Legal
Privacy Policy
Last updated: February 24, 2026
Overview
This Privacy Policy describes how data is collected, used, disclosed, and handled when you use our Services, including our ComplyWithVCC FIPVCC compliance software report preparation workflows (the “Product”), which helps investment funds and venture capital companies collect their investment information to calculate and prepare filings to the California Department of Financial Protection and Innovation (DFPI) required under the California Fair Investment Practices by Venture Capital Companies Act (California Corporations Code § 27500) (the “FIPVCC”).
By using the Services, you consent to the practices described here. Capitalized terms not defined here have the meaning given in our General Terms.
1. Who This Policy Applies To
This policy applies to three categories of users:
Venture capital company account holders (“fund account holders”) — individuals at covered venture capital companies or investment funds, or individuals contractually engaged with such funds (such as law firms, fund administrators, or administrators), who use the Product to manage FIPVCC compliance by collecting information from their portfolio companies (also known as “investments”) for submission to the VCC Reporting portal in the California Department of Financial Protection and Innovation (“DFPI”). Fund account holders invite a designated point of contact at each portfolio company to coordinate the survey process.
Portfolio company points of contact (“portfolio contacts”) — individuals at a portfolio company designated by the fund account holder to coordinate the distribution of demographic surveys to eligible team members at their company. A portfolio contact may hold any role at the company (e.g., operations, HR, legal, or a founding team role). Portfolio contacts invite eligible survey recipients and may complete a survey themselves if they are eligible, but they cannot view individual survey responses.
Survey recipients (“survey recipients”) — individuals at a portfolio company, including current and former founding team members as well as current employees with the role CEO or President, who are invited by the portfolio contact to complete a demographic survey in connection with their company's receipt of a venture capital investment from a covered venture capital entity as defined by the FIPVCC regulations.
The Services are not intended for children below 16 and we do not knowingly collect or solicit personal information from anyone under the age of 16. If we become aware that we have collected personal information from a child under age 16, we will take steps to remove that information.
2. Information We Collect
2.1 Team Member (Founder, CEO, President) Survey Data
To enable compliance with FIPVCC's reporting requirements, the Product facilitates collection of the following demographic categories from survey recipients, including team members with the role of CEO or President and former as well as current founding team members. The information requested matches California's FIPVCC regulation requirements:
- Gender identity (including nonbinary and gender-fluid identities)
- Race
- Ethnicity
- Disability status
- LGBTQ+ identification
- Veteran or disabled veteran status
- California residency
- Whether the survey recipient declined to respond to any or all of the above
Per FIPVCC, participation is disclosed to be voluntary and survey recipients may decline any or all individual questions. Individual survey responses are not visible to portfolio contacts or fund account holders.
2.2 Portfolio Company Point of Contact Data
To facilitate the survey coordination workflow, we may collect the following from portfolio contacts:
- Name
- Email address
- Company name and role
2.3 Fund Account Holder Data
To operate the Product and prepare entity-level submissions required by the FIPVCC, we collect and store the following from fund account holders:
- Covered entity name
- Name, title, and email address of the covered entity's designated point of contact
- Covered entity's designated email address, telephone number, physical address, and website
Certain fund account holder information — specifically, the account holder's name, email address, and covered entity name — is visible to portfolio contacts and survey recipients via invitation links generated by the Product (see Section 5).
Depending on how you use the Service, you may also provide:
- Financial: credit card payment information
- Transaction: payment history, subscription history
- Communications: email newsletter preferences and correspondence with us
2.4 Usage and Technical Data
We collect behavioral usage and technical data (e.g., log data, device information, session metadata, IP address, approximate location, browser metadata, device and operating system information). For logged-in users, usage data may be associated with your account to help us understand how the Service is used and to improve its functionality. We may also rely on third-party analytics providers to inform our continued research and development into improving our Services, which may rely on clear pixels or web beacons.
We may derive Aggregated Data from your information. Once aggregated so that it no longer identifies you, it is not Personal Data and we may use it for any purpose. If we re-combine it with Personal Data, we treat it as Personal Data.
Managing Cookies: You can configure your browser to refuse or delete cookies. Disabling cookies may affect functionality. We do not currently respond to “Do Not Track” browser signals. More information: www.allaboutcookies.org and www.youronlinechoices.com.
3. How We Use Information
3.1 Founder Survey Data
Founder survey responses are used solely to:
- Generate aggregated, de-identified demographic reports as required by the FIPVCC for submission to the DFPI.
- Populate the specific reporting fields mandated by California Corp. Code § 27500, including aggregate demographic breakdowns, percentages of investments in businesses primarily founded by diverse founding team members, and related investment totals.
We do not use founder survey responses for marketing, profiling, product analytics, or any purpose unrelated to FIPVCC compliance reporting.
3.2 Portfolio Contact Data
Portfolio contact data is used solely to facilitate survey coordination between fund account holders and survey recipients.
3.3 Fund Account Holder Data
Fund account holder data is used to operate the Product, manage filing workflows, communicate with fund account holders about their compliance obligations, and fulfill our obligations under applicable service agreements.
4. Data Minimization and De-Identification
The Product is designed with the following privacy-protective principles:
Aggregation by design. Reports generated by the Product present demographic data only at the aggregate level required by the FIPVCC.
Technical controls to reduce re-identification risk. While we have implemented workflow designs intended to limit de-aggregation risks, we cannot warrant that such risks are fully eliminated, for example when a covered entity (e.g., a fund) has made only one investment in a given reporting period and the invested company has only one founder who replies to a demographic survey.
5. How We Share Information
We may share information in the following circumstances:
With the DFPI. Aggregated reports generated through the Product are intended for submission by the covered entity to the DFPI, which may make such reports publicly available as required by the FIPVCC.
With the account holders (of covered entities). Aggregated survey results are made available to the fund account holder's authorized users for review, recordkeeping, and filing. Individual survey responses are not disclosed to fund account holders or portfolio contacts.
Service providers. We engage third-party service providers (“subprocessors”) to support the Product's technical infrastructure and operations, subject to appropriate confidentiality and security obligations. See Section 5.1 below for details.
Via invitation links. The Product generates unique invitation links that portfolio contacts use to invite survey recipients. These links provide access to the email addresses of invited survey recipients and display the fund account holder's name, email address, and covered entity name. Individual survey responses are never accessible via these links. However, if an invitation link is shared beyond its intended recipient, any person with the link may view this information. It is the responsibility of the fund account holder and the portfolio contact to ensure that invitation links are disseminated through private channels and are not shared publicly.
Legal requirements. We may disclose information as required by applicable law, regulation, or legal process.
We do not sell demographic survey data or share it with third parties for advertising or marketing purposes.
5.1 Subprocessors
We use the following categories of third-party service providers to operate the Service. Each subprocessor is bound by contractual obligations to process data only as necessary to provide their respective services and to maintain appropriate security measures.
| Provider | Purpose | Data Processed |
|---|---|---|
| Vercel | Web hosting and content delivery | Technical and usage data |
| Supabase | Database infrastructure (SOC 2 Type II compliant; AES-256 encryption at rest, TLS in transit) | All Service data |
| Resend | Transactional email delivery (SOC 2 Type II compliant; encryption at rest with row-level encryption for sensitive data, TLS 1.3+ in transit) | Email addresses, message content |
| Polar (via Stripe) | Payment processing | Payment and transaction data |
| PostHog | Product analytics and service improvement | Usage and technical data |
| EmailOctopus | Mailing list and product communications | Email addresses, communication preferences |
| Google Workspace | Customer support correspondence | Support email content |
Founder demographic survey source records are stored with our database infrastructure provider, which is SOC 2 Type II compliant and uses AES-256 encryption at rest and TLS in transit.
We may update our subprocessors from time to time. Material changes to the subprocessors that handle personal data will be reflected in updates to this policy.
6. Data Retention
Demographic survey data is retained as necessary for FIPVCC compliance to generate the required aggregated reports. Because covered entities must preserve records related to their FIPVCC obligations for at least five years after delivery of each report, such data and related compliance records may be retained for this statutory period.
Account holder data is retained for the duration of the account and for a reasonable period thereafter to fulfill legal and operational obligations.
Fund account holders are responsible for maintaining their own records as required by the FIPVCC, including secure storage and any applicable retention disclosures in their own privacy policies.
The Services are maintained in the United States of America. Personal Data that you provide us may be stored, processed and accessed by us, our staff, sub-contractors and third parties with whom we share Personal Data in the United States of America for the purposes described in this policy. We may also store Personal Data in locations outside our direct control (for instance, on servers or databases co-located with hosting providers). Although we welcome users from all over the world, by accessing the Services and providing us with your Personal Data, you consent to and authorize the export of Personal Data to the United States and its storage and use as specified in this Policy. Note that the laws of the United States might not be as comprehensive or protective as laws in the country where you live.
7. Security
We use industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of your information, including two-factor authentication and role-based access controls that limit infrastructure access to authorized personnel. We limit access to your Personal Data to those employees and other staff who have a business need to have such access.
Given the sensitivity of surveyed demographic information, the Product incorporates additional measures including database encryption appropriate to the nature of the data processed.
We periodically review our policies and procedures to evaluate their effectiveness and ensure that they remain up to date. We cannot, however, ensure or warrant the security of any information you transmit to us or guarantee that your information on the Services may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, managerial, or technical safeguards.
We have put in place procedures to respond to any actual or suspected Personal Data breach. In the event that personal information is compromised as a result of such a breach of security, we may promptly notify those persons whose personal information has been compromised by posting a notice on the Site, via the functionality of the Services, or by sending an email to you. You may have a legal right to receive this notice in writing.
We cannot ensure that your Personal Data will be protected, controlled or otherwise managed pursuant to this Policy if you share your login and password information with any third party, including any third party operating a website or providing other services. Similarly, invitation links generated by the Product should be treated as confidential; the Company is not responsible for unauthorized access resulting from links shared beyond their intended recipients.
8. Changes to This Policy
We reserve the right to update this product-specific policy from time to time.
Material product updates will be communicated through the Product or email to account holders.
Continued use of the Product following notice of changes constitutes acceptance of the updated policy.
9. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, or restrict processing of your information. California residents may have additional rights under the CCPA. To exercise any data rights under applicable privacy laws, please contact support@complywithvcc.com. We will respond to verified requests within the timeframes required by applicable law.
Please note that we may be unable to delete survey data that has already been used to calculate aggregated, anonymized DFPI reports, as such reports may have already been exported by the fund account holder and submitted to the DFPI. In these cases, the underlying data may need to be retained to support the accuracy and auditability of filed reports and to satisfy the FIPVCC's five-year record retention requirement.
10. Contact
For questions about this policy or the Product's data practices, please contact support@complywithvcc.com