Privacy Policy
Last updated: November 2025
Invest How Now is operated by Concept by Hannah Ltd (UK Company Number 15280150). Your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Concept by Hannah Ltd is the data controller for your personal information. For data protection enquiries, please contact us using the details at the end of this policy.
2. Information We Collect
We collect the following categories of personal data:
Account Information
- Name and email address
- LinkedIn profile URL
- Location (city/region)
- Role (founder, investor, or both)
- Profile photograph (if provided or obtained via Google sign-in)
Profile Information
- For Founders: Company name, description, sector, stage, fundraising details, SEIS/EIS status, Companies House registration number (for verified profiles)
- For Investors: Investment thesis, sector preferences, stage preferences, check size range, investment track record
Pitch Deck and Documents
- Pitch deck files uploaded for sharing with potential investors (PDF, PowerPoint)
- Extracted text content from pitch decks for AI-assisted analysis and matching
- Access logs showing which users have viewed shared pitch decks
Usage Information
- Matches viewed and interactions
- Introduction requests sent and received
- Scheduled meetings and booking history
- Platform usage analytics
Technical Information
- IP address and browser type
- Device information
- Cookies and similar technologies (see Cookies section below)
3. Third-Party Authentication
We offer sign-in via Google OAuth. When you choose to sign in with Google, we receive:
- Your Google account email address
- Your name as registered with Google
- Your Google profile picture (if available)
We do not receive or store your Google password. Google's use of your information is governed by Google's Privacy Policy. You can revoke our access to your Google account at any time via your Google Account settings.
4. AI and Automated Processing
We use artificial intelligence to enhance the Service. This includes:
- Profile Matching: AI analyses your profile information to identify potential connections with aligned interests, sectors, and investment criteria. This processing is based on our legitimate interest in providing the core Service functionality.
- Text-to-Speech: Blog article summaries may be converted to audio using AI voice synthesis (Deepgram). The text content is processed but not stored by the audio provider.
- Chat Assistance: AI-powered chat helps you complete your profile and understand the platform. Conversation content is processed to provide responses but is not used to train AI models.
You have the right to object to automated decision-making. Contact us if you wish to request human review of any AI-generated suggestions or decisions.
5. Scheduling and Calendar Integration
We integrate with Cal.com to facilitate meeting scheduling between users. When you use the scheduling feature:
- A managed calendar profile is created on your behalf
- Your availability preferences and scheduled meetings are stored
- Meeting participants receive calendar invitations with meeting details
- You may optionally connect your personal calendar (Google Calendar, Outlook) for availability sync
Cal.com processes this data as our sub-processor under a data processing agreement. See Cal.com's Privacy Policy for details.
6. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract: To provide the Service you have signed up for
- Consent: For marketing communications (you can withdraw anytime)
- Legitimate Interest: To improve our Service, prevent fraud, ensure security, and provide AI-powered matching
- Legal Obligation: To comply with applicable laws, maintain audit records, and respond to regulatory enquiries
7. How We Use Your Information
- To create and manage your account
- To generate discovery suggestions based on profile alignment using AI
- To facilitate introductions and meeting scheduling between users who choose to connect
- To process payments and manage subscriptions via Revolut Business
- To send service-related communications via email
- To improve and personalise the Service
- To prevent fraud and ensure platform security
- To verify founder profiles against Companies House records (UK companies only)
- To maintain audit logs for regulatory compliance
8. Data Processors and Sub-processors
We use the following third-party service providers who process personal data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Revolut Business | Payment processing | UK/EU |
| OpenAI | AI matching and chat assistance | USA (EU SCCs) |
| Deepgram | Text-to-speech for blog audio | USA (EU SCCs) |
| Cal.com | Meeting scheduling | EU |
| Resend | Transactional email delivery | USA (EU SCCs) |
"EU SCCs" refers to Standard Contractual Clauses approved by the UK ICO for international data transfers. All processors are bound by data processing agreements compliant with UK GDPR.
9. Audit Logs and Compliance
To maintain platform integrity and support potential regulatory enquiries, we maintain audit logs of certain activities including:
- Introduction requests between users
- Profile verification status changes
- Meeting bookings and cancellations
- Account creation and authentication events
These logs include timestamps, IP addresses, and user agent information. They are retained for 7 years to comply with potential regulatory requirements and are only accessed for security investigations or in response to lawful requests.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion:
- Profile data is deleted within 30 days
- Audit logs are retained for up to 7 years for legal, tax, and regulatory purposes
- Payment records are retained as required by financial regulations
- Anonymised and aggregated data may be retained indefinitely for analytics
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest (AES-256)
- Row-level security policies on database tables
- Access controls and authentication via secure OAuth flows
- Regular security assessments and dependency updates
- Staff training on data protection
While we take reasonable precautions, no method of transmission or storage is 100% secure. Please notify us immediately if you suspect unauthorised access to your account.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also report qualifying breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required under UK GDPR Article 33.
Notification will include the nature of the breach, likely consequences, and measures taken or proposed to address the breach and mitigate potential adverse effects. We maintain an internal breach register and incident response procedures to ensure timely detection and response.
13. Your Rights (GDPR)
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests or automated decision-making
- Withdraw Consent: Withdraw consent at any time for consent-based processing
To exercise these rights, contact us using the details below. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
14. International Transfers
Your data is primarily stored within the European Economic Area (Supabase EU region). Where we use service providers outside these regions (see Section 8), we ensure appropriate safeguards are in place through Standard Contractual Clauses approved by the UK ICO.
15. Cookies
We use cookies and similar technologies to operate the Service, remember your preferences, and analyse usage. Essential cookies are required for authentication and security. You can manage non-essential cookie preferences through your browser settings.
For detailed information, see allaboutcookies.org.
16. Third-Party Links
Our website may contain links to third-party websites including LinkedIn profiles and external resources. This policy applies only to our Service. Please review the privacy policies of any third-party sites you visit.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or platform notification. The "Last updated" date at the top indicates when the policy was last revised.
18. Contact Us
For privacy-related questions or to exercise your rights, contact us via the details on our website.
Supervisory Authority: You may also contact the Information Commissioner's Office (ICO) at ico.org.uk if you have concerns about our data practices.
Disclaimer
The content provided on this website is for informational and educational purposes only. It is not intended to be, and should not be construed as, financial, investment, or legal advice or a recommendation. Invest How Now is not a financial adviser and is not regulated by the Financial Conduct Authority (FCA); its authors are not financial advisers, and it is therefore not authorised to offer financial advice. You should consult with a qualified professional before making any financial decisions.
Invest How Now does not approve or communicate financial promotions and does not arrange or facilitate investments. Any introductions or conversations between founders and investors occur only where both parties independently choose to connect. Where a financial promotion is required, it will be approved and communicated by an FCA-authorised firm.
Disclosure
When content is published about a company or organisation with which Invest How Now has a commercial relationship or interest, such as an advertiser or sponsor, that fact will be clearly disclosed in the article.
Do your own research and seek independent advice when required
Always do your own research and seek independent financial advice when required. Any arrangement made between you and any third party named or linked to from the site is at your sole risk and responsibility. Invest How Now and its associated writers assume no liability for your actions.
Investing carries risks
The value of investments and any income derived from them can fall as well as rise and you may not get back the original amount you invested.