Privacy Policy

Version 1.0. Last updated: 28 May 2026. Effective: 28 May 2026.

1. Introduction

This Privacy Policy explains how StagTower OÜ (“StagTower”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you visit our websites, join our waitlist, create an account, complete identity verification, invest through our platform, or otherwise interact with us.

StagTower operates a platform for fractional, tokenised ownership of Canadian multifamily residential real estate, offered to eligible investors in the European Economic Area (EEA). Because our service is a regulated financial activity that involves identity verification and anti-money-laundering checks, we process a significant amount of personal data, and we take that responsibility seriously.

We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), the EU ePrivacy regime as transposed into Estonian law (including the Electronic Communications Act), and other applicable Estonian and EU law.

Please read this Policy together with our Cookie Policy, Terms of Service, and any product- or jurisdiction-specific notices we provide to you.

2. Scope

This Policy applies to personal data we process about:

  • visitors to stagtower.com and beam.stagtower.com;
  • waitlist subscribers and recipients of our communications;
  • prospective, current, and former investors and account holders;
  • individuals who contact us or otherwise deal with us.

This Policy does not apply to third-party websites, platforms, or services that we link to or integrate with, which have their own privacy policies.

Eligibility note. Our platform is intended for adults (18 years and over) who are eligible to invest under applicable law. Our offering is structured for EEA retail investors and excludes U.S. persons (Regulation S). We process certain data, including your nationality and country of residence, to enforce these eligibility rules (see Section 7).

3. Who we are and how to contact us

Data controller

StagTower OÜ

Estonian Commercial Register code: 17392300

Registered office: Narva mnt 5, Tallinn 10117, Estonia

General contact: info@stagtower.com

Privacy contact: legal@stagtower.com

For any question about this Policy or about how we handle your personal data, or to exercise your rights, please contact us at legal@stagtower.com or by post at the registered office above, marked for the attention of the Privacy / Data Protection team.

Data Protection Officer (DPO)

We are not required to appoint a Data Protection Officer at this time. You can raise any data-protection question, or exercise your rights, using the privacy contact above.

Supervisory authority

Andmekaitse Inspektsioon

Tatari 39, 10134 Tallinn, Estonia

Tel: +372 6274 135

Email: info@aki.ee

Web: www.aki.ee

You also have the right to lodge a complaint with the supervisory authority in your own EEA country of residence (see Section 17).

4. The personal data we collect

We collect and process the following categories of personal data, depending on how you interact with us.

Identity and verification data — Full name, date of birth, place of birth, nationality, gender (where provided), identity-document details (document type, number, issuing country, and validity dates), national identification or tax numbers, and the outcome of identity-verification checks. Our identity verification is carried out by a specialist provider, Didit, which captures and checks images of your government-issued identity documents and performs biometric “liveness” and facial-matching checks. Those document images and biometric data are processed and stored by Didit acting as our processor; StagTower receives your identity details and the verification result. The biometric element is a special category of data — see Section 4.1.

Contact data — Email address, telephone number, postal/residential address, and country of residence.

Anti-money-laundering (AML) and compliance data — Information gathered to meet our legal obligations, including customer due diligence (CDD) and enhanced due diligence (EDD) information; source-of-funds and source-of-wealth information; politically-exposed-person (PEP) status; sanctions and adverse-media screening results; and risk-assessment records. This may include data relating to alleged or actual criminal offences (for example sanctions matches) handled under strict legal controls.

Eligibility and investor-profile data — Nationality and residence (to confirm eligibility and apply the U.S.-person exclusion), and any suitability/appropriateness information we are required to collect, such as your investment experience, objectives, and acknowledgement of risks.

Financial and transaction data — Bank account or payment details, stablecoin and other payment information, blockchain wallet address(es), token holdings, investment amounts, distribution payments, and transaction history.

Account and platform-usage data — Username and credentials, account settings and preferences, your activity on the platform (offerings viewed, investments made), and records of your interactions with us.

Communications and marketing data — Your marketing preferences and consents, your engagement with our emails and other communications (e.g. opens and clicks), survey responses, and the content of messages you send us.

Technical data — IP address, approximate location derived from IP, device and browser type, operating system, and similar technical identifiers, collected automatically when you use our websites and platform.

4.1 Special categories of data

Identity verification involves biometric facial-matching and liveness detection, and the resulting biometric data is a special category of data under Article 9 GDPR. This biometric processing is performed by our verification provider (Didit) on our behalf and on our instructions, and the biometric data is held in Didit’s systems rather than copied into ours. As the controller that directs this processing, we rely on your explicit consent (Article 9(2)(a)) and/or the substantial public interest in preventing money laundering and fraud as provided by EU and Estonian law (Article 9(2)(g)). We do not otherwise seek to collect special-category data, and we ask you not to provide it to us unless we specifically request it.

5. How we collect your personal data

We collect personal data:

  • Directly from you — when you join the waitlist, register, complete onboarding and verification, make an investment, contact us, or respond to communications.
  • Automatically — through cookies and similar technologies and our analytics tools when you use our websites and platform (see Section 9).
  • From third parties — including our identity-verification, KYC, and screening provider (Didit); sanctions, PEP, and adverse-media databases; payment and blockchain-infrastructure providers; fraud-prevention sources where applicable; and publicly available sources, where this is necessary for verification, compliance, or fraud prevention.

6. Why we use your personal data, and our legal bases

We only process your personal data where we have a lawful basis to do so under Article 6 GDPR (and, for special categories, Article 9). Our main processing purposes and legal bases include:

  • Account management and platform delivery — Performance of a contract (Art. 6(1)(b))
  • Identity verification and KYC/CDD/EDD — Legal obligation (Art. 6(1)(c)); explicit consent for biometrics (Art. 9(2)(a))
  • Sanctions, PEP, and adverse-media screening — Legal obligation (Art. 6(1)(c))
  • Eligibility confirmation — Legal obligation (Art. 6(1)(c)); contract (Art. 6(1)(b))
  • Processing investments and distributions — Performance of a contract (Art. 6(1)(b))
  • Fraud prevention and platform security — Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))
  • Marketing to prospective investors — Consent (Art. 6(1)(a))
  • Marketing to existing investors — Legitimate interests (Art. 6(1)(f))
  • Analytics and service improvement — Legitimate interests (Art. 6(1)(f))
  • Legal, regulatory, and tax compliance — Legal obligation (Art. 6(1)(c))
  • Legal claims — Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have carried out a balancing assessment to confirm that our interests are not overridden by your rights and freedoms. You can ask us for more information about that assessment at any time.

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Marketing and communications

We want to keep you informed about StagTower and the opportunities available through our platform. Depending on your relationship with us and the permissions you have given, we may send you news, announcements of new property offerings, educational content, invitations to events, and personalised recommendations.

Prospective investors and waitlist subscribers: We send marketing on the basis of your consent, which you give when you join our waitlist or subscribe.

Existing or former investors: We may send marketing about our own similar products and offerings on the basis of our legitimate interest. You can object at any time.

Personalisation: We may analyse information such as offerings you have viewed, your preferences, and engagement to tailor communications. This does not produce legal or similarly significant effects.

Advertising and audiences: Where you have given consent through our cookie banner, we may share online identifiers with advertising platforms to show you StagTower advertising and identify similar audiences.

Staying in control: You can click unsubscribe in any email, adjust preferences in your account settings, or contact us at legal@stagtower.com. Opting out of marketing does not affect your ability to use the platform.

8. Profiling and automated decision-making

We use some automated processing for identity and AML screening, eligibility checks, and fraud/risk scoring. Where this amounts to a decision based solely on automated processing that produces legal or similarly significant effects, you have the right to obtain human intervention, express your point of view, and contest the decision. Contact us at legal@stagtower.com.

9. Cookies, analytics, and online tracking

We use cookies and similar technologies on our websites:

  • Strictly necessary technologies that make the site work (security, session management, cookie choices). These do not require consent.
  • Analytics — we currently use Plausible, a privacy-friendly, cookieless analytics tool that measures aggregate website usage without tracking you across sites.
  • Marketing and advertising technologies deployed only with your consent.

We ask for your consent to non-essential cookies through a cookie banner. You can change your preferences at any time. For full details, please see our Cookie Policy.

10. Who we share your personal data with

We share personal data only where necessary and with appropriate safeguards. Recipients include:

  • Identity-verification, KYC, and screening providers — in particular Didit, acting as our processor.
  • Blockchain and tokenisation infrastructure providers — for ERC-3643 compliant token issuance and administration.
  • Payment and stablecoin providers — including Circle, for EURC/USDC settlement.
  • Property-holding entities and managers — our Canadian SPVs and professional property managers.
  • Professional advisers — lawyers, auditors, accountants, bound by confidentiality.
  • Authorities and regulators — where required by law.
  • Hosting infrastructure (Railway) — cloud hosting in the Netherlands (EEA), acting as our processor.
  • Email marketing (Brevo) — waitlist, subscriber lists, and communications, acting as our processor within the EU.
  • Business email (Fastmail) — corporate mailboxes, acting as our processor.

11. International transfers

Some personal data is transferred outside the EEA:

  • Canada — benefits from an EU adequacy decision for PIPEDA recipients.
  • United States — via the EU–U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs).
  • Didit — established in the EEA (Spain); transfers to sub-processors outside the EEA protected by adequacy decisions or SCCs.
  • Fastmail — established in Australia with servers in the US; transfers under SCCs with supplementary measures.
  • Railway — data stored in the Netherlands (EEA); US-based entity access covered by SCCs.

You can request a copy of the relevant safeguards by contacting legal@stagtower.com.

12. Blockchain and the public ledger

Our platform issues tokens on the Avalanche C-Chain. Important consequences:

  • Wallet addresses, token holdings, and transaction records are written to a public, distributed ledger.
  • Blockchain data is permanent and publicly visible and generally cannot be altered or deleted.
  • Wallet addresses are pseudonymous but can be linked to you through our off-chain records.

Your rights to erasure and rectification cannot apply to data already recorded on the blockchain (see Section 14). We minimise what we write on-chain and keep identity/KYC data off-chain.

13. Data security

We implement appropriate technical and organisational measures to protect your personal data, including access controls, encryption, segregation of sensitive data, secure development practices, logging, vendor due diligence, and staff confidentiality obligations.

If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate without undue delay (within 72 hours where required), and notify you where the law requires.

14. How long we keep your personal data

  • KYC, AML, and transaction records — at least 5 years after end of relationship, up to 10 years where required.
  • Biometric data (Didit) — retained to match our AML retention period, then deleted.
  • Accounting and tax records — 7 years.
  • Account and platform data — duration of relationship plus a reasonable period, subject to AML/accounting periods.
  • Marketing data — while consent or legitimate interest subsists; minimal suppression list maintained after opt-out.
  • Analytics data — brief and aggregate only.
  • Blockchain data — permanent by design.

15. Your rights

Subject to GDPR conditions and exceptions, you have the right to:

  • Access — obtain confirmation and a copy of your data
  • Rectification — have inaccurate data corrected
  • Erasure — have data deleted in certain circumstances
  • Restriction — limit our processing in certain circumstances
  • Data portability — receive data in a machine-readable format
  • Object — object to processing based on legitimate interests, and absolutely to direct marketing
  • Withdraw consent at any time
  • Not be subject to solely automated decisions (see Section 8)
  • Lodge a complaint with a supervisory authority (Section 17)

Important limits: We may be legally required to retain data (AML/accounting law); we cannot erase blockchain data (Section 12); AML law may limit access rights and prohibit disclosure of certain reports.

To exercise any right, contact legal@stagtower.com. We will respond within one month.

16. Children

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

17. Complaints

If you have a concern, please contact us first at legal@stagtower.com.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn; info@aki.ee; www.aki.ee), or the supervisory authority in your EEA country of residence.

18. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you by email or through the platform.

19. Governing law

This Policy and any matter relating to the processing of your personal data by StagTower are governed by Estonian law and by directly applicable EU law, including the GDPR, without prejudice to any mandatory protections available to you under the law of your EEA country of residence.

StagTower OÜ — Estonian Commercial Register code 17392300.