Privacy Policy

1. Who we are

Fons.vc is operated by Lewis Rogers, trading as Fons.vc (a sole trader based in the United Kingdom). For the purposes of UK GDPR and the Data Protection Act 2018, Lewis Rogers is the data controller for personal data collected through fons.vc.

Contact for any privacy matter: admin@fons.vc.

2. What data we collect

If you register as a founder

When you register your company on fons.vc, we ask for:

If you upload a pitch deck, that file (and any business information it contains — team, traction, financials, plans) is treated as personal data of the founders it identifies and as confidential business information of the company.

If you create an account

When you create a Fons account we store your name and email, and the details you choose to add to your profile (headline, bio, location, career history, links, avatar, and connected social accounts). We also assign you a public handle.

Your profile is private by default. A new account is not published anywhere until you choose to make it public. When you opt in (via the Visibility control on your profile), your profile is served at fons.vc/<your-handle> and is visible to anyone with the link — but only the fields listed above; your email address is never shown publicly. You can switch it back to private, or to unlisted (reachable by direct link but kept out of the directory and search), at any time. If you become a Founding Member, your subscription is processed by Stripe (see §4) and we store your membership status and Stripe references.

If you connect a YouTube channel

If you use our Connect YouTube feature to verify a channel, you authorise Fons — through Google's OAuth consent screen — to read your own YouTube channel using the read-only scope youtube.readonly. We use it for a single purpose: to confirm you control the channel and obtain its canonical public URL, which we then show on your profile with a verified marker. We call the YouTube Data API once (channels.list for the signed-in user) to read your channel's public identity. We do not read private videos, modify your channel, post on your behalf, or access viewer or analytics data. We store only your public channel URL and the verified marker; you can remove them at any time by disconnecting the channel, which also ends our access.

Fons's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. This feature uses YouTube API Services; by connecting you also agree to the YouTube Terms of Service, and Google's handling of your data is governed by the Google Privacy Policy. We do not use this data for advertising, we do not sell it, and we do not use it to train AI models.

Data we collect automatically

Product analytics (PostHog)

We use PostHog, a product-analytics tool, to understand how the site is used (which pages are viewed, in what sequence) so we can improve it. We've configured it to be privacy-preserving: data is sent to PostHog's EU region and stored in the EU, your IP address is anonymised, session recording is disabled (we never record your screen or keystrokes), and your name and email are never attached to analytics events. It runs in two tiers. By default it is cookieless and anonymous: it stores nothing on your device (only short-lived page memory), ties events only to a random visitor ID, counts page views anonymously, and so needs no consent. If you click Accept on our cookie banner, we additionally set one analytics cookie (a longer-lived random visitor ID) for more accurate, cross-visit measurement — and, if you are signed in, we link analytics events to a pseudonymous account identifier (a random account ID, not your name or email) so we can measure how the product is genuinely used by signed-in users. You can change or withdraw your choice at any time via “Cookie settings” in the footer, which unlinks the account identifier and reverts us to the cookieless, anonymous baseline. See our Cookie Notice for the full inventory.

Beyond PostHog we do not use Google Analytics, advertising pixels, remarketing tags, fingerprinting, or any cross-site tracking on this site.

Profile interaction analytics

So that a founder can see who is engaging with their own profile, we keep a minimal, first-party count of interactions with each public profile — page views, agent reads of the machine-readable .md version, and clicks on the profile's links. These counts are private to the profile owner and are deliberately kept coarse. For each interaction we store only: which surface it came through, a broad device type (desktop / mobile / tablet / agent), the host of any referring site (never the full address), the name of the automated agent where the visitor is a known bot, and a two-letter country code. The country is worked out on our own server, offline, from your IP address using a local lookup database (derived from MaxMind's GeoLite2 data) and the IP address is immediately discarded — we never store it against the interaction, and it never leaves our server for this purpose. We do not record your identity, the full URL you came from, your exact location, or any cross-site activity, and this feature sets no cookies. These counts are kept for 90 days and then automatically deleted.

Bot protection (Cloudflare Turnstile)

To protect our sign-in, sign-up, and password-reset forms from automated abuse, we use Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative. It runs invisibly in your browser — there is normally nothing for you to click. To tell humans apart from bots, Turnstile processes a small set of technical signals (such as your IP address, a TLS/HTTP fingerprint, and your browser user-agent). Cloudflare states it cannot identify individuals from these signals, does not use them for advertising, and does not track you across sites. For the full detail of what Turnstile processes, see Cloudflare's Turnstile Privacy Addendum.

Local storage on your device

The site stores a couple of small values in your browser's local storage (not cookies, not transmitted to us):

Signed-in sessions also use a small number of strictly-necessary keys (for example a cross-tab sign-out signal so signing out in one tab signs you out everywhere). See our Cookie Notice for the full inventory and how to clear them.

3. Why we collect it (and our lawful basis)

What we do with itLawful basis (UK GDPR Art. 6)
Process your registration; create your founder profile; send a confirmation email; reply to your questions. Performance of pre-contractual steps you requested (Art. 6(1)(b)).
Send you occasional product updates (kept low-frequency; you can unsubscribe at any time from any email). Consent, given by your submission of the registration form having read this notice (Art. 6(1)(a)).
Parse an uploaded pitch deck (locally and via our deck-reading agent) to pre-fill your profile. Performance of pre-contractual steps you requested (Art. 6(1)(b)).
Read your own YouTube channel (via Google OAuth, youtube.readonly) to verify you control it and show it as a verified link on your profile. Consent (Art. 6(1)(a)), given when you start the connection and withdrawable at any time by disconnecting the channel.
Record IP and user-agent on submissions; keep brief server logs; rate-limit uploads. Legitimate interests — preventing abuse, fraud, and unauthorised access (Art. 6(1)(f)).
Understand how the site is used — cookieless analytics (PostHog): anonymous page-view counts, anonymised IPs, no device storage, no profiling. Legitimate interests — measuring and improving our service with privacy-preserving, anonymous data (Art. 6(1)(f)). No cookies, so no PECR consent needed.
The same analytics, with a cookie (longer-lived visitor ID) for cross-visit measurement — and, for signed-in users, events linked to a pseudonymous account identifier (a random account ID, never name or email) to measure real product usage. Consent (Art. 6(1)(a)), given via our cookie banner and withdrawable anytime — withdrawal unlinks the account identifier. PECR requires consent for non-essential analytics cookies.
Give a profile owner private, minimised interaction counts for their own profile (surface, coarse device, referring host, agent name, two-letter country derived from IP then discarded — no identity, no stored IP, no cookies; deleted after 90 days). Legitimate interests — letting a founder understand engagement with their own profile using privacy-preserving, aggregate data (Art. 6(1)(f)). No cookies, so no PECR consent needed.
Meet legal obligations (e.g. responding to lawful requests from authorities). Legal obligation (Art. 6(1)(c)).

We do not sell your data. We do not use it to train third-party AI models. The pitch decks you upload are read by our deck-extraction agent for the sole purpose of pre-filling your own profile.

4. Who we share it with

We use a small number of third-party processors. Each is contractually required to process personal data only on our instructions and in line with UK GDPR.

ProcessorWhat they do for usWhere
Resend (Resend Inc.) Delivers our transactional and product-update emails; stores your email address in our "Pre-Release" audience so we can send announcements (always with a one-click unsubscribe). United States
Supabase (Supabase Inc.) Hosted Postgres database. Stores founder registrations and your account and profile data so we can operate the platform. Row-level security is enabled and forced; only our server-side secret key can read or write the tables — the database is never reached directly from your browser. European Union
PostHog (PostHog, Inc.) Product analytics. Counts page views and basic interactions so we can see how the site is used and improve it. Events are tied to a random visitor ID — or, if you have accepted analytics cookies and are signed in, to a pseudonymous account identifier so we can measure real product usage. IP addresses are anonymised, session recording is disabled, and your name and email are never attached. European Union
Cloudflare (Cloudflare, Inc.) Bot and abuse protection on our authentication forms via Cloudflare Turnstile (an invisible CAPTCHA alternative). Processes minimal technical signals to distinguish humans from bots; not used for advertising or cross-site tracking. See Cloudflare's Turnstile Privacy Addendum. United States
Stripe (Stripe, Inc.) Payment processing for Founding Member subscriptions. When you subscribe, Stripe collects and processes your payment details directly on its own hosted checkout — your card number never reaches Fons. We store only a Stripe customer/subscription reference and your membership status. See Stripe's Privacy Policy. United States
Anthropic (Anthropic PBC) AI processing. Our intake assistant and decision engine send the profile, company, and pitch-deck/CV text you provide to Anthropic's Claude models to help structure and pre-fill your own profile. Anthropic processes this on our instructions via its API and does not use it to train its models. See Anthropic's Privacy Policy. United States
Our hosting infrastructure Serves the website and the registration API. Hosted on a server we operate; static files served by nginx, registrations handled by a Node service. United Kingdom

We do not share your personal data with advertisers, data brokers, or investors. (If we introduce an investor-facing product, any sharing of your structured profile with investors will be a separate, explicit opt-in flow — distinct from this notice.)

5. International transfers

Our hosting (United Kingdom), our Supabase database, and our PostHog analytics (both European Union) sit in areas the UK recognises as providing an adequate level of data protection, so no additional safeguards are required.

Resend processes email in the United States. For that transfer we rely on the UK Information Commissioner's Office "UK Extension to the EU–US Data Privacy Framework" and standard contractual clauses to ensure your data continues to be protected to UK GDPR standards. You can request a copy of the safeguards by emailing admin@fons.vc.

Cloudflare provides our bot protection from the United States. For that transfer we rely on Cloudflare's certification under the EU–US Data Privacy Framework and its UK Extension, together with the standard contractual clauses in Cloudflare's data-processing terms, so the technical signals Turnstile processes remain protected to UK GDPR standards.

Stripe (payments) and Anthropic (AI processing) both operate from the United States. For those transfers we rely on each provider's certification under the EU–US Data Privacy Framework and its UK Extension, together with the standard contractual clauses in their data-processing terms, so your data remains protected to UK GDPR standards. You can request a copy of the safeguards by emailing admin@fons.vc.

6. How long we keep it

7. How we protect it

No system is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will report it to the UK Information Commissioner's Office without undue delay — and within 72 hours of becoming aware of it — and, where the risk to you is high, we will tell you directly.

8. Your rights

Under UK GDPR you have the right to:

To exercise any of these rights, email admin@fons.vc. We respond within one calendar month (and usually within a few days). There is no charge for a reasonable request.

9. Automated decisions and the decision engine

Fons includes a decision engine that produces a structured readiness signal from the information in a company or product profile. This is decision support: we do not make decisions that produce legal or similarly significant effects on you by solely automated means. A person is involved in any consequential decision, and the output is a signal for you to interpret, not an automated verdict. You can ask us about the logic involved, share your point of view, and contest a result by emailing admin@fons.vc.

10. Children

Fons.vc is a B2B service for founders, operators, and investors. It is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has registered, contact us and we will delete the record.

11. Changes to this policy

If we make material changes — new processors, new purposes, new categories of data — we will update the "Last updated" date at the top of this page and, where the change affects you, notify subscribers by email before it takes effect. Minor wording fixes won't trigger a notice.

12. Contact

Privacy questions, data-subject requests, or anything else covered by this notice:

Lewis Rogers, trading as Fons.vc
Email: admin@fons.vc