Privacy Policy
Graphene Capital Management LP
Effective Date: June 1, 2026
Supersedes: Privacy Policy dated October 1, 2024
Regulatory Basis: Regulation S-P (17C.F.R. Part 248) · Gramm-Leach-Bliley Act
Next Scheduled Review: March, 2027
Notice to Clients: This Privacy Policy is provided pursuant to Regulation S-P (17 C.F.R. Part 248), implementing Title V of the Gramm-Leach-Bliley Act ("GLBA"), 15 U.S.C. §§ 6801–6809. A copy of this notice is delivered to each new client at or before the establishment of the advisory relationship and is always available on GCM's website at www.graphenelp.com/privacy-policy. If you have questions or wish to exercise any rights described herein, please contact our Privacy Officer at privacy@graphenelp.com.
1. Introduction and Scope
Graphene Capital Management, LP ("GCM," "we," "our," or "us") is registered with the U.S. Securities and Exchange Commission ("SEC") as an investment adviser under the Investment Advisers Act of 1940. As a registered investment adviser, GCM is a "covered institution" subject to Regulation S-P and its 2024 amendments.
This Privacy Policy describes how GCM collects, uses, protects, shares, and disposes of non-public personal information ("NPI") about our clients, investors, and prospective investors. It applies to:
• All individuals who obtain or have obtained investment advisory services from GCM primarily for personal, family, or household purposes ("clients");
• Prospective clients whose NPI GCM collects in connection with evaluating an advisory relationship;
• Former clients whose NPI GCM continues to hold after the advisory relationship ends; and
• Individuals whose NPI GCM receives from other financial institutions — such as custodians, prime brokers, or fund administrators — in connection with providing advisory services.
This Policy applies to all forms of NPI — electronic, paper, and verbal — regardless of the medium in which it is stored, processed, or transmitted.
2. Key Definitions
The following terms have the meanings given below, consistent with Regulation S-P(17 C.F.R. § 248.3):
• Non-public personal information (NPI): Personally identifiable financial information that is not publicly available, including information a client provides to GCM to obtain an advisory service, information GCM obtains about a client in connection with providing services, and information GCM otherwise obtains (e.g., from a custodian or fund administrator).
• Customer information: Any record containing NPI about a GCM client, regardless of whether the record relates to a current, former, or prospective client, and regardless of whether GCM received the NPI directly from the individual or from another financial institution.
• Sensitive customer information: The subset of customer information whose compromise — alone or in conjunction with other information —could create a reasonably likely risk of substantial harm or inconvenience to an individual. This includes Social Security numbers, government identification numbers, financial account numbers, electronic identification numbers and login credentials, biometric records, and routing codes combined with access credentials.
• Service provider: Any person or entity that receives, maintains, processes, or is otherwise permitted access to customer information through its provision of services to GCM, including affiliates, custodians, fund administrators, technology vendors, and cloud service providers.
3. Information We Collect
GCM collects NPI necessary to establish and maintain the advisory relationship, provide investment management services, and comply with applicable legal and regulatory obligations.
Information You Provide Directly
• Personal identifiers: Full legal name, mailing address, email address, telephone number, date of birth
• Government identification: Social Security number, employer identification number (EIN), driver's license or passport number, alien registration number
• Financial information: Income, net worth, liquid assets, account balances, investment holdings, and sources of wealth and funds
• Investment profile: Investment objectives, risk tolerance, time horizon, investment restrictions, and suitability information
• Tax information: Taxpayer identification numbers, tax residency status, FATCA/CRS classification, and related documentation
• Account credentials: Usernames and authentication credentials for GCM-administered portals or systems (treated as sensitive customer information)
• Communications: Records of correspondence, instructions, and other communications with GCM
Information We Receive from Third Parties
• Custodians and prime brokers: Account positions, transaction history, cash balances, and related account information
• Fund administrators: Capital account statements, NAV calculations, investor ledger information, and tax reporting data
• Identity verification providers: Know-your-customer (KYC) and anti-money laundering (AML) screening results
• Publicly available sources: Government records, regulatory databases, and other lawful public sources
Sensitive Customer Information Note: GCM specifically identifies and affords heightened protection to sensitive customer information as defined in Section 2 above — including Social Security numbers, financial account numbers, and electronic authentication credentials. This category of information is subject to the notification obligations described in Section 9.
4. How We Use Your Information
GCM uses client NPI solely for legitimate business purposes necessary to provide and administer the advisory relationship, including to:
• Establish and maintain your investment account(s) and the advisory relationship
• Provide portfolio management, investment advisory, and related services
• Process investment transactions and maintain required books and records
• Conduct AML, KYC, OFAC, and other required regulatory due diligence
• Prepare and deliver account statements, tax documents, and regulatory disclosures
• Comply with applicable legal, regulatory, and tax obligations under the Investment Advisers Act of 1940, GLBA, the Internal Revenue Code, and applicable SEC rules and regulations
• Respond to inquiries, complaints, and requests from you or your authorized representatives
• Detect, investigate, and prevent fraud, unauthorized access, identity theft, and other security incidents
GCM does not use client NPI for marketing purposes unrelated to the advisory relationship without your consent.
5. Information Sharing and Disclosure
5.1 We Do Not Sell Client Information
GCM does not sell, rent, license, or trade client NPI to any third party for commercial or marketing purposes.
5.2 Sharing with Affiliates
GCM may share your NPI with affiliated entities (including related general partner entities, investment vehicles, and management companies under common control with GCM) as necessary to manage and administer your investment(s) and fulfill GCM's advisory obligations.
5.3 Sharing with Service Providers (Non-Affiliated Third Parties)
GCM shares client NPI with non-affiliated third-party service providers that assist GCM in delivering advisory services. This sharing is made pursuant to the service provider exception under GLBA Section 502(e)(3) (17 C.F.R. § 248.14) and does not require an opt-out opportunity.
GCM's service providers are contractually required to: (i) use client NPI only to perform services on GCM's behalf; (ii) protect client NPI with safeguards at least equivalent to those in GCM's Written Information Security Program; (iii)notify GCM within 72 hours of becoming aware of any unauthorized access to client NPI; and (iv) cooperate with GCM's oversight and monitoring obligations under Regulation S-P.
Categories of service providers that may access client NPI include:
· Prime brokers and custodians (account custody, trade settlement,and position reporting)
· Fund administrators (fund accounting, NAV calculations, capital account administration, and investor reporting)
· Portfolio management system providers (trade execution, portfolio management, and risk analytics)
· Managed IT and cybersecurity service providers (infrastructure management, security operations, and incident response)
· Cloud infrastructure and data storage providers (secure storage, email, collaboration, and virtual desktop services)
· Regulatory communications archiving services
· Legal counsel and compliance advisors
· Auditors and accountants (annual audit, financial statements, and tax preparation)
· Identity verification and AML/KYC screening providers
· Human resources and payroll processors (limited NPI in the context of employee administration)
5.4 Legally Required Disclosure
GCM may disclose your NPI when required or permitted by law, including:
· To comply with a court order, subpoena, arbitration demand, or other legal process
· To respond to a regulatory examination, inquiry, or request from the SEC, FINRA, CFTC, NFA, or other regulatory authority
· To report suspected fraud, money laundering, terrorist financing, or other illegal activity to law enforcement or regulatory authorities
· To protect the rights, property, or safety of GCM, its personnel, clients, or the public, as permitted by law
· In connection with the sale, merger, acquisition, or transfer of all or substantially all of GCM's business or assets, subject to appropriate confidentiality protections
These disclosures are made pursuant to exceptions under 17 C.F.R. §§ 248.14–248.15 and do not require an opt-out opportunity.
5.5 No Other Sharing — Opt-Out Statement
GCM does not share your NPI with any non-affiliated third party for any purpose other than as described in Sections 5.2, 5.3, and 5.4 of this Policy. Because all NPI sharing by GCM is limited to GLBA-permitted exceptions, no opt-out right is applicable to GCM's current information-sharing practices. You are not required to take any action.
If GCM's information-sharing practices change in a manner that would trigger opt-out rights under Regulation S-P, GCM will provide you with a revised privacy notice and a reasonable opportunity to opt out before implementing any such change.
6. Protection of Your Information
GCM maintains a comprehensive Written Information Security Program ("WISP") containing physical, administrative, and technical safeguards designed to protect customer information — including sensitive customer information — against unauthorized access, use, disclosure, alteration, or destruction. Key safeguards include:
· Access controls: Access to client NPI is restricted on a need-to-know, least-privilege basis. Role-based access controls and multi-factor authentication (MFA) are enforced across all systems that store or process customer information.
· Encryption: Sensitive customer information is encrypted both in transit (TLS 1.2 or higher) and at rest using industry-standard encryption algorithms. Device-level encryption is enforced on all company-issued endpoints.
· Infrastructure security: GCM's infrastructure includes redundant firewalls with intrusion detection and prevention systems, 24×7 Security Operations Center (SOC) and Network Operations Center (NOC) monitoring, continuous SIEM logging, web filtering, and endpoint detection and response (EDR). Data is stored across geographically redundant, independently certified data centers and cloud environments.
· Vendor security: GCM conducts due diligence on all service providers prior to engagement and monitors their security posture on an ongoing basis. Critical service providers are required to maintain recognized industry certifications (e.g., SOC 2 Type 2, ISO 27001) and to conduct annual business continuity and disaster recovery testing.
· Employee training: All GCM personnel with access to customer information receive annual training on data security policies, privacy obligations, phishing awareness, and incident reporting procedures. Phishing simulation exercises are conducted regularly.
· Incident response: GCM maintains a written Incident Response Program designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program includes a designated Incident Management Team, containment and remediation procedures, and client notification protocols consistent with Section 9 below. GCM maintains cyber insurance to assist with breach notification, forensic analysis, and incident response. The program is tested at least annually through tabletop and functional exercises.
7. Disposal of Customer Information
When customer information is no longer needed for operational, legal, or regulatory purposes, GCM disposes of it in a manner designed to protect against unauthorized access or use:
· Electronic records: Secure deletion using approved overwriting methods or cryptographic erasure. Decommissioned hardware is subject to secure wiping or physical destruction prior to disposal or reuse.
· Paper records: Cross-cut shredding or incineration using certified document destruction services.
· Service provider disposal: Service providers holding customer information on GCM's behalf are contractually required to dispose of such information using methods consistent with this Policy upon termination of the service relationship or upon GCM's written instruction.
· Documentation: Each disposal event is documented, including the date, method, data category, and responsible party. Disposal records are retained in accordance with Section 8.
Disposal practices apply to all customer information, including sensitive customer information and NPI received from other financial institutions.
8. Retention of Your Information
GCM retains customer information for as long as necessary to fulfill the purposes described in this Policy and to comply with applicable legal, regulatory, and record keeping obligations, including:
· Regulation S-P compliance records (written policies, incident documentation, notification decisions, vendor agreements): 5 years, with the first 2 years maintained in an easily accessible location
· Advisory records under the Investment Advisers Act of 1940: generally 5 years from the end of the fiscal year in which the record was created
· Tax and AML records: as required by the Internal Revenue Code, Bank Secrecy Act, and applicable regulations
Upon expiration of applicable retention periods, GCM disposes of customer information in accordance with Section 7 of this Policy.
9. Security Incident Notification
9.1 Notification Obligation
In the event of a security incident involving unauthorized access to or use of sensitive customer information — or where GCM becomes aware that such access is reasonably likely to have occurred — GCM will notify each affected individual whose sensitive customer information was or may have been accessed without authorization.
9.2 Timing
Notice will be provided as soon as practicable, but no later than 30 days after GCM becomes aware that sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization, consistent with 17 C.F.R. § 248.30(a)(3).
9.3 Content of Notice
Each notification will include, to the extent available:
· A general description of the nature of the security incident
· The type of sensitive customer information that was or may have been accessed
· The date, or estimated date range, of the incident
· GCM's name, address, telephone number, and email address for client inquiries
· Steps affected individuals can take to protect themselves, including placing fraud alerts or credit freezes and reviewing account statements
· A reference to the Federal Trade Commission's identity theft guidance at www.identitytheft.gov
9.4 No-Notification Determination
If, following a reasonable investigation, GCM determines that the sensitive customer information that was accessed has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience, GCM may determine that notification is not required. Any such determination will be documented in writing, including the basis for the determination, and retained as a Regulation S-P compliance record for 5 years.
9.5 Service Provider Incidents
GCM retains primary responsibility for client notification under Regulation S-P, regardless of whether a security incident originates at a third-party service provider. GCM's service providers are contractually required to notify GCM within 72 hours of becoming aware of any unauthorized access to client information maintained on GCM's behalf, enabling GCM to meet its notification obligations.
10. Your Rights
Access and correction: You may request access to the NPI GCM maintains about you and request correction of any inaccuracies. Contact GCM's Privacy Officer (see Section 11). GCM will respond within a reasonable period and as required by applicable law.
Former clients: GCM's obligations to protect your NPI continue after the advisory relationship ends. GCM will not use or disclose former client NPI except as required or permitted by law and as described in this Policy.
No opt-out required under current practices: As described in Section 5.5, because GCM does not share your NPI with non-affiliated third parties outside of GLBA-permitted exceptions, no opt-out right is applicable to GCM's current practices. If sharing practices change, you will be notified in advance and given the opportunity to opt out.
11. Privacy Officer and Contact Information
All privacy-related inquiries, access or correction requests, and complaints should be directed to GCM's designated Privacy Officer. Please include your full legal name, account number (if applicable), and a description of your request. GCM will acknowledge receipt within 5 business days.
Privacy Officer
Graphene Capital Management, LP
489 Fifth Avenue
New York, NY 10017
Email: privacy@graphenelp.com
Telephone: 646-585-6515
12. Annual Privacy Notice — FAST Act Exception
Under Rule 248.5 of Regulation S-P (17 C.F.R. § 248.5), covered institutions are generally required to deliver annual privacy notices to clients. GCM qualifies for the exception codified pursuant to the Fixing America's Surface Transportation Act ("FAST Act") because:
1. GCM shares client NPI with non-affiliated third parties only under GLBA-permitted exceptions (as described in Sections 5.3and 5.4); and
2. GCM has not changed its privacy policies and practices in a manner that would require an annual notice since the most recent disclosure.
Accordingly, GCM is not required to deliver annual privacy notices to clients unless and until one of the above conditions is no longer satisfied. GCM reassesses its qualification for this exception on an annual basis and documents that assessment. If GCM's information-sharing practices change such that the exception no longer applies, GCM will promptly resume delivering annual privacy notices.
13. Changes to This Policy
GCM reserves the right to amend this Privacy Policy at any time to reflect changes in its privacy practices, regulatory requirements, or business operations. In the event of a material change —including any change that would alter the basis for the FAST Act annual notice exception or trigger opt-out rights — GCM will:
1. Provide clients with advance notice of the proposed change;
2. Deliver an updated Privacy Policy clearly identifying the nature of the change;
3. Provide a reasonable opt-out opportunity before any change that triggers such right stakes effect; and
4. Update the effective date of the revised Policy.
All amended versions of this Policy will be available on GCM's website at www.graphenelp.com/privacy-policy.
14. Regulatory Authority
This Privacy Policy is provided pursuant to the following regulatory authority:
Rule 248.4 Initial privacy notice to consumers
Rule 248.5 Annual privacy notice (FAST Act exception)
Rule 248.6 Opt-out notice and opt-out rights
Rule 248.13 Limits on disclosure of NPI to non-affiliated third parties
Rule 248.14 Service provider / joint marketing exception
Rule 248.15 Other exceptions to notice and opt-out requirements
Rule 248.30 Safeguards Rule (as amended May 2024) — incident response, disposal, recordkeeping
Questions about this Privacy Policy should be directed to privacy@graphenelp.com or to the Privacy Officer at the address in Section 11.
© 2026 Graphene Capital Management, LP. All rights reserved. This notice is provided pursuant to Regulation S-P, 17 C.F.R. Part 248.