Policy · v3.1 · SOC 2 Type II

Privacy Policy.

We collect what we need to run the Service - nothing more. We never sell your data. This policy explains, in plain English, what we collect, why, and what you can do about it.

In effect · Last updated · Mar 14, 2026 · Version 3.1 · GDPR · CCPA compliant

This Privacy Policy describes how Startup Intros, Inc. ("we," "us") collects, uses, and shares personal information when you use our Service. It applies to founders, investors, and anyone who visits startupintros.com.

§ 01

The short version.

If you only read one section, read this one.

  • We collect the data you give us when you sign up and use the Service - your name, email, company, and the cap-table / filings / CRM data you store with us.
  • We use it to run the Service, keep your account secure, and improve the product. That's it.
  • We never sell your personal information. We never share it with advertisers.
  • You can export or delete your data at any time, from your account settings or by emailing privacy@startupintros.com.
  • We're SOC 2 Type II certified. Data is encrypted in transit and at rest.

The rest of this page

Everything below is the long-form version, written to satisfy GDPR, CCPA, and our own engineering team's preference for precise language.

§ 02

What we collect.

Information you provide

  • Account data. Name, email, phone number, password (hashed), company name, role.
  • Founder profile. Stage, sector, location, stated interests - used by the intro network and only shared with your opt-in.
  • Company data. Cap-table entries, incorporation documents, investor correspondence, data-room files, task lists, and any other content you upload. This is Customer Content under the Terms.
  • Payment data. Billing address and tax ID. Card numbers are handled by Stripe and never touch our servers.

Information we collect automatically

  • Usage data. Pages visited, features used, timestamps, errors. We use this to fix bugs and prioritize features.
  • Device data. Browser, operating system, approximate location derived from IP. Used for security and debugging.
  • Cookies. Strictly-necessary cookies for authentication and session. Analytics cookies only with your consent (cookie banner on first visit).

§ 03

How we use it.

  • Provide the Service. Host your cap table, filings, CRM, and workspace. Authenticate your sessions.
  • Secure the Service. Detect fraud, abuse, and unauthorized access. Maintain audit logs.
  • Communicate. Service announcements, billing, security alerts. Product updates only if you opt in.
  • Improve. Aggregate, de-identified analytics to understand which features work and where users get stuck.
  • Legal & compliance. Comply with applicable laws, respond to lawful requests, enforce our Terms.

We do not use Customer Content to train any machine-learning model. We do not sell, rent, or lease personal information to third parties. We do not share data with advertisers or data brokers.

§ 04

Legal bases (GDPR).

If you're in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under one or more of the following lawful bases:

  • Contract. To provide the Service you subscribed to.
  • Legitimate interest. To secure the Service, prevent fraud, and improve the product, balanced against your rights.
  • Consent. For non-essential cookies and optional marketing emails. You can withdraw at any time.
  • Legal obligation. To comply with tax, accounting, or regulatory requirements.

§ 05

How we share information.

We share personal information only in these circumstances:

  • With your consent. For example, when you opt into a warm introduction on the intro network, we share your profile with the matched party.
  • With subprocessors. Vendors who help us operate the Service (hosting, email, payments). See the full list in §06. Each is bound by a data-processing agreement.
  • For legal reasons. In response to a lawful subpoena, court order, or other legal process, and only after reviewing the request and, where permitted, notifying you.
  • In a business transfer. If we're acquired or merge, personal information may transfer to the acquirer under the same protections as this policy.

§ 06

Subprocessors.

Our current subprocessors - the third-party services we use to run Startup Intros. We publish a change log and notify customers before adding new ones.

  • Amazon Web Services. Primary hosting and storage · US-East
  • Stripe. Payment processing · US & EU
  • Postmark. Transactional email delivery · US
  • Twilio. SMS and voice (2FA) · US
  • Linear. Customer support ticketing · US
  • PostHog (self-hosted). Product analytics · EU · no third-party transfer
  • Sentry. Error monitoring · US · PII scrubbed

§ 07

Data retention.

We keep personal information only as long as necessary for the purposes described in this policy, or as required by law.

  • Active accounts. Customer Content is retained for the duration of your subscription.
  • After termination. 30 days for export, then deleted from production within 60 days. Secure backups rotate out within 180 days.
  • Billing records. Retained for 7 years to comply with US tax law.
  • Security logs. Retained for 13 months, then purged.

§ 08

Your rights.

Depending on where you live, you have some or all of the following rights over your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to fix inaccurate information.
  • Deletion. Ask us to delete your personal information. We'll comply unless retention is legally required.
  • Portability. Export your data in a machine-readable format (JSON or CSV).
  • Objection. Object to processing based on legitimate interest, including profiling.
  • Withdraw consent. Where we rely on consent, you can withdraw it at any time without affecting prior lawful processing.
  • Non-discrimination (California). Exercising a right won't result in a lower-quality Service or different pricing.

To exercise any of these rights, email privacy@startupintros.com. We'll respond within thirty (30) days and may need to verify your identity before acting on a request.

§ 09

Security.

We take security seriously and align our practices with SOC 2 Type II controls.

  • Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Secrets and keys are stored in AWS KMS and rotated on a schedule.
  • Production access requires SSO and two-factor authentication, and is logged.
  • Penetration tests are run annually by an independent third party.
  • Security disclosures: security@startupintros.com. We respond within 24 hours and don't sue researchers who follow our coordinated disclosure policy.

Breach notification

In the unlikely event of a security incident affecting your data, we'll notify you within seventy-two (72) hours and provide a detailed incident report within fourteen (14) days.

§ 10

International transfers.

Startup Intros is based in the United States, and our primary infrastructure is in the US. If you access the Service from outside the US, your data will be transferred to and processed in the US.

For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. A copy of the SCCs is available on request.

§ 11

Children.

The Service is not directed to children under 16. We don't knowingly collect personal information from children. If you believe we've collected information from a child, contact us and we'll delete it.

§ 12

Changes to this policy.

We may update this policy from time to time. If we make material changes, we'll email account owners at least thirty (30) days before the change takes effect and post a summary at the top of this page. The "Last updated" date above always reflects the current version.

§ 13

Contact us.

For privacy questions, data-subject requests, or anything else covered by this policy:

Security disclosures
EU representative
Osano Data Protection Services, Dublin, Ireland
Mailing address
Startup Intros, Inc. · 548 Market St, Suite 24192 · San Francisco, CA 94104

If you're in the EEA and aren't satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.

Data-subject request.

Need to access, export, or delete your data? Send us a quick note and a real person will handle it within thirty days.