Privacy notice

How we handle your personal data.

Version 1.0. Last updated 2026-05-28. Applies to visitors of this landing page and recipients of the expression-of-interest (EOI) form.

This privacy notice explains what personal data we collect when you interact with this landing page or submit an expression of interest, why we collect it, how long we keep it, and what rights you have under the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG).

Plain language is used throughout. If anything is unclear, please contact us at the email address at the bottom of this notice.

Relationship to the parent group privacy statement. This notice is a surface-specific supplement to the parent Sirrapa Group privacy statement at sirrapagroup.com/privacy. For activity on this landing page we follow a more restrictive practice than the parent statement (no analytics, no advertising tags, no payment data collected here). Where this notice is silent, the parent statement applies.

1. Who is the data controller

The data controller for personal data collected via this landing page is currently Sirrapa Group Holding B.V., the Dutch parent company of the Sirrapa group.

KVK number: 84669837
Registered address: De Praam 15, 1747 TK Tuitjenhorn, the Netherlands
Telephone: +31 628 776 963
Contact for data-protection matters: Armand Parris. armand.parris@sirrapagroup.com. Named as Functionaris Gegevensbescherming in the parent group privacy statement.

SRET B.V. (working name. [Brand name pending trademark registration]) will become an additional or successor controller once it is incorporated and the platform raise closes. This notice will be updated accordingly.

2. What personal data we collect

We collect only what you submit voluntarily through the expression-of-interest (EOI) form or by emailing us, plus minimal technical state stored in your own browser. We do not run analytics scripts, advertising tags or third-party trackers on this page.

Category	Examples	Source
Identification data	Full name, email address, organisation (optional), country of residence	You submit it via the EOI form or by email
Investor-context data	Who invited you, indicative ticket size (optional), instrument preference (optional), free-text notes (optional)	You submit it via the EOI form
Attestation flags	Confirmation that you were personally invited, that you read the risk factors and that you read the related-party disclosure	You confirm via the form interface
Browser storage	A short attestation flag (key: `sret-invite-confirmed-v1`, value: `yes`)	Stored only in your browser’s sessionStorage. Cleared automatically when you close the tab

We do not collect: cookies for tracking purposes, IP-address logs on this static landing page, device fingerprints, geolocation, special-category data (Article 9 GDPR), or financial-account data.

3. How the EOI form transmits and stores data

When you submit the expression-of-interest form, the data is sent over HTTPS to a Cloudflare Worker we operate at this domain. The Worker validates the input, writes the submission to a Cloudflare D1 database, and sends a notification email to the founder mailbox. The form does not pass through Systeme.io, Tally or any third-party form vendor.

Hosting and processors. The landing page and EOI endpoint are hosted on Cloudflare Pages and processed by Cloudflare Workers and Cloudflare D1 (SQLite). Cloudflare Inc. acts as a processor on our behalf under its Data Processing Addendum. Notification and confirmation emails are delivered via Resend (Resend, Inc.), a transactional email service that sends from our EU (Ireland) region. Cloudflare’s privacy statement is available at cloudflare.com/privacypolicy. Resend’s privacy statement is available at resend.com/legal/privacy-policy.

4. Why we process this data. Purposes.

To respond to your expression of interest.
To send you the investor memorandum and any follow-up materials.
To arrange a founder call if appropriate.
To keep a record of who has expressed interest, for the purpose of orderly capital-raise management.

We do not use your personal data for advertising, profiling, or automated decision-making within the meaning of Article 22 GDPR.

5. Lawful basis

We rely on two lawful bases under Article 6 GDPR:

Consent (Art. 6(1)(a)). When you submit the EOI form, you actively confirm three attestations. This constitutes specific, informed consent for the processing described above.
Legitimate interest (Art. 6(1)(f)). For ongoing communication with you about the raise after your EOI, we rely on our legitimate interest in managing an orderly capital-raise process with parties who have actively expressed interest. You can object to this processing at any time (see section 9).

6. Who we share data with. Recipients.

We do not sell, rent or share your personal data with third parties for marketing purposes. We may share data only as follows, and only when necessary:

Cloudflare Inc. as hosting, edge network and processor (Pages, Workers, D1). Cloudflare regional services are configured so that data processing for this property is performed in the European Union where supported. See cloudflare.com/privacypolicy.
Resend (Resend, Inc.) as transactional email delivery for the notification and confirmation emails triggered by EOI submissions, sending from our EU (Ireland) region. See resend.com/legal/privacy-policy.
Professional advisors (legal, tax, accounting) under written confidentiality, where their input is required to respond to your enquiry or to structure the platform.
Regulated service providers, in particular Creatrust as the regulated administrator at the level of any future Luxembourg compartment, for KYC and AML purposes. This only applies to those who proceed to investment in a token product, and only with separate consent at that stage.
Email infrastructure. Our email provider processes incoming and outgoing mail as a processor on our behalf.
Where required by law, including in response to a valid legal request from a competent authority.

7. International transfers

Personal data is processed within the European Economic Area (EEA) where supported by our hosting provider. The Cloudflare account for this property is configured to use Cloudflare’s Regional Services / EU Data Localisation features so that EOI request handling and D1 database storage are performed within the European Union. Our transactional email provider, Resend, sends from its EU (Ireland) region; Resend, Inc. is US-incorporated, so some control-plane metadata may be processed outside the EEA under Standard Contractual Clauses (SCCs). Some Cloudflare operational metadata (for example, edge log signals and abuse-detection signals) may likewise be processed outside the EEA under SCCs. Our own email service (Google Workspace for sirrapagroup.com) may also process some operational metadata outside the EEA under SCCs per Google’s Data Processing Addendum. We do not transfer EOI data outside the EEA for any business purpose.

8. How long we keep your data. Retention.

EOI submissions from those who do not become investors: kept for a maximum of 24 months from the date of your submission.
EOI submissions from those who become investors: 7 years post relationship end, in line with Dutch fiscal record-keeping obligations (Algemene wet inzake rijksbelastingen, art. 52).
Attestation flags in sessionStorage: cleared automatically when you close the browser tab. We do not access this data; it lives in your browser only.
Email correspondence: aligned to the above retention periods, then archived and deleted in line with normal business-record retention. Deleted on request unless a legal hold applies.

9. Your rights

Under GDPR Articles 15 to 22 you have the right to:

Access. Request a copy of the personal data we hold about you.
Rectification. Ask us to correct inaccurate or incomplete data.
Erasure (right to be forgotten). Ask us to delete your data, subject to limited legal-retention exceptions.
Restriction. Ask us to suspend processing in certain circumstances.
Portability. Receive your data in a structured, machine-readable format.
Object. Object to processing that is based on legitimate interest.
Withdraw consent. For processing based on consent, at any time and without giving reasons.

To exercise any of these rights, email armand.parris@sirrapagroup.com. We aim to respond within 30 days.

10. Complaints

If you are not satisfied with how we handle your data, you have the right to complain to the Dutch data-protection authority, Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or to your local supervisory authority in the EEA. We would appreciate the opportunity to address your concerns first.

11. Cookies and browser storage

This landing page does not use cookies, advertising tags, analytics scripts or third-party trackers in its own code. It uses a single sessionStorage item to remember that you have completed the invitation attestation, so you are not asked to attest again as you scroll between sections in the same session. This storage:

is technical and necessary for the attestation mechanism;
stays only in your browser and is never sent to a server;
is cleared automatically when you close the tab.

Under the ePrivacy Directive (as implemented in the Telecommunicatiewet), storage that is strictly necessary for a service you actively requested does not require separate cookie consent. We have classified this attestation flag as strictly necessary.

Cloudflare, as our hosting provider, may set a small number of operational and security cookies (for example to manage edge-cache state or to detect abusive traffic). These are not used by us for analytics, profiling or advertising. See cloudflare.com/cookie-policy for details.

12. Security

We take reasonable technical and organisational measures to protect personal data, including encrypted email transport, restricted access to founder mailboxes, and minimisation of stored data. No transmission over the internet is fully secure. We cannot guarantee absolute security but we take it seriously.

13. Changes to this notice

We may update this privacy notice from time to time, for example when SRET B.V. is incorporated and becomes a controller, when we engage a regulated administrator, or when the EOI form mechanism changes. The version number and “Last updated” date at the top of this notice will be revised. We will not retroactively reduce your rights without your consent.

14. Contact

For questions about this notice or any data-protection matter:
armand.parris@sirrapagroup.com
Armand Parris. Founder and CEO, Sirrapa Group Holding B.V. Named as Functionaris Gegevensbescherming.
KVK 84669837. De Praam 15, 1747 TK Tuitjenhorn. Telephone: +31 628 776 963.

See also the parent group privacy statement at sirrapagroup.com/privacy.

This notice is provided in good faith and reflects our intended practice. It is not legal advice. It will be reviewed by a qualified Dutch data-protection professional before the landing page is distributed more broadly than the initial invitation list.