Protocol Wealth, LLC
Effective / Last Revised: July 2, 2026 Owner: Adam Blumberg, Chief Compliance Officer Companion: List of Subprocessors (effective July 2, 2026)
This document is identified by its effective date, not a sequential version number. Last updated July 2, 2026; change reference v3.7 — see Version History below for the dated revision log.
This version adds an International Clients and Cross-Border Data Processing section for our non-U.S. clients, a California Privacy Rights (CCPA/CPRA) section for prospect and website-visitor data, a Sensitive Personal Information enumeration with a use-limitation, and a statement on the recording and transcription of client meetings; it also cross-links the AI Acceptable Use Policy that governs the AI assistant in the client portal. It does not add Plaid; Plaid Link is not enabled.
FACTS: What Does Protocol Wealth, LLC Do With Your Personal Information?
Why?
Protocol Wealth collects and develops personal information about clients, and some of that information is non-public personal information (Customer Information). The essential purpose for collecting Customer Information is to provide and service the appropriate financial products and services clients obtain from Protocol Wealth.
What?
The categories of Customer Information collected by Protocol Wealth depend upon the scope of the engagement and are generally described below. As an investment adviser, Protocol Wealth collects and develops Customer Information about clients in order to provide investment advisory services. Customer Information collected includes:
- Information received from clients on financial inventories and questionnaires through consultation with Advisory Representatives, including personal and household information such as income, spending habits, investment objectives, financial goals, statements of account, and other records concerning clients' financial condition and assets.
- Information needed to open an account including social security numbers, investment experience, assets, income, and account balances.
- Information developed as part of financial plans, analyses, or investment advisory services.
- Information concerning investment advisory account transactions.
- Information about clients' financial products and services transactions with Protocol Wealth.
When you are no longer our customer, we continue to share your information as described in this notice.
How?
All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons Protocol Wealth chooses to share; and whether you can limit this sharing.
| Reasons we can share your personal information | Does Protocol Wealth share? | Can you limit this sharing? |
|---|---|---|
| For our everyday business purposes — such as to process your transactions, maintain your account(s), respond to court orders and legal investigations | Yes | No |
| For our compliance with rules and regulations — information about your transactions and communications provided to non-affiliated firms when required | Yes | No |
| For our marketing purposes — to offer our products and services to you | Yes | No |
| For joint marketing with other financial companies | Yes | No |
| For our affiliates' everyday business purposes — information about your transactions and experiences | Yes | No |
| For our affiliates' everyday business purposes — information about your creditworthiness | No | We don't share |
| For our affiliates to market to you | No | We don't share |
| For nonaffiliates to market to you | No | We don't share |
Who We Are
Who is providing this notice? Protocol Wealth, LLC — an SEC-registered investment adviser (CRD #335298).
What We Do
Use of AI Tools and Data Privacy
Protocol Wealth uses AI tools as part of a co-intelligence framework that combines human adviser expertise with artificial intelligence under human oversight. AI supports research, analysis, portfolio monitoring, document preparation, and administrative workflows. It does not replace our advisers, make autonomous investment decisions, or operate outside our supervision. Every material AI-assisted output is reviewed by a human adviser before it reaches you or influences a recommendation made on your behalf.
Our primary AI provider is Anthropic, PBC, engaged under a Zero Data Retention agreement. Inputs and outputs sent via the Claude API are not retained by Anthropic beyond request duration; our data is contractually excluded from any use in training or improving AI models; inference is restricted to US-based infrastructure; and outputs are not subject to human review.
Two additional AI providers operate in narrower, firm-internal roles, behind the same brokering, PII redaction, and egress controls we apply to our Claude traffic:
- Google Gemini (Google LLC, Gemini API) — (a) image and graphics generation for advisor workflows, and (b) automated source-code-review scans as one of the model providers in our internal software-review process. All Gemini calls are brokered through our backend and run on the paid tier of the Gemini API, under which Google does not use our inputs or outputs to train its models and does not subject them to human review; inputs and outputs are subject only to a short abuse-monitoring retention window (approximately 72 hours) and processing is US-based. Client PII is removed before any data reaches Google; the source-code-review path handles only our own source code (not client data) and runs behind a separate pre-egress secret and PII scan.
- OpenAI — (a) voice transcription via the Whisper API for advisor-initiated dictation (advisor voice memos transcribed into internal workflows), and (b) automated source-code review via the OpenAI API (Codex) as one of the model providers in our internal software-review process. OpenAI does not use our API data to train its models. Whisper content is limited to what an advisor dictates and is not connected to client accounts or the client portal; the source-code-review path handles only our own source code (not client data) behind a pre-egress secret and PII scan. OpenAI is not used to process client data.
We do not currently operate self-hosted AI models; should external ZDR conditions change, we reserve the ability to deploy self-hosted alternatives and will update this policy before doing so.
The safeguards we apply when AI touches client information:
- Client nonpublic personal information is anonymized, tokenized, or removed before being entered into external AI tools where feasible
- Account numbers, Social Security numbers, and similarly sensitive identifiers are never submitted directly to external AI tools
- AI tool settings are configured to opt out of model training where available, and we prefer providers who contractually commit to no-training terms
- AI-generated content is reviewed by qualified personnel before use in client communications or investment decisions
- AI outputs that affect your account are auditable — we maintain records of AI-assisted work to support compliance review
- We review AI tool terms of use, privacy policies, and data sharing practices before engagement and on an ongoing basis
What AI does not do at Protocol Wealth:
- AI does not make final investment decisions on your behalf without human adviser review
- AI does not override the fiduciary judgment of your investment adviser representative
- AI does not determine your fees, account access, or legal rights under your advisory agreement
- AI-generated outputs that include client data are never sold, syndicated, or shared with third parties for purposes unrelated to serving you
If you use the AI assistant in your client portal, your use is also governed by our AI Acceptable Use Policy, which explains in plain language what the assistant will and will not do, how your data is handled, and how to reach a human on your advisory team.
Recording and Transcription of Client Meetings
We do not record or transcribe client meetings without your consent and advance notice. Advisor-initiated dictation — short voice memos an advisor records for internal note-taking, transcribed into our internal workflows (see the OpenAI / Whisper disclosure above) — does not involve recording your meetings with us. Where we hold the technical ability to record or transcribe a video meeting (for example, through our Google Workspace conferencing tools), we will notify you before any meeting is recorded or transcribed and will proceed only with the consent of the participants, consistent with applicable two-party-consent expectations. You may decline recording at any time.
Co-Intelligence Framework — How AI and Human Advisers Work Together
The core of our approach is that AI and human advisers guard each other rather than replace each other:
AI as a guardrail on advisers. AI provides 24/7 monitoring, flags portfolio drift, identifies concentration risk, performs consistency checks on advisory outputs, and produces double-checks on numerical work. If an adviser misses something, AI is positioned to catch it.
Human advisers as a guardrail on AI. Every material AI-assisted output is reviewed by a registered investment adviser representative before it reaches you or influences an action on your behalf. AI can produce plausible-looking but incorrect outputs ("hallucinations"). Human review catches these before they become problems.
AI excels at persistent, repetitive work. Continuous monitoring of portfolios, regime detection, document summarization, research synthesis, compliance screening. These tasks benefit from AI's tireless consistency.
Human advisers excel at judgment, relationship, and fiduciary obligations. Understanding your life circumstances, weighing tradeoffs that don't reduce to numbers, exercising the duty of care that is legally and ethically ours to bear. These are not delegated to AI.
This dual-guardrail approach is how we preserve the fiduciary relationship while making use of technology that genuinely improves our service quality.
PW Nexus API and MCP Server
Protocol Wealth operates PW Nexus (nexusmcp.site), a research API and Model Context Protocol (MCP) server that provides investment analysis tools, market data, and portfolio analytics. This section describes data practices specific to API and MCP server usage.
Data collected from API and MCP users:
- Authentication data: Email address, OAuth tokens, and session identifiers used to authenticate your access. OAuth tokens issued by our authorization server (pwportal.app for clients, pwos.app for advisor personnel) are encrypted in transit and stored with standard security controls.
- Usage logs: Tool invocations, API endpoint requests, timestamps, IP addresses, and request metadata. These logs are used for rate limiting, abuse prevention, service reliability, and debugging.
- Query data: Ticker symbols, wallet addresses, and other parameters you submit when using API endpoints or MCP tools. Query data is processed to return results and may be cached temporarily to improve performance.
How API and MCP data is used:
- To provide and improve the API and MCP services
- To enforce rate limits and prevent abuse
- To diagnose technical issues and maintain service reliability
- To generate aggregate, non-identifying usage statistics
How API and MCP data is NOT used:
- API and MCP usage data is never sold to third parties
- Query parameters and tool invocations are not used to build individual user profiles for marketing purposes
- Non-client API usage data is not shared with third parties except as required by law
Data retention for API and MCP usage:
- Non-advisory access logs (IP addresses, request timestamps, rate-limiting metadata for non-client, non-advisory interactions): retained for 90 days, then automatically purged.
- Advisory-related interactions (tool invocations by Clients that constitute or relate to investment advisory communications): retained for a minimum of five (5) years in accordance with SEC Rule 204-2.
- Authentication tokens: retained for the duration of the session or until revoked.
- Cached query results: retained according to cache TTL policies (ranging from 30 seconds to 24 hours depending on data type).
Accessing PW Nexus through third-party AI platforms:
When you connect to PW Nexus via an MCP connector in a third-party AI assistant (such as Claude, Cursor, or similar MCP-compatible platforms), your queries and our responses are transmitted through that platform's infrastructure. Protocol Wealth applies automated PII filtering to API and MCP responses to prevent client nonpublic personal information from being transmitted through third-party platforms.
However, Protocol Wealth does not control how third-party platforms process, cache, or retain data transmitted through their systems. Users accessing PW Nexus through third-party platforms should review that platform's privacy policy.
Advisory clients should not submit nonpublic personal information (such as account numbers, Social Security numbers, or detailed financial data) through third-party AI platforms or MCP connectors. For communications involving sensitive account information, please use the client portal (pwportal.app) or contact your advisor directly.
Third-Party Financial Data Services
To provide account aggregation, cashflow analysis, and portfolio reporting to advisory clients, Protocol Wealth uses third-party financial data services to securely connect to your external financial accounts. These services are available exclusively to clients who have executed an Investment Advisory Agreement with Protocol Wealth ("Clients") and are used solely to provide advisory services. Account data retrieved through these services is not shared with, sold to, or made accessible to any third party for their independent use.
Prospective clients ("Prospects") and general users of Protocol Wealth digital properties do not have access to account linking or financial data aggregation features. Access to aggregation services requires both authentication and verified Client status.
Currently active third-party data service providers:
- Quiltt, Inc. — provides a unified data aggregation platform that connects to financial institutions on our behalf. Quiltt is used exclusively for Client account aggregation within the advisory relationship. Quiltt's privacy policy: https://www.quiltt.io/policies/privacy-policy
- MX Technologies, Inc. — provides financial institution connectivity through Quiltt's aggregation platform (the firm's currently active connectivity path). MX's privacy policy: https://www.mx.com/privacy-policy
- FinGoal — provides data cleaning and enrichment through Quiltt's aggregation platform. FinGoal's privacy policy: https://fingoal.com/privacy
Additional Quiltt-routed connectivity providers — Finicity, Inc. (a Mastercard company) and Akoya LLC — are available on a Quiltt plan upgrade but are not currently active; no client data flows through them at this time. They would be added to the active roster above, with the notice described under "How We Share Information with Third Parties," if and when they are enabled. Protocol Wealth does not currently use Plaid.
You initiate all account connections through a secure interface provided by these services within the client portal (pwportal.app). Protocol Wealth does not receive or store your banking login credentials. You may disconnect any linked account at any time through the client portal or by contacting your advisor.
Financial data retrieved through these services is:
- Encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Stored only for the purpose of providing Advisory Services
- Never sold to third parties
- Never shared with or accessible to non-Client users of Protocol Wealth digital properties
- Subject to our data retention schedule (retained per SEC requirements, securely disposed when no longer required)
Cookies and Tracking Technologies
Protocol Wealth uses cookies and similar technologies only as necessary to operate our digital properties securely. We do not use third-party advertising, marketing, or cross-site tracking cookies, and we do not sell or share personal information for cross-context behavioral advertising.
- Strictly necessary cookies. Our authenticated client and advisor portals (pwportal.app, pwos.app) set first-party session and authentication cookies that are required to sign you in, keep your session active, and protect that session. These cannot be disabled without breaking core functionality.
- Security and infrastructure cookies. Our public website is served through Cloudflare, which sets short-lived, strictly necessary cookies (for example,
__cf_bmfor bot management and__cflbfor load balancing) to keep the site secure and available. - No advertising or cross-site tracking. We do not embed third-party advertising pixels, retargeting tags, or cross-site trackers on any Protocol Wealth property.
Because we use only strictly necessary cookies, no consent banner is required. You may control or block cookies through your browser settings, although disabling strictly necessary cookies will prevent you from signing in to the portals. If we introduce analytics or any non-essential tracking technologies in the future, we will update this section and provide any choices or opt-outs required by applicable law, including recognition of Global Privacy Control (GPC) signals where required.
How We Share Information with Third Parties
To administer, manage, and service client accounts, process transactions, and provide related services, Protocol Wealth provides access to Customer Information to non-affiliated companies, other investment advisers, custodians, and financial institutions. Third-party service providers who may receive Customer Information include:
Custody, Brokerage, Trading, and Billing
- Altruist Financial LLC — advisory billing and custody
- Interactive Brokers LLC — brokerage
- Anchorage Digital Bank — qualified digital asset custodian (federally chartered)
- FalconX — digital asset trading / execution provider in a tri-party arrangement where Anchorage Digital Bank remains the qualified custodian
- BitGo Trust Company — qualified digital asset custodian
- Fordefi — multi-party computation (MPC) wallet infrastructure for onchain holdings
- Coincover — independent third-party backup key holder for MPC wallet recovery
Financial Data Aggregation
- Quiltt, Inc. — financial account aggregation platform (orchestrator)
- MX Technologies, Inc. — connectivity through Quiltt (currently active)
- FinGoal — data cleaning and enrichment through Quiltt (currently active)
- Finicity, Inc. (a Mastercard company) and Akoya LLC — additional Quiltt-routed connectivity providers, available on a plan upgrade but not currently active
AI Services
- Anthropic, PBC — primary AI provider; Claude API under a Zero Data Retention agreement (US-only inference, no model training on our data, no human review)
- Google LLC — Gemini API for (a) advisor-facing image and graphics generation and (b) automated source-code-review scans (paid tier: no model training on our data, no human review; ~72-hour abuse-monitoring retention; US-based; brokered through our backend behind our PII redaction pipeline and egress controls)
- OpenAI — Whisper API for advisor-initiated voice-memo transcription and the OpenAI API (Codex) for automated source-code review (no model training on our data; source-code review processes our own code, not client data, behind a pre-egress secret and PII scan; not connected to client accounts)
Infrastructure and Platform
- Google Cloud Platform and Google Workspace — compute, email, document storage, productivity, and identity services under Google's business and enterprise terms
- Cloudflare — DNS, content delivery, web application firewall, and network security
Identity Verification and Compliance
- Veriff — identity verification during onboarding (used for clients whose identity is not verified through a custodian's onboarding flow, including DeFi/crypto-only clients)
- Scorechain S.A.S. (via QuickNode) — blockchain sanctions screening (Scorechain Free Sanctions API: OFAC and international sanctions lists applied to onchain wallet addresses) and Know Your Transaction / Know Your Wallet risk scoring (Scorechain Risk Assessment API via QuickNode). Only public onchain identifiers are transmitted; no client PII.
- QuickNode, Inc. — multi-chain RPC and blockchain-data infrastructure; the substrate carrying the Scorechain Risk Assessment API and general onchain reads (public onchain identifiers only)
- Hadrius — compliance monitoring and supervision (trade surveillance, marketing review, communication archiving)
Communications and Documents
- Wealthbox — customer relationship management (CRM)
- Postmark — transactional email delivery
- Anvil — document signing services
Onchain Data
- DeBank — multi-chain wallet and DeFi position data (primary onchain position-data source; read-only, public onchain data only)
- Octav — multi-chain wallet and DeFi position data (backup/fallback to DeBank for resilience and cross-source reconciliation; read-only, public onchain data only)
A current list of service providers is maintained at protocolwealthllc.com/subprocessors and available on request. All third-party providers are subject to our vendor risk assessment process and contractual data protection requirements.
Protocol Wealth may also provide Customer Information outside the firm as permitted by law — for example, to government entities or other third parties in response to subpoenas, regulatory examinations, or similar legal processes. We do not share Customer Information with affiliates or non-affiliated third parties for marketing purposes. We do not sell client information. We do not authorize our service providers to use client information for purposes other than providing services to us.
How Does Protocol Wealth Protect My Information?
To protect your personal information from unauthorized access and use, we maintain an information security program that complies with federal law, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for system access
- Role-based access controls limiting data access to authorized personnel
- Immutable audit trail logging all access to client data
- Incident response program for detecting and responding to security events
- Regular security assessments of third-party service providers
- Due diligence and monitoring of third-party service providers who have access to client information
- Automated PII filtering on API and MCP responses to prevent inadvertent disclosure of client information through programmatic interfaces
- Tenant isolation at the database level — client data is isolated from other clients' data through database-engine-level row-level security policies. This is a structural control that prevents cross-client data exposure even in the event of application-layer errors.
- AI data handling controls — external AI services are engaged under terms that prohibit use of our data for model training. Our primary AI provider (Anthropic) additionally operates under a Zero Data Retention agreement with US-only inference. See the "Use of AI Tools and Data Privacy" section above for the specifics of each AI service we use.
- Data residency in the United States — client data storage occurs on infrastructure located within the United States. Our primary storage and processing is within Google Cloud Platform (US regions). External AI inference with our primary AI provider (Anthropic) is contractually restricted to US regions.
- Segregation of sensitive data from external AI — client nonpublic personal information is segregated from external AI workflows through our PII filtering pipeline. Where AI assistance is applied to client-identified data, the data passes through redaction controls that replace identifiers with placeholder tokens before external transmission.
In the event of a data security incident involving unauthorized access to your sensitive customer information, we will notify you as soon as practicable, but no later than 30 days after becoming aware of the incident, in accordance with SEC Regulation S-P as amended.
International Clients and Cross-Border Data Processing
Protocol Wealth serves a limited number of non-U.S. clients, including entity and individual clients in jurisdictions such as Singapore and the United Arab Emirates. If you are located outside the United States, you should understand that:
- Your personal information is processed and stored on infrastructure located in the United States (primarily Google Cloud Platform, US regions), and external AI inference with our primary AI provider is contractually restricted to US regions. We do not maintain client-data processing in your country of residence.
- Because your information is stored and processed in the United States, it is subject to U.S. law, including lawful access by U.S. government authorities under U.S. legal process, and the United States may not provide the same level of data-protection or privacy rights as your country of residence. By entering into an advisory relationship and using our Services, you consent to this transfer and processing.
- Non-U.S. relationships are additionally subject to our OFAC / sanctions screening, FATCA, and (where applicable) CRS procedures, and to the international / non-U.S. terms of your Investment Advisory Agreement, which control the cross-border aspects of the relationship.
- Crypto-only non-U.S. engagements are scoped to the digital-asset advisory services described in your Investment Advisory Agreement; we do not provide services we are not registered or permitted to provide in your jurisdiction.
If you have questions about cross-border processing, contact [email protected].
Data Retention for Advisory Services
We retain client information for the duration of the advisory relationship plus the period required by applicable law and regulation:
- Advisory records required under Investment Advisers Act of 1940 Rule 204-2 — at least 5 years from the end of the fiscal year in which the record was created, with the first 2 years in an easily accessible location
- Audit logs (sanitized of identifying information) — at least 7 years
- Identity verification and sanctions screening records — per applicable vendor defaults and compliance requirements, typically 7 years
- Transactional email and document signing records — 7 years
- AI-assisted research outputs that become part of an advisory record — subject to Rule 204-2 retention; retained consistent with the related advisory record
When the required retention period expires, we delete or anonymize the data. Certain derivative data (anonymized analytics, system telemetry without client identifiers) may be retained longer for operational purposes.
Your Data Rights
You have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information, subject to regulatory retention requirements (certain records must be retained for 5 years per SEC Rule 204-2)
- Disconnect accounts: Remove any linked financial account connection at any time through the client portal or by contacting your advisor
- Revoke API access: Revoke any API keys or OAuth tokens associated with your account at any time through the client portal or by contacting your advisor
- Opt out: Opt out of certain information sharing as described below
To exercise any of these rights, contact us at [email protected] or [email protected]. We will respond to verified requests within 30 days. Some requests may be subject to regulatory exceptions — for example, we cannot delete records that SEC regulations require us to retain.
Your Rights Regarding AI-Assisted Services
You have rights regarding how AI is used in connection with your account:
Explanation of human review. If an AI-assisted output affects your account or advisory experience, you may ask your adviser to walk through the human review that occurred before the output was acted on. We will provide that explanation promptly.
Inquiry into AI involvement. You may ask what AI tools were involved in any specific analysis, report, or recommendation you received from us. We will tell you.
Opt-out from external AI processing. If you prefer that your data not pass through external AI services (such as Anthropic's Claude API), contact your adviser to discuss. We will describe which services remain available without external AI, any operational implications (for example, certain analyses may take longer or be structured differently), and any cost implications. We will not penalize you for choosing this option.
Opt-out from all AI-assisted workflows. You may request that no AI tools be used in work related to your account. This request will be accommodated to the extent feasible, and we will discuss the scope and implications with you.
These rights are in addition to the data rights described in "Your Data Rights" above.
Sensitive Personal Information
Some of the information we collect is Sensitive Personal Information — the categories that receive heightened protection under privacy laws such as the California Privacy Rights Act (CPRA). For Protocol Wealth, Sensitive Personal Information includes:
- Social Security numbers, taxpayer identification numbers, and other government-issued identifiers;
- financial account numbers and the access credentials or tokens used to reach a financial account;
- precise financial and transactional data, including account balances, holdings, and transaction history.
We use Sensitive Personal Information only as necessary to provide the Services, to meet our legal and regulatory obligations, and for other purposes permitted by law. We do not use it to infer characteristics about you, and we do not sell it or "share" it for cross-context behavioral advertising. As described in "Use of AI Tools and Data Privacy" above, account numbers, Social Security numbers, and similarly sensitive identifiers are never submitted directly to external AI tools, and client identifiers are removed or tokenized before any AI processing.
California Privacy Rights (CCPA/CPRA)
Most of the personal information Protocol Wealth holds about advisory clients is financial information collected in the course of providing financial services. That information is regulated under the Gramm-Leach-Bliley Act (GLBA) and is exempt from the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); it is governed by the "FACTS" notice and the other sections of this Privacy Policy.
The CCPA/CPRA does, however, apply to personal information we collect from California residents who are prospects or website visitors — for example, information submitted through our contact forms, diagnostics, and risk questionnaires — that is not collected under the GLBA. If you are a California resident, you have the right to:
- Know and access the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it;
- Delete personal information we have collected from you, subject to legal and regulatory retention exceptions;
- Correct inaccurate personal information we maintain about you;
- Opt out of the sale or "sharing" of personal information for cross-context behavioral advertising; and
- Not receive discriminatory treatment for exercising any of these rights.
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising, so there is nothing to opt out of today; if that ever changes, we will update this policy and provide the opt-out mechanisms the law requires. Where we are required to honor them, we recognize Global Privacy Control (GPC) browser signals as a valid opt-out request. You may exercise these rights yourself or through an authorized agent, and you may submit a request by contacting [email protected]. We will take reasonable steps to verify your request, respond within the timeframes required by law, and will not require you to create an account in order to make a request.
Why Can't I Limit All Sharing?
Federal law gives you the right to limit only:
- Sharing for affiliates' everyday business purposes — information about your creditworthiness
- Affiliates from using your information to market to you
- Sharing for nonaffiliates to market to you
State laws and individual companies may give you additional rights to limit sharing.
How Do I Limit Sharing?
If you choose to opt out now, at any time in the future, or wish to withdraw your opt out request, contact us at [email protected]. If it is your choice to opt out, there will be a 30-day period before your opt out will take effect.
Definitions
Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies. Protocol Wealth does not share with affiliates.
Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies. Protocol Wealth does not share with nonaffiliates so they can market to you.
Joint Marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you. Protocol Wealth may enter into joint marketing agreements with other financial companies.
Client: An individual or entity that has executed a written Investment Advisory Agreement with Protocol Wealth, LLC.
Prospect: A registered user of a Protocol Wealth digital property who has not executed an Investment Advisory Agreement.
Version History
- v3.7 (effective July 2, 2026) — Client-facing legal refresh: international, California, sensitive-data, and recording disclosures. Added four sections and one cross-link, closing gaps identified in the 2026-07-02 legal-docs gap analysis versus mature RIA comparables. (1) A new International Clients and Cross-Border Data Processing section for our non-U.S. clients (US data residency and processing; consent to US processing and U.S. legal jurisdiction; OFAC / sanctions / FATCA / CRS screening; the Investment Advisory Agreement controls the cross-border relationship). (2) A new California Privacy Rights (CCPA/CPRA) section granting the CPRA rights (know/access, delete, correct, opt out of sale and "sharing," non-discrimination; GPC honored; authorized-agent requests) for California prospect and website-visitor data, while noting the GLBA exemption for advisory-client financial data. (3) A new Sensitive Personal Information enumeration (SSNs/TINs, financial account numbers and credentials, precise financial/transactional data) with a CPRA-style use-limitation. (4) A new Recording and Transcription of Client Meetings statement (we do not record or transcribe client meetings without consent and advance notice; two-party-consent posture). (5) A cross-link to the client-portal AI Acceptable Use Policy in the AI section. No new categories of client data are shared and there is no vendor-roster change; the AI-provider and subprocessor disclosures remain reconciled to List of Subprocessors v1.8. Companion to Subprocessors Inventory v1.8.
- v3.6 (effective July 2, 2026) — Vendor-roster and AI-disclosure reconciliation to List of Subprocessors v1.8. (1) Reconciled the account-aggregation roster to the providers actually active today — Quiltt + MX + FinGoal — and moved Finicity and Akoya to a "not currently active / available on plan upgrade" note (both had been listed as active connectivity providers but no client data flows through them today), matching Subprocessors v1.8. (2) Corrected and expanded the AI-provider disclosures: the OpenAI entry now discloses both its Whisper voice-memo transcription use and its OpenAI-API (Codex) automated source-code-review use; the Google Gemini entry now discloses both graphics generation and source-code-review scans, with the paid-tier no-training / no-human-review terms, the ~72-hour abuse-monitoring retention window, and US-based processing. Both AI code-review paths process only the firm's own source code (no client data) behind a pre-egress secret and PII scan. Anthropic remains the primary provider (ZDR, US-only inference, no training, no human review). (3) No Plaid — Plaid Link is not enabled and Plaid is not added as a vendor; Anvil (document signing) and Postmark (transactional email) remain disclosed under "Communications and Documents." No new categories of client data are shared as a result of this version. Companion to Subprocessors Inventory v1.8.
- v3.5 (effective June 11, 2026) — Added FalconX to the named third-party sharing roster as a digital asset trading / execution provider in a tri-party arrangement where Anchorage Digital Bank remains the qualified custodian. No change to the AI disclosures, cookies posture, or account-aggregation scope. Companion to the Subprocessors list.
- v3.4 (effective June 11, 2026) — AI-disclosure update closing the Gemini live-vs-disclosed mismatch flagged in v3.3 ("Google Gemini not added until its capability ships" — the brokered Gemini capability went live June 4-5, 2026). Added Google LLC (Gemini API) (advisor-facing image and graphics generation, brokered through our backend behind the firm's PII redaction pipeline and egress controls; paid-tier no-training/no-human-review terms; added under the firm's documented AI-use and vendor-governance review process) and OpenAI (Whisper) (advisor-initiated voice-memo transcription only; no chat or reasoning models) to the AI disclosures and the third-party sharing list. Scoped the AI data-handling and data-residency statements so the Zero Data Retention and US-only-inference claims attach to Anthropic specifically. Companion to the Subprocessors list.
- v3.3 (June 2026; consolidated into v3.4) — Vendor reconciliation to the current Subprocessors inventory + new disclosures. Removed Chainalysis (onchain sanctions screening decommissioned 2026-05-29) and replaced it with Scorechain S.A.S. (via QuickNode) for sanctions + KYT/KYW screening, plus QuickNode, Inc. as the RPC/addon substrate. Removed Zapper (never integrated) and added Octav as the onchain position-data backup; annotated DeBank as the primary onchain source. Added Finicity (a Mastercard company) and Akoya LLC as Quiltt-routed account-connectivity providers (USAA + coverage gaps). Added a new Cookies and Tracking Technologies section (strictly-necessary cookies only; no advertising/cross-site trackers; no banner required). No change to AI disclosures (Anthropic-only; Google Gemini not added until its capability ships).
- v3.2 (May 3, 2026) — Added co-intelligence framework, Anthropic ZDR disclosure with US-only inference and no-training commitments, corrected vendor list (Quiltt + MX + FinGoal; no Plaid), added Anthropic / Google Cloud / Cloudflare / Hadrius / Anchorage / BitGo / Coincover / Altruist / IBKR / Veriff / Chainalysis / DeBank / Zapper, tenant isolation disclosure, AI data handling controls, US data residency, PII segregation, advisory-level retention schedule, AI-specific client rights. Updated portal references from pwdashboard.com to pwportal.app (client) and pwos.app (advisor). Subprocessors page reference added.
- v3 (March 19, 2026) — Prior baseline. Superseded in full by v3.2.
Questions?
If you have any questions about this privacy notice, please contact us at [email protected] or [email protected], or reach us at:
Protocol Wealth, LLC Attn: Chief Compliance Officer (Adam Blumberg) 201 Milwaukee St., Suite 200 Denver, CO 80206 Phone: 720-383-4550
Protocol Wealth, LLC | SEC-Registered Investment Adviser | CRD #335298
Form ADV | Form ADV Part 2A | Form CRS | Terms of Service | Subprocessors | Disclosures