Privacy Policy
Version 2026-06-17 (v1). This policy explains what personal data Floancer collects, why, on what legal basis, who we share it with, how long we keep it, and the rights you have over it.
Plain-language summary (not part of the policy): We collect what we need to run an introductions service — your account and profile, who you message, your subscription status, and a sanctions screen we are legally required to run. We never sell your data. Your profile is only ever shown to eligible counterparties inside the platform, never on the open web. You can export or delete your data.
1. Who we are (controller)
Floancer is the controller of the personal data described here. [OPEN — legal entity name, registered address, and (if applicable) Data Protection Officer / EU representative contact.]
Contact for privacy requests: [OPEN — privacy contact email.]
2. What we collect
| Category | Examples | Where it comes from |
|---|---|---|
| Account | email, display name, role (startup/investor), authentication identifiers | you, at sign-up (email/password or Google sign-in) |
| Verification | email domain, whether it is a free/disposable domain, domain-match result, verification path | derived from your email and your entity's website |
| Access-request data (no-domain users, mainly angels) | LinkedIn URL, angel-investment-operations details (investments and capital deployed in the last 12 months, typical cheque size), optional bio | you, in the Request Access form |
| Profile content | startup or investor profile fields, focus, categories, logo/deck/materials, and information you provide about your founders/team | you (optionally AI-drafted from your own website for you to confirm) |
| Messaging | the messages you send and receive in conversations an investor opened | you and your counterparties |
| Signals & activity | triage actions, demand statistics, last-active time, telemetry tied to identifiers (no message content) | generated as you use the service |
| Billing | subscription tier and status, payment-processor customer/subscription references | our payment processor (Stripe); we never receive your card number |
| Compliance | sanctions/PEP screening result and minimal evidence reference; eligibility status and declared jurisdiction | our screening provider, run on the details you provide |
| Settings | notification and email preferences | you |
We do not put personal data in our application logs or analytics events — those carry identifiers and coarse attributes only.
3. Why we use it, and our legal basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create and operate your account; provide discovery, messaging, and introductions | Performance of a contract with you |
| Show your published profile to eligible, paying counterparties | Performance of a contract and, for personal data about your founders/team that you publish, your act of publishing it / legitimate interests in operating the marketplace |
| Verify your email and domain; prevent impersonation and abuse; rate-limit and secure the service | Legitimate interests in trust, safety, and security |
| Run the sanctions/PEP screen | Legal obligation (sanctions law) and legitimate interests in lawful operation |
| Take subscription payments | Performance of a contract |
| Funding-outcome reporting you provide, and aggregate analytics | Consent / legitimate interests; you agree to the data-use term when you accept the Terms of Use |
| Send service and notification emails (with one-click unsubscribe for non-essential mail) | Legitimate interests / consent where required |
| Keep audit, abuse, and compliance records | Legal obligation and legitimate interests |
Where we rely on legitimate interests, we have weighed them against your rights; you may object (see §7).
4. Sanctions / PEP screening
At sign-up we screen your name (and optionally country) against sanctions and politically-exposed-person lists. This is a name screen only — no document upload is required — and is invisible to legitimate users. A clear result lets you proceed; a possible match is held for a quick human check; a confirmed match blocks the account. We are legally required to do this before providing the service.
5. Who we share it with (sub-processors)
We use trusted service providers to run Floancer. They process your data on our instructions:
| Provider | Purpose | Data involved |
|---|---|---|
| Google Firebase / Google Cloud | hosting, authentication, database, storage, file storage | most categories above |
| Stripe | subscription billing | billing identifiers and status (no card data reaches us) |
| Cloudflare | edge security, WAF, bot/abuse protection (Turnstile) | network/request metadata |
| Sanctions/PEP screening provider | compliance screening | name, optional country |
| Search-index provider | powering discovery search | discovery-safe profile fields |
| Email provider | transactional and notification email | email address, message metadata |
We share data with these providers only as needed to operate the service, and we do not sell your personal data or share it for third-party advertising. We may disclose data where required by law or to protect users and the platform. The current sub-processor list is maintained in our specifications register.
6. International transfers and where data is stored
The application backend currently runs in the EU (europe-west1). Some sub-processors may process data outside your country; where required we rely on appropriate safeguards (such as the EU Standard Contractual Clauses). [OPEN — final data-residency stance for global users, including where discovery projections and compliance evidence may legally live.]
7. Your rights
Subject to applicable law (including the GDPR), you have the right to: access a copy of your data; rectify inaccurate data; erase your data; restrict or object to certain processing; data portability; and to withdraw consent where processing is based on it. You also have the right to lodge a complaint with your data-protection supervisory authority.
We provide two self-service flows:
- Export (
requestDataExport) — assembles a copy of your own data (your account, your entity, signals you authored, your messages within conversations you took part in, notifications, settings, plan status, and eligibility status). It never includes another user's personal data or our internal compliance evidence. - Deletion (
requestAccountDeletion) — soft-deletes immediately and schedules a hard purge after a grace and legal-retention window. It is reversible until the purge date (cancelAccountDeletion).
8. Retention and what happens on deletion
We keep personal data for as long as your account is active and as needed to provide the service, then delete or anonymise it on the schedule below. Some records are retained by law or for safety/audit, and we tell you when that is the case rather than silently keeping them.
| Data | On account deletion (hard purge) |
|---|---|
Account (users) | deleted (a minimal tombstone only where abuse history requires); participation revoked at request time |
| Startup / investor entity, discovery projection, search-index entry | deleted |
| Your triage signals; signals about your startup | deleted |
| Conversations | your messages redacted/anonymised; the other party's messages are kept (their data); a thread is deleted only when both parties have erased |
| Notifications and settings | deleted |
| Uploaded files (deck/logo/documents) | deleted |
| Access-request data (LinkedIn + ops details) | deleted / anonymised |
| Compliance evidence | deleted, except a minimal proof-of-screening reference retained where sanctions/AML law requires (legal hold) |
| Abuse reports you filed | retained, with you anonymised (abuse/audit exception) |
| Abuse reports about you | retained (trust & safety exception) |
| Audit logs | retained (immutable, identifier-based, no profile content) (legal/audit exception) |
| Billing | payment-processor customer record deleted/anonymised; invoices retained as tax law requires |
[OPEN — exact grace-period length and per-jurisdiction retention windows.]
9. Cookies and analytics
We use cookies and similar technologies that are necessary to run the service (authentication, security) and analytics to understand product usage. Analytics events carry identifiers and coarse attributes only — not your messages or other sensitive content. [OPEN — cookie banner / consent management where required by your jurisdiction.]
10. Security
We protect your data with default-deny access rules, server-side enforcement of who can see what, encryption in transit, edge protection (WAF, bot management), and audit logging of sensitive actions. We store no card data. No system is perfectly secure, but we work to a recognised security baseline appropriate for an investment-adjacent product holding personal data.
11. Children
Floancer is not directed to anyone under 18 and we do not knowingly collect their data.
12. Changes to this policy
We may update this policy. For material changes we will give reasonable notice. The current version and date appear at the top.
See also the Terms of Use.