Privacy Policy

DRAFT. This Privacy Policy is a draft pending counsel review. Section structure is final; specific commitments may be adjusted prior to the policy's effective date. Last updated: 2026-06-10.

This Privacy Policy describes how ARX Prime Brokerage (the "Firm", "we", "us", or "our") collects, uses, shares, and protects information about you when you access our portfolio-management services, including the Client Portal and any mobile or third-party applications operated by the Firm.

1. Legal entity and contact

ARX Prime Brokerage LLC
Registered address: 2598 East Sunrise Blvd, Suite 2104, Fort Lauderdale, FL 33304
D-U-N-S number: 145015308
Phone: +1 650-346-5477
Privacy contact: privacy@investrlot.com

2. Information we collect

We collect the categories of information listed below. Some are required to deliver the service; others are collected only where you provide them voluntarily.

Account holder information — legal name, residential and mailing address, date of birth, tax identification number, citizenship, employment status, and other information required for "know your customer" and anti-money-laundering compliance.
Transactional and holdings data — trades, lots, accruals, corporate actions, dividends, balances, and the cost-basis and gain/loss derivatives of those records.
Communications — messages you send through the Contact form, email to the Firm, support tickets, and (where applicable per Section 8) recorded telephone calls.
Telemetry and device fingerprints — IP address, user-agent string, session identifiers, page navigation, and feature usage. These are used to operate the service, detect abuse, and improve product quality.
Authentication data — OAuth identifiers from supported identity providers (Google, Microsoft, LinkedIn, Slack). We do not store your passwords for these providers.

3. How we use information

To deliver portfolio-accounting and reporting services to you and your authorized representatives.
To meet regulatory and recordkeeping obligations imposed on broker-dealers and registered investment advisers, including FINRA Rule 17a-4 and applicable SEC rules.
To detect, investigate, and prevent fraud, unauthorized access, and other security incidents.
To respond to your communications (including Contact-form inquiries) and to send service-related notices.
To operate, maintain, and improve the service, including troubleshooting, performance measurement, and product development.

4. Third parties with whom we share information

We do not sell your personal information. We share information only with the service providers and counterparties listed below, and only to the extent necessary to deliver the service or comply with applicable law.

Pershing LLC (clearing and custody). Trade, position, and settlement information is shared with our clearing custodian as required to maintain your accounts.
Amazon Web Services, Inc. (hosting). The Firm's application infrastructure, including database storage, is operated within AWS regions in the United States.
Twilio Inc. and ElevenLabs Inc. (telephony, transcription, and voice synthesis — see Section 8).
OpenAI, Anthropic, and other AI service providers (see Section 7). Query text and the minimum context needed to fulfill an AI-assisted feature are transmitted to these providers; we do not transmit account holder identity, full holdings, or transactional history beyond what the specific feature requires.
Market-data vendors (pricing, reference data, corporate actions). Identifiers, not personal information, are shared with these vendors.
Auditors, regulators, and law-enforcement authorities, where disclosure is compelled by subpoena, regulation, or other legal process.

We do not use third-party advertising trackers, behavioral profiling networks, or analytics that share user-level data with advertising platforms.

5. How long we keep information

Books and records, including transactions, statements, and trade confirmations — retained for six years per FINRA Rule 17a-4, with the first two years in an immediately accessible location.
Recorded calls and call transcripts — retained for six years where the call constitutes a "business record" subject to 17a-4 (see Section 8).
Authentication logs and login history — retained for at least one year for security-incident investigation, and longer where required by examination or litigation hold.
Telemetry and operational logs not constituting books and records — retained for shorter, operationally appropriate windows (typically 30 to 180 days).
Contact-form inquiries — retained for at least two years to support follow-up and audit, and longer if associated with a regulated record.

6. Your rights

Subject to applicable law and the regulatory carve-outs noted below, you may:

Access and obtain a copy of the personal information we hold about you.
Request correction of inaccurate or incomplete personal information.
Request deletion of personal information that is not subject to a regulatory retention requirement. Records required by FINRA Rule 17a-4 or similar rules cannot be deleted until the applicable retention window expires.
Withdraw consent for processing that depends on consent (e.g., marketing communications you opted into). Withdrawal does not affect prior lawful processing.

California residents (CCPA / CPRA). You have the right to know what categories of personal information we collect, the categories of third parties with whom we share it, and to request deletion subject to the regulatory carve-outs above. We do not sell or "share" personal information for cross-context behavioral advertising. Requests may be submitted to privacy@investrlot.com.

European Union / United Kingdom residents (GDPR / UK GDPR). Where applicable, you have the rights of access, rectification, erasure, restriction, portability, and objection, subject to the same regulatory carve-outs. Our legal bases for processing are the performance of a contract (delivering the service), our legitimate interests (operating, securing, and improving the service), compliance with legal obligations (broker-dealer recordkeeping), and consent (where explicitly obtained). The service is offered primarily to United States residents; availability in the EU/UK is limited.

7. Artificial-intelligence features

The Firm offers features powered by third-party large-language-model providers (currently OpenAI and Anthropic). When you use one of these features — for example, the AI Query tool in the Client Portal — your query text and the minimum context required to answer it are transmitted to the model provider. We do not transmit your full account holder identity, your complete holdings, or your full transactional history beyond what the specific feature requires. AI outputs are not used to make automated investment decisions on your behalf; operational use is supervised by Firm personnel and a server-side safety guard.

8. Telephony and call recording

Inbound and outbound telephone calls to or from Firm-published numbers may be recorded and transcribed. You will be informed at the start of each call that the call may be recorded. Recordings and transcripts are stored encrypted at rest and retained as described in Section 5. Where state law requires two-party consent, we obtain consent before recording.

9. Cookies and similar technologies

The Client Portal uses a small number of cookies strictly necessary to operate the service: an authenticated-session cookie, an anti-forgery token, and a theme-preference cookie. We do not set advertising or cross-site tracking cookies.

10. Children's privacy

The service is not directed to, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact privacy@investrlot.com and we will delete it.

11. Security

We protect your information using industry-standard administrative, technical, and physical safeguards. These include TLS encryption in transit, AWS KMS-managed encryption at rest, role-based access control with multi-factor authentication for privileged users, network segmentation, and server-side enforcement of book-scoping rules so that data belonging to one client is never returned to another client's session. No security program is perfect; we encourage you to report suspected incidents to security@investrlot.com.

12. Data isolation between clients

Client data is logically partitioned per "book" of business. Server-side checks enforce that any data request issued from the Client Portal returns only information for books that the requesting user is authorized to view. This enforcement is performed on the server and does not rely on client-side filtering.

13. International transfers

Personal information is stored and processed in the United States. If you access the service from outside the United States, you consent to the transfer of your personal information to the United States, where data-protection rules may differ from those in your home jurisdiction.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced through a notice in the Client Portal at least 30 days before they take effect, except where a shorter notice period is required by law. The "Last updated" date at the top of this page reflects the most recent revision.

15. How to contact us

For privacy inquiries, use the Contact form and select "Privacy" as the Subject, or email privacy@investrlot.com.