← Back to main

Privacy Policy

Effective Date: January 2026

1. Scope

This Privacy Policy ("Policy") governs the collection, use, storage, and protection of information by Langar Technology, Inc. ("Langar," "we," or "us") in connection with the LAN.Q platform ("Platform"), an AI-powered portfolio intelligence and analytics platform for Registered Investment Advisers, hedge funds, family offices, and asset managers (each, a "Client"). This Policy applies to all data processed through the Platform, including Portfolio Data, Account Information, and Technical Data as defined below. This Policy does not govern data practices of third parties, including Client's own data handling obligations to their end investors. Addendum A addresses additional provisions applicable to Retail Users — individuals who create personal accounts to analyze their own portfolios. Addendum B contains Langar's Model Risk and AI Governance Disclosure, which applies to all users.

2. Definitions

"Aggregated Data" means data derived from Portfolio Data of multiple Clients that has been anonymized using industry-standard techniques including k-anonymization with a minimum threshold of five contributing portfolios, such that no individual Client, portfolio, adviser, or end investor can be identified or re-identified from the output. Aggregated Data is not Portfolio Data.

"Account Information"means the credentials, contact information, and access configurations associated with a Client's Platform account, including administrator and Authorized User names, email addresses, and role assignments.

"Authorized User"means any individual or individuals designated by Client to access the Platform under Client's subscription.

"Client Data" means Portfolio Data and Account Information, collectively.

"Output" means the analytical results, reports, classifications, exposure analyses, and other information generated by the Platform from Portfolio Data.

"Platform" means the LAN.Q portfolio intelligence and analytics platform operated by Langar, including all associated software, models, interfaces, and documentation.

"Portfolio Data" means portfolio holdings, position-level data, asset allocations and exposures, transaction history (where provided by Client), account type designations as included in custodian-generated export files, and partial account identifiers as masked by the custodian.

"Technical Data" means IP addresses, device and browser information, session timestamps, access logs, and cookies or similar technologies used for Platform security and functionality.

3. Information We Collect and Why

3.1 Portfolio Data.

Clients submit Portfolio Data to the Platform for analysis. This data is collected solely to deliver the Platform's analytical services — generating portfolio analytics, exposure diagnostics, classification intelligence, and risk assessments.

3.2 Account Information.

We collect Account Information to create and maintain Client accounts, authenticate Authorized Users, and manage access permissions.

3.3 Technical Data.

We collect Technical Data automatically when Authorized Users access the Platform. This data is used to maintain Platform security, detect unauthorized access, troubleshoot issues, and generate usage analytics for Platform improvement.

3.4 Communications.

We retain records of Client communications with Langar support for quality assurance, dispute resolution, and compliance purposes.

3.5 What We Do Not Collect.

Langar does not request or require: full names of Client's end investors, physical or mailing addresses, email addresses of end investors, Social Security numbers or government-issued identifiers, or full unmasked account numbers. If a Client uploads a file containing any of these data elements, the Platform will detect and automatically strip or mask such information upon ingestion and will notify the Client. Langar will treat any such data as nonpublic personal information ("NPI") under Regulation S-P and apply NPI-level protections until it is confirmed that the data has been fully removed.

4. How We Use Data

Langar uses Client Data exclusively for the following purposes, and no others:

  • Delivering, operating, and maintaining the Platform and generating Output for Client;
  • Providing technical support in response to Client requests;
  • Maintaining Platform security, preventing unauthorized access, and detecting fraud;
  • Complying with applicable legal and regulatory obligations, including responding to lawful subpoenas, court orders, and regulatory examinations;
  • Creating Aggregated Data for product improvement and industry benchmarking, subject to the anonymization standards defined in Section 2.

Langar does not sell Client Data. Langar does not share Client Data with third parties for marketing, advertising, or any commercial purpose unrelated to delivering the Platform. Langar does not use Client Data to trade securities or to benefit any other client at the expense of any Client. Langar does not use Portfolio Data to train third-party AI models. Langar may use Portfolio Data to train, fine-tune, or improve Langar's own proprietary models solely for the purpose of enhancing Platform functionality and analytical quality. Such use is subject to the data retention provisions in Section 7.4.

5. How We Protect Data

Langar maintains a written information security program reviewed and updated at least annually, consistent with the GLBA Safeguards Rule. The program includes:

5.1 Encryption.

All Client Data is encrypted at rest and in transit using industry-standard encryption protocols.

5.2 Access Controls.

Access to Client Data is restricted by role-based controls on a least-privilege basis. All personnel with access to Client Data are required to use multi-factor authentication. Access is logged and monitored.

5.3 Personnel.

All Langar personnel with access to Client Data are bound by written confidentiality obligations that survive termination. Personnel with access to Client Data undergo background checks and complete security training upon hire and annually thereafter.

5.4 Vendor Security.

All third-party processors with access to Client Data are bound by written data protection agreements incorporating security requirements no less protective than those in this Policy and the Data Processing Addendum. Langar conducts due diligence on processor security practices prior to engagement and monitors compliance on an ongoing basis.

5.5 Incident Response.

Langar maintains a documented incident response program. Details of breach notification procedures are provided in Section 6.

5.6 Testing.

Langar conducts annual penetration testing and security assessments of the Platform. Results are documented and remediation is tracked to completion.

6. Breach Notification

In the event of a security incident involving unauthorized access to, acquisition of, or disclosure of Client Data:

6.1 Assessment.

Langar will complete its initial assessment within 48 hours of becoming aware of the potential incident.

6.2 Notification.

If Langar becomes aware of a breach involving unauthorized access to a customer information system maintained by Langar, Langar will notify affected Clients as soon as possible, but no later than 72 hours after becoming aware of the breach. This timeline aligns with the service-provider notification requirement under the 2024 amendments to Regulation S-P and is designed to support Client's ability to meet its own 30-day individual notification obligation.

6.3 Content of Notice.

Notification will include, to the extent then known: the nature of the incident, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed to contain and remediate the incident.

6.4 Cooperation.

Langar will cooperate with affected Clients in investigating the incident, mitigating harm, and fulfilling Client's own regulatory notification obligations, including the 30-day customer notification requirement under the 2024 amendments to Regulation S-P.

6.5 Written Report.

Within seven calendar days of the determination, Langar will provide a written incident report describing the root cause (if determined), the scope of the breach, the remediation completed, and the steps taken to prevent recurrence.

7. Data Retention

7.1 Active Accounts.

Langar retains Client Data for the duration of the service relationship and for the period specified in the applicable subscription agreement or Data Processing Addendum.

7.2 Post-Termination.

Upon termination of the service relationship, Langar returns Client Data in standard machine-readable format within 30 days. Langar retains Sensitive Client Data (including Account Information, access credentials, and identifiable portfolio records) for a period of one (1) year following termination, after which such Sensitive Client Data is permanently deleted. During the retention period, Sensitive Client Data remains subject to all security and access controls described in Section 5.

7.3 Anonymized Data Retention.

Portfolio Data uploaded to the Platform is assimilated into Langar's analytical systems in anonymized form, consistent with the anonymization standards defined in Section 2 (Aggregated Data). Once anonymized, such data is retained permanently to support ongoing analytics, benchmarking, and product improvement. Anonymized data cannot be re-identified to any individual Client, adviser, or end investor and is not subject to the deletion obligations in Section 7.2.

7.4 Model Training Data.

To the extent Portfolio Data has been used to train, fine-tune, or improve Langar's own proprietary models prior to termination, the model weights and parameters derived from such training are retained by Langar. Langar does not extract or reverse-engineer individual Client Data from trained models. Raw Portfolio Data used as training input is subject to the retention and deletion schedules in Sections 7.2 and 7.3. For clarity, this Section applies only to Langar's own models; third-party AI providers remain prohibited from using Portfolio Data for model training as described in Sections 4 and 9.

7.5 Regulatory Retention.

Where applicable law requires retention beyond the periods specified in this Section — including SEC recordkeeping requirements and state data retention laws — Langar retains the minimum data required for the minimum period required by law.

7.6 Backups.

Backup copies retained for disaster recovery are purged within 30 days following deletion of the corresponding primary data under this Section.

8. Your Rights

8.1 CCPA/CPRA Rights.

To the extent Client Data constitutes personal information under the CCPA/CPRA, Clients and their authorized agents have the right to: know what personal information is collected and how it is used; request deletion of personal information; request correction of inaccurate personal information; opt out of the sale of personal information (Langar does not sell personal information, but Clients may submit this request at any time); and limit the use of sensitive personal information. Langar will respond to verified requests within 45 days.

8.2 GDPR Rights.

To the extent GDPR applies to any data subjects whose data is processed through the Platform, such data subjects have the right to access, rectification, erasure, restriction of processing, data portability, and objection. Langar will assist Client in responding to data subject requests within timeframes that permit Client to meet its own regulatory obligations.

8.3 GLBA Rights.

Langar does not share NPI with nonaffiliated third parties except as permitted by GLBA and Regulation S-P. Clients may direct Langar to limit information sharing at any time.

8.4 How to Exercise Rights.

To exercise any right under this Section, contact: privacy@langartech.com

9. Third-Party Processors

Langar engages the following categories of third-party processors in connection with the Platform:

  • Cloud infrastructure providers for hosting and data storage;
  • AI analytics providers for model inference and portfolio classification;
  • Security monitoring providers for threat detection and incident response;
  • Operational support providers for logging and customer support tooling.

All processors are bound by written data protection agreements that: restrict processing to the purposes specified in this Policy; require security measures no less protective than Langar's own; prohibit processors from using Client Data for their own purposes, including model training; and require processors to delete Client Data upon termination of the processing relationship. AI model inference is performed under agreements that contractually prohibit the use of Client Data for model training, fine-tuning, or any purpose other than inference in connection with the Platform.

Langar provides its current processor list at contract execution and upon request. Langar provides 30 days advance written notice before adding or materially changing any processor. Client has the right to object to any new processor; if the objection cannot be resolved within 30 days, Client may terminate the subscription without penalty. The Data Processing Addendum contains detailed processor management provisions.

10. International Data Transfers

Client Data is stored and processed in the United States. Langar does not transfer Client Data outside the United States without Client's prior written consent and the implementation of appropriate safeguards, including Standard Contractual Clauses (Module 2: Controller to Processor) where required under GDPR. If transfer becomes necessary, Langar will notify Client in advance and execute any required transfer mechanism before the transfer occurs.

11. Contact and Governance

Privacy Contact: Langar Technology, Inc., Attn: Privacy Officer, Email: privacy@langartech.com

Langar's Privacy Officer is responsible for overseeing compliance with this Policy, responding to privacy inquiries, and coordinating with Client's compliance and legal teams on data protection matters. Where a Data Protection Officer is required under GDPR, the Privacy Officer serves in that capacity.

For concerns that are not resolved through Langar's Privacy Officer, Clients may raise complaints with the applicable supervisory authority.

12. Policy Updates

Langar may update this Policy to reflect changes in law, regulation, or Platform functionality. Material changes — defined as changes that expand Langar's data use rights, reduce Client protections, or alter breach notification obligations — will be communicated to Clients at least 30 days before taking effect and require affirmative written consent from Client before becoming effective. Non-material changes will be communicated through the Platform and take effect upon posting. The version number and effective date at the top of this Policy reflect the most recent revision.

13. Regulatory Applicability

This Policy and Langar's information security program are designed to satisfy the requirements applicable to service providers under both the SEC-regulated investment adviser framework and the FINRA-regulated broker-dealer framework. This section identifies the specific regulatory provisions that govern Langar's obligations to each client type.

13.1 All Clients.

Langar's security program is designed to comply with: the GLBA Safeguards Rule, 16 C.F.R. Part 314, as amended effective June 9, 2023; SEC Regulation S-P, 17 C.F.R. Part 248, including the Privacy Rule, the Safeguards Rule, and the 2024 amendments to the Disposal Rule and breach notification requirements (Release No. 34-100155, adopted May 16, 2024, effective August 2, 2024, with compliance dates of December 3, 2025 for larger covered institutions and June 3, 2026 for smaller entities); and the NIST Cybersecurity Framework 2.0 as a reference standard for security program design. Langar acts as a nonaffiliated third-party service provider under the Regulation S-P service-provider exception, 17 C.F.R. § 248.13, processing Client Data solely to provide the Platform.

13.2 Registered Investment Advisers.

For RIA Clients registered with the SEC or a state securities authority, Langar's obligations under this Policy and the Data Processing Addendum are designed to support Client's compliance with: SEC Regulation S-P (privacy notices, safeguards, and breach notification); the SEC's examination expectations for vendor oversight as articulated in OCIE Risk Alerts; and applicable state investment adviser regulations governing third-party service provider relationships. RIA Clients subject to Regulation S-P's annual privacy notice requirement should include their relationship with Langar in those notices, consistent with 17 C.F.R. § 248.6.

13.3 Broker-Dealers.

For broker-dealer Clients registered with FINRA, Langar's obligations under this Policy and the Data Processing Addendum are additionally designed to support Client's compliance with: FINRA Rule 3110 (Supervision), including the obligation to supervise third-party service providers who perform functions related to the member's business; FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), to the extent Langar's business continuity commitments support Client's own BCP requirements; FINRA Notice to Members 05-48, which establishes the framework for outsourcing activities to third-party service providers, including the requirement for written agreements, due diligence, and ongoing monitoring; and SEC Regulation BI, 17 C.F.R. § 240.15l-1, to the extent that LAN.Q outputs do not constitute "recommendations" triggering best interest obligations — a position supported by the analytical, non-advisory nature of the Platform as described in Section 1 and the Terms of Service.

13.4 Client Responsibility.

Each Client is responsible for determining whether its use of LAN.Q satisfies its own regulatory obligations, including any required disclosures to its customers or investors, and for maintaining Langar's agreements as part of its vendor oversight program consistent with applicable SEC, FINRA, and state regulatory requirements. Langar will cooperate with Client's compliance inquiries and regulatory examinations as described in the Data Processing Addendum.

ADDENDUM A — RETAIL USERS

(Applies to individuals who create a personal account on LAN.Q to analyze their own investment portfolio.)

A.1 Scope and Applicability

Sections 1 through 12 of this Policy apply to all users, including Retail Users. This Addendum supplements those sections with provisions specific to Retail Users. Where this Addendum conflicts with the core Policy on matters specific to Retail Users, this Addendum controls. Terms not defined in this Addendum have the meanings given in the core Policy. For purposes of this Addendum, "you" and "your" refer to the individual Retail User.

A.2 Eligibility

LAN.Q is available to Retail Users who are eighteen (18) years of age or older. By creating an account, you represent that you meet this requirement. Langar does not knowingly collect personal information from individuals under 18. If Langar becomes aware that a Retail User is under 18, Langar will close the account and delete all associated data. If you believe a minor has created an account, contact us at privacy@langartech.com.

A.3 Information We Collect from Retail Users

In addition to Portfolio Data and Technical Data described in Section 3, Retail Users provide: (a) Registration Information — name, email address, and password — to create and authenticate the account; (b) Payment Information — for subscription billing, collected and processed by a third-party payment processor (Langar does not store full payment card numbers); and (c) Brokerage Connection Credentials — where supported, credentials or tokens to facilitate direct portfolio data import, stored in encrypted form and used solely to retrieve portfolio data.

Because Retail Users are the subjects of their own Portfolio Data, that data constitutes nonpublic personal information ("NPI") under Regulation S-P and is subject to the full protections of that regulation and applicable state law.

Where custodian-generated export files contain full, unmasked account numbers, LAN.Q automatically truncates to the last four digits upon ingestion. Full account numbers are not retained, displayed, or used in any analytics. Retail Users' names as embedded in custodian export files are stripped and anonymized upon ingestion. The name is used solely for initial account association, after which it is removed from the portfolio dataset. The underlying portfolio data, once anonymized, remains available for analytics and may be included in aggregated peer group outputs in accordance with Section 4. No name or personal identifier is included in any aggregated, de-identified, or peer group output.

A.4 Regulation S-P Privacy Rights

As a Retail User, you are a "customer" under Regulation S-P and are entitled to:

  • Annual Privacy Notice. Langar will provide a clear and conspicuous privacy notice at account opening and annually thereafter describing our information practices and your opt-out rights. This Policy constitutes the initial privacy notice. Annual notices will be delivered by email and confirmed through an in-app acknowledgment.
  • Opt-Out Right. You have the right to opt out of Langar sharing your NPI with nonaffiliated third parties for purposes other than those permitted by law. To exercise this right, contact us at privacy@langartech.com or use the opt-out mechanism in your account settings. Opt-out requests will be honored within 30 days.

A.5 State Privacy Rights

Depending on your state of residence, you may have additional rights, including the right to know what personal information is collected, to request deletion or correction, and to opt out of sale or sharing. These rights apply to residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive consumer privacy statutes. To exercise any state privacy right, submit a verifiable request to us at privacy@langartech.com. We will respond within 45 days, with a single 45-day extension if necessary. For California residents: to the extent your personal information constitutes NPI under GLBA, the GLBA framework governs and certain CCPA rights may not apply.

A.6 Cookies and Tracking

LAN.Q uses essential cookies necessary for platform security and functionality. Langar does not use third-party advertising cookies or cross-site tracking technologies. A detailed description of cookie practices is available in the Cookie Policy at /cookie-consent.

A.7 Breach Notification for Retail Users

In the event of a security incident involving your NPI, Langar will notify you within 30 days of discovering the incident, consistent with the 2024 amendments to Regulation S-P. Notification will be sent to the email address associated with your account and will describe the nature of the incident, the information involved, and the steps Langar is taking to protect you.

A.8 Account and Data Deletion

You may access, correct, or update your account information at any time through your account settings. To request deletion of your account and all associated data, contact us at privacy@langartech.com. Langar will confirm deletion within 30 days of a verified request, subject to any retention required by applicable law. Upon account deletion, your Portfolio Data is removed from all analytics and peer group calculations.

A.9 No Investment Advice

LAN.Q provides analytical tools to support your understanding of your own portfolio. Nothing in the Platform constitutes investment advice, a recommendation to buy or sell any security, or a solicitation to engage in any investment strategy. You are solely responsible for your investment decisions. If you need investment advice, consult a licensed financial professional.

A.10 Data Segregation

Institutional User Portfolio Data and Retail User data are maintained in logically segregated environments. No identifiable Institutional User data is accessible to Retail Users, and no identifiable Retail User data is accessible to Institutional Users. Langar may include fully anonymized, de-identified data from both user types in the same aggregated peer group cohorts used to generate benchmarks, provided that: (a) no output identifies any individual user, adviser, firm, or client; (b) peer group cohorts contain no fewer than five contributing portfolios; and (c) the peer group function is governed by the use restrictions in Section 4.

ADDENDUM B — MODEL RISK AND AI GOVERNANCE DISCLOSURE

(Applies to all users. Addresses model validation, monitoring, change notification, and limitations of AI-generated outputs.)

B.1 Purpose and Scope

This Addendum describes Langar's approach to model governance for the AI-assisted analytics engine that powers LAN.Q. It supports Institutional Users' model risk management programs, including programs informed by OCC Bulletin 2011-12, Federal Reserve SR Letter 11-7, and analogous SEC and FINRA guidance on the use of automated analytical tools in financial services.

B.2 Model Description

LAN.Q uses AI-assisted classification and analytics models to analyze portfolio holdings and generate insights related to risk concentration, sector and thematic exposure, and portfolio-level characteristics. Models process structured financial data (tickers, weights, account types, and derived metrics) and do not process unstructured text or personal identifiers as model inputs. Model outputs are probabilistic estimates and analytical classifications, not deterministic conclusions.

B.3 Model Validation

Langar subjects its core analytics models to internal validation prior to deployment and following material changes. Validation includes back-testing against historical portfolio data, stress-testing against edge-case inputs, and review of output distributions for consistency. Validation results are documented and maintained as part of Langar's model inventory. A summary of the validation approach is available upon written request as part of vendor diligence.

B.4 Model Monitoring and Drift

Langar monitors deployed models for output quality, distribution shift, and performance degradation on an ongoing basis. Monitoring includes periodic review of output distributions against validation benchmarks and automated alerting for anomalous patterns. Where material drift is detected, Langar will remediate and notify affected Institutional Users.

B.5 Model Change Notification

Langar will provide Institutional Users with at least 30 days' advance written notice before deploying material changes to the core analytics models that could affect the nature, scope, or reliability of outputs. Non-material changes (parameter tuning, minor classification refinements) are communicated in release notes. Users who rely on Output in client-facing materials or regulatory filings should maintain their own process for reviewing model change notifications.

B.6 Model Limitations and User Responsibility

AI-generated outputs are subject to inherent limitations, including sensitivity to input data quality, potential for classification errors, and inability to account for real-time market conditions or idiosyncratic characteristics not reflected in historical data. Outputs should be treated as one input into a broader analytical process, not as the sole basis for investment decisions, client recommendations, or regulatory filings. Users retain full responsibility for decisions made using Output. Langar does not warrant the accuracy, completeness, or fitness for any particular purpose of any model output.

B.7 Third-Party AI Components

Third-party AI model inference services used by the Platform are disclosed in Langar's sub-processor list (DPA Schedule 1). Portfolio Data submitted to third-party AI services is processed solely for generating Output and is subject to the data protection obligations described in Section 9 and the DPA. Langar does not permit third-party AI providers to use Portfolio Data for model training, fine-tuning, or any purpose other than inference.