Holistic Capital – Privacy Policy & Information Security Program

1. Purpose & Scope

• This policy outlines Holistic Capital’s commitment to protecting the confidentiality and security of clients’ non-public personal information (NPI) in accordance with Regulation S-P, the Gramm-Leach-Bliley Act (GLBA), and state privacy laws.

• It applies to all records, documents, and data related to current, former, and prospective clients.

2. Information Collected

• Holistic Capital collects the following types of non-public personal information (NPI):

• - Name, address, date of birth, and contact information

• - Social Security number or Tax ID

• - Investment account numbers and balances

• - Financial goals, income, and employment data

• - Tax, legal, and estate planning documents

3. Collection & Storage Methods

• Information is collected directly from the client via forms, meetings, secure email, and document uploads.

• All data is stored in encrypted cloud-based platforms, such as Google Workspace or Dropbox Business.

• Access is limited to Juan Garcia, the sole principal of the firm.

4. Use and Sharing of Information

• Information is used solely to provide investment advisory services, develop financial plans, and comply with legal or regulatory requirements.

• Holistic Capital does not sell or rent client information to any third parties.

• NPI may be shared with service providers (e.g., custodians or legal counsel) only as necessary and with appropriate safeguards.

5. Safeguards

• Holistic Capital implements the following safeguards to protect client data:

• - Technical: Encrypted devices, cloud storage, secure passwords, VPN for remote access

• - Physical: Secure workspace and devices with timed auto-lock

• - Administrative: Confidentiality procedures, secure shredding, and document access limits

6. Employee Access & Training

• As a sole proprietor, Juan Garcia is the only individual with access to client NPI.

• An annual self-review and continuing education process ensures ongoing compliance with privacy and cybersecurity obligations.

7. Incident Response & Breach Notification

• In the event of an actual or suspected breach of client information:

• - Juan Garcia will immediately assess the nature and scope of the breach

• - Affected clients will be notified within 72 hours if their data is compromised

• - Regulatory authorities will be informed as required by law

• - Steps will be taken to mitigate further exposure and remediate risk

8. Client Rights & Annual Privacy Notice

• Clients have the right to review and request corrections to their personal information.

• Holistic Capital provides an annual privacy notice summarizing this policy, in accordance with Regulation S-P.

9. Review & Updates

• This Privacy Policy is reviewed annually by Juan Garcia and updated as needed to reflect changes in technology, regulations, or firm operations.

• Last Reviewed: 5.22.25