Privacy Policy — Correa Public Investments LLC

CONFIDENTIAL | FOR AUTHORIZED RECIPIENTS ONLY | ACCREDITED INVESTORS

Section 1

Data Controller and Scope of This Policy

1.1 DATA CONTROLLER

The data controller responsible for the collection, processing, storage, and protection of your personal information is Correa Alonso Asset Management LLC ("CAAM" or the "Manager"), a Delaware limited liability company acting as the investment manager and managing member of Correa Public Investments LLC (the "Company," the "Fund," or "CPI"), a Delaware limited liability company organized and operated as a manager-managed private investment fund. Christopher Correa, Managing Partner, serves as the designated privacy officer responsible for overseeing compliance with this Privacy Policy.

1.2 SCOPE AND APPLICABILITY

This Privacy Policy (this "Policy") describes how the Company and the Manager collect, use, process, disclose, retain, protect, and dispose of personal information and nonpublic personal information ("NPI") in connection with all aspects of the Fund's operations. This Policy applies to the following services, platforms, and interactions (collectively, the "Platform"):

The Company's website located at correafunds.com, including all subdomains and pages;
The Company's investor portal, including all account management, document access, and reporting features;
Any mobile application developed, published, or operated by the Company or the Manager;
All subscription, onboarding, and Know Your Customer ("KYC") processes;
All investor communications, including investment letters, account statements, research memoranda, and correspondence;
All administrative and operational processes related to Fund management, including capital account maintenance, NAV calculations, redemption processing, and tax reporting; and
Any offline interactions involving the collection of personal information, including in-person meetings, telephone calls, and physical document submissions.

1.3 WHO THIS POLICY APPLIES TO

This Policy applies to all individuals and entities that provide personal information to the Company or the Manager, including:

Current Members (investors) of the Fund;
Prospective investors who submit subscription documents, access non-public investor materials, or engage with the Manager regarding a potential investment;
Authorized representatives, agents, trustees, and signatories of entity investors;
Beneficial owners of entity investors identified through KYC and anti-money laundering ("AML") processes;
Users of the Company's website, investor portal, and any mobile application; and
Any other individual whose personal information is provided to the Company or the Manager in connection with Fund operations.

1.4 REGULATORY FRAMEWORK

This Policy is designed to comply with applicable U.S. federal and state privacy and data protection laws and regulations, including: Regulation S-P under the Securities Exchange Act of 1934 (to the extent applicable); the Gramm-Leach-Bliley Act ("GLBA") and its implementing regulations; the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"); the Washington My Health My Data Act and the Washington Privacy Act (to the extent applicable); the USA PATRIOT Act and Bank Secrecy Act AML and KYC record-retention requirements; the Apple Developer Program License Agreement and App Store Review Guidelines; the Google Play Developer Distribution Agreement and Google Play Data Safety requirements; and such other federal, state, and international privacy laws as may be applicable from time to time.

Section 2

Categories of Personal Information Collected

The Company and the Manager collect the following categories of personal information in connection with Fund operations and Platform use. Each category is mapped to the Apple App Store privacy label taxonomy and Google Play Data Safety categories for transparency and compliance.

2.1 IDENTITY DATA

Full legal name (first, middle, last) and any aliases or former names;
Date of birth (individuals) or date and jurisdiction of formation (entities);
Government-issued identification numbers, including Social Security number ("SSN"), taxpayer identification number ("TIN"), passport number, and driver's license number;
For entity investors: entity legal name, type of entity, jurisdiction of organization, organizational documents, certificate of good standing, certificate of incumbency, and employer identification number ("EIN");
Beneficial ownership information for entities; and
Photographs or digital images of government-issued identification documents submitted for KYC verification.

Apple Privacy Label: Name, User ID, Physical Address. Google Data Safety: Personal info (Name, Email address, Personal identifiers).

2.2 CONTACT DATA

Current residential address or principal business address;
Mailing address (if different from residential/business address);
Primary and secondary telephone numbers (including mobile);
Primary and secondary email addresses; and
Preferred method of communication (email, telephone, mail).

Apple Privacy Label: Email Address, Phone Number, Physical Address. Google Data Safety: Personal info (Address, Phone number, Email address).

2.3 FINANCIAL DATA

Annual income and net worth information provided in the Investor Questionnaire for accredited investor determination;
Investment experience (years) and investment objectives;
Bank account information, including institution name, account number, routing number, and SWIFT/BIC codes;
Wire transfer instructions and confirmation records;
Brokerage account statements, bank statements, tax returns, W-2 forms, and 1099 forms submitted for accredited investor verification under Rule 506(c);
Third-party verification letters from licensed attorneys, CPAs, or registered broker-dealers;
Capital account balances, contribution amounts and dates, redemption amounts and dates, and historical account activity;
Management fee and performance allocation amounts charged to the investor's capital account; and
NAV per Interest calculations and period-over-period return data.

Apple Privacy Label: Financial Info (Payment Info, Other Financial Info). Google Data Safety: Financial info (Purchase history, Other financial info).

2.4 TAX AND REGULATORY DATA

IRS Form W-9 for U.S. persons;
IRS Form W-8BEN for non-U.S. individuals; IRS Form W-8BEN-E for non-U.S. entities;
ERISA status and Benefit Plan Investor classification;
FATCA classification and documentation;
Schedule K-1 data, including allocable shares of Fund income, gain, loss, deduction, and credit; and
State tax withholding elections and applicable state filing nexus information.

2.5 COMPLIANCE AND DUE DILIGENCE DATA

Results of identity verification checks conducted against government databases and commercial verification services;
OFAC Specially Designated Nationals and Blocked Persons List screening results;
EU consolidated sanctions list and other applicable international sanctions list screening results;
Politically Exposed Person ("PEP") status disclosures;
Source of funds and source of wealth documentation and representations;
Enhanced due diligence records for high-risk investors; and
Bad Actor disqualification certifications under Rule 506(d).

2.6 TECHNICAL DATA

Internet Protocol (IP) address and approximate geolocation derived from IP address;
Device type, device identifier, operating system name and version, and browser type and version;
Screen resolution and language preferences;
Session tokens and authentication credentials (encrypted); and
Referral URL (the page from which you navigated to the Platform).

2.7 USAGE DATA

Login and logout timestamps;
Pages and sections of the investor portal accessed, including frequency and duration;
Documents viewed, downloaded, or printed through the investor portal;
Search queries entered within the Platform; and
Error logs and crash reports generated during Platform use.

2.8 COMMUNICATIONS DATA

Emails, messages, and correspondence sent to or received from the Manager;
Records of telephone conversations (date, time, duration, and summary notes — calls are not recorded without consent);
Meeting notes and records of in-person discussions; and
Feedback, complaints, and inquiries submitted through the Platform or by other means.

Section 3

Legal Bases for Processing

The Manager processes personal information on the following legal bases:

Contractual Necessity — Identity, Contact, Financial data. Processing necessary to perform the Subscription Agreement, Operating Agreement, and Fund administration obligations, including capital account maintenance, NAV calculation, subscription processing, and redemption processing.

Legal Obligation — Identity, Tax/Regulatory, Compliance data. Processing required to comply with applicable securities laws (Reg D, Securities Act, Exchange Act), tax laws (IRC, Form 1065, K-1 reporting), AML laws (USA PATRIOT Act, Bank Secrecy Act), OFAC sanctions screening, FATCA, and state regulatory requirements.

Legitimate Interest — Technical, Usage, Communications data. Processing necessary for the security of the Platform, fraud prevention, internal audit, recordkeeping, improvement of services, and protection of the legal rights of the Company and the Manager. The Manager has conducted a balancing test to ensure that these legitimate interests do not override your fundamental rights.

Consent — As applicable. Where required by law, the Manager obtains your explicit consent before processing personal information for purposes not covered by the bases above. You may withdraw consent at any time by contacting the Manager, without affecting the lawfulness of processing conducted prior to withdrawal.

Section 4

How We Use Your Information

4.1 SUBSCRIPTION AND ONBOARDING

Processing subscription applications and determining eligibility for admission as a Member;
Verifying accredited investor status through documentation review or third-party verification, as required under Rule 506(c);
Conducting KYC identity verification and AML screening, including OFAC and sanctions list checks;
Collecting and validating tax documentation (W-9, W-8BEN, W-8BEN-E); and
Executing the Subscription Agreement and admitting the investor as a Member.

4.2 FUND ADMINISTRATION

Maintaining individual capital accounts and recording contributions, redemptions, allocations, and expenses;
Calculating the Fund's NAV and each Member's NAV per Interest on applicable valuation dates;
Processing quarterly redemption requests, including verification of lock-up expiration and notice requirements;
Calculating and applying the 2% annual management fee and 20% performance allocation subject to the high-water mark;
Preparing and distributing quarterly account statements; and
Coordinating with Interactive Brokers LLC for trade settlement, custody, and account reconciliation.

4.3 TAX REPORTING

Preparing and filing the Fund's annual Form 1065 (U.S. Return of Partnership Income) with the IRS;
Preparing and distributing individual Schedule K-1s to each Member;
Calculating and applying U.S. withholding tax on allocations to non-U.S. Members, including FATCA withholding;
Filing state partnership tax returns and processing state withholding for non-resident Members; and
Providing estimated tax information to Members in advance of K-1 delivery where practicable.

4.4 INVESTOR COMMUNICATIONS

Distributing quarterly or periodic investment letters discussing portfolio performance, market developments, and the Manager's outlook;
Sending operational notices, including subscription confirmations, redemption confirmations, gate or suspension notifications, and amendments to Fund documents;
Responding to investor inquiries, feedback, and information requests; and
Delivering annual financial statements (audited, when available) within 90 to 120 days after fiscal year-end.

4.5 REGULATORY COMPLIANCE

Filing Form D with the SEC and Blue Sky notice filings in applicable states;
Maintaining the Fund's compliance with Section 3(c)(1) of the Investment Company Act (monitoring the 100 beneficial owner limit);
Monitoring compliance with ERISA plan asset thresholds (maintaining Benefit Plan Investor participation below 25%);
Responding to regulatory examinations, audits, subpoenas, court orders, and government inquiries; and
Filing Schedule 13D/13G and Form 13F with the SEC if applicable ownership or AUM thresholds are reached.

4.6 PLATFORM SECURITY AND OPERATIONS

Authenticating user identity and managing access credentials for the investor portal;
Monitoring for unauthorized access attempts, suspicious activity, and potential security incidents;
Maintaining system logs for audit trail and forensic analysis in the event of a security breach;
Diagnosing and resolving technical issues, errors, and performance problems; and
Improving the functionality, security, and user experience of the Platform based on aggregated usage patterns.

Section 5

Data Sharing and Disclosure

The Manager does not sell personal information. The Manager does not share personal information with third parties for marketing purposes. The Manager does not share personal information for cross-context behavioral advertising. The Manager does not engage in data brokerage.

Personal information may be disclosed to the following categories of recipients, solely for the purposes described below and subject to strict confidentiality obligations:

Interactive Brokers LLC (Custodian) — Identity, Contact, Financial, Tax data. Custody of Fund assets, trade execution and settlement, account administration, SIPC coverage, and regulatory reporting.

Legal Counsel — Identity, Contact, Financial, Compliance, Communications data. Legal advice, regulatory compliance guidance, contract preparation and review, dispute resolution, and litigation defense.

Accountants and Auditors — Identity, Financial, Tax data. Preparation of annual financial statements, annual audit (when engaged), Form 1065 preparation, Schedule K-1 preparation, and tax advisory services.

Fund Administrator (if engaged) — Identity, Contact, Financial data. Independent NAV calculation, investor accounting, subscription and redemption processing, and periodic reporting.

AML/KYC Service Providers — Identity, Compliance data. Identity verification, sanctions screening, PEP screening, adverse media screening, and ongoing monitoring.

Regulatory Authorities — As required. Compliance with SEC, IRS, OFAC, FinCEN, state securities regulators, and law enforcement as compelled by law, subpoena, court order, or regulatory examination.

All third-party service providers are subject to written confidentiality agreements or are otherwise bound by professional duties of confidentiality. The Manager conducts periodic reviews of service provider data handling practices.

Section 6

Data Retention Schedule

The Manager retains personal information for the minimum period necessary to fulfill the purposes for which it was collected, to comply with applicable legal and regulatory retention requirements, and to protect the Company's legal interests.

Subscription Documents & Investor Questionnaires: Duration of membership plus 5 years following final redemption or termination. (Reg D record-retention; state securities laws; statute of limitations for securities fraud claims.)

Accredited Investor Verification Records (Rule 506(c)): Duration of membership plus 5 years following final redemption. (Rule 506(c) reasonable steps verification requirement; SEC examination guidelines.)

Capital Account Records, Transaction History, and NAV Data: Duration of membership plus 7 years following final redemption. (IRC Section 6501; Treasury Regulation record-retention requirements.)

Tax Documentation (W-9, W-8, K-1 records, Form 1065 data): Duration of membership plus 7 years. (IRC Section 6501; IRS record-retention guidance; BBA Audit Rules.)

AML/KYC Records: 5 years following termination of investor relationship. (USA PATRIOT Act Section 326; FinCEN CDD Rule; Bank Secrecy Act.)

Correspondence and Communications: 5 years following the date of communication.

Technical and Usage Logs: 2 years from date of collection.

Cookies and Session Data: Session duration only (not persisted).

Upon expiration of the applicable retention period, personal information will be securely destroyed using industry-standard data disposal methods, including secure electronic deletion (multi-pass overwrite or cryptographic erasure) and cross-cut shredding for physical documents.

Section 7

Data Security Measures

The Manager maintains a comprehensive information security program designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction.

7.1 TECHNICAL SAFEGUARDS

Encryption of all personal information in transit using Transport Layer Security (TLS) 1.2 or higher;
Encryption of sensitive personal information at rest using AES-256 encryption or equivalent;
Multi-factor authentication ("MFA") required for all access to the investor portal and internal administrative systems;
Secure password policies requiring minimum length, complexity, and periodic rotation;
Firewall protection, intrusion detection systems, and continuous network monitoring;
Regular vulnerability assessments and penetration testing of Platform infrastructure; and
Automated session timeout and forced re-authentication after periods of inactivity.

7.2 ADMINISTRATIVE SAFEGUARDS

Role-based access controls ("RBAC") restricting access to personal information to authorized personnel on a strict need-to-know basis;
Employee and contractor training on data privacy, information security, phishing awareness, and incident response procedures;
Written information security policies and procedures reviewed and updated at least annually;
Background checks for personnel with access to sensitive personal information; and
Incident response plan with defined procedures for detection, containment, investigation, notification, and remediation.

7.3 PHYSICAL SAFEGUARDS

Secure physical storage of paper documents containing personal information in locked, access-controlled facilities;
Controlled physical access to offices and facilities where personal information is processed; and
Secure disposal of physical media through cross-cut shredding or certified destruction services.

No method of electronic transmission or data storage is completely secure. In the event of a data breach, the Manager will: (i) promptly investigate and take reasonable steps to contain and remediate the breach; (ii) notify affected individuals as required by applicable law, including within 72 hours where required by state breach notification statutes; and (iii) notify applicable regulatory authorities as required by law.

Section 8

Cookies and Tracking Technologies

8.1 WHAT WE USE

The Platform uses only the following categories of cookies:

Session Cookies — Maintain authenticated session state, prevent session hijacking, and enable navigation between secure pages. Session only; deleted when browser is closed. No third party.

Authentication Cookies — Remember authenticated status across page loads within a single session and facilitate multi-factor authentication workflows. Session only. No third party.

Security Cookies — Detect and prevent cross-site request forgery (CSRF), brute-force login attempts, and other security threats. Session only or up to 24 hours. No third party.

8.2 WHAT WE DO NOT USE

Advertising cookies, pixels, or tags of any kind;
Third-party analytics services (such as Google Analytics, Mixpanel, or Amplitude);
Cross-site tracking technologies;
Browser fingerprinting;
Social media tracking pixels or share buttons; or
Any technology that enables behavioral profiling, retargeting, or cross-context advertising.

8.3 YOUR COOKIE CHOICES

Because the Platform uses only essential session, authentication, and security cookies, there is no opt-out mechanism for these cookies — they are strictly necessary for the secure operation of the investor portal. The Platform does not respond to Do Not Track ("DNT") browser signals because no tracking occurs.

Section 9

Your Rights Regarding Personal Information

Subject to applicable law and the Manager's legal and regulatory retention obligations, you may exercise the following rights:

9.1 Right of Access. You may request a copy of the personal information the Manager maintains about you. The Manager will respond to verified access requests within 45 calendar days, with one 45-day extension if reasonably necessary.

9.2 Right of Correction. You may request correction of inaccurate or incomplete personal information. Corrections to tax-related information (SSN, TIN, W-9/W-8) may require submission of updated forms and may trigger amended filings.

9.3 Right of Deletion. You may request deletion of personal information that is no longer necessary for the purposes for which it was collected. The Manager will comply except where retention is required by law or regulation (AML/KYC records: 5-year minimum; tax records: 7-year minimum; subscription documents: 5-year minimum).

9.4 Right to Data Portability. Where technically feasible, you may request a copy of your personal information in a structured, commonly used, machine-readable format (such as CSV or JSON).

9.5 Right to Opt-Out of Sale. The Manager does not sell personal information and has never sold personal information. No opt-out mechanism is required.

9.6 Right to Non-Discrimination. The Manager will not discriminate against you for exercising any of your privacy rights.

9.7 How to Exercise Your Rights. Submit a written request to the Manager at ask@correafunds.com or by mail to the address specified in Section 14. The Manager will verify your identity before processing any request.

Section 10

California Consumer Privacy Act (CCPA/CPRA) Disclosure

If you are a California resident, the following additional disclosures are provided pursuant to the CCPA:

10.1 Categories of Personal Information Collected: Identifiers; Financial information; Professional or employment-related information; Internet or other electronic network activity information; and Sensitive personal information (as defined by California Civil Code Section 1798.140).

10.2 Business Purposes for Collection: Subscription processing and accredited investor verification; Fund administration and capital account maintenance; tax reporting and K-1 preparation; regulatory compliance (AML, KYC, OFAC, FATCA); investor communications; and Platform security.

10.3 Third Parties: The categories of third parties with whom the Manager shares personal information are described in Section 5. No personal information has been sold. No personal information has been shared for cross-context behavioral advertising.

10.4 Sensitive Personal Information: Collected solely for subscription processing, accredited investor verification, tax reporting, and regulatory compliance. The Manager does not use sensitive personal information for any purpose other than those expressly permitted under CCPA Section 1798.121.

10.6 Your CCPA Rights: California residents have the right to know, request deletion, request correction, opt out of sale/sharing (not applicable), and limit use of sensitive personal information (already limited). The Manager will not discriminate against you for exercising any CCPA right.

Section 11

Children's Privacy

The Platform and the Fund's services are not directed to, designed for, or intended for use by individuals under the age of 18. The Company does not knowingly collect, solicit, or process personal information from minors. If the Manager becomes aware that personal information has been inadvertently collected from an individual under the age of 18, such information will be promptly deleted and the individual's account (if any) will be terminated. If you believe that a minor has provided personal information to the Company, please contact the Manager immediately at ask@correafunds.com.

Section 12

International Data Transfers

The Company and the Manager are based in the United States. All personal information collected through the Platform is stored and processed in the United States. If you are accessing the Platform from outside the United States, you acknowledge and consent to the transfer of your personal information to the United States, where data protection laws may differ from those of your home jurisdiction. The Manager will take reasonable steps to ensure that your personal information receives an adequate level of protection in accordance with this Policy. Non-U.S. investors should consult their own legal advisors regarding the implications of cross-border data transfers applicable to their jurisdiction.

Section 13

Changes to This Policy

The Manager reserves the right to update, amend, or replace this Policy at any time. Material changes will be communicated through one or more of the following methods: (i) posting the revised Policy on the Company's website with an updated "Last Updated" date; (ii) publishing a notice on the investor portal; (iii) sending a direct notification via email; or (iv) providing notice through the mobile application (if applicable). Continued use of the Platform following notification of material changes constitutes acceptance of the revised Policy. If you do not agree with any changes, you should discontinue use of the Platform and contact the Manager to discuss your options.

Section 14

Contact Information

For all questions, concerns, requests, or complaints regarding this Privacy Policy or the handling of your personal information:

Correa Public Investments LLC

Correa Alonso Asset Management LLC

Attention: Christopher Correa, Managing Partner — Privacy Inquiries
Email: ask@correafunds.com
Phone: 206-430-3325
Web: correafunds.com

The Manager will acknowledge receipt of your inquiry within five (5) business days and will provide a substantive response within a reasonable timeframe consistent with applicable law. If you are not satisfied with the Manager's response, you may have the right to lodge a complaint with the applicable state attorney general or other regulatory authority.

This Privacy Policy is provided in connection with the offering of membership interests in Correa Public Investments LLC pursuant to Regulation D, Rules 506(b) and 506(c), under the Securities Act of 1933. It is intended solely for accredited investors and authorized recipients. The membership interests described herein have not been registered under the Securities Act of 1933 or any state securities laws. Neither the SEC nor any state securities commission has approved or disapproved of these securities or passed upon the accuracy or adequacy of this document.