Privacy Policy
Last updated: May 28, 2026 · Version: v1.0-draft
Draft document for a pre-launch product. Must be reviewed by EU/PT counsel before public release.
1. Who we are
SpeedrunFounder is a professional platform for the startup ecosystem. The data controller is the entity operating the project, reachable at privacy@speedrunfounder.com.
2. Data we collect
- Identity & profile: name, photo, location (city/country), languages, roles (founder, BA, VC, mentor, incubator, service provider), free-text pitch/thesis/ICP, links to LinkedIn/X/GitHub/Crunchbase when connected.
- Matching signals: industries, stages, ticket range, sectors, geos, availability, and the halfvec embedding computed from your profile.
- Activity: intros sent/received, messages, RSVPs, applications, deck views directed to you.
- Technical data: IP address (hashed only), user-agent (hashed), session cookies.
3. Legal bases (GDPR Art. 6)
- Contract: account creation, matching, messaging, payments.
- Legitimate interest: platform security, abuse prevention, aggregate metrics.
- Consent: analytics (PostHog), marketing comms, Gmail contacts import.
- Legal obligation: retention of fiscal records (Stripe) and moderation logs (DSA).
4. Retention
- Active account: while account remains + 30 days after deletion request.
- Messages and intros: until account deletion (sender anonymized to preserve threads).
- Fiscal records: 10 years.
- Moderation records (DSA Art. 17): 6 months after decision for appeal window.
5. Your rights (GDPR Art. 15-22)
You have rights of access, rectification, erasure, restriction, portability and objection. We provide a self-serve center at /settings/data with:
- Export (Art. 20): ZIP package with all your data as JSON + files (decks, CVs).
- Delete (Art. 17): request with 30-day grace period to cancel. After grace, personal data is wiped; messages in shared conversations remain visible to other participants with "Deleted user" in place of your name.
- Rectify (Art. 16): direct edit on profile.
- Restrict (Art. 18): freeze profile without deletion.
For additional questions or complaints: dpo@speedrunfounder.com. You also have the right to lodge a complaint with the CNPD (cnpd.pt) or your local DPA.
6. Sub-processors
- Supabase (Frankfurt, EU) — database, auth, storage, realtime.
- Vercel (EU edge) — application hosting.
- Stripe (EU/US, SCCs + EU-US DPF) — payments.
- Resend + Loops — transactional and lifecycle email.
- AWS Bedrock (eu-central-1) — match explanation generation.
- Voyage AI — embedding generation.
- PostHog (EU Cloud) — product analytics (consent-gated).
- Sumsub (Frankfurt) — investor KYC.
DPAs signed with all sub-processors above. Transfers outside the EU are covered by SCCs or the EU-US Data Privacy Framework, with documented TIAs.
7. Security
- TLS-only connections.
- Passwords stored by Supabase Auth using Argon2.
- Row-Level Security on all tables with personal data.
- Audit log for sensitive actions.
- Scheduled deletion with cancellation token.
8. Minors
SpeedrunFounder is not intended for users under 18. We do not knowingly collect minors' data.
9. Changes
We notify by email + in-product banner on material changes. Version history at /legal/privacy/history.