Request a meeting
Legal

Privacy Policy

Effective Date, Last Updated and Publication Date: April 18, 2026

This Privacy Policy describes how Proven Financials, Inc. ("PROVEN," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our website at www.provenfinancials.com (the "Site") and the services we provide to institutional clients (collectively, the "Services").

PROVEN is a Delaware C Corporation with its principal place of business at 15210 Fitzhugh Road, Austin, Texas 78736, United States.

We respect the sensitivity of the information we handle. The substance of our business is the independent reconstruction of financial records for institutional investors, and the discipline we apply to our clients' data is reflected in how we treat any information we collect through the Site or in the course of our engagements.

1. Two distinct contexts for this Policy

This Policy applies in two distinct contexts, and the rules differ meaningfully between them.

Website visitor data. Information we collect from visitors to the Site — for example, when someone submits a contact form or when our servers log an HTTP request. For this information, PROVEN is the data controller.

Client engagement data. Financial and transactional information that a client provides to us, or authorizes us to access, in the course of a PROVEN engagement. For this information, the client is the data controller and PROVEN acts as a data processor. The rules governing this information are primarily set out in the Data Processing Agreement (the "DPA") that governs the engagement. This Policy describes our practices generally; the DPA controls in the event of any conflict.

2. Information we collect

Information you provide through the Site. When you submit a form on the Site — for example, the contact form on the home page or the publication-notification form on the Resources page — we collect the information you provide. This typically includes your name, work email address, firm name, professional role, optional AUM tier, and the content of your message.

Information collected automatically. When you visit the Site, our hosting infrastructure automatically logs certain technical information, including your IP address, browser type and version, operating system, the pages you visit, referring URLs, and timestamps. This information is used for security, diagnostic, and aggregated analytics purposes.

Information collected through engagements. In the course of a PROVEN engagement, we receive or access financial information — bank statements, payment records, transaction-level data, and related documentation — that our client has authorized us to process for the purpose of financial reconstruction and reconciliation. The specific categories, purposes, and permitted uses of this information are governed by the engagement's DPA.

Information we do not collect. We do not use advertising cookies, we do not sell personal information to third parties, and we do not knowingly collect biometric information, precise geolocation data, or special categories of data through the Site.

3. How we use information

We use information we collect for the following purposes:

To respond to inquiries. We use information you provide through the Site to respond to your inquiry, provide information you have requested, and follow up as appropriate.

To operate and secure the Site. We use automatically collected technical information to operate the Site, diagnose problems, prevent abuse, and protect the security of our infrastructure.

To deliver our Services. We use client engagement data strictly for the purposes set out in the applicable DPA — namely, the independent reconstruction and reconciliation of financial records for the client's benefit.

To comply with legal obligations. We may use information to comply with applicable laws, regulatory requirements, and lawful requests from public authorities.

To communicate about our work. If you have opted in to receive publication notifications, we will use your email address to notify you when the relevant publication is released.

4. Legal bases for processing (EEA / UK visitors)

For individuals in the European Economic Area or the United Kingdom, we process personal data on the following legal bases under the General Data Protection Regulation (the "GDPR") and the UK GDPR:

Legitimate interests. We rely on our legitimate interest in operating a secure business website, responding to institutional inquiries, and communicating with prospective counterparties, where these interests are not overridden by your rights and freedoms.

Consent. Where required by law, we process personal data on the basis of your consent — for example, when you opt in to receive publication notifications. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Performance of a contract. We process information as necessary to perform our obligations under client engagements.

Legal obligation. We process information as necessary to comply with legal obligations to which we are subject.

5. Sharing and disclosure

We do not sell personal information. We disclose information only in the limited circumstances described below.

Service providers and sub-processors. We rely on a limited set of vetted service providers to operate the Site and deliver our Services. Each is bound by contractual confidentiality and data-protection obligations appropriate to the information they process. Our current sub-processors include:

Amazon Web Services, Inc. (United States) — cloud infrastructure, compute, storage, and data processing.
Google LLC (United States) — web font delivery via Google Fonts.
Microsoft Corporation (United States) — business email and productivity services via Microsoft 365.
Netlify, Inc. (United States) — website hosting, form submission capture, content delivery, and security.

Business transactions. If PROVEN is involved in a merger, acquisition, financing, or sale of all or substantially all of its assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.

Legal and regulatory compliance. We may disclose information if required by law, subpoena, court order, or other lawful request, or if we believe disclosure is necessary to protect our rights, the rights of others, or the integrity of our Services.

With your consent. We disclose information for other purposes only with your consent.

6. International data transfers

PROVEN is based in the United States, and certain of our sub-processors are located in the United States or other jurisdictions. Where personal data originating in the EEA, United Kingdom, or Switzerland is transferred to a jurisdiction that has not received an adequacy decision, we rely on appropriate safeguards for such transfers, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable.

7. Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, satisfy our legal and regulatory obligations, resolve disputes, and enforce our agreements.

General retention periods:

Contact-form submissions — retained for twenty-four (24) months from the date of submission, unless an active engagement or discussion is in progress.
Publication-notification email addresses — retained until withdrawal of consent or until notification is provided, whichever is earlier.
Server logs — retained for ninety (90) days for security and diagnostic purposes.
Client engagement data — retained in accordance with the applicable DPA and the client's documented instructions.

8. Your rights

Depending on your jurisdiction, you may have the following rights with respect to personal data we hold about you:

Access and portability. The right to request a copy of the personal data we hold about you, and to receive it in a structured, commonly used, machine-readable format where applicable.

Correction. The right to request correction of inaccurate or incomplete personal data.

Deletion. The right to request deletion of your personal data, subject to our legitimate grounds for continued processing.

Restriction and objection. The right to restrict or object to certain processing of your personal data.

Withdrawal of consent. Where processing is based on consent, the right to withdraw consent at any time.

Complaint to a supervisory authority. The right to lodge a complaint with the data protection authority in your jurisdiction.

To exercise any of these rights, contact us using the information in Section 13 below. We will respond within the time periods required by applicable law.

For California residents. The California Consumer Privacy Act and the California Privacy Rights Act provide additional rights, including the right to know what personal information we collect, disclose, or sell; the right to request deletion; the right to correct inaccurate information; and the right to non-discrimination for exercising these rights.

9. Cookies and similar technologies

The Site uses a minimal set of cookies and similar technologies.

Strictly necessary. Cookies required for the Site to function — for example, to maintain form submission state and protect against cross-site request forgery. These cannot be disabled.

We do not use advertising cookies or cross-site tracking cookies. You can configure your browser to refuse cookies or to alert you when cookies are being sent; note that some Site features may not function properly if cookies are disabled.

10. Security

PROVEN is built on institutional-grade cloud infrastructure with encryption in transit and at rest, tenant isolation, and full access logging. Our security posture and certifications roadmap are described in detail on our Trust & Security page at www.provenfinancials.com/trust.html.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. Affected individuals will be notified where required by applicable law.

11. Children

The Site and Services are directed to institutional and professional audiences. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe we have inadvertently collected such information, please contact us and we will take appropriate steps to delete it.

12. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date above. Material changes will be communicated through the Site or, where appropriate, by direct notice to affected individuals. Your continued use of the Site following any update constitutes acceptance of the revised Policy.

13. Contact us

Questions about this Policy, requests to exercise your rights, or any other privacy-related inquiries should be directed to:

Proven Financials, Inc.
Attn: Legal & Privacy
15210 Fitzhugh Road
Austin, Texas 78736, United States
legal@provenfinancials.com

For matters related to a specific PROVEN engagement, please also refer to the DPA governing that engagement.