Privacy Policy
This notice explains what personal data Fons.vc collects, why we collect it, how we use it, who we share it with, and the rights you have. Plain language, no legal padding.
1. Who we are
Fons.vc is operated by Lewis Rogers, trading as Fons.vc (a sole trader based in the United Kingdom). For the purposes of UK GDPR and the Data Protection Act 2018, Lewis Rogers is the data controller for personal data collected through fons.vc.
Contact for any privacy matter: admin@fons.vc.
2. What data we collect
If you register as a founder
When you register your company on fons.vc, we ask for:
- Required: company name, your name, your work email address.
- Optional: company website, your LinkedIn URL, a pitch deck file (.pptx / .ppt).
If you upload a pitch deck, that file (and any business information it contains — team, traction, financials, plans) is treated as personal data of the founders it identifies and as confidential business information of the company.
If you create an account
When you create a Fons account we store your name and email, and the details you choose to add to your profile (headline, bio, location, career history, links, avatar, and connected social accounts). We also assign you a public handle.
Your profile is private by default. A new account is not published anywhere until you choose to make it public. When you opt in (via the Visibility control on your profile), your profile is served at fons.vc/<your-handle> and is visible to anyone with the link — but only the fields listed above; your email address is never shown publicly. You can switch it back to private, or to unlisted (reachable by direct link but kept out of the directory and search), at any time. If you become a Founding Member, your subscription is processed by Stripe (see §4) and we store your membership status and Stripe references.
If you connect a YouTube channel
If you use our Connect YouTube feature to verify a channel, you authorise Fons — through Google's OAuth consent screen — to read your own YouTube channel using the read-only scope youtube.readonly. We use it for a single purpose: to confirm you control the channel and obtain its canonical public URL, which we then show on your profile with a verified marker. We call the YouTube Data API once (channels.list for the signed-in user) to read your channel's public identity. We do not read private videos, modify your channel, post on your behalf, or access viewer or analytics data. We store only your public channel URL and the verified marker; you can remove them at any time by disconnecting the channel, which also ends our access.
Fons's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. This feature uses YouTube API Services; by connecting you also agree to the YouTube Terms of Service, and Google's handling of your data is governed by the Google Privacy Policy. We do not use this data for advertising, we do not sell it, and we do not use it to train AI models.
Data we collect automatically
- Request metadata: when you submit either form, our server records your IP address and browser user-agent string alongside the submission, for abuse prevention and security investigations.
- Server logs: standard web server access logs (timestamp, URL requested, response status, IP, user-agent). These are retained briefly for operations and security only.
Product analytics (PostHog)
We use PostHog, a product-analytics tool, to understand how the site is used (which pages are viewed, in what sequence) so we can improve it. We've configured it to be privacy-preserving: data is sent to PostHog's EU region and stored in the EU, your IP address is anonymised, session recording is disabled (we never record your screen or keystrokes), and your name and email are never attached to analytics events. It runs in two tiers. By default it is cookieless and anonymous: it stores nothing on your device (only short-lived page memory), ties events only to a random visitor ID, counts page views anonymously, and so needs no consent. If you click Accept on our cookie banner, we additionally set one analytics cookie (a longer-lived random visitor ID) for more accurate, cross-visit measurement — and, if you are signed in, we link analytics events to a pseudonymous account identifier (a random account ID, not your name or email) so we can measure how the product is genuinely used by signed-in users. You can change or withdraw your choice at any time via “Cookie settings” in the footer, which unlinks the account identifier and reverts us to the cookieless, anonymous baseline. See our Cookie Notice for the full inventory.
Beyond PostHog we do not use Google Analytics, advertising pixels, remarketing tags, fingerprinting, or any cross-site tracking on this site.
Profile interaction analytics
So that a founder can see who is engaging with their own profile, we keep a minimal, first-party count of interactions with each public profile — page views, agent reads of the machine-readable .md version, and clicks on the profile's links. These counts are private to the profile owner and are deliberately kept coarse. For each interaction we store only: which surface it came through, a broad device type (desktop / mobile / tablet / agent), the host of any referring site (never the full address), the name of the automated agent where the visitor is a known bot, and a two-letter country code. The country is worked out on our own server, offline, from your IP address using a local lookup database (derived from MaxMind's GeoLite2 data) and the IP address is immediately discarded — we never store it against the interaction, and it never leaves our server for this purpose. We do not record your identity, the full URL you came from, your exact location, or any cross-site activity, and this feature sets no cookies. These counts are kept for 90 days and then automatically deleted.
Bot protection (Cloudflare Turnstile)
To protect our sign-in, sign-up, and password-reset forms from automated abuse, we use Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative. It runs invisibly in your browser — there is normally nothing for you to click. To tell humans apart from bots, Turnstile processes a small set of technical signals (such as your IP address, a TLS/HTTP fingerprint, and your browser user-agent). Cloudflare states it cannot identify individuals from these signals, does not use them for advertising, and does not track you across sites. For the full detail of what Turnstile processes, see Cloudflare's Turnstile Privacy Addendum.
Local storage on your device
The site stores a couple of small values in your browser's local storage (not cookies, not transmitted to us):
fons-theme— your light/dark theme choice.fons-cookie-consent— whether you accepted or rejected analytics, so we don't ask you again.
Signed-in sessions also use a small number of strictly-necessary keys (for example a cross-tab sign-out signal so signing out in one tab signs you out everywhere). See our Cookie Notice for the full inventory and how to clear them.
3. Why we collect it (and our lawful basis)
| What we do with it | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Process your registration; create your founder profile; send a confirmation email; reply to your questions. | Performance of pre-contractual steps you requested (Art. 6(1)(b)). |
| Send you occasional product updates (kept low-frequency; you can unsubscribe at any time from any email). | Consent, given by your submission of the registration form having read this notice (Art. 6(1)(a)). |
| Parse an uploaded pitch deck (locally and via our deck-reading agent) to pre-fill your profile. | Performance of pre-contractual steps you requested (Art. 6(1)(b)). |
Read your own YouTube channel (via Google OAuth, youtube.readonly) to verify you control it and show it as a verified link on your profile. |
Consent (Art. 6(1)(a)), given when you start the connection and withdrawable at any time by disconnecting the channel. |
| Record IP and user-agent on submissions; keep brief server logs; rate-limit uploads. | Legitimate interests — preventing abuse, fraud, and unauthorised access (Art. 6(1)(f)). |
| Understand how the site is used — cookieless analytics (PostHog): anonymous page-view counts, anonymised IPs, no device storage, no profiling. | Legitimate interests — measuring and improving our service with privacy-preserving, anonymous data (Art. 6(1)(f)). No cookies, so no PECR consent needed. |
| The same analytics, with a cookie (longer-lived visitor ID) for cross-visit measurement — and, for signed-in users, events linked to a pseudonymous account identifier (a random account ID, never name or email) to measure real product usage. | Consent (Art. 6(1)(a)), given via our cookie banner and withdrawable anytime — withdrawal unlinks the account identifier. PECR requires consent for non-essential analytics cookies. |
| Give a profile owner private, minimised interaction counts for their own profile (surface, coarse device, referring host, agent name, two-letter country derived from IP then discarded — no identity, no stored IP, no cookies; deleted after 90 days). | Legitimate interests — letting a founder understand engagement with their own profile using privacy-preserving, aggregate data (Art. 6(1)(f)). No cookies, so no PECR consent needed. |
| Meet legal obligations (e.g. responding to lawful requests from authorities). | Legal obligation (Art. 6(1)(c)). |
We do not sell your data. We do not use it to train third-party AI models. The pitch decks you upload are read by our deck-extraction agent for the sole purpose of pre-filling your own profile.
4. Who we share it with
We use a small number of third-party processors. Each is contractually required to process personal data only on our instructions and in line with UK GDPR.
| Processor | What they do for us | Where |
|---|---|---|
| Resend (Resend Inc.) | Delivers our transactional and product-update emails; stores your email address in our "Pre-Release" audience so we can send announcements (always with a one-click unsubscribe). | United States |
| Supabase (Supabase Inc.) | Hosted Postgres database. Stores founder registrations and your account and profile data so we can operate the platform. Row-level security is enabled and forced; only our server-side secret key can read or write the tables — the database is never reached directly from your browser. | European Union |
| PostHog (PostHog, Inc.) | Product analytics. Counts page views and basic interactions so we can see how the site is used and improve it. Events are tied to a random visitor ID — or, if you have accepted analytics cookies and are signed in, to a pseudonymous account identifier so we can measure real product usage. IP addresses are anonymised, session recording is disabled, and your name and email are never attached. | European Union |
| Cloudflare (Cloudflare, Inc.) | Bot and abuse protection on our authentication forms via Cloudflare Turnstile (an invisible CAPTCHA alternative). Processes minimal technical signals to distinguish humans from bots; not used for advertising or cross-site tracking. See Cloudflare's Turnstile Privacy Addendum. | United States |
| Stripe (Stripe, Inc.) | Payment processing for Founding Member subscriptions. When you subscribe, Stripe collects and processes your payment details directly on its own hosted checkout — your card number never reaches Fons. We store only a Stripe customer/subscription reference and your membership status. See Stripe's Privacy Policy. | United States |
| Anthropic (Anthropic PBC) | AI processing. Our intake assistant and decision engine send the profile, company, and pitch-deck/CV text you provide to Anthropic's Claude models to help structure and pre-fill your own profile. Anthropic processes this on our instructions via its API and does not use it to train its models. See Anthropic's Privacy Policy. | United States |
| Our hosting infrastructure | Serves the website and the registration API. Hosted on a server we operate; static files served by nginx, registrations handled by a Node service. | United Kingdom |
We do not share your personal data with advertisers, data brokers, or investors. (If we introduce an investor-facing product, any sharing of your structured profile with investors will be a separate, explicit opt-in flow — distinct from this notice.)
5. International transfers
Our hosting (United Kingdom), our Supabase database, and our PostHog analytics (both European Union) sit in areas the UK recognises as providing an adequate level of data protection, so no additional safeguards are required.
Resend processes email in the United States. For that transfer we rely on the UK Information Commissioner's Office "UK Extension to the EU–US Data Privacy Framework" and standard contractual clauses to ensure your data continues to be protected to UK GDPR standards. You can request a copy of the safeguards by emailing admin@fons.vc.
Cloudflare provides our bot protection from the United States. For that transfer we rely on Cloudflare's certification under the EU–US Data Privacy Framework and its UK Extension, together with the standard contractual clauses in Cloudflare's data-processing terms, so the technical signals Turnstile processes remain protected to UK GDPR standards.
Stripe (payments) and Anthropic (AI processing) both operate from the United States. For those transfers we rely on each provider's certification under the EU–US Data Privacy Framework and its UK Extension, together with the standard contractual clauses in their data-processing terms, so your data remains protected to UK GDPR standards. You can request a copy of the safeguards by emailing admin@fons.vc.
6. How long we keep it
- Founder registration record (name, email, company, links, deck): kept for as long as we operate Fons.vc and you maintain a profile or registration with us — your data is the basis of your founder profile. If you ask us to delete it, we delete it within 30 days (except where we have a legal obligation to retain it).
- Database mirror at Supabase: the same retention as the underlying record. When you ask us to delete your data, the Supabase row is removed as part of the same request.
- Account & profile (name, email, profile fields, handle): kept while your account exists. Deleting your account removes the profile and its public page within 30 days (except where we have a legal obligation to retain a record).
- Membership & billing (Stripe customer/subscription references, status): kept while you are a member and afterwards only as long as needed for accounting and tax records. Stripe retains payment records under its own obligations.
- Email audience contact at Resend: kept while you remain subscribed. Unsubscribing removes you from active sending; on your written request we will also delete the contact record entirely.
- Server logs and request metadata (IP, user-agent): kept for up to 90 days, then deleted, except where retained longer for active abuse or security investigations.
- Product-analytics events (PostHog): pseudonymous — tied only to a random visitor ID, never your identity — and retained at PostHog for analysis under its data-retention controls.
- Profile interaction counts (the owner-only engagement figures): minimised and never tied to your identity or a stored IP; automatically deleted 90 days after each interaction.
- Email correspondence: kept for as long as needed to handle your query and meet our records obligations.
7. How we protect it
- All web traffic is served over HTTPS (TLS).
- Our registration API is reachable from the internet only through nginx, which proxies to a Node service bound to loopback.
- Deck uploads run through a sandboxed parser (read-only filesystem, no network), with size, type, zip-bomb, and XML-entity guards before any business data is extracted.
- API keys and processor credentials are stored as environment variables on the server, never committed to source control.
- Access to the server is restricted to the controller; non-production environments are protected by HTTP basic authentication.
No system is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will report it to the UK Information Commissioner's Office without undue delay — and within 72 hours of becoming aware of it — and, where the risk to you is high, we will tell you directly.
8. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that is inaccurate or incomplete.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to limited exceptions.
- Restriction — ask us to pause processing while a query is resolved.
- Portability — receive a machine-readable copy of the data you gave us, or have us send it to another controller.
- Object — object to processing carried out under our legitimate interests, including profiling.
- Withdraw consent — where we rely on your consent (e.g. product-update emails), you can withdraw it at any time. Every email contains an unsubscribe link; you can also email us.
- Complain — lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data. We'd ask you to talk to us first so we can put it right.
To exercise any of these rights, email admin@fons.vc. We respond within one calendar month (and usually within a few days). There is no charge for a reasonable request.
9. Automated decisions and the decision engine
Fons includes a decision engine that produces a structured readiness signal from the information in a company or product profile. This is decision support: we do not make decisions that produce legal or similarly significant effects on you by solely automated means. A person is involved in any consequential decision, and the output is a signal for you to interpret, not an automated verdict. You can ask us about the logic involved, share your point of view, and contest a result by emailing admin@fons.vc.
10. Children
Fons.vc is a B2B service for founders, operators, and investors. It is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has registered, contact us and we will delete the record.
11. Changes to this policy
If we make material changes — new processors, new purposes, new categories of data — we will update the "Last updated" date at the top of this page and, where the change affects you, notify subscribers by email before it takes effect. Minor wording fixes won't trigger a notice.
12. Contact
Privacy questions, data-subject requests, or anything else covered by this notice:
Lewis Rogers, trading as Fons.vc
Email: admin@fons.vc