Privacy Policy
This notice explains what personal data Fons.vc collects, why we collect it, how we use it, who we share it with, and the rights you have. Plain language, no legal padding.
1. Who we are
Fons.vc is operated by Lewis Rogers, trading as Fons.vc (a sole trader based in the United Kingdom). For the purposes of UK GDPR and the Data Protection Act 2018, Lewis Rogers is the data controller for personal data collected through fons.vc.
Contact for any privacy matter: admin@fons.vc.
2. What data we collect
If you register as a founder
When you register your company on fons.vc, we ask for:
- Required: company name, your name, your work email address.
- Optional: company website, your LinkedIn URL, a pitch deck file (.pptx / .ppt).
If you upload a pitch deck, that file (and any business information it contains — team, traction, financials, plans) is treated as personal data of the founders it identifies and as confidential business information of the company.
If you request VC fund access
If you fill in the request-access form on our For VC funds page, we ask for:
- Required: your name, your work email address, your fund's name, your fund's sector focus, your fund's AUM band.
- Optional: your fund's website URL.
We treat the sector focus and AUM band as business information about the fund, not as your personal opinion. You should not submit information you are not authorised to share on the fund's behalf.
Data we collect automatically
- Request metadata: when you submit either form, our server records your IP address and browser user-agent string alongside the submission, for abuse prevention and security investigations.
- Server logs: standard web server access logs (timestamp, URL requested, response status, IP, user-agent). These are retained briefly for operations and security only.
We do not use Google Analytics, advertising pixels, session replay, fingerprinting, behavioural-tracking cookies, or any third-party analytics on this site.
Local storage on your device
The site stores two small preference values in your browser's local storage (not cookies, not transmitted to us):
fons-theme— your light/dark theme choice.fons-vc-currency— your preferred display currency on the VC calculator page.
See our Cookie Notice for the full inventory and how to clear them.
3. Why we collect it (and our lawful basis)
| What we do with it | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Process your registration; create your future founder profile; send a confirmation email; reply to your questions. | Performance of pre-contractual steps you requested (Art. 6(1)(b)). |
| Send you occasional pre-launch product updates (kept low-frequency; you can unsubscribe at any time from any email). | Consent, given by your submission of the registration form having read this notice (Art. 6(1)(a)). |
| Parse an uploaded pitch deck (locally and via our deck-reading agent) to pre-fill your future profile. | Performance of pre-contractual steps you requested (Art. 6(1)(b)). |
| Process a VC fund's request for access; send a confirmation email; contact you about a walkthrough; keep an internal record of fund interest while we shape v1. | Performance of pre-contractual steps you requested (Art. 6(1)(b)), and our legitimate interests in managing the access waitlist (Art. 6(1)(f)). |
| Record IP and user-agent on submissions; keep brief server logs; rate-limit uploads. | Legitimate interests — preventing abuse, fraud, and unauthorised access (Art. 6(1)(f)). |
| Meet legal obligations (e.g. responding to lawful requests from authorities). | Legal obligation (Art. 6(1)(c)). |
We do not sell your data. We do not use it to train third-party AI models. The pitch decks you upload are read by our deck-extraction agent for the sole purpose of pre-filling your own profile.
4. Who we share it with
We use a small number of third-party processors. Each is contractually required to process personal data only on our instructions and in line with UK GDPR.
| Processor | What they do for us | Where |
|---|---|---|
| Resend (Resend Inc.) | Delivers our transactional and pre-launch emails; stores your email address in our "Pre-Release" audience so we can send announcements (always with a one-click unsubscribe). | United States |
| Supabase (Supabase Inc.) | Hosted Postgres database. Stores a mirror of founder registrations and VC fund access requests so we can manage them once the platform launches. Row-level security is enabled and forced; only our server-side secret key can read or write the tables — the database is never reached directly from your browser. | European Union |
| Our hosting infrastructure | Serves the website and the registration API. Hosted on a server we operate; static files served by nginx, registrations handled by a Node service. | United Kingdom |
We do not share your personal data with advertisers, data brokers, or investors. (Once we launch the investor-facing product, any sharing of your structured profile with investors will be a separate, explicit opt-in flow — distinct from this notice.)
5. International transfers
Our hosting and our Supabase database are inside the United Kingdom and the European Union respectively — areas the UK recognises as providing an adequate level of data protection, so no additional safeguards are required.
Resend processes email in the United States. For that transfer we rely on the UK Information Commissioner's Office "UK Extension to the EU–US Data Privacy Framework" and standard contractual clauses to ensure your data continues to be protected to UK GDPR standards. You can request a copy of the safeguards by emailing admin@fons.vc.
6. How long we keep it
- Founder registration record (name, email, company, links, deck): kept while you remain on the pre-launch list, and for as long as we operate Fons.vc — your data is the basis of your future founder profile. If you ask us to delete it, we delete it within 30 days (except where we have a legal obligation to retain it).
- VC fund access request (your name, email, fund details): kept while you remain on the access waitlist or are an active discussion partner, and for as long as we operate Fons.vc. Deleted within 30 days of a written request.
- Database mirror at Supabase: the same retention as the underlying record. When you ask us to delete your data, the Supabase row is removed as part of the same request.
- Pre-launch audience contact at Resend: kept while you remain subscribed. Unsubscribing removes you from active sending; on your written request we will also delete the contact record entirely.
- Server logs and request metadata (IP, user-agent): kept for up to 90 days, then deleted, except where retained longer for active abuse or security investigations.
- Email correspondence: kept for as long as needed to handle your query and meet our records obligations.
7. How we protect it
- All web traffic is served over HTTPS (TLS).
- Our registration API is reachable from the internet only through nginx, which proxies to a Node service bound to loopback.
- Deck uploads run through a sandboxed parser (read-only filesystem, no network), with size, type, zip-bomb, and XML-entity guards before any business data is extracted.
- API keys and processor credentials are stored as environment variables on the server, never committed to source control.
- Access to the server is restricted to the controller; non-production environments are protected by HTTP basic authentication.
8. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that is inaccurate or incomplete.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to limited exceptions.
- Restriction — ask us to pause processing while a query is resolved.
- Portability — receive a machine-readable copy of the data you gave us, or have us send it to another controller.
- Object — object to processing carried out under our legitimate interests, including profiling.
- Withdraw consent — where we rely on your consent (e.g. pre-launch emails), you can withdraw it at any time. Every email contains an unsubscribe link; you can also email us.
- Complain — lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data. We'd ask you to talk to us first so we can put it right.
To exercise any of these rights, email admin@fons.vc. We respond within one calendar month (and usually within a few days). There is no charge for a reasonable request.
9. Children
Fons.vc is a B2B service for founders, operators, and investors. It is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has registered, contact us and we will delete the record.
10. Changes to this policy
If we make material changes — new processors, new purposes, new categories of data — we will update the "Last updated" date at the top of this page and, where the change affects you, notify subscribers by email before it takes effect. Minor wording fixes won't trigger a notice.
11. Contact
Privacy questions, data-subject requests, or anything else covered by this notice:
Lewis Rogers, trading as Fons.vc
Email: admin@fons.vc