[Draft and subject to change] — this document is published in draft, pending legal counsel review, and may be revised.
KJ Investment Management Partners, LLC

Privacy Policy

[DRAFT AND SUBJECT TO CHANGE]

This Privacy Policy is published in draft form and may be revised. It is under

review by legal counsel; the substance describes our current, actual data

practices and is effective as written until superseded by a finalized version.

Status: Draft, subject to change

Draft published: 2026-06-02

Owner: KJ Investment Management Partners, LLC — Fund Manager

Last updated: 2026-06-02

1. About this Policy

KJ Investment Management Partners, LLC ("we", "our", "the firm") operates a private investment management platform serving limited partners ("LPs") and prospective investors. This Privacy Policy describes the personal information we collect when you interact with our investor portal, prospect portal, marketing materials, bank-connection feature, and capital-call and tax-document workflows; how we use that information; with whom we share it; how long we keep it; and the rights you have over it.

This policy applies to anyone who accesses the platform at keel.fund, including LPs, prospects, managing members, and authorized third-party representatives (accountants, legal counsel acting on behalf of an LP).

As a financial-services firm, we also handle certain information in accordance with the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and applicable state financial-privacy law. We do not disclose nonpublic personal financial information about you except as described in this policy.

2. Information We Collect

2.1 Information you provide directly

When you complete a subscription booklet, prospect intake form, or LP onboarding flow, you supply:

  • Identity and contact: legal name, entity name (for entity investors), date of birth (for individual investors), home or business address, email, phone number, primary contact name.
  • Tax identifiers: Social Security Number (for U.S. individuals) or Employer Identification Number (for entities); foreign tax identifier (for non-U.S. investors completing IRS Form W-8 BEN / W-8 BEN-E).
  • Banking details: bank name, ABA routing number, account number, SWIFT/BIC for international wires, bank mailing address.
  • Accreditation and KYC evidence: net worth attestation, accredited-investor source-of-wealth narrative, government-issued identification, certificate of formation or trust agreement (for entity investors), beneficial-owner certification (for FinCEN compliance).
  • Subscription commitment terms: target commitment amount, currency, payment preference, side-letter provisions where applicable.
  • Authentication credentials: email and password (or magic-link verification) for portal access, and — where enabled — a multi-factor authentication (MFA) enrollment secret.

2.2 Information we generate

  • Capital-account ledger entries: contributions, distributions, allocated profits and losses, capital-call obligations, transfer history.
  • Document records: capital-call notices, K-1 statements, signed subscription agreements, executed amendments and side letters.
  • Audit and consent logs: timestamped records of administrative actions affecting your account, and a record of disclosures you were shown and consents you granted (for example, when connecting a bank account).

2.3 Information collected automatically

  • Authentication and access metadata: timestamps of sign-in, sign-out, password-reset, and magic-link issuance; IP address of the request.
  • Application logs: server-side request logs containing route, status code, and request timing. These logs do not include the contents of any record but may include the route and the timestamp at which it was accessed.
  • Email tracking metadata (where applicable): when capital-call notices and other transactional emails are sent through Resend, our delivery vendor records delivery status and bounce/complaint events.

We do not use third-party advertising cookies or behavioral-advertising trackers on the platform.

2.4 Bank-account information collected via Plaid

If you choose to connect a bank account for transaction import and reconciliation, we use Plaid Inc. ("Plaid") to establish that connection. When you connect an account:

  • You authenticate directly with Plaid and your bank. We never see or store your online-banking username or password.
  • Plaid provides us with an access credential (an "access token") and the bank-account and transaction data scoped to the account you connect — specifically account metadata (institution name, account name, mask/last four, type) and transaction history (date, amount, description). We request only the transactions data scope; we do not request balances, identity, or other Plaid products we do not need.
  • Plaid's collection and use of your information is governed by Plaid's End User Privacy Policy (https://plaid.com/legal/#end-user-privacy-policy). We encourage you to review it.
  • You can disconnect a linked account at any time; on disconnection we instruct Plaid to remove the connection and we delete the stored access credential. Previously imported transactions already used for reconciliation are retained as part of the fund's books and records.

3. How We Use Information

We use personal information only for the following purposes, all of which are necessary to operate the fund or required by law:

1. Fund operations: issuing capital calls, processing contributions and distributions, maintaining the capital account, preparing K-1 statements, executing transfers between LPs, and reconciling bank transactions against capital-call activity.

2. Identity verification and compliance: confirming accreditation, conducting know-your-customer (KYC) checks, complying with anti-money-laundering (AML) obligations and FinCEN beneficial-ownership reporting.

3. Tax reporting: producing and distributing K-1 statements; submitting required information to the U.S. Internal Revenue Service and applicable state authorities; supporting accountants engaged by the fund.

4. Communication: sending capital-call notices, fund updates, deck shares, prospect education materials, transactional account emails (password reset, magic-link, portal welcome).

5. Platform security and integrity: authenticating users (including MFA), detecting anomalous access, maintaining audit logs, fulfilling our patch and vulnerability-management obligations.

6. Legal and regulatory: complying with subpoenas, court orders, regulatory inquiries, and the firm's record-retention obligations under applicable securities and tax law.

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising. We do not use personal information to train machine-learning models that benefit third parties. We do not share personal information with marketing-advertising networks.

4. Third-party Service Providers

We rely on a small number of vetted vendors to operate the platform. Each vendor receives only the data necessary for its specific function, under a written agreement that imposes equivalent privacy and security obligations.

VendorFunctionData shared
VercelApplication hosting, deployment, edge networkAll application traffic, request logs, environment configuration
Neon (Postgres)Primary databaseAll persisted LP, fund, and audit data
Vercel BlobFile storage (subscription documents, K-1 PDFs, decks)Uploaded files and generated PDFs
ResendTransactional email deliveryRecipient email, subject, message body, delivery and bounce events
PlaidBank-account connection and transaction import for reconciliationBank-account metadata and transaction history scoped to the connected account; per Plaid's End User Privacy Policy
AnthropicAI-assisted document review (subscription booklet, fund manager onboarding)Document contents during analysis; not retained by Anthropic per their API terms
AnvilE-signature and form fillingFilled subscription forms, signature, completion timestamp
DocuSign (legacy)Document signing (where used)Signed documents and signature audit trail

We update this list as vendors change. The full vendor inventory and contractual data-processing summaries are maintained internally under the firm's Vendor Management process (Information Security Policy, § 7).

5. Sharing of Information

Beyond the service providers above, we share personal information only:

  • With authorized representatives acting on your behalf (your accountant, attorney, financial advisor) and only when you have authorized that representative in writing.
  • With regulators, tax authorities, and law enforcement when legally required or compelled.
  • With other LPs only to the extent required by the fund's governing documents (typically the limited-partnership agreement) — for instance, when an LP elects to transfer an interest, certain transaction details may be reflected in capital-account statements available to the GP and to the transferring LPs.
  • With successor entities in the event of a merger, acquisition, restructuring, or sale of substantially all of the firm's assets, subject to equivalent privacy obligations.

We do not share personal information for any other purpose.

6. Data Retention

We retain personal information for as long as we have a legitimate operating, legal, tax, or regulatory reason to do so, as set out in the firm's Data Retention and Deletion Policy. In summary:

  • LP subscription and contribution records are retained for the life of the fund and for at least seven years following final fund wind-down, consistent with IRS partnership recordkeeping requirements and SEC investment-adviser recordkeeping standards.
  • Capital-account ledger and K-1 statements are retained indefinitely.
  • Authentication and audit logs are retained for at least seven years.
  • Prospect records (individuals who inquired but did not convert to LP) are retained for up to 24 months from the last activity, after which they may be deleted on request.
  • Subscription document drafts and abandoned booklets are retained for 12 months from last activity, then deleted.
  • Bank-connection access credentials are retained only while a connection is active and are deleted on disconnection or revocation.

7. Your Rights

Subject to applicable law, you have the following rights with respect to personal information about you that we hold:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request that we correct inaccurate or incomplete information.
  • Deletion: request that we delete personal information, subject to our legal obligation to retain certain records (for example, completed subscription documents, capital-account ledger, K-1s).
  • Restriction and objection: request that we limit or stop a specific use of your information.
  • Portability: request a machine-readable copy of information you supplied to us.
  • Withdrawal of consent: where processing is based on consent (for example, a connected bank account), you may withdraw consent at any time by disconnecting the account or contacting us.

To exercise any of these rights, contact us at the address in § 12. We will respond within 30 days. Where we cannot honor a request (for example, because we are required by law to retain the data), we will explain why.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the rights described in § 7 (access, correction, deletion, and to know what we collect and why), and additionally:

  • The right to know the categories of personal information we collect, the purposes, and the categories of third parties with whom we share it — all described in §§ 2–5 above.
  • The right to opt out of sale or sharing: we do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of.
  • The right to non-discrimination for exercising your privacy rights.

Note that personal information processed solely to comply with federal financial-privacy law (GLBA) and information about you in your capacity as an investor may be exempt from certain CCPA provisions; we honor the rights above regardless, to the extent they apply.

9. Security

We protect personal information using technical and organizational measures appropriate to the sensitivity of the data. These include:

  • TLS encryption for all data in transit.
  • Encryption at rest, including AES-256-GCM encryption of especially sensitive fields (such as bank account numbers and Plaid access credentials), in addition to provider-level encryption at Neon (database) and Vercel Blob (file storage).
  • Role-based access control with periodic access reviews (Access Control Policy).
  • Comprehensive audit logging of administrative actions.
  • Vulnerability scanning and a defined Patch SLA (Patch SLA Policy).
  • Defined end-of-life management for software and infrastructure (EOL Software Management Policy).
  • Multi-factor authentication (MFA) on the application, including the console where bank connections are managed.

These measures are described in detail in the firm's internal Information Security Policy.

10. International Transfers

The platform is hosted in the United States. If you access the platform from outside the United States, your information will be transferred to and stored in the United States. By using the platform you understand and consent to this transfer.

11. Children

The platform is not directed to children under 18. We do not knowingly collect personal information from children.

12. Contact

For questions about this Privacy Policy or to exercise any of the rights described in §§ 7–8, contact the firm's privacy contact at privacy@keel.fund. We will route your request to the appropriate owner and respond within 30 days.

13. Changes to this Policy

We will post material updates to this Privacy Policy at keel.fund/privacy and notify LPs by email of any material change at least 30 days before the change takes effect. The "Last updated" date at the top of this policy reflects the most recent revision. While this policy is marked [DRAFT AND SUBJECT TO CHANGE], revisions may be made without prior notice as we finalize it with counsel; the version posted is the version in effect.

Change history

  • 2026-06-02 — Published in draft. Added a dedicated Plaid / bank-connection disclosure (§ 2.4) with a link to Plaid's End User Privacy Policy, a GLBA financial-privacy note (§ 1), a California (CCPA/CPRA) section (§ 8), updated security to reflect field-level encryption and MFA (§ 9), and a privacy contact (§ 12). Marked [DRAFT AND SUBJECT TO CHANGE] pending legal counsel review.
  • 2026-05-27 — Initial internal draft (v0.9). Authored alongside the firm's Plaid compliance attestation work; pairs with the Information Security Policy, Patch SLA Policy, EOL Software Management Policy, and Access Control Policy.