Privacy Policy

Version 2026-06-17 (v1). This policy explains what personal data Floancer collects, why, on what legal basis, who we share it with, how long we keep it, and the rights you have over it.

Plain-language summary (not part of the policy): We collect what we need to run an introductions service — your account and profile, who you message, your subscription status, and a sanctions screen we are legally required to run. We never sell your data. Your profile is only ever shown to eligible counterparties inside the platform, never on the open web. You can export or delete your data.

1. Who we are (controller)

Floancer is the controller of the personal data described here. [OPEN — legal entity name, registered address, and (if applicable) Data Protection Officer / EU representative contact.]

Contact for privacy requests: [OPEN — privacy contact email.]

2. What we collect

CategoryExamplesWhere it comes from
Accountemail, display name, role (startup/investor), authentication identifiersyou, at sign-up (email/password or Google sign-in)
Verificationemail domain, whether it is a free/disposable domain, domain-match result, verification pathderived from your email and your entity's website
Access-request data (no-domain users, mainly angels)LinkedIn URL, angel-investment-operations details (investments and capital deployed in the last 12 months, typical cheque size), optional bioyou, in the Request Access form
Profile contentstartup or investor profile fields, focus, categories, logo/deck/materials, and information you provide about your founders/teamyou (optionally AI-drafted from your own website for you to confirm)
Messagingthe messages you send and receive in conversations an investor openedyou and your counterparties
Signals & activitytriage actions, demand statistics, last-active time, telemetry tied to identifiers (no message content)generated as you use the service
Billingsubscription tier and status, payment-processor customer/subscription referencesour payment processor (Stripe); we never receive your card number
Compliancesanctions/PEP screening result and minimal evidence reference; eligibility status and declared jurisdictionour screening provider, run on the details you provide
Settingsnotification and email preferencesyou

We do not put personal data in our application logs or analytics events — those carry identifiers and coarse attributes only.

3. Why we use it, and our legal basis (GDPR Art. 6)

PurposeLegal basis
Create and operate your account; provide discovery, messaging, and introductionsPerformance of a contract with you
Show your published profile to eligible, paying counterpartiesPerformance of a contract and, for personal data about your founders/team that you publish, your act of publishing it / legitimate interests in operating the marketplace
Verify your email and domain; prevent impersonation and abuse; rate-limit and secure the serviceLegitimate interests in trust, safety, and security
Run the sanctions/PEP screenLegal obligation (sanctions law) and legitimate interests in lawful operation
Take subscription paymentsPerformance of a contract
Funding-outcome reporting you provide, and aggregate analyticsConsent / legitimate interests; you agree to the data-use term when you accept the Terms of Use
Send service and notification emails (with one-click unsubscribe for non-essential mail)Legitimate interests / consent where required
Keep audit, abuse, and compliance recordsLegal obligation and legitimate interests

Where we rely on legitimate interests, we have weighed them against your rights; you may object (see §7).

4. Sanctions / PEP screening

At sign-up we screen your name (and optionally country) against sanctions and politically-exposed-person lists. This is a name screen only — no document upload is required — and is invisible to legitimate users. A clear result lets you proceed; a possible match is held for a quick human check; a confirmed match blocks the account. We are legally required to do this before providing the service.

5. Who we share it with (sub-processors)

We use trusted service providers to run Floancer. They process your data on our instructions:

ProviderPurposeData involved
Google Firebase / Google Cloudhosting, authentication, database, storage, file storagemost categories above
Stripesubscription billingbilling identifiers and status (no card data reaches us)
Cloudflareedge security, WAF, bot/abuse protection (Turnstile)network/request metadata
Sanctions/PEP screening providercompliance screeningname, optional country
Search-index providerpowering discovery searchdiscovery-safe profile fields
Email providertransactional and notification emailemail address, message metadata

We share data with these providers only as needed to operate the service, and we do not sell your personal data or share it for third-party advertising. We may disclose data where required by law or to protect users and the platform. The current sub-processor list is maintained in our specifications register.

6. International transfers and where data is stored

The application backend currently runs in the EU (europe-west1). Some sub-processors may process data outside your country; where required we rely on appropriate safeguards (such as the EU Standard Contractual Clauses). [OPEN — final data-residency stance for global users, including where discovery projections and compliance evidence may legally live.]

7. Your rights

Subject to applicable law (including the GDPR), you have the right to: access a copy of your data; rectify inaccurate data; erase your data; restrict or object to certain processing; data portability; and to withdraw consent where processing is based on it. You also have the right to lodge a complaint with your data-protection supervisory authority.

We provide two self-service flows:

8. Retention and what happens on deletion

We keep personal data for as long as your account is active and as needed to provide the service, then delete or anonymise it on the schedule below. Some records are retained by law or for safety/audit, and we tell you when that is the case rather than silently keeping them.

DataOn account deletion (hard purge)
Account (users)deleted (a minimal tombstone only where abuse history requires); participation revoked at request time
Startup / investor entity, discovery projection, search-index entrydeleted
Your triage signals; signals about your startupdeleted
Conversationsyour messages redacted/anonymised; the other party's messages are kept (their data); a thread is deleted only when both parties have erased
Notifications and settingsdeleted
Uploaded files (deck/logo/documents)deleted
Access-request data (LinkedIn + ops details)deleted / anonymised
Compliance evidencedeleted, except a minimal proof-of-screening reference retained where sanctions/AML law requires (legal hold)
Abuse reports you filedretained, with you anonymised (abuse/audit exception)
Abuse reports about youretained (trust & safety exception)
Audit logsretained (immutable, identifier-based, no profile content) (legal/audit exception)
Billingpayment-processor customer record deleted/anonymised; invoices retained as tax law requires

[OPEN — exact grace-period length and per-jurisdiction retention windows.]

9. Cookies and analytics

We use cookies and similar technologies that are necessary to run the service (authentication, security) and analytics to understand product usage. Analytics events carry identifiers and coarse attributes only — not your messages or other sensitive content. [OPEN — cookie banner / consent management where required by your jurisdiction.]

10. Security

We protect your data with default-deny access rules, server-side enforcement of who can see what, encryption in transit, edge protection (WAF, bot management), and audit logging of sensitive actions. We store no card data. No system is perfectly secure, but we work to a recognised security baseline appropriate for an investment-adjacent product holding personal data.

11. Children

Floancer is not directed to anyone under 18 and we do not knowingly collect their data.

12. Changes to this policy

We may update this policy. For material changes we will give reasonable notice. The current version and date appear at the top.

See also the Terms of Use.