v0.1 — Draft (pre-counsel)
Privacy Policy
Effective April 30, 2026
1. Who we are
VentraMatch (“we”, “us”) operates a software platform that helps founders and investors discover one another. For purposes of EU/UK GDPR, we are the data controller for the information you provide to us.
2. What information we collect
Information you give us
- Account: name, email, password (hashed), role (founder or investor).
- Profile: company or firm name, description, industry, stage, check size, geography, traction metrics, deck files, photos, social links.
- Verification: LinkedIn profile, GitHub profile, domain ownership proofs, payment processor data (Stripe), portfolio links.
- Communication: in-app messages and notes you write about other users.
- Consents: timestamped record of your acceptance of our Terms and this Privacy Policy, and your marketing-email preference.
Information collected automatically
- Device and browser information (user agent, IP address, locale).
- Usage events (pages visited, features used, click patterns).
- Cookies and similar technologies — see “Cookies” below.
Information from third parties
- OAuth providers (Google, LinkedIn, Microsoft Entra ID, GitHub) — basic profile information when you sign in or connect an account.
- Email delivery providers (Resend) — delivery and bounce events.
3. How we use your information
- To operate the platform and match founders and investors based on stated fit.
- To verify identity, employment, domain ownership, and other claims.
- To detect and prevent fraud, spam, and abuse.
- To send transactional email (verification links, security alerts, mutual-match notifications).
- To send marketing email — only if you opted in.
- To comply with legal obligations and respond to lawful requests.
For users in the EEA / UK, our lawful bases under GDPR / UK GDPR are: (a) performance of a contract (operating your account), (b) legitimate interests (security, fraud prevention, product improvement), (c) consent (marketing emails, optional cookies), and (d) legal obligation (responding to lawful requests).
4. Who we share information with
- Other users on the platform. Profile information you mark as visible is shown to matched counterparties.
- Service providers. Hosting (Railway), email (Resend), payments (Stripe), analytics (post-consent only). Each is bound by a data processing agreement.
- Optional AI text-parsing assistant. If you choose to use our optional “Parse from pitch” feature on the profile builder, the pitch text you paste is sent to OpenAI’s API to extract structured fields (sector, stage, customer type, etc.). The text is only sent when you click the button — never automatically. OpenAI does not train its models on data submitted through its API. Pitch text is not retained by us or by OpenAI beyond what is needed to generate the response. You can use the entire platform without ever invoking this feature.
- Automated profile review. When you submit your profile for review, a compact snapshot of the information you provided (company or firm name, one-line description or thesis, sector, stage, website URL, deck link, check-size range, and any verification claims you added) is sent to OpenAI’s API for an advisory review pass alongside our deterministic rule checks. We never send your password, email address, private messages, session tokens, or the raw contents of your deck file. The review output is advisory only: it surfaces possible quality issues to our human reviewers. It does not admit or reject your profile on its own — every acceptance, rejection, and ban is made by a human on our team. OpenAI does not train its models on data submitted through its API.
- Verification sources. When you connect LinkedIn, GitHub, Stripe, or similar, we exchange the minimum information needed to verify the claim.
- Legal requests. When required by law, court order, or legitimate legal process. We will notify you unless prohibited from doing so.
We do not sell your personal information. We do not share your information with third-party advertisers.
4a. Algorithmic decisions and AI
Our matching algorithm is deterministic and rule-based. We use a calibrated statistical model (logistic regression) over structured profile fields — sector, stage, check size, geography, and similar dimensions — to compute a profile-fit score between two users. The ranking model and the eligibility filter that govern who appears in your feed run entirely on our own infrastructure.
We do not use large language models (LLMs) such as GPT or Claude to make matching decisions, to rank your feed, or to admit or reject profiles. The only places an LLM is invoked at all are: (a) the optional “Parse from pitch” feature described in section 4 above, which runs only when you click the button; (b) an advisory review pass at profile submission time that surfaces possible quality issues to our human reviewers; and (c) the match-card enrichment pass described in section 4c below, which produces descriptive keyword chips and (where you mention them in your own pitch) local-asset company logos. The review-time LLM call operates on the profile snapshot you submitted alongside our deterministic rule checks, and its output is stored as advisory notes on your application. It cannot accept, reject, or ban an account on its own — every final decision is made by a human reviewer on our team.
Match scores and any AI-generated text are informational only. They do not constitute investment advice, predict startup success, or make any forward-looking statement about any company’s funding potential. The “verified” badge means a profile passed our review checks; it does not independently guarantee every claim.
4b. Off-platform handoffs (connection-routing layer)
VentraMatch is a connection-routing layer, not a communication tool. When two parties match, we make it easy to take the conversation to your own email, calendar, LinkedIn, or CRM. We do not host the conversation. The handoff features and what they include:
- “Open email” (`mailto:`). Generates a pre-filled email draft in your default mail client. The subject and body include both parties’ names, your role, and (when present) your one-line pitch from your contact card. The template is deterministic — no AI is invoked. We never see whether you actually send the email or what you change. We log the click event so the connection record can show “you opened email handoff at 3:14pm.”
- vCard download (`.vcf`). Lets you save a matched user’s contact details to your address book. The vCard contains only the fields the other user explicitly opted to share (name, organization, email, phone, LinkedIn, booking URL, personal site, public-blurb note). Phone is included only if the user enabled the “share my phone” toggle.
- “Add to calendar” deep links. Generates pre-filled calendar URLs for Google Calendar, Outlook, Office 365, and Yahoo Calendar. The link includes the event title (“VentraMatch: A ↔ B”), the description (the same intro template), and the time you pick. We never call the calendar provider — the URL opens the provider in your browser, where you confirm the event yourself. No data is transmitted to the calendar provider by us.
- Booking-link passthrough. If a matched user has set a Cal.com / Calendly / SavvyCal URL on their contact card, we render a button that opens that URL in a new tab. We log only that you clicked it.
- Optional Google Calendar OAuth (off by default). If both parties explicitly opt in via “Settings → Connections,” VentraMatch will create a calendar event on each party’s primary calendar when an intro request is accepted. Google sends an invite to the other party. To use this you must connect your Google Calendar via OAuth in “Settings → Integrations.”
For each handoff click we record a small audit row in `connection_events` with the kind of action, the timestamp, and your user id — never the contents of any message. This audit drives the timeline you see on each connection record.
4c. Match-card profile enrichment (LLM)
To make match cards more readable, we run an optional enrichment pass over the short profile text you have already published on your own profile (your one-line pitch or thesis, the sectors you tagged, and your industry slug). The pass produces two purely descriptive outputs that are shown alongside your profile on other users’ match cards:
- 3–5 keyword chips summarizing the space you operate in (e.g. “Developer Tools”, “Climate Tech”).
- Logo tiles for well-known companies you mention by name in your own pitch text. Logos are first looked up in our local asset set; if the company isn’t there, we render a logo from logo.dev (a public logo CDN) using a domain hint the LLM extracted from your pitch. Logo.dev does not receive any of your profile text — only the public domain string (e.g. stripe.com). The LLM never generates an image. Companies you do not mention are not included.
What we send: only the four fields above, plus your role (founder / investor) and your name as it appears on your profile. We never send your email address, password, private messages, contact card, deck file, or any field you have marked private. The result is cached per-user and only recomputed when your source pitch text changes. Each call is rate-limited per user and audit-logged in the same `llm_calls` table used for all other LLM uses on the platform.
The output is descriptive metadata only. We never label a company as “Previously at” or otherwise imply employment, endorsement, investment, or any other relationship unless you yourself wrote that on your profile. OpenAI does not train its models on data submitted through its API.
5. International data transfers
Our infrastructure is hosted in the United States. If you access the platform from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. Where required, we rely on Standard Contractual Clauses (EEA/UK) or comparable safeguards.
6. Data retention
We keep your personal information for as long as your account is active and for a limited period afterwards as required for legal, tax, accounting, fraud-prevention, or dispute-resolution purposes. You can delete your account at any time, after which we will delete or de-identify your personal information except where retention is required by law.
7. Your rights
Depending on where you live, you may have the right to: access, correct, delete, or port your personal information; object to or restrict certain processing; withdraw consent; and lodge a complaint with a supervisory authority.
You can exercise these rights from your account settings or by emailing privacy@ventramatch.com. We respond within the timeframes required by your local law (typically 30–45 days).
Specific framework rights:
- California (CCPA / CPRA): right to know, right to delete, right to correct, right to opt out of “sale” / “sharing” (we do not sell or share for cross-context behavioral advertising), right to limit use of sensitive information, right to non-discrimination.
- EEA / UK (GDPR / UK GDPR): rights of access, rectification, erasure, restriction, portability, and objection. Right to lodge a complaint with your local data-protection authority.
- Canada (PIPEDA): right to access and correct your personal information, and to challenge accuracy.
- Brazil (LGPD): right to confirmation of processing, access, correction, anonymization, deletion, portability, and information about sharing.
- India (DPDP): right to access, correction, completion, updating, erasure, and grievance redressal.
- Singapore (PDPA): right to access and correct your personal data.
- Australia (Privacy Act): rights under the Australian Privacy Principles, including access and correction.
8. Cookies and similar technologies
We use cookies and similar technologies for: (a) essential functions (authentication, security, load balancing) which do not require consent, (b) preferences (theme, language) which do not require consent, and (c) analytics, which we only enable after you accept via the cookie banner. You can change your cookie preferences at any time from the cookie banner control.
9. Children
The platform is not directed to children under 18 (under 16 in the EEA, where applicable). We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete the data.
10. Security
We use reasonable technical and organizational measures to protect your information, including encryption in transit (TLS), encryption at rest, role-based access controls, and audit logs. No system is fully secure; we cannot guarantee absolute security.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app and by email. The version and effective date at the top of this page reflect the current version.
12. Contact
Questions or to exercise your rights: privacy@ventramatch.com.