Effective Date: May 1, 2026 · Last Updated: May 1, 2026
Our Commitment to Privacy
Ethical Capital LLC (“Ethical Capital,” “we,” “us,” or “our”) is committed to protecting the privacy and confidentiality of our clients’ personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our client portal, submit information through online forms, or engage our investment advisory services.
This policy is designed to comply with the Gramm-Leach-Bliley Act (GLBA), the FTC Privacy Rule (16 C.F.R. §313), the FTC Safeguards Rule (16 C.F.R. §314), the Investment Advisers Act of 1940, Utah state securities regulations, and applicable federal and state privacy laws. For visitors and clients located in the European Economic Area, the United Kingdom, or Switzerland, the section below titled “Notice for Visitors and Clients in the EEA, United Kingdom, or Switzerland” provides the additional information required by Articles 13 and 14 of the General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection.
Information We Collect
Personal Information
When you engage our services, use our website, or interact with our client portal, we may collect:
Identity information: Name, address, phone number, email address, and date of birth. Social Security numbers are entered directly by clients into Altruist Financial LLC (our qualified custodian) for account-opening purposes; Ethical Capital does not collect, receive, or store Social Security numbers.
Financial information: Investment accounts, income, net worth, investment objectives, and risk tolerance.
Professional information: Employment details, employer information, and professional designations.
Communication records: Records of phone calls, emails, meetings, and messages sent through our website or client portal.
Website and portal usage data: IP address, browser type, device information, operating system, pages visited, time spent on site, referring URLs, login timestamps, session duration, and actions taken within the client portal.
Authentication data: Login credentials, multi-factor authentication information, and, if you use social login (such as Google or Apple), the identity information those providers share with us (typically your name, email address, and profile image). We do not receive or store your password from any third-party identity provider.
Form submissions: Information you provide through forms on our website, including contact forms, onboarding questionnaires, and other intake forms.
Community notes: Content you submit as community notes on our research pages, along with associated metadata (submission timestamp, display name).
How We Collect Information
Directly from you: Through forms hosted on our website, through our client portal, through our electronic signature platform, through community note submissions, and through consultations, emails, phone calls, and other ongoing communications.
From identity providers: If you choose to authenticate using a third-party identity provider (such as Google or Apple), we receive limited profile information from that provider to verify your identity and grant portal access. We receive only the information you authorize the provider to share, and we do not request or receive access to your contacts, files, or other account data held by the provider.
From other third parties: With your consent, from custodians, other financial advisors, or service providers.
Automatically: Through cookies, analytics tools, and server logs when you visit our website or use the client portal.
Public sources: Information available in public records or databases.
How We Use Your Information
Primary Uses
Investment management: To provide personalized investment advice and portfolio management services.
Account administration: To open accounts, process transactions, maintain records, and coordinate with custodians.
Client portal operations: To authenticate your identity (including via social login), display relevant account and relationship information, deliver documents, and facilitate secure communication.
Communication: To respond to inquiries, provide ongoing service, and deliver documents electronically (with your consent).
Compliance and recordkeeping: To meet regulatory requirements, maintain required records under SEC Rule 204-2 (as incorporated by the Utah Division of Securities), archive communications, and conduct required reporting.
Service improvement: To enhance our services, improve website and portal functionality, and develop new offerings.
Security: To detect, prevent, and respond to fraud, unauthorized access, or other security threats, including monitoring portal access patterns and authentication attempts.
Research operations: To maintain and update our exclusion database, conduct ethical screening research, and publish educational content about our methodology.
Legal Basis for Processing
We process your information based on: contractual necessity (to fulfill our advisory agreement with you), legal obligation (to comply with securities regulations and other legal requirements), legitimate interest (to operate our business, maintain security, and improve our services), and consent (for marketing communications, social login, and certain website features).
Information Sharing and Disclosure
Categories of Service Providers
We may share your nonpublic personal information with the following categories of service providers, each of which is contractually required to maintain the confidentiality of your information under 16 C.F.R. §313.13:
Qualified custodians: Altruist Financial LLC and Charles Schwab & Co., Inc. hold client assets and process transactions on our behalf.
Electronic signature provider: We use an electronic signature platform to execute advisory agreements and related documents. This provider processes client names, email addresses, and the content of documents you sign.
Technology and data hosting providers: We use cloud-based infrastructure and database services to securely store and process client information, maintain our client portal, and operate our website. These providers maintain physical and logical security controls and process data on our behalf under contractual confidentiality obligations.
Identity providers: If you use social login, your chosen identity provider (such as Google or Apple) transmits limited profile information to us for authentication purposes. We do not share your financial or account information back to these providers.
Analytics providers: We use analytics services to understand how visitors use our website and client portal. These services collect information about browsing behavior, which may include IP addresses and device identifiers. See “Cookies and Tracking” below for more detail.
AI and data processing vendors: We use artificial intelligence tools that may process client nonpublic personal information in connection with our operations. These currently include Google Workspace (Google LLC) for business communications and document processing, Anthropic for AI-assisted drafting and analysis, Cloudflare Workers AI for inbound and outbound business email classification and prioritization, and DeepInfra for research-related embeddings, voicemail transcription, and other data processing. We may engage other AI vendors from time to time without notice; current vendors are disclosed on request to privacy@ethicic.com. All such providers maintain SOC 2 certification and are contractually required to maintain confidentiality and to process data solely as directed by us. PII is redacted from prompts where feasible. No client communication is sent automatically without human review.
Voice and telephony providers: Vonage operates the firm’s business phone line and voicemail service. Calls and voicemails are recorded and stored in Cloudflare R2 object storage and transmitted to DeepInfra (Voxtral model) for AI-based transcription. ElevenLabs provides the pre-generated, AI-synthesized voicemail greeting; no caller audio is sent to ElevenLabs.
Newsletter and transactional email provider: Resend (Resend, Inc.) processes outbound newsletter and transactional email; recipient email addresses, send/open/click metadata, and any personalization fields are processed under contractual confidentiality obligations.
Application infrastructure: Supabase, Inc. hosts our primary application database (US-only configuration, AWS us-west-2). Cloudflare, Inc. provides the website CDN, R2 object storage (signed agreements, meeting and call recordings), Workers compute, and Durable Objects. Hetzner Online GmbH (Nuremberg, Germany) hosts our backtest analytics database, vector search index, and CI runner under a written Data Processing Agreement; details on cross-border transfers are in “International Data Transfers” below.
We use artificial intelligence tools to transcribe and analyze client meeting recordings, telephone calls, and voicemails for the purpose of maintaining accurate records and improving service. These tools process audio recordings and their transcripts, which may contain nonpublic personal information including your name, financial details, and investment objectives. Providers of these tools are contractually required to maintain confidentiality and to process data solely on our behalf.
Vendor list last reviewed: May 1, 2026.
Professional advisors: Your CPA, attorney, or other advisors, with your consent.
We Do Not
We do not sell personal information to third parties. We do not share information for marketing purposes without consent. We do not provide information to unrelated parties for their commercial use. We do not disclose information unless required by law or with your explicit consent.
Disclosures Required by Law
We may disclose your information to regulatory authorities when required by law or regulation, and in response to court orders or legal process. We may also disclose information in connection with a merger, acquisition, or sale of assets, in which case we will notify affected clients.
Data Security
Security Measures
We implement comprehensive security measures to protect your information:
Encryption: All data transmitted through our website and client portal is encrypted using SSL/TLS. Sensitive data is encrypted at rest in our database systems.
Access controls: Strict access limitations based on job function and need-to-know. Client portal access requires unique credentials and multi-factor authentication.
Infrastructure security: Our website and data systems are hosted on infrastructure with enterprise-grade physical and network security controls. We maintain security configurations and access controls on all systems under our management.
Authentication security: If you use social login, authentication is handled by the identity provider using industry-standard OAuth 2.0 protocols. We receive only an authentication token and authorized profile information; we never see or store your identity provider password.
Regular updates: Security systems and software are regularly updated and patched.
Vendor security: We require service providers with access to client information to maintain appropriate security measures and undergo periodic review.
Data Retention
We retain personal information for as long as necessary to provide ongoing advisory services, comply with legal and regulatory requirements (including the recordkeeping requirements of SEC Rule 204-2 as incorporated by the Utah Division of Securities), resolve disputes, and enforce agreements.
Records are generally retained for a minimum of five years after account closure, with the first two years in an easily accessible format, or longer as required by law. Electronically signed documents and their associated audit trails are retained for the same period, independently of any third-party platform. Portal activity logs are retained for five years. Website analytics data is retained in aggregate form and is not linked to individual client identities after 26 months.
If you use social login and subsequently disconnect your identity provider account, we retain any information previously received from the provider for the same periods described above, but we will no longer receive updated information from the provider.
Data Breach Notification
If we discover unauthorized acquisition of unencrypted customer information affecting 500 or more consumers, we will notify the Federal Trade Commission as soon as possible and no later than 30 days after discovery, as required by the FTC Safeguards Rule (16 C.F.R. §314.4(j), effective May 13, 2024). We will notify affected individuals and the Utah Attorney General as required by the Utah Data Breach Notification Act (Utah Code §13-44-101 et seq.) and any other applicable state law. We will also coordinate with our qualified custodians and other affected service providers as required.
Your Rights and Choices
Access and Correction
You have the right to access the personal information we maintain about you, request correction of inaccurate information, and update your contact preferences and communication settings. You may exercise these rights by contacting us using the information provided below.
Electronic Delivery Preferences
If you have consented to electronic delivery of records, you may withdraw that consent at any time as described in your Consent to Use Electronic Signatures and Electronic Records. Withdrawal of consent will not affect the validity of records previously delivered electronically.
Social Login
If you authenticate using a third-party identity provider, you may revoke our access at any time by disconnecting the integration in your identity provider’s account settings or by contacting us to request an alternative authentication method. Revoking social login access does not delete information previously received from the provider.
Marketing Communications
You may opt out of marketing emails by clicking unsubscribe links or by contacting us directly. You will continue to receive service-related communications as necessary for the administration of your advisory relationship.
Data Portability
Upon reasonable request, we can provide your information in a structured, commonly used format to facilitate transfer to another adviser.
Website and Portal Privacy
Cookies and Tracking
Our website uses cookies and similar technologies to remember your preferences and settings, analyze website traffic and usage patterns, improve website functionality and user experience, authenticate client portal sessions (including social login sessions), and provide personalized content when appropriate.
We use analytics services to understand how visitors interact with our website. These services may collect information such as your IP address, browser type, pages visited, and time spent on specific pages. This information is used in aggregate to improve our website and is not used to identify individual visitors for marketing purposes.
You may control cookie preferences through your browser settings. Disabling cookies may affect website functionality, including the ability to log into the client portal.
Portfolio Scanner and Lead Capture
When you use the Portfolio Scanner without an account, we set a first-party cookie that expires after 90 days to count your scans for rate-limiting purposes. After your free scans are used, we ask for an email address to continue. You may decline; we will not retain the email if you do not consent to marketing. The email gate also applies to research CSV downloads, with one-click revocation through the unsubscribe link in any email we send you.
Client Portal Data
When you use the client portal, we collect additional information including login timestamps and authentication method used (direct login or social login provider), session duration, IP addresses used to access the portal, pages and features accessed within the portal, and documents viewed or downloaded. This information is collected for security monitoring, compliance recordkeeping, and service improvement purposes and is treated as nonpublic personal information under GLBA.
Third-Party Links
Our website and client portal may contain links to external sites, including our qualified custodian(s) and, if you use social login, your identity provider. We are not responsible for the privacy practices of external websites and encourage you to review their privacy policies. When you navigate to a third-party site, including through the client portal, you are leaving our website and your interactions with that platform are governed by its own terms and privacy policy.
Special Protections
Financial Information
We provide additional protections for financial account information and maintain compliance with the Gramm-Leach-Bliley Act and the FTC Safeguards Rule (16 C.F.R. §314).
Investment Preferences
Information about your values-based investment criteria is treated as confidential client information subject to our highest privacy standards.
Children’s Privacy
As a firm policy stricter than the federal Children’s Online Privacy Protection Act (COPPA, 16 C.F.R. §312, which applies to children under 13), our services are not directed to individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 18. If you become aware that a person under 18 has provided personal information to us, please contact us immediately.
Notice for Visitors and Clients in the EEA, United Kingdom, or Switzerland
This section provides the additional information required by Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection (“FADP”). It supplements, and does not replace, the rest of this Privacy Policy. To the extent of any conflict between this section and any other section, this section controls for individuals located in the EEA, the UK, or Switzerland.
Controller of Your Personal Data
The controller of your personal data, within the meaning of GDPR Article 4(7), is:
Ethical Capital LLC
Provo, UT, United States
Phone: +1 347 625 9000
Email: privacy@ethicic.com
We have not appointed a Data Protection Officer because we are not subject to the appointment criteria in GDPR Article 37(1). All data protection inquiries should be directed to our Privacy Officer at the address above.
We have not appointed an Article 27 representative in the EU or UK because our processing of EEA and UK personal data is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of data subjects. We will appoint a representative if and when our processing activities require one.
Categories of Personal Data and Sources
We process the categories of personal data described above in “Information We Collect,” obtained directly from you, from identity providers if you use social login, from custodians and other professionals you authorize, from cookies and analytics tools, and from public sources.
Purposes and Legal Bases (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Negotiate, enter into, and perform an investment advisory agreement | Contract — Art. 6(1)(b) |
| Authenticate access to the client portal (including via Google or Apple sign-in) | Contract — Art. 6(1)(b) |
| Comply with U.S. recordkeeping requirements (SEC Rule 204-2 as adopted by Utah), tax law, and AML rules | Legal obligation — Art. 6(1)(c) |
| Maintain the security of our website, portal, phone system, and infrastructure | Legitimate interests — Art. 6(1)(f) |
| Operate ethical-screening research and publish the methodology | Legitimate interests — Art. 6(1)(f) |
| Send marketing emails and our newsletter | Consent — Art. 6(1)(a) |
| Record telephone calls and meetings | Consent — Art. 6(1)(a), supplemented by legitimate interests for recordkeeping |
We do not process special categories of personal data within the meaning of Article 9 and ask that you not provide such information to us.
Our Legitimate Interests
Where we rely on legitimate interests as a legal basis, those interests are: protecting our information systems against unauthorized access; preventing fraud and securities-law violations; conducting and publishing investment research that supports our advisory business; and accurately memorializing client communications. We have considered the rights and freedoms of data subjects in each case and will not process personal data on this basis where those rights override our interests. You may object to processing on this basis at any time as described under “Your Rights” below.
Recipients and Categories of Recipients
We disclose personal data to the categories of recipients identified in “Information Sharing and Disclosure” above, and to the named providers listed in “International Data Transfers.” We do not sell personal data, and we do not use it for cross-context behavioral advertising.
International Transfers
See “International Data Transfers” below for details about transfers outside the EEA, UK, or Switzerland and the safeguards we apply.
Retention
We retain personal data for the periods described in “Data Retention” above. Specifically:
- Records of advisory relationships: at least five years after account closure (SEC Rule 204-2);
- Communications and electronic-signature audit trails: same five-year minimum;
- Website analytics: 26 months in aggregate form;
- Marketing-only contact records (no advisory relationship): until you unsubscribe, plus a suppression list maintained indefinitely to honor your opt-out;
- Server and security logs: 90 days hot, then archived for up to seven years for security-incident investigation.
Your Rights
If you are located in the EEA, the UK, or Switzerland, you have the following rights, subject to the conditions and exceptions in the GDPR, UK GDPR, and FADP:
- Access (Art. 15) — confirmation of whether we process your personal data and a copy of it;
- Rectification (Art. 16) — correction of inaccurate or incomplete data;
- Erasure (Art. 17) — deletion in defined circumstances, subject to our legal obligation to retain records under SEC Rule 204-2 and similar rules;
- Restriction of processing (Art. 18);
- Data portability (Art. 20) — receipt of data you provided in a structured, commonly used, machine-readable format;
- Objection (Art. 21) — objection to processing based on legitimate interests, including profiling, and an absolute right to object to direct marketing;
- Withdrawal of consent (Art. 7(3)) — without affecting the lawfulness of processing carried out before withdrawal;
- Right not to be subject to solely automated decision-making (Art. 22) — we do not make decisions producing legal or similarly significant effects based solely on automated processing.
To exercise any of these rights, contact us at privacy@ethicic.com. We will respond within one month, extendable by two further months for complex requests, and will not charge a fee unless your request is manifestly unfounded or excessive. We may need to verify your identity before fulfilling a request.
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. For the United Kingdom, the supervisory authority is the Information Commissioner’s Office. For Switzerland, it is the Federal Data Protection and Information Commissioner. We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority — please email privacy@ethicic.com first.
Whether Provision of Data Is Required
Provision of identity, contact, financial, and tax data is a contractual and statutory requirement to enter into an advisory relationship; without it we cannot open accounts, comply with U.S. recordkeeping rules, or provide investment advice. Provision of marketing or analytics data is voluntary, and you may decline without affecting your ability to receive advisory services.
Automated Decision-Making and Profiling
We do not engage in automated decision-making within the meaning of GDPR Article 22. Investment recommendations are reviewed and approved by a human investment adviser representative.
International Data Transfers
We are a U.S. investment adviser and primarily serve U.S. clients. However, some of our infrastructure operates outside the United States, and some website visitors and prospective clients are located in the European Economic Area (EEA), the United Kingdom, or Switzerland. This section describes our cross-border data flows and the safeguards in place.
Where Data Is Processed
| Provider | Function | Location of processing |
|---|---|---|
| Supabase, Inc. | Primary application database (client records, communications log) | United States (AWS us-west-2) |
| Cloudflare, Inc. | Website, CDN, R2 object storage (signed agreements, meeting recordings) | Multi-region (primary U.S.) |
| Google LLC (Workspace) | Email, calendar, Meet recordings | United States |
| Altruist Financial LLC, Charles Schwab & Co. | Qualified custodians | United States |
| Resend | Transactional and newsletter email | United States |
| Anthropic, PBC | AI-assisted drafting | United States |
| DeepInfra | Embedding and transcription models | United States |
| Vonage | Phone routing and call recording | United States |
| ElevenLabs | Voicemail greeting synthesis | United States |
| Hetzner Online GmbH | Backtest analytics database, vector search index, CI runner | Nuremberg, Germany (EU) |
Transfers from the EEA, UK, or Switzerland to the United States
When you visit our website, submit a form, or become a client while located in the EEA, UK, or Switzerland, your personal data is transferred to the United States for processing by us and the U.S.-based providers listed above. The United States has not received an adequacy decision from the European Commission for purposes of GDPR Article 45, other than the limited EU–U.S. Data Privacy Framework certification path, which not all of our providers participate in.
We rely on the following Article 46 safeguards for such transfers:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), incorporated in our agreements with each U.S.-based processor that handles personal data of EEA/UK/Swiss data subjects;
- UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, where applicable;
- Swiss Federal Data Protection and Information Commissioner addendum for transfers from Switzerland; and
- Supplementary measures including encryption in transit (TLS 1.2+), encryption at rest, access logging, and contractual obligations on each processor to challenge unlawful government access requests.
You may request a copy of the relevant SCCs (with commercial terms redacted) by emailing privacy@ethicic.com.
Transfers to Hetzner Online GmbH (Germany)
We operate a virtual private server with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, in their Nuremberg data center park. We have executed a written Data Processing Agreement with Hetzner pursuant to GDPR Article 28, most recently updated April 30, 2026 (v1.2).
The data processed at the Nuremberg facility includes:
- public market reference data (no personal data);
- backtest output and strategy metadata (no personal data);
- vector embeddings derived from research notes and meeting transcripts (these may indirectly relate to identifiable individuals); and
- system and application logs, which may contain IP addresses.
Because Hetzner is established in the EU and the data center is in Germany, this is an intra-EU transfer when initiated by an EEA data subject. When we (in the U.S.) query or retrieve data from the Hetzner server, the resulting export from Germany to the United States is covered by the Standard Contractual Clauses included in our agreement with Hetzner.
Hetzner’s data protection officer and contact for data subject inquiries is:
Alena Scholz, Data Protection Manager, Hetzner Online GmbH
data-protection@hetzner.com · +49 9831 505‑216
A current list of Hetzner’s sub-processors is published at hetzner.com/AV/subcontractors.pdf.
Transfer Impact Assessment
We have conducted a Transfer Impact Assessment in line with the European Data Protection Board’s Recommendations 01/2020 and concluded that the categories of data we transfer (primarily contact and contractual information for prospective clients; no special-category data) and the supplementary measures we have implemented provide an essentially equivalent level of protection for transfers from the EEA/UK/Switzerland to the United States. A summary of this assessment is available to data subjects on request.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify clients of material changes through email notifications to active clients, prominent notices on our website, updates in the client portal, and updates in regular client communications. The effective date at the top of this page reflects the most recent revision.
State-Specific Privacy Rights
California Residents
Under the California Consumer Privacy Act (CCPA), California residents have additional rights including the right to know what personal information we collect and how it is used, the right to request deletion of personal information (subject to legal and regulatory requirements), and the right to non-discrimination for exercising privacy rights. Note that GLBA-covered information may be exempt from certain CCPA provisions.
Other States
We comply with applicable state privacy laws and will honor similar rights where required by law.
Contact Information
Privacy Questions and Requests
For questions about this Privacy Policy or to exercise your privacy rights:
Privacy Officer
Ethical Capital LLC
Provo, UT
Phone: +1 347 625 9000
Email: privacy@ethicic.com
Complaints
If you believe your privacy rights have been violated, you may contact us directly using the information above, file a complaint with the Utah Division of Securities, file a complaint with the Federal Trade Commission, or contact other applicable regulatory authorities.
This Privacy Policy applies to information collected through our website (including the client portal, online forms, and community notes) and in connection with our investment advisory services. It should be read in conjunction with our Terms of Use, our Important Disclosures, our client agreements, our Consent to Use Electronic Signatures and Electronic Records, and our Form ADV disclosure documents.
Ethical Capital LLC is a state-registered investment adviser registered with the Utah Division of Securities. Registration does not imply a certain level of skill or training.