Privacy policy
This policy explains how Matcha Ventures collects, uses, stores, and protects your personal data when you visit our website, subscribe to our newsletter, apply for a role, or otherwise interact with us. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the EU ePrivacy rules.
1. Data controller
The controller responsible for your personal data is:
Matcha Ventures
[Registered address, EU member state]
Contact: our contact form
For any privacy-related question, request, or complaint, contact us via our contact form. We act as the controller for the processing activities described below; for a handful of operational tasks we rely on processors, listed in section 6.
2. What we collect and why
We only collect what we need. We do not sell personal data, and we do not build advertising or cross-site profiles of you.
- Newsletter (email address, subscription date, IP and user-agent at sign-up) — to send you updates about Matcha Ventures and our portfolio.
Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via the unsubscribe link in every email or by writing to us.
- Contact form / email enquiries (name, email, message content) — to respond to your message and keep a record of the correspondence.
Legal basis: our legitimate interest in handling enquiries (Art. 6(1)(f) GDPR) and, where a contract is under discussion, pre-contractual steps (Art. 6(1)(b) GDPR).
- Job applications (CV, cover letter, contact details and anything you send us) — to assess your application.
Legal basis: pre-contractual steps (Art. 6(1)(b) GDPR) and, for retention after a rejection, your consent (Art. 6(1)(a) GDPR).
- Website analytics — aggregate page views, referrers, country, device type, and browser, collected via Plausible Analytics. Plausible is a cookie-free, EU-hosted analytics tool that anonymises visitor data on the fly and does not use persistent identifiers.
Legal basis: our legitimate interest in understanding how our site is used and improving it (Art. 6(1)(f) GDPR). Because no cookies or other identifiers are stored on your device, no consent is required under the ePrivacy Directive.
- Server and security logs (truncated IP address, user-agent, request path, timestamp, response status) — to keep the service running, detect and prevent abuse, and investigate incidents.
Legal basis: our legitimate interest in the security and integrity of our service (Art. 6(1)(f) GDPR) and, where applicable, our legal obligation to secure processing (Art. 32 GDPR).
- Strictly necessary cookies — we only set cookies that are essential for the site to work (e.g. a CSRF token, your language preference, a session cookie if you log into a protected area). These do not require consent.
3. What we don’t do
- No third-party advertising or marketing trackers.
- No sale of personal data.
- No cross-site profiling or behavioural advertising.
- No automated decision-making that produces legal or similarly significant effects on you (Art. 22 GDPR).
- We do not use your content to train third-party AI models without a separate, explicit legal basis.
4. How long we keep data
- Newsletter subscribers: until you unsubscribe, then deleted within 30 days (with a minimal suppression record to honour your opt-out).
- Contact form and email threads: up to 24 months after the last message, unless a longer period is needed to comply with a legal obligation or to pursue/defend a legal claim.
- Job applications: deleted within 6 months of the hiring decision, unless you explicitly consent to us keeping them for future opportunities (max. 24 months).
- Analytics data: aggregated and retained by Plausible for up to 24 months. No individual-level data is stored.
- Server and security logs: up to 30 days, longer only where needed to investigate an incident.
5. Who we share data with
We share personal data only with trusted processors who act on our instructions under a GDPR Art. 28 data processing agreement, and with public authorities where we are legally required to do so.
- Hosting and infrastructure — our cloud provider hosts the website and database within the European Economic Area (EEA).
- Email delivery — transactional and newsletter emails are delivered via an email service provider.
- Analytics — Plausible Analytics (EU-based, cookie-free).
- Error monitoring — limited technical diagnostics to debug errors and keep the site reliable.
A current list of sub-processors is available on request via our contact form.
6. International transfers
We prefer EEA-based providers. Where a processor operates outside the EEA, we rely on one of the transfer mechanisms permitted under Chapter V GDPR: an adequacy decision of the European Commission, the EU Standard Contractual Clauses (2021/914), or, for the United States, the EU-US Data Privacy Framework where the recipient is certified. We carry out a transfer impact assessment and apply supplementary safeguards where needed. You can request a copy of the relevant safeguards from us.
7. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- have inaccurate data rectified (Art. 16);
- have your data erased where one of the grounds in Art. 17 applies (“right to be forgotten”);
- restrict processing in certain cases (Art. 18);
- receive the data you provided in a structured, machine-readable format and have it transmitted to another controller (Art. 20);
- object to processing based on legitimate interests, including direct marketing (Art. 21);
- withdraw any consent you have given, at any time, without affecting the lawfulness of processing before the withdrawal (Art. 7(3));
- lodge a complaint with a supervisory authority — in particular in the EU member state where you live, work, or where the alleged infringement took place (Art. 77).
To exercise any of these rights, contact us via our contact form. We will respond without undue delay and in any event within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR). We may ask for information to verify your identity before acting on a request.
8. Cookies and similar technologies
We do not use advertising, analytics, or social-media cookies. We only set strictly necessary cookies required to operate the site securely — for example, a CSRF protection token, a locale preference, or a session cookie when you log into an admin area. Under the ePrivacy Directive these cookies do not require consent. You can block or delete cookies in your browser; doing so may break parts of the site.
9. Security
We apply appropriate technical and organisational measures under Art. 32 GDPR, including encryption in transit (TLS), access controls, least-privilege for staff access, regular backups, and monitoring. No system is perfectly secure — if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected users without undue delay (Arts. 33–34 GDPR).
10. Children
Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy to reflect changes in our practices or in the law. Material changes will be announced on the newsroom and, where we hold your email address, communicated to you before they take effect. The “Last updated” date below always reflects the current version.
12. Contact
Questions, requests, or complaints: reach us via our contact form.
Last updated: 22 April 2026.