEA/UK only)
Where GDPR/UK GDPR applies, our processing relies on:
- Contractual necessity (responding to your requests, providing the Site/services).
- Legitimate interests (deal curation, security, analytics, proportionate B2B communications).
- Consent (cookie categories that are not strictly necessary; marketing where required).
- Legal obligation (tax, accounting, sanctions compliance).
Basis‑by‑Category Matrix (illustrative):
| Data Category | Contract | Legitimate Interests | Consent | Legal Obligation |
|---|---|---|---|---|
| Identity & Contact | ✔︎ | ✔︎ | – | ✔︎ (where required for compliance) |
| Investor Profile | ✔︎ (intake) | ✔︎ (matching) | ✔︎ (optional marketing) | – |
| Technical/Analytics | – | ✔︎ (security, basic analytics) | ✔︎ (non‑essential analytics) | – |
| Compliance/KYC | – | ✔︎ (risk mgmt) | – | ✔︎ |
5) How We Share Information
We do not sell personal information. We may disclose information to:
- Service providers/processors: hosting, cloud storage, email/SMS, forms/CRM, analytics, security (bound by contracts restricting use to our instructions). A current list of sub‑processors is available on request and will be published at
/legal/subprocessorsonce live. - Professional advisors: legal, audit, compliance, tax, insurers.
- Transaction counterparties: under NDA/CA during curated introductions or data‑room access, subject to confidentiality restrictions.
- Authorities: where required by law or to protect rights, security, or property.
- Corporate events: in connection with an investment, merger, acquisition, or reorganization.
6) Sensitive Personal Information
We may process investment‑profile data (e.g., AUM bands, strategy) that could be considered sensitive in certain jurisdictions. We restrict use to curation, diligence, and compliance and do not use such data to infer characteristics unrelated to investment suitability.
7) Data Retention
We retain information only as long as reasonably necessary for the purposes described:
- Website/contact inquiries: 24 months after last interaction.
- Investor profile records: 7 years after last transaction or 5 years after last activity (whichever is later), unless law requires longer.
- Compliance/KYC materials: 5–7 years (or as required by law).
- Cookie consent logs: 13 months.
- Server/security logs: up to 12 months.
- DSAR (privacy request) records: 5 years.
Deletion may be delayed in backups for limited periods.
8) Security
We employ administrative, technical, and physical safeguards proportionate to the sensitivity of the data, including encryption in transit and at rest, access controls, least‑privilege, MFA for administrator access, and logging/monitoring. No method is 100% secure; transmission is at your own risk. Where required by law, we will notify you and/or authorities of a data breach without undue delay.
9) International Transfers
We may transfer/process information outside your jurisdiction (e.g., to the U.S.). Where required, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) with supplemental measures for EEA/UK data and, where appropriate, the UK IDTA/UK Addendum. For participating vendors, we may also rely on the EU‑U.S./UK‑U.S. Data Privacy Framework.
10) Your Privacy Rights
Subject to applicable law, you may request to access, correct, delete, or port your data and to restrict or object to certain processing (including direct marketing). Where processing is based on consent, you may withdraw consent at any time.
How to exercise your rights
Email kyle@crownandoakcapital.com with your request and the jurisdiction you reside in.
Verification: we may verify by matching your email/phone and, if needed, request limited documentation to confirm identity/authority (e.g., authorization for an agent).
Timelines: we aim to respond within 45 days; we may extend once by up to 45 days where reasonably necessary and will notify you of the reason.
Appeals: if we deny your request, reply “Appeal” to our decision email; we will respond within 45 days (or the shorter period required by your state law).
11) U.S. State Disclosures (CA/CO/CT/VA, etc.)
We do not sell or share personal information as defined under California law and do not engage in cross‑context behavioral advertising.
Opt‑out signals: We recognize Global Privacy Control (GPC) and Colorado’s Universal Opt‑Out Mechanism signals where applicable and treat them as opt‑outs of sale/share/targeted advertising.
We process sensitive personal information only for operational purposes you would reasonably expect (investment intake, compliance).
You may exercise rights via the methods in Your Privacy Rights.
12) Cookie Notice
We use cookies and similar technologies to operate the Site, remember preferences, and (with consent where required) understand aggregate usage.
Your controls
Manage cookies via your browser settings and, where presented, our cookie banner/manager.
We honor applicable consent requirements by region. We do not currently respond to legacy “Do Not Track,” but see Opt‑out signals above.
Representative Cookie Table (subject to change)
| Name | Purpose | Category | Provider | Expiry |
|---|---|---|---|---|
| session_id | Maintains session state and security | Strictly Necessary | First‑party | Session |
| consent_record | Stores your cookie preferences | Functional | First‑party | 12 months |
| locale | Remembers language/region | Functional | First‑party | 12 months |
| page_view_count | Counts page views for aggregate analytics | Analytics (consent‑based where required) | First‑party | 13 months |
| visit_id | Distinguishes visits for aggregate analytics | Analytics (consent‑based where required) | First‑party | 13 months |
A more detailed Cookie Table will be maintained at /legal/cookies once live.
13) Third‑Party Links & Embedded Content
The Site may link to external resources (e.g., calendar scheduling, market intel, data rooms). We are not responsible for third‑party privacy practices. Review those policies before submitting data.
14) Children’s Privacy
The Site is not intended for individuals under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect such data. If you believe a minor has provided information, contact us to delete it.
SMS Communications
If you opt in to receive text messages from Crown & Oak Capital Advisors, we will use your phone number to send messages related to investment opportunities, meeting reminders, and account/portal notifications. Message frequency may vary. Message & data rates may apply. Reply STOP to opt out and HELP for help. SMS consent is not shared with third parties or affiliates other than service providers that send messages on our behalf (they may not use your number for their own purposes). See our SMS Terms & Conditions for details.
15) Changes to This Policy
We may update this Policy from time to time. The Effective Date above reflects the latest version. Material changes will be posted on this page and, where appropriate, notified to you.
16) Contact Us (Primary Contact)
Crown & Oak Capital
745 Fifth Avenue, 5th Floor, New York, NY 10151, USA
+1‑646‑964‑9686
Email: kyle@crownandoakcapital.com
Optional secondary: devin@crownandoakcapital.com
When contacting us to exercise rights, please specify your name, contact information, the request type, and the jurisdiction you reside in. Authorized agents may submit requests with valid authorization.
17) U.S. State Notice at Collection (CA‑style Summary)
Categories we collect: Identifiers (name, email, phone), professional info (company, title), commercial preferences (investment criteria), internet activity (Site usage), and limited inferences for investment curation.
Purposes: Site operation, investor intake/matching, security/compliance, communications, analytics.
Retention: See Section 7.
Disclosure: Service providers/processors; professional advisors; counterparties under NDA; authorities as required.
Sale/Share: No.
Sensitive data: Used only for limited operational purposes expected by you (intake/compliance).
Opt‑out signals: We recognize GPC and applicable universal opt‑out signals.
Contact: kyle@crownandoakcapital.com.
18) Jurisdiction‑Specific Addenda (If Applicable)
GDPR/UK GDPR Addendum: Details of SCCs, DPO/UK Rep (if appointed), and lawful basis mappings.
Virginia/Colorado/Connecticut/Utah Addendum: State‑specific definitions and opt‑out mechanisms (if any advertising/cross‑context sharing is introduced).
Nevada: We do not sell covered information as defined by Nevada law.
19) Financial‑Sector Note (Informational)
If we become a "financial institution" under GLBA due to the nature of client relationships, a separate GLBA Privacy Notice may apply to certain data. This website Policy is complementary and does not replace any required sectoral notices.
20) Automated Decision‑Making & Profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Investment matching includes human review.
21) Plain‑English Summary
We collect what you give us (contact + investor preferences), what your browser shares (basic analytics), and what partners share during diligence. We use it to match you to opportunities, run the Site, and meet legal obligations. We don’t sell your data. You control your info—ask to see it, fix it, delete it, or limit it. Email kyle@crownandoakcapital.com anytime.