Privacy Policy

ANGELS DEN PRIVACY POLICY

Version 5.0
Last updated: 29 March 2026 · Effective: 29 March 2026

1. Who We Are (Data Controller)

This Privacy Policy explains how ANGELS DEN FUNDING LIMITED, trading as Angels Den ("Angels Den", "we", "us", "our"), collects and uses personal data when you visit our website, use our investment platform, or submit information via our forms.

  • Data Controller: ANGELS DEN FUNDING LIMITED

  • Registered address: 17 Holywell Hill, Suite 33, St. Albans, England, AL1 1DT

  • Company number: 08384317

  • Privacy contact: info@angelsden.com

Regulatory status: Angels Den is authorised and regulated by the Financial Conduct Authority (FCA), firm reference number 604431. We operate as an introducer: we introduce certified investors to startups seeking investment. We do not provide investment advice or manage investments. Where regulated investment activity occurs (such as the execution of an investment transaction), it is conducted through our authorised partner, Vestd Ltd, which is separately authorised and regulated by the FCA.

If you have any questions about this Policy or wish to exercise your data rights, contact us using the details above.

2. What This Privacy Policy Covers

This Policy covers personal data we process when you:

  • Visit our marketing website (angelsden.com), hosted on Framer

  • Create an account on or use our investment platform (app.angelsden.com), hosted on Vercel

  • Submit an investor waitlist form, founder application form, or any other form on our website or platform

  • Complete investor self-certification through our platform

  • Browse or interact with deal listings on the platform

  • Purchase a due diligence report or other paid service through the platform

  • Subscribe to our newsletter

  • Communicate with us by email or other means

This Policy does not cover third-party websites or services that may be linked from our website or platform, including our authorised partner Vestd Ltd, which maintains its own privacy policy.

3. Personal Data We Collect

We collect personal data in the following ways:

A) Information you provide to us

Account registration and authentication:

  • Email address (used as your login identifier)

  • Password (stored as a cryptographic hash by our authentication provider; we cannot see your actual password)

  • Name and contact details provided during onboarding

Investor self-certification:

  • Your selected certification type (High Net Worth, Sophisticated Investor, or Restricted Investor)

  • A timestamped, versioned record of the full FCA-prescribed certification statement you confirmed

  • The date of certification and its expiry date (12 months from certification)

  • Your browser user-agent string at the time of certification

  • These certification records are immutable and append-only. We explain why under "Retention" (Section 9).

Investor profile and preferences:

  • Investment experience level and sector interests

  • Geographic and stage preferences

  • LinkedIn profile URL (if provided)

  • Profile photo (if uploaded)

  • Bio and location information (if provided)

Investor waitlist form:

  • Name, email address, phone number (if provided)

  • LinkedIn profile URL, location, investment experience and sector interests

  • Any information you include in free-text fields

  • The version of this privacy policy you consented to at the time of submission

Founder application form:

  • Name and contact details (including LinkedIn profile URL)

  • Company and startup information (company name, company number, sector, stage, traction, fundraising requirements, team size, founding team details)

  • Uploaded files (pitch decks, supporting documents, company logos)

  • Financial information (revenue, MRR, costs, forecasts, funding raised, funding sought, pre-money valuation, founder ownership percentage, EIS/SEIS eligibility) where provided

  • Any information you include in free-text fields

  • The version of this privacy policy you consented to at the time of submission

Success fee consent:

  • Acceptance of the Angels Den success fee terms, including signatory role, company details, IP address, user-agent string, and the consent version accepted

  • These records are immutable and append-only for contractual evidence purposes

Newsletter subscription:

  • Email address only

Direct communications:

  • Your contact details and the content of your messages

B) Information we collect automatically

Platform authentication and session data:

  • Session tokens and authentication state

  • Login timestamps and session duration

  • Browser user-agent string (recorded during authentication events and certification)

Platform activity data:

  • Deal listings you have viewed (recorded as an audit trail)

  • Expressions of interest, interest levels, and watchlist additions

  • Pledge amounts and pledge history

  • Introduction records (where we have introduced you to a founder or investor)

Financial transaction data:

  • If you purchase a due diligence report or other paid service, we record: the transaction reference (Stripe payment intent ID), the amount paid, and the investor and report identifiers

  • Payment card details are processed entirely by our payment provider, Stripe. Card data never reaches our servers.

CAPTCHA verification:

  • We use Cloudflare Turnstile to prevent automated abuse of our forms. Turnstile collects limited technical data (such as browser characteristics) to assess whether a visitor is human. It is designed to operate without tracking cookies or persistent identifiers.

Website and platform technical data:

  • IP address and approximate geographic location (derived from IP)

  • Device type, operating system, and browser information

  • Pages viewed, timestamps, and referring page or source

  • Security and performance logs

Product analytics:

  • Our platform uses PostHog (EU cloud) for product analytics, including page views, anonymised usage events, session recordings (with personal data fields masked), and funnel tracking (e.g., signup completion, certification completion, deal engagement). PostHog identifies users by an anonymous UUID only — we do not send your name or email address to PostHog. PostHog uses browser local storage (not cookies) to maintain this anonymous identifier. See Section 12 for more detail.

Error monitoring:

  • Our platform uses Sentry (EU region) to detect and diagnose technical errors. When an error occurs, Sentry receives the error details, browser metadata, and a session replay of the error context. Sentry identifies users by UUID and user type only — no name, email, or other personal identifiers are sent.

C) Information you provide about other people

If you submit information that includes personal data about other individuals (for example, co-founders, team members, or references), you confirm that you have the right to provide that information and to share it with us for the purposes described in this Policy.

D) Professional contact details from public sources

We may occasionally obtain business contact details (name, job title, company email) from publicly accessible professional networks to identify relevant investors or founders. This is limited, B2B-focused, and always includes an immediate opt-out option.

4. Special Category Data (Sensitive Information)

We do not intend to collect "special category" personal data (e.g., health information, ethnicity, religious beliefs, political opinions). We do not routinely collect criminal offence data, but in limited cases we may carry out proportionate verification checks where permitted by law and with appropriate safeguards.

Please do not include sensitive personal data in form free-text fields or uploaded documents unless it is strictly necessary. If you do provide sensitive information, we will handle it with care and only use it where necessary for the relevant purpose and lawful basis.

5. How We Use Your Personal Data

To provide and operate the platform:

  • Creating and managing your account

  • Processing investor self-certification and maintaining certification records

  • Displaying deal listings to certified investors

  • Managing your profile, preferences, and watchlist

  • Processing founder applications through our review pipeline

  • Recording and facilitating introductions between investors and founders

To process payments:

  • Processing purchases of due diligence reports via our payment provider (Stripe)

  • Maintaining transaction records for accounting and regulatory purposes

To receive and review submissions:

  • Reviewing investor applications and founder pitches

  • Assessing suitability for Angels Den's network and activities

  • Scoring and categorising applications for internal review

  • Requesting and reviewing additional materials (such as financial information and data room documents)

To communicate with you:

  • Sending transactional emails (account verification, password resets, certification confirmations, deal notifications)

  • Following up on investor and founder submissions

  • Sending newsletter communications (where you have subscribed)

  • Responding to enquiries

To operate, protect, and improve our services:

  • Maintaining platform security and preventing fraud or abuse

  • Verifying CAPTCHA responses to prevent automated submissions

  • Measuring platform performance and understanding usage patterns (via PostHog analytics)

  • Detecting and resolving technical errors (via Sentry error monitoring)

  • Maintaining audit trails for administrative actions, data exports, and compliance review

To meet legal and regulatory obligations:

  • Maintaining immutable investor certification records as required by FCA financial promotion rules

  • Maintaining audit trails for compliance review

  • Retaining financial transaction records in accordance with UK tax and accounting obligations

  • Complying with applicable UK laws and responding to lawful requests

  • Establishing, exercising, or defending legal claims

We do not use your data for automated decision-making that produces legal or similarly significant effects (as defined by data protection law). Application review and scoring is performed by our team, not by automated systems.

6. Our Lawful Bases for Processing (UK GDPR)

A) Legitimate interests: We process personal data where it is necessary for our legitimate interests, such as: reviewing and managing submissions; communicating with applicants; operating and securing our platform; measuring platform performance and diagnosing errors; connecting relevant investors and founders; and maintaining audit trails. When we rely on legitimate interests, we consider and balance our interests against your rights and freedoms.

B) Steps prior to entering a contract / contract performance: We process data to take steps you request prior to entering into a contract (for example, creating your account and completing onboarding), to perform a contract where an ongoing relationship is established (for example, processing a due diligence report purchase), or to maintain contractual records (such as success fee consent acceptances).

C) Legal and regulatory obligation: We process certain data to comply with legal obligations, including FCA financial promotion rules that require us to verify and record investor certification status before permitting access to investment content. Certification records are maintained on an immutable, append-only basis because financial promotion regulations require us to demonstrate that appropriate checks were in place at the time an investor viewed investment content. We also retain financial transaction records to comply with UK tax and accounting obligations.

D) Consent: We rely on consent where required by law, including for newsletter marketing communications. You can withdraw consent at any time (see Section 11). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

7. Who We Share Your Personal Data With

We share personal data only as necessary and with appropriate safeguards.

A) Angels Den staff (internal access): Founder submissions (including pitch decks) are reviewed by Angels Den staff and may be shared with selected certified investor members for investment consideration and introductions. We do not publish submissions publicly. You may request that we restrict sharing, but this may limit our ability to progress your submission. Access to administrative functions is restricted to authorised staff and all administrative actions are logged.

B) Authorised partner: Where an investment proceeds beyond introduction, relevant data may be shared with our authorised partner, Vestd Ltd (FCA-authorised), to facilitate the regulated investment transaction. Vestd maintains its own privacy policy governing its processing of your data. Vestd acts as a separate data controller for data it receives.

C) Service providers (processors): We use the following trusted service providers, each of which acts as a data processor on our behalf:

Supabase Inc. — Cloud database, user authentication, file storage, and serverless compute. Supabase stores the majority of platform data including user profiles, certifications, applications, documents, and authentication sessions. Data location: EU (eu-west-2, London region).

Vercel Inc. — Frontend hosting and CDN. Vercel processes limited technical data (IP addresses, request metadata) in the course of serving pages. No persistent user data stored. Data location: Vercel Edge Network (global CDN, European edge).

Stripe Inc. — Payment processing for due diligence report purchases. Payment card details are processed entirely by Stripe and never touch our servers. We store only the payment reference, amount, and associated investor/report identifiers. Data location: Stripe infrastructure (PCI DSS Level 1 compliant).

Resend Inc. — Transactional email delivery (account verification, password resets, notifications). Resend processes recipient email addresses and email content. Data location: Resend infrastructure (US).

Beehiiv Inc. — Newsletter subscription management. Beehiiv stores subscriber email addresses. Subscription data is managed by Beehiiv, not in our platform database. Data location: Beehiiv infrastructure (US).

PostHog Inc. — Product analytics, session replay, and funnel tracking. PostHog receives anonymised usage events, page views, and masked session recordings. Users are identified by UUID only (no name or email sent). Data location: PostHog EU cloud.

Sentry (Functional Software Inc.) — Frontend error monitoring. Sentry receives error stack traces, browser metadata, and session replay on errors. Users are identified by UUID and user type only (no name or email sent). Data location: Sentry EU region.

Cloudflare Inc. — CAPTCHA verification (Turnstile) and CDN/security services. Cloudflare processes limited technical data (browser fingerprint data) for bot detection. Data location: Cloudflare infrastructure (global).

Framer B.V. — Marketing website hosting and built-in analytics. Framer states its analytics does not use cookies or persistent identifiers. Data location: Framer infrastructure (EU).

We may use additional operational providers from time to time. Where we do, we ensure appropriate contractual protections (including Data Processing Agreements where required) are in place.

D) Legal and regulatory disclosures: We may disclose personal data where required by law, by a court order, or by a regulatory authority, or where necessary to protect our rights, users, or the public.

8. International Transfers

We are based in the United Kingdom. Our core platform database is hosted in the EU (Supabase: eu-west-2, London region). Our frontend is served via Vercel's European edge network.

Some of our service providers are US-based companies and may process data in the United States or other countries as part of their operations. This includes Supabase (US-headquartered, EU-hosted data), Vercel, Stripe, Resend, Beehiiv, PostHog (EU cloud), Sentry (EU region), and Cloudflare.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the EU–US Data Privacy Framework (where the recipient is certified), or other approved transfer mechanisms under UK data protection law.

9. How Long We Keep Your Personal Data (Retention)

We keep personal data only for as long as necessary for the purposes described in this Policy, subject to the following specific retention periods:

Investor certification records: Retained indefinitely on an immutable, append-only basis. They cannot be edited or deleted, even at your request. FCA financial promotion rules (including FCA PS22/10 and COBS 4.12) require us to demonstrate that investors were appropriately certified at the time they accessed investment content. If you request account deletion, we will anonymise your profile data but your certification records will be retained with a pseudonymised user reference to preserve the regulatory audit trail. This falls within the exemption under UK GDPR Article 17(3)(b) (compliance with a legal obligation).

Consent acceptances (success fee, GDPR): Retained indefinitely on an immutable, append-only basis for contractual and compliance evidence.

Financial transaction records (DD report purchases): Retained for a minimum of 7 years to comply with UK tax and accounting regulations. Cannot be deleted during this period.

Administrative and audit logs (including data export logs): Retained for a minimum of 6 years for operational compliance, dispute resolution, and regulatory audit.

Investment activity (deal views, interests, pledges): Retained for the duration of your account plus 6 years. Interests and pledges use a "soft delete" pattern: if you withdraw an interest or pledge, it is marked as withdrawn with a timestamp but the underlying record is retained for audit purposes. Deal view records are permanent.

Account and profile data: Retained for the duration of your account. If you close your account or request deletion, we will delete or anonymise your profile data within 30 days, except where retention is necessary for regulatory compliance (see above) or to establish, exercise, or defend legal claims.

Investor waitlist submissions: Retained for up to 24 months from submission, unless you create a platform account (in which case data is governed by account retention) or a longer period is needed for legal reasons.

Founder applications and uploaded documents: Retained for up to 24 months from the last meaningful contact, unless an ongoing relationship is established or a longer period is needed for legal or regulatory reasons. Pitch decks and supporting documents are stored in private, access-controlled storage and are not publicly accessible.

Newsletter subscriptions (Beehiiv): Your email address is retained until you unsubscribe. Upon unsubscribing, it is removed from our mailing list provider (Beehiiv).

Ongoing relationships: Where we enter into an ongoing relationship with you (for example, as an active investor member or a startup progressing through our pipeline), we retain relevant records for the duration of the relationship and typically up to 6 years after it ends, to deal with legal claims, regulatory requirements, and record-keeping obligations.

Error monitoring data (Sentry): Retained per Sentry's default retention policy (typically 90 days). No personal identifiers — UUID and user type only.

Analytics data (PostHog): Retained per PostHog's configured retention settings. Anonymous UUID, masked input fields. EU cloud.

Website and platform security logs: Typically retained for up to 12 months, unless needed longer for security incident investigation.

You can request deletion of your data at any time (see Section 11). Where deletion is not possible due to regulatory obligations, we will explain the reason and the specific data that must be retained.

10. How We Protect Your Personal Data

We use technical and organisational measures designed to protect personal data, including:

  • Encryption in transit (TLS/HTTPS) for all platform communications, enforced via HSTS headers

  • Encryption at rest for stored data

  • Row-level security (RLS) policies that restrict database access so users can only access data they are authorised to see

  • A certification firewall: deal content is inaccessible without a valid FCA certification on record

  • Role-based access controls for administrative functions

  • Passwords hashed by our authentication provider (bcrypt)

  • Immutable database triggers that prevent backdating or tampering with certification and consent timestamps

  • Comprehensive audit logging of all administrative actions (including IP address, user agent, action type, and target record)

  • Private, access-controlled storage for uploaded documents, with signed URLs that expire after a short period

  • Content Security Policy (CSP) headers restricting script and connection sources

  • CAPTCHA verification (Cloudflare Turnstile) on all authentication and public-facing forms

  • JWT-based authentication (reducing CSRF risk compared to session cookies)

  • Server-side validation for all security-sensitive operations

  • CSV data exports protected against formula injection

  • Independent penetration testing completed across all user roles (investor, founder, admin)

  • Regular review of security practices

No system is completely secure, and we cannot guarantee absolute security. If we become aware of a security breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, affected individuals in accordance with UK GDPR.

11. Your Data Protection Rights (UK GDPR)

Subject to conditions and exemptions in the law, you have the right to:

  • Access your personal data (receive a copy of what we hold about you)

  • Rectify inaccurate or incomplete personal data

  • Erase your personal data (subject to the limitations described below)

  • Restrict processing of your personal data in certain circumstances

  • Data portability (receive your data in a portable format, in certain circumstances)

  • Object to processing based on legitimate interests

Important limitation — investor certification records: Under UK GDPR Article 17(3)(b), we are not obliged to erase personal data where processing is necessary for compliance with a legal obligation. Investor certification records fall within this exemption because FCA financial promotion rules require us to maintain evidence that investors were appropriately certified. If you request account deletion, we will delete or anonymise your profile and personal information, but your certification records (certification type, statement confirmed, timestamps, and a pseudonymised user reference) will be retained.

Important limitation — financial transaction records: Records of due diligence report purchases and other financial transactions are retained for a minimum of 7 years to comply with UK tax and accounting obligations, regardless of account deletion requests.

Important limitation — consent acceptances and audit logs: Consent acceptance records and administrative audit logs are retained for their specified periods to maintain contractual evidence and operational compliance, and cannot be erased on request during those periods.

Your right to object (important): You have an absolute right to object at any time to direct marketing. You can also object to processing based on legitimate interests; if you do, we will stop processing unless we have compelling legitimate grounds to continue or the processing is needed for legal claims.

To exercise your rights, email info@angelsden.com. We will respond within one month. We may need to verify your identity before processing your request.

Complaints: If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority: the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Website: ico.org.uk.

12. Cookies, Analytics, and Similar Technologies (PECR)

This section describes how our website and platform use cookies, browser local storage, and similar technologies. For a full breakdown, please see our separate Cookie Policy.

A) Essential cookies: Our platform sets a small number of cookies that are strictly necessary for core functionality:

  • Supabase authentication cookies: Maintain your logged-in session. Set by the Supabase JavaScript SDK as part of the PKCE authentication flow.

  • Cloudflare Turnstile: Session-duration cookie used to maintain CAPTCHA challenge state for bot detection.

Under UK PECR rules, strictly necessary cookies do not require consent, but we are required to inform you about them.

B) Essential local storage and session storage: Our platform uses browser local storage and session storage for functional purposes that are strictly necessary for the platform to operate:

  • Authentication tokens (local storage, "sb-*" keys): Supabase authentication session tokens (JWT and refresh token).

  • Application draft state (local storage, "ad_pending_claim"): Maintains application claim state when confirming your email in a different browser tab.

  • Post-authentication redirect (local storage, "ad_auth_redirect"): Records where to return you after login.

  • Application form drafts (session storage, "ad_apply_form_*"): Preserves your application form progress if you refresh the page within the same browser session.

  • Application step tracker (session storage, "ad_apply_step"): Records your current step in the application wizard.

C) Analytics (PostHog): Our platform uses PostHog for product analytics. PostHog is configured in localStorage-only mode and does not set cookies. It stores an anonymous user identifier (UUID) in your browser's local storage to associate usage events with a consistent anonymous session. No personal identifiers (name, email) are sent to PostHog. Input fields in session recordings are masked to prevent capture of personal data.

PostHog's use of local storage for analytics purposes falls within the scope of UK PECR Regulation 6, which covers storage of information on a user's device. We have assessed that the privacy impact of this local storage is minimal given the anonymous nature of the data collected and the EU hosting of PostHog data, and we have determined that it falls within our legitimate interest in understanding how our platform is used. If you prefer to opt out of analytics, you can clear your browser local storage at any time or enable your browser's "Do Not Track" setting.

D) Marketing website analytics (Framer): Our marketing website (angelsden.com) may use Framer's built-in analytics, which Framer states does not use cookies or persistent identifiers.

E) Cookie consent: Our website displays a cookie consent banner. At present, the only cookies and similar technologies we use are those described above. If we introduce additional non-essential cookies or third-party tracking technologies in the future (such as advertising pixels or third-party analytics), those technologies will not be activated until you provide consent through the banner. We will update this Policy and our Cookie Policy before activating any new non-essential tracking.

F) Managing cookies and local storage: You can manage cookies and local storage through your browser settings. Disabling essential cookies or local storage may prevent you from using the platform. See our Cookie Policy for instructions.

13. Children's Privacy

Our website and platform are not intended for children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@angelsden.com and we will take appropriate steps to delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Last updated" date and version number. If changes are significant, we may provide additional notice (for example, via email to registered users). The version identifier of this Policy is recorded against your submissions and certifications so that we can demonstrate which version you consented to.

15. Version History

We maintain an archive of previous versions of this Policy. You may request a copy of any previous version by contacting info@angelsden.com.

Version 5.0 — 29 March 2026 — Added Stripe, Beehiiv, PostHog, Sentry as processors. Expanded data categories and retention periods.

Version 4.0 — 14 February 2026 — Platform launch update. Added Supabase, Vercel, Resend, Cloudflare.

Version 3.0 — 10 February 2026 — Due diligence processes, internal tools.

Version 2.0 — 29 January 2026 — Added Tally, expanded data categories.

Version 1.0 — 15 January 2026 — Initial policy.

END OF PRIVACY POLICY
