Version 2 · Effective: March 20, 2026 · Published: March 20, 2026
Malcolm
This notice supplements our Privacy Policy and provides additional disclosures required under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and similar state privacy laws in Colorado, Connecticut, Virginia, and other US states.
This notice applies to California residents and residents of other US states with applicable consumer privacy laws whose personal information we process.
Important context: Malcolm is a business-to-business (B2B) SaaS platform. The vast majority of personal information we process falls under the CCPA's B2B exemption (Cal. Civ. Code § 1798.145(n)) — it is collected in the context of a business-to-business transaction where the individual is acting as an employee, owner, director, officer, or contractor of a company. We provide this notice for transparency and to address any personal information that may fall outside that exemption.
In the preceding 12 months, we have collected the following categories of personal information:
| Category (per CCPA § 1798.140(v)) | Examples | Source | Business Purpose |
|---|---|---|---|
| A. Identifiers | Name, email address, IP address, account username | Directly from you; your employer/organisation | Account creation, authentication, support |
| B. Professional or employment information | Job title, company name, role within organisation | Directly from you; your employer/organisation | Providing the service, access control |
| C. Internet or electronic network activity | Browser type, pages viewed, features used, session data | Automatically collected | Service operation, security, debugging |
| D. Geolocation data | Approximate location derived from IP address | Automatically collected | Security monitoring, jurisdiction determination |
| E. Inferences | User preferences, feature usage patterns | Derived from activity on the platform | Service improvement |
We do not collect: Social Security numbers, driver's licence numbers, financial account numbers (we use Stripe for payment processing — we do not store card details), biometric information, or precise geolocation data.
We use personal information for the business purposes described in our Privacy Policy, including:
We do not use personal information for:
We do not sell personal information. We have not sold personal information in the preceding 12 months.
We do not share personal information for cross-context behavioural advertising. We do not engage in targeted advertising or share personal information with advertising networks.
Depending on your state of residence, you may have the following rights:
| Right | Description |
|---|---|
| Right to Know | Request the categories and specific pieces of personal information we have collected about you |
| Right to Delete | Request deletion of personal information we have collected from you |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale/Sharing | We do not sell or share personal information, so this right does not apply in practice |
| Right to Non-Discrimination | We will not discriminate against you for exercising any of these rights |
| Right to Data Portability | Receive your personal information in a portable, readily usable format |
| Right to Limit Use of Sensitive Information | We do not collect sensitive personal information as defined by the CCPA |
You may exercise your rights by:
/updates/We will verify your identity before processing any request. For account holders, we verify identity through your authenticated session. For non-account holders, we may request additional information to verify your identity.
We will respond to verifiable requests within 45 days. If we need additional time (up to 45 more days), we will notify you of the extension and the reason.
Authorised agents: You may designate an authorised agent to submit requests on your behalf. We may require the agent to provide proof of authorisation and may separately verify your identity.
We disclose personal information to service providers and contractors who process it on our behalf under written agreements that restrict their use of the information to the purposes specified in those agreements. A complete list of our subprocessors is available at /legal/subprocessors/.
We retain personal information for as long as necessary to provide the service and fulfil the purposes described in our Privacy Policy and Data Retention Schedule. See our Privacy Policy for detailed retention periods by data category.
Malcolm is a B2B platform for investment professionals. We do not knowingly collect personal information from individuals under 16 years of age. If we learn that we have collected personal information from a child under 16, we will promptly delete it.
We may update this notice to reflect changes in our practices or applicable law. We will post the updated notice on this page with a revised effective date.
For questions about this notice or to exercise your privacy rights:
/updates/ (Support & Docs page)This notice was last updated on [effective date]. It is reviewed quarterly alongside our Privacy Policy.