Legal

Privacy Policy

Effective date: June 23, 2025 · Last updated: June 23, 2025

1. Who We Are

VCF.co (“VCF.co,” “we,” “our,” or “us”) operates a venture capital fund management software platform and related services at vcf.co. Our registered address and contact information are set out in Section 14.

2. Scope and Who This Policy Applies To

This Privacy Policy applies to three categories of individuals who interact with our Platform:

  • Fund Managers / GPs — general partners, emerging managers, and fund administrators who use the Platform to form and operate venture capital funds.
  • LP Investors — limited partners who access the Platform through the LP portal to manage their fund investments, sign documents, and receive fund communications.
  • Visitors — anyone who browses our public website without an account.

By using the Platform, you consent to the practices described in this Policy.

3. Information We Collect

From Fund Managers / GPs:

  • Name, email, phone number, and business address;
  • Fund entity formation documents and GP entity information;
  • Beneficial ownership information for GP and management company entities;
  • Bank account information for management fee receipt and fund operations;
  • Fund financial data, portfolio company information, and investment records uploaded to the platform.

From LP Investors:

  • Full legal name, date of birth, address, email, and phone number;
  • Government-issued ID (passport, driver’s license) for identity verification;
  • Social Security Number or Tax Identification Number (TIN) for KYC and tax reporting (Schedule K-1);
  • Accredited investor verification documents — financial statements, CPA letters, broker-dealer certifications;
  • Beneficial ownership information for entity investors (LLCs, trusts, family offices, IRAs);
  • Bank account information for capital call funding and distribution receipt;
  • Income and net worth information for accredited investor verification under Reg D 506(c).

From all users:

  • Usage data (pages visited, features used, session duration);
  • Device and browser information, IP address;
  • Communications sent to us via the platform or email.

4. Legal Basis for Processing (GDPR)

Where GDPR applies, we process personal data under these legal bases:

  • Contract performance (Art. 6(1)(b)) — to provide the platform services to fund managers and LPs;
  • Legal obligation (Art. 6(1)(c)) — to comply with KYC, AML, BSA, and securities law requirements;
  • Legitimate interests (Art. 6(1)(f)) — for fraud prevention, platform security, and analytics;
  • Consent (Art. 6(1)(a)) — for marketing communications (where required).

5. How We Use Your Information

  • To provide, operate, and improve the Platform;
  • To verify the identity of fund managers, GPs, and LP investors as required by KYC/AML law;
  • To verify accredited investor status under Regulation D;
  • To generate and deliver fund documents including LP agreements, subscription agreements, and capital call notices;
  • To process capital call funding and distribution payments;
  • To generate and deliver Schedule K-1s and fund tax packages at year end;
  • To produce ILPA-compliant LP reporting and capital account statements;
  • To communicate about fund operations, distributions, and platform updates;
  • To detect and prevent fraud and unauthorized activity;
  • To comply with legal and regulatory obligations.

6. Sharing Your Information

We share personal data with:

  • Service providers — KYC/identity verification vendors, payment processors, e-signature providers, cloud infrastructure, and analytics providers operating under data processing agreements;
  • Regulatory authorities — the SEC, FinCEN, OFAC, IRS, and state securities regulators, as required by applicable law;
  • Fund managers — LP investor information is shared with the fund manager (GP) who manages the fund in which the LP has invested, to the extent necessary to operate the fund;
  • Fund accountants and tax preparers — to prepare Schedule K-1s and fund-level tax returns, under data processing agreements;
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users;
  • Legal process — in response to valid subpoenas, court orders, or regulatory demands.

We do not sell personal data to third parties for their own marketing purposes.

7. Data Retention

We retain personal data for the period necessary to fulfill the purposes described above, subject to:

  • BSA/AML records: minimum 5 years from date of transaction (31 C.F.R. § 1020.430);
  • Securities records: minimum 5 years as required by SEC rules for Reg D offerings;
  • Tax records (K-1s, fund tax returns): minimum 7 years;
  • Fund records: minimum 5 years following fund wind-down;
  • Account data: for the life of the account plus 5 years following closure.

8. Security

We implement administrative, technical, and physical safeguards including:

  • TLS 1.2+ encryption for data in transit;
  • AES-256 encryption for sensitive LP and fund financial data at rest;
  • Role-based access controls — fund managers see LP data for their own fund only;
  • Multi-factor authentication for all platform accounts;
  • Regular penetration testing and vulnerability assessments;
  • Incident response procedures with breach notification protocols.

9. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential: authentication, session management, and security;
  • Functional: remembering preferences and settings;
  • Analytics: understanding platform usage (aggregated and anonymized);
  • Marketing: measuring the effectiveness of our advertising (with your consent where required).

You can manage cookies through your browser settings or our cookie preference center.

10. International Data Transfers

We are based in the United States. If you access the Platform from outside the U.S., your data will be transferred to and processed in the U.S. For transfers from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Your Rights

Under GDPR (EEA residents): You have the right to access, correct, erase, restrict processing, data portability, and to object to processing (Arts. 15–22 GDPR). You may also lodge a complaint with your local data protection authority.

Under CCPA/CPRA (California residents): You have the right to know, delete, correct, opt out of sale/sharing, and to limit use of sensitive personal information. We do not discriminate against users who exercise these rights. To submit a request: [email protected].

Note: We may be required to retain certain data notwithstanding your request, to comply with regulatory obligations described in Section 7 — including BSA, securities law, and tax record retention requirements.

12. Children’s Privacy

The Platform is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, please contact us immediately.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via email or prominent Platform notice at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

14. Contact

For privacy-related questions or to exercise your rights: