
Privacy Policy

Last updated: 16 June 2026

VC Field Assistant ("we", "us", "our") is operated by Scaleup Advisor ("Controller"), org. no. 740516-9033, Värnpliktsgatan 15, 97443 Luleå, Sweden.

This Privacy Policy explains how we collect, use, store, and share personal data when you use our websites (https://vcfieldassistant.com, https://app.vcfieldassistant.com), web application, API, and MCP integrations, and related support and billing services.

Contact: marcus@vcfieldassistant.com

1. Who this policy applies to

This policy applies to:

  • Investors and VC teams using workspaces to track portfolio companies, meetings, and analyses;
  • Founders invited to collaborate (notes, Q&A, corrections);
  • Waitlist and marketing contacts who submit their details before full sign-up;
  • Visitors to our marketing pages.

If you use VC Field Assistant on behalf of an organization, that organization may also be responsible for certain content you upload. We process data as described here regardless of role.

2. Data we collect

2.1 Account and identity

When you register or sign in (email/password or Google), we collect:

  • email address;
  • display name (if provided);
  • Firebase user ID;
  • email verification status;
  • authentication metadata (e.g. sign-in provider).

We use Firebase Authentication (Google) for identity services.

2.2 Workspace and profile data

  • workspace name, plan, billing metadata, member roles (founder / investor);
  • user preferences (e.g. default sharing settings, email discoverability);
  • invitations and contact records within a workspace.

2.3 Venture and business content (may include personal data)

Depending on how you use the service, we process:

  • company names, domains, websites, notes, and status;
  • meeting metadata (time, participants);
  • audio recordings, transcripts, and AI-generated summaries;
  • uploaded documents (PDF, DOCX, PPTX) and extracted text;
  • company analyses, KPI samples, investment notes;
  • investor–founder Q&A, voice notes, and collaboration messages;
  • visibility and sharing settings (org-wide, private, or restricted to named members).

You are responsible for ensuring you have a lawful basis to upload content about third parties (e.g. founders or employees mentioned in meetings).

2.4 Integrations

If you connect Google (Calendar/Drive) or authorize MCP/OAuth clients, we store OAuth tokens and process data according to the scopes you approve.

2.5 Billing

Paid plans are handled via Stripe. We receive customer IDs, subscription status, and transaction references. We do not store full payment card numbers.

2.6 Waitlist and marketing

If you join our waitlist, we collect email, optional name and firm/role, consent to marketing contact, and submission source. We use this only to contact you about launch and early access unless you withdraw consent.

2.7 Technical, usage, and analytics data

We collect limited technical data to operate and improve the service:

  • IP address, browser/device type, request timestamps;
  • API route, workspace ID, user ID, latency, and error codes in server logs;
  • Google Analytics 4 (GA4) on our marketing site and web application to understand how visitors find us, which pages they view, and how features are used. GA4 may set cookies or use similar technologies and receive pseudonymous identifiers, page URLs, referrer, and coarse device/location data. Where required by law, we ask for consent before loading non-essential analytics.

We do not intentionally log raw transcripts, full analyses, meeting audio, OAuth tokens, or complete prompt text in application logs.

2.8 Cookies and local storage

  • Signed-in web app: Firebase Auth session data in browser storage (essential for the service).
  • Analytics: GA4 cookies or storage as described above.
  • We do not use third-party advertising trackers.

You can limit analytics via your browser settings, installed browser extensions, or Google's opt-out add-on. Blocking essential cookies may prevent sign-in from working.

3. How we use your data

| Purpose | Legal basis (GDPR) |
| --- | --- |
| Provide the service (auth, workspaces, meetings, analyses) | Contract (Art. 6(1)(b)) |
| AI transcription, summarization, and analysis | Contract; legitimate interest in delivering core product features |
| Workspace collaboration and sharing you configure | Contract |
| Billing and account management | Contract; legal obligation for accounting records |
| Security, fraud prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Product analytics (GA4) | Consent where required; otherwise legitimate interest in understanding usage |
| Waitlist / launch communications (with consent) | Consent (Art. 6(1)(a)) |
| Support and reliability improvements | Legitimate interest |

We do not sell your personal data. We do not use your workspace content to train our own machine-learning models.

4. AI processing and third-party subprocessors

To deliver transcription and AI features, content you submit (e.g. audio, transcripts, document extracts, prompts) is sent to vetted subprocessors only to perform the service you request.

Third-party AI providers process content under their own terms and privacy policies. We select providers that offer API access intended for business use, but we cannot guarantee how each provider handles data internally. We do not authorize providers to use your content to train our models, and we do not train models on your workspace data ourselves.

| Subprocessor | Role | Typical data |
| --- | --- | --- |
| Google Cloud (Firebase, Firestore, Cloud Storage, Cloud Run) | Hosting, database, file storage, compute | All service data |
| OpenAI | Speech-to-text (Whisper) | Meeting audio |
| Google (Gemini), OpenAI, Anthropic | Summarization and analysis | Text extracts, transcripts, prompts |
| Tavily (if enabled) | News/search context | Company name, domain, query text |
| Resend | Transactional email | Recipient, email body |
| Google Identity | OAuth sign-in and integrations | Auth tokens, profile basics |
| Stripe | Payments | Billing identifiers, receipts |
| Google Analytics | Website and product analytics | Pseudonymous usage data, page views |

Subprocessors are bound by data processing terms where applicable. Where required, we use Standard Contractual Clauses or equivalent safeguards for transfers outside the EEA.

A current subprocessor list is available on request at marcus@vcfieldassistant.com.

5. Data location and retention

  • Primary storage is in the European Union (Google Cloud region europe-north1 by default).
  • Workspace content is retained until you or your workspace admin deletes it, or until your account/workspace is deleted.
  • Short-lived data (e.g. OAuth state, job previews, failed draft analyses) may expire automatically via TTL.
  • Billing and credit-ledger records may be retained longer where required by Swedish accounting law, pseudonymized where possible after account closure.
  • GA4 data is retained according to our GA4 property settings (typically up to 14 months).

6. Sharing within the product

Content visibility is controlled by you and your workspace:

  • Org-shared analyses and meetings are visible to workspace members with appropriate roles.
  • Private or restricted items are visible only to creators and explicitly shared members.
  • Founder sharing exposes selected content to invited founders/investors per your settings.

We do not publish your workspace content publicly unless you use an explicit sharing mechanism (e.g. share links where offered).

7. Data export

You can request a structured export of your workspace data, including transcripts, meetings, analyses, and related content we store on your behalf. Email marcus@vcfieldassistant.com from your registered account address with the workspace name. We will provide the export in a commonly used machine-readable format within 30 days, subject to verification of your identity and authority over the workspace.

Self-service export in the app may be added over time; this policy applies regardless of channel.

8. Your rights (GDPR)

If you are in the EEA/UK, you have the right to:

  • access your personal data;
  • rectify inaccurate data;
  • erase data ("right to be forgotten");
  • restrict or object to certain processing;
  • data portability (structured, machine-readable format where technically feasible);
  • withdraw consent at any time (e.g. marketing or analytics where consent applies);
  • lodge a complaint with Integritetsskyddsmyndigheten (IMY), Sweden.

To exercise rights, email marcus@vcfieldassistant.com. We respond within one month.

Account deletion: Contact us to request deletion of your account and associated workspace data, subject to legal retention requirements. Self-service deletion is planned.

9. Security

We apply technical and organizational measures including:

  • API-only writes (clients do not write directly to the database);
  • membership and role checks on every request;
  • signed URLs for file uploads;
  • encryption in transit (TLS) and at rest (cloud provider defaults);
  • minimal logging of sensitive content.

No system is 100% secure. Report concerns to marcus@vcfieldassistant.com.

10. Children

VC Field Assistant is a B2B professional tool. It is not directed at children under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes will be notified via the app or email where appropriate. The "Last updated" date will change accordingly.

12. Contact

Scaleup Advisor
Värnpliktsgatan 15
97443 Luleå, Sweden
Email: marcus@vcfieldassistant.com
Org. no.: 740516-9033

See also our Terms & Conditions.

© 2026 Scaleup Advisor