Privacy Policy

ANGELS DEN PRIVACY POLICY

Version 4.0
Last updated: 14 February 2026 · Effective: 14 February 2026

  1. Who We Are (Data Controller)

This Privacy Policy explains how ANGELS DEN FUNDING LIMITED, trading as Angels Den ("Angels Den", "we", "us", "our"), collects and uses personal data when you visit our website, use our investment platform, or submit information via our forms.

Data Controller: ANGELS DEN FUNDING LIMITED
Registered address: 17 Holywell Hill, Suite 33, St. Albans, England, AL1 1DT
Company number: 08384317
Privacy contact: info@angelsden.com

Regulatory status: Angels Den operates as an introducer. We do not provide investment advice or manage investments. Where regulated investment activity occurs, it is conducted through our authorised partner, Vestd Ltd, which is authorised and regulated by the Financial Conduct Authority (FCA).

If you have any questions about this Policy or wish to exercise your data rights, contact us using the details above.

  2. What This Privacy Policy Covers

This Policy covers personal data we process when you:

• Visit our marketing website (angelsden.com), hosted on Framer;
• Create an account on or use our investment platform (app.angelsden.com or equivalent), hosted on Vercel;
• Submit an investor waitlist form, founder application form, or any other form on our website or platform;
• Complete investor self-certification through our platform;
• Browse or interact with deal listings on the platform;
• Subscribe to our newsletter;
• Communicate with us by email or other means.

This Policy does not cover third-party websites or services that may be linked from our website or platform, including our authorised partner Vestd Ltd, which maintains its own privacy policy.

  3. Personal Data We Collect

We collect personal data in the following ways:

A) Information you provide to us

Account registration and authentication:
• Email address (used as your login identifier)
• Password (stored as a cryptographic hash; we cannot see your actual password)
• Name and contact details provided during onboarding

Investor self-certification:
• Your selected certification type (High Net Worth, Sophisticated Investor, or Restricted Investor)
• A timestamped, versioned record of the full FCA-prescribed certification statement you confirmed
• The date of certification and its expiry date (12 months from certification)
• Your browser user-agent string at the time of certification
• These certification records are immutable and append-only. We explain why under "Retention" (Section 9).

Investor profile and preferences:
• Investment experience level and sector interests
• Geographic and stage preferences
• LinkedIn profile URL (if provided)
• Profile photo (if uploaded)

Investor waitlist form:
• Name, email address, phone number (if provided)
• Investment experience and interests
• Any information you include in free-text fields
• The version of this privacy policy you consented to at the time of submission

Founder application form:
• Name and contact details
• Company and startup information (sector, stage, traction, fundraising requirements, team details)
• Uploaded files (pitch decks, supporting documents)
• Financial information (revenue, costs, forecasts) where provided
• Any information you include in free-text fields
• The version of this privacy policy you consented to at the time of submission

Newsletter subscription:
• Email address only

Direct communications:
• Your contact details and the content of your messages

B) Information we collect automatically

Platform authentication and session data:
• Session tokens and authentication state
• Login timestamps and session duration
• Browser user-agent string (recorded during authentication events and certification)

CAPTCHA verification:
• We use Cloudflare Turnstile to prevent automated abuse of our forms. Turnstile collects limited technical data (such as browser characteristics) to assess whether a visitor is human. It is designed to operate without tracking cookies or persistent identifiers.

Website and platform technical data:
• IP address and approximate geographic location (derived from IP)
• Device type, operating system, and browser information
• Pages viewed, timestamps, and referring page or source
• Security and performance logs

C) Information you provide about other people

If you submit information that includes personal data about other individuals (for example, co-founders, team members, or references), you confirm that you have the right to provide that information and to share it with us for the purposes described in this Policy.

D) Professional contact details from public sources

We may occasionally obtain business contact details (name, job title, company email) from publicly accessible professional networks to identify relevant investors or founders. This is limited, B2B-focused, and always includes an immediate opt-out option.

  4. Special Category Data (Sensitive Information)

We do not intend to collect "special category" personal data (e.g., health information, ethnicity, religious beliefs, political opinions). We do not routinely collect criminal offence data, but in limited cases we may carry out proportionate verification checks where permitted by law and with appropriate safeguards.

Please do not include sensitive personal data in form free-text fields or uploaded documents unless it is strictly necessary. If you do provide sensitive information, we will handle it with care and only use it where necessary for the relevant purpose and lawful basis.

  5. How We Use Your Personal Data

To provide and operate the platform:
• Creating and managing your account
• Processing investor self-certification and maintaining certification records
• Displaying deal listings to certified investors
• Managing your profile, preferences, and watchlist
• Processing founder applications through our review pipeline

To receive and review submissions:
• Reviewing investor applications and founder pitches
• Assessing suitability for Angels Den's network and activities
• Scoring and categorising applications for internal review
• Requesting and reviewing additional materials (such as financial information and data room documents)

To communicate with you:
• Sending transactional emails (account verification, password resets, certification confirmations)
• Following up on investor and founder submissions
• Sending newsletter communications (where you have subscribed)
• Responding to enquiries

To operate, protect, and improve our services:
• Maintaining platform security and preventing fraud or abuse
• Verifying CAPTCHA responses to prevent automated submissions
• Measuring platform performance and understanding usage patterns
• Maintaining audit trails for administrative actions

To meet legal and regulatory obligations:
• Maintaining immutable investor certification records as required by FCA financial promotion rules
• Maintaining audit trails for compliance review
• Complying with applicable UK laws and responding to lawful requests
• Establishing, exercising, or defending legal claims

We do not use your data for automated decision-making that produces legal or similarly significant effects (as defined by data protection law). Application review and scoring is performed by our team, not by automated systems.

  6. Our Lawful Bases for Processing (UK GDPR)

A) Legitimate interests:
We process personal data where it is necessary for our legitimate interests, such as: reviewing and managing submissions; communicating with applicants; operating and securing our platform; improving our services; and connecting relevant investors and founders. When we rely on legitimate interests, we consider and balance our interests against your rights and freedoms.

B) Steps prior to entering a contract / contract performance:
We process data to take steps you request prior to entering into a contract (for example, creating your account and completing onboarding) or to perform a contract where an ongoing relationship is established.

C) Legal and regulatory obligation:
We process certain data to comply with legal obligations, including FCA financial promotion rules that require us to verify and record investor certification status before permitting access to investment content. Certification records are maintained on an immutable, append-only basis because financial promotion regulations require us to demonstrate that appropriate checks were in place at the time an investor viewed investment content.

D) Consent:
We rely on consent where required by law, including for newsletter marketing communications. You can withdraw consent at any time (see Section 11). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

  7. Who We Share Your Personal Data With

We share personal data only as necessary and with appropriate safeguards.

A) Angels Den staff (internal access):
Founder submissions (including pitch decks) are reviewed by Angels Den staff and may be shared with selected certified investor members for investment consideration and introductions. We do not publish submissions publicly. You may request that we restrict sharing, but this may limit our ability to progress your submission. Access to administrative functions is restricted to authorised staff and all administrative actions are logged.

B) Authorised partner:
Where an investment proceeds beyond introduction, relevant data may be shared with our authorised partner, Vestd Ltd (FCA-authorised), to facilitate the regulated investment transaction. Vestd maintains its own privacy policy governing its processing of your data.

C) Service providers (processors):
We use the following trusted service providers, each of which acts as a data processor on our behalf:

• Supabase Inc. — Cloud database, user authentication, file storage (pitch decks and supporting documents), and server-side functions. Supabase stores the majority of platform data. Supabase provides a Data Processing Agreement (DPA) compliant with GDPR requirements.

• Vercel Inc. — Hosting and serving the platform frontend application. Vercel processes limited technical data (IP addresses, request metadata) in the course of serving pages.

• Resend Inc. — Transactional email delivery (account verification, password resets) and newsletter distribution. Resend processes email addresses and delivery metadata.

• Cloudflare Inc. — CAPTCHA verification (Turnstile) to prevent automated abuse of forms. Cloudflare processes limited technical data for bot detection. Our website may also use Cloudflare's CDN and security services.

• Framer B.V. — Hosting our marketing website (angelsden.com) and its built-in analytics. Framer states that its analytics do not use cookies or persistent identifiers.

We may use additional operational providers from time to time. Where we do, we ensure appropriate contractual protections (including Data Processing Agreements where required) are in place.

D) Legal and regulatory disclosures:
We may disclose personal data where required by law, by a court order, or by a regulatory authority, or where necessary to protect our rights, users, or the public.

  8. International Transfers

We are based in the United Kingdom. Our platform infrastructure is hosted in the EU (Supabase: eu-west-2, London region where available; Vercel: European edge network). Some of our service providers (including Supabase, Vercel, Resend, and Cloudflare) are US-based companies and may process data in the United States or other countries as part of their operations. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), EU-US Data Privacy Framework adequacy decisions (where applicable), or other approved mechanisms under UK data protection law.

  9. How Long We Keep Your Personal Data (Retention)

We keep personal data only for as long as necessary for the purposes described in this Policy, subject to the following specific retention periods:

Investor certification records:
These records are retained indefinitely on an immutable, append-only basis. They cannot be edited or deleted, even at your request. This is because FCA financial promotion rules (including FCA PS22/10 and COBS 4.12) require us to demonstrate that investors were appropriately certified at the time they accessed investment content. If you request deletion of your account, we will anonymise your profile data but your certification records will be retained with a reference to your user identifier to preserve the regulatory audit trail. This falls within the exemption under UK GDPR Article 17(3)(b) (compliance with a legal obligation).

Account and profile data:
Retained for the duration of your account. If you close your account or request deletion, we will delete or anonymise your profile data within 30 days, except where retention is necessary for regulatory compliance (see above) or to establish, exercise, or defend legal claims.

Investor waitlist submissions:
Retained for up to 24 months from submission, unless you create a platform account (in which case data is governed by account retention) or a longer period is needed for legal reasons.

Founder applications and uploaded documents:
Retained for up to 24 months from the last meaningful contact, unless an ongoing relationship is established or a longer period is needed for legal or regulatory reasons. Pitch decks and supporting documents are stored in private, access-controlled storage buckets and are not publicly accessible.

Newsletter subscriptions:
Your email address is retained until you unsubscribe. Upon unsubscribing, it is removed from our mailing list provider (Resend).

Ongoing relationships:
Where we enter into an ongoing relationship with you (for example, as an active investor member or a startup progressing through our pipeline), we retain relevant records for the duration of the relationship and typically up to 6 years after it ends, to deal with legal claims, regulatory requirements, and record-keeping obligations.

Administrative and audit logs:
Administrative action logs, data export audit trails, and access logs are retained for a minimum of 6 years for regulatory compliance and to support any investigation or audit.

Website and platform security logs:
Typically retained for up to 12 months, unless we need to keep them longer to investigate security incidents or abuse.

You can request deletion of your data at any time (see Section 11). Where deletion is not possible due to regulatory obligations, we will explain the reason and the specific data that must be retained.

  10. How We Protect Your Personal Data

We use technical and organisational measures designed to protect personal data, including:

• Encryption in transit (TLS/HTTPS) for all platform communications
• Encryption at rest for stored data
• Row-level security (RLS) policies that restrict database access so users can only access data they are authorised to see
• Role-based access controls for administrative functions
• Immutable database triggers that prevent backdating or tampering with certification timestamps
• Audit logging of all administrative actions
• Private, access-controlled storage for uploaded documents (pitch decks and supporting materials)
• Server-side validation for all security-sensitive operations (certification, legal acceptance, administrative actions)
• CAPTCHA verification to prevent automated abuse of public-facing forms
• Regular review of security practices

No system is completely secure, and we cannot guarantee absolute security. If we become aware of a security breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, affected individuals in accordance with UK GDPR.

  11. Your Data Protection Rights (UK GDPR)

Subject to conditions and exemptions in the law, you have the right to:

• Access your personal data (receive a copy of what we hold about you)
• Rectify inaccurate or incomplete personal data
• Erase your personal data (subject to the limitations described below)
• Restrict processing of your personal data in certain circumstances
• Data portability (receive your data in a portable format, in certain circumstances)
• Object to processing based on legitimate interests

Important limitation — investor certification records:
Under UK GDPR Article 17(3)(b), we are not obliged to erase personal data where processing is necessary for compliance with a legal obligation. Investor certification records fall within this exemption because FCA financial promotion rules require us to maintain evidence that investors were appropriately certified. If you request account deletion, we will delete or anonymise your profile and personal information, but your certification records (certification type, statement confirmed, timestamps, and a pseudonymised user reference) will be retained.

Your right to object (important):
You have an absolute right to object at any time to direct marketing. You can also object to processing based on legitimate interests; if you do, we will stop processing unless we have compelling legitimate grounds to continue or the processing is needed for legal claims.

To exercise your rights, email info@angelsden.com. We will respond within one month. We may need to verify your identity before processing your request.

Complaints:
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority: the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Website: ico.org.uk.

  12. Marketing Communications

We send marketing communications (such as our newsletter) only where you have actively subscribed or where otherwise permitted by law. You can opt out at any time by using the unsubscribe link in any email, or by emailing info@angelsden.com. Transactional emails (such as account verification, password resets, and certification confirmations) are not marketing communications and will continue to be sent as necessary for the operation of your account.

  13. Cookies, Analytics, and Similar Technologies (PECR)

A) Essential cookies and local storage:
Our platform uses essential cookies and browser local storage that are strictly necessary for core functionality. This includes authentication session tokens that keep you logged in and security-related state. Under UK PECR rules, essential cookies do not require consent, but you must be informed about them.

B) Analytics:
Our marketing website (Framer) may use Framer's built-in analytics, which Framer states does not use cookies or persistent identifiers. Our platform does not currently use third-party analytics services.

C) CAPTCHA:
Our forms use Cloudflare Turnstile for bot detection. Turnstile is designed to be privacy-preserving and does not use tracking cookies. It processes limited technical data to assess whether a visitor is human.

D) Managing cookies:
You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the platform. If we add non-essential cookies or third-party tracking in the future, we will update this Policy and, where required, request your consent.

  14. Children's Privacy

Our website and platform are not intended for children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@angelsden.com and we will take appropriate steps to delete it.

  15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Last updated" date and version number. If changes are significant, we may provide additional notice (for example, via email to registered users). The version identifier of this Policy is recorded against your submissions and certifications so that we can demonstrate which version you consented to.

  16. Version History

We maintain an archive of previous versions of this Policy. You may request a copy of any previous version by contacting info@angelsden.com.

Version | Effective Date | Summary of Changes
4.0 | 14 February 2026 | Major update for platform launch. Added Supabase, Vercel, Resend, Cloudflare as processors. Added investor certification data, authentication data, FCA regulatory retention obligations, Article 17(3)(b) erasure limitation, security measures detail, version history. Replaced Tally references. Updated contact to info@angelsden.com.
3.0 | 10 February 2026 | Updated for expanded due diligence processes, internal collaboration tools (Microsoft 365, Notion), additional evaluation materials, professional B2B sourcing.
2.0 | 29 January 2026 | Added Tally as form processor, expanded data categories.
1.0 | 15 January 2026 | Initial privacy policy for website and Tally forms.

END OF PRIVACY POLICY