Privacy Policy

Part I: For Site Visitors and Customers

1. Data we collect

When you register, sign in via Google or GitHub, or buy access to the database, we collect:

• Email address (provided during registration or by your OAuth provider)
• Name and avatar (when supplied by Google/GitHub during OAuth)
• Billing identifiers and payment status (processed by Stripe — we never see your full card number)
• Account preferences and the products you have purchased
• Usage analytics — pages viewed, referrers, device class — collected through PostHog in cookieless mode
• Request metadata (IP address, user agent) needed for security, rate limiting, and abuse prevention

2. How we use your information

• Provide and maintain the Site and deliver the directory you purchased
• Process transactions and send receipts and security notifications
• Respond to support requests and removal requests
• Detect abuse, fraud, and violations of our Terms of Service
• Analyse aggregate usage to prioritise improvements

3. Sharing with third parties

We do not sell information about Site visitors or customers. We share the minimum data required with the following processors:

• Google and GitHub — OAuth identity providers, only if you sign in with them
• Stripe — payment processing and fraud screening
• PostHog — product analytics (cookieless, EU-hosted)
• OpenAI — used by upcoming AI features (investor matcher); only the inputs you submit to those features are sent, no account data
• Law enforcement and regulators when legally required
• An acquirer or successor in the event of a merger, acquisition, or financing event

Part II: For investors listed in the directory

4. What we hold about you

We compile professional information about venture capital firms and angel investors from publicly available sources: firm websites, press releases, regulatory filings, conference rosters, and professional networking platforms.

• Name and professional title
• Business email address and, where public, business phone
• Links to professional profiles (LinkedIn, X/Twitter, Crunchbase)
• Firm affiliation, investment stages, sectors, and portfolio history

5. Legal basis for processing

For business contacts at venture capital firms we rely on legitimate interests (Article 6(1)(f) GDPR) — the operational reality that founders need to reach investors, and that fund partners hold public business roles. For angel investors we likewise rely on legitimate interests, balanced against your right to object and have your data removed, which we honour on request as described below.

Where applicable U.S. state laws (California, Vermont, Texas, Oregon, and others) classify Stakyo, LLC as a "Data Broker," we comply with the disclosure and opt-out requirements of those laws.

6. Your rights under GDPR and similar laws

• Access — request a copy of the data we hold about you
• Rectification — ask us to correct inaccurate fields
• Erasure — have your profile removed from the public directory and from customer exports
• Restriction or objection — limit or object to specific uses
• Portability — receive your data in a machine-readable format
• Complaint — lodge a complaint with your local data protection authority

7. How to request removal

The fastest route is the dedicated form at vcdir.com/contact-removal. You can also email hello@vcdir.com with the subject line "Data Removal Request" from the email address listed on your profile. We acknowledge requests promptly and complete removal within 30 days. Once processed, your profile is hidden from the public directory, search results, and customer CSV exports.

Part III: General provisions

8. Data retention

Account and billing data is retained while your account is active and for the period required by tax and accounting law (typically seven years for invoices). Directory entries are retained until you request removal. Analytics events expire automatically after 12 months.

9. Data security

We use commercially reasonable technical and organisational safeguards — encryption in transit, role-based access controls, and least-privilege backend access. No method of transmission or storage is perfectly secure.

10. International data transfers

Our infrastructure is based in the United States. For EEA and UK data subjects, we rely on appropriate safeguards including Standard Contractual Clauses.

11. Children's privacy

The Site and directory are intended for business professionals and are not directed to anyone under 18. We do not knowingly collect data from minors.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on the Site, and the "Last updated" date at the top of this page will be revised.

13. Contact