Data Processing Notice

This Data Processing Notice and Addendum (the “DPA”) forms an integral part of, and is incorporated by reference into:

  • the Platform Terms of Service (“TOS”),
  • the Non-Disclosure Agreement (“NDA”),
  • the Program Terms Addendum,
  • the Privacy Policy, and
  • the Builder Intellectual Property Ownership, Collaboration and Equity Agreement (for Builders).

By accessing or using the Platform, you expressly acknowledge and agree to the data processing practices described herein. This DPA is binding on all Participants (Builders, Mentors, Investors, Partner Companies, Donors, Guardians, and authorized team members).

1. Parties and Roles

1.1 Controller and Processor. Foundation Incubator (the “Foundation,” “we,” “us,” or “Controller”) is the primary data controller of all personal data processed in connection with the Platform. In limited circumstances (e.g., when the Foundation engages licensed third-party providers for psychological, social-work, or support services on behalf of a Builder), the Foundation acts as a processor on documented instructions from the data subject or their Guardian.

1.2 Data Subjects. Data subjects include: (i) Builders (including minors under 18 and their Guardians), (ii) Mentors, (iii) Investors, (iv) Partner Companies and their representatives, (v) Donors, and (vi) any authorized team members who execute a Joinder.

2. Categories of Personal Data Processed

2.1 Personal Data.

  • Identification and contact data (name, email, phone, date of birth, government-issued ID).
  • Account and profile data (role on the Platform, onboarding information, background details).
  • Platform usage data (Community Hub activity, matching requests, messages, collaboration workspace content, access logs).
  • Technical data (IP address, device identifiers, browser type, usage analytics).
  • Payment/donation data (processed by third-party providers only).

2.2 Sensitive / Special Category Personal Data.

  • Psychological, mental health, social-work, counseling, or personal-barrier-removal information shared in private support sessions.
  • Any data concerning minor Builders that qualifies as sensitive under applicable law (e.g., family circumstances, health, or social support needs).
  • Biometric or health-related data (if voluntarily provided in support contexts).

2.3 Project IP Data. All data, code, inventions, prototypes, business plans, and other materials that constitute Project IP (jointly owned under the IP & Equity Agreement) are processed by the Foundation as co-owner and Platform operator.

3. Purposes and Legal Bases for Processing

We process personal data solely for the following purposes and on the following legal bases:

| Purpose | Legal Basis |
|---|---|
| Provide Platform access, Community Hub matching, collaboration tools, and private support services | Performance of contract (TOS, NDA, Program Addendum, IP & Equity Agreement) |
| Facilitate curated introductions and Permitted Purpose activities | Performance of contract + legitimate interests (ecosystem integrity) |
| Deliver psychological, social-work, or barrier-removal support | Explicit consent (documented) or necessity to protect vital interests (especially for minors) |
| Administer joint ownership of Project IP and commercialization decisions | Performance of contract (IP & Equity Agreement) |
| Monitor, moderate, and enforce Platform rules, NDA obligations, and safety (especially for minor Builders) | Legitimate interests + legal obligation |
| Comply with legal, regulatory, tax, or law-enforcement requests | Legal obligation |
| Improve Platform technology, matching algorithms, and analytics (de-identified where possible) | Legitimate interests |
| Communicate important notices and updates | Performance of contract + legitimate interests |

4. Sub-Processors and Third-Party Service Providers

4.1 The Foundation uses the following categories of sub-processors (current list available upon written request to [email protected]):

  • Cloud hosting and infrastructure providers (e.g., AWS, GCP, or equivalent).
  • Licensed third-party psychologists, social workers, and counseling platforms.
  • Background verification, identity verification, and security service providers.
  • Email, messaging, and collaboration tool providers.
  • Analytics and monitoring tools (anonymized where feasible).
  • Payment and donation processors.

4.2 All sub-processors are contractually bound by obligations at least as protective as those in this DPA and the NDA. The Foundation maintains a written sub-processor list and provides at least 30 days’ notice of any material addition or replacement. Data subjects may object to a new sub-processor on legitimate grounds; continued use of the Platform after notice constitutes acceptance.

5. International Data Transfers

The Foundation is based in the United States. When personal data is transferred outside the EEA, UK, Switzerland, or other jurisdictions with adequacy decisions:

  • Transfers are safeguarded by the latest EU Standard Contractual Clauses (2021/914) + UK International Data Transfer Addendum (as applicable), supplemented by technical and organizational measures.
  • For U.S. recipients, the Foundation relies on the EU-U.S. Data Privacy Framework (where certified) or equivalent mechanisms.
  • Project IP Data (jointly owned) is processed in accordance with the IP & Equity Agreement regardless of location.

6. Data Security

The Foundation implements and maintains industry-leading administrative, technical, and physical safeguards consistent with the sensitivity of the data, including:

  • Encryption in transit and at rest (AES-256 or higher).
  • Role-based access controls and multi-factor authentication.
  • Regular security audits, penetration testing, and vulnerability scanning.
  • Incident response plan with 72-hour breach notification to affected data subjects and regulators where required by law.

7. Data Retention and Deletion

Personal data is retained only as long as necessary for the purposes set forth in this DPA and the governing agreements, or as required by law. Confidentiality obligations under the NDA survive indefinitely. Jointly owned Project IP is retained for the duration of co-ownership. Upon a valid deletion request (subject to legal and contractual limitations, including joint-ownership rights), the Foundation will delete or irreversibly anonymize the data and certify compliance.

8. Data Subject Rights

Depending on your jurisdiction, you may have the following rights (subject to verification and contractual limitations):

  • Right of access, rectification, erasure, restriction, portability, and objection.
  • Right to withdraw consent (where processing is consent-based).
  • Right not to be subject to automated decision-making (none is currently used).
  • For California residents: CCPA/CPRA rights to know, delete, correct, and opt-out of sales (we do not sell data).
  • For EU/UK residents: full GDPR rights.

To exercise any right, contact [email protected]. We respond within the statutory timeframe. Rights related to jointly owned Project IP may be limited by the IP & Equity Agreement.

9. Children and Minor Builders

For Builders under 18, verifiable parental/guardian consent is obtained prior to processing. Private support services for minors are provided only with guardian awareness and consent where required. The Foundation complies with COPPA (U.S.) and all applicable children’s privacy laws.

10. Audit Rights

Upon reasonable written request and subject to confidentiality obligations, the Foundation will make available to data subjects (or their authorized representatives) information necessary to demonstrate compliance with this DPA. Audits are conducted at the requester’s expense and during normal business hours, with no more than one audit per 12-month period unless a material breach is suspected.

11. Liability and Indemnification

Each party is liable for its own breaches of this DPA. The Builder Parties indemnify the Foundation for claims arising from their data contributions or breaches. The Foundation’s total liability under this DPA shall not exceed the limitations set forth in the TOS.

12. Governing Law and Miscellaneous

This DPA is governed by the laws of the State of Delaware, without regard to conflict of laws principles. It supplements (and does not replace) the Privacy Policy and all other Platform agreements. In the event of any conflict, this DPA controls with respect to data processing obligations. Amendments must be in writing. Electronic signatures are binding.

IN WITNESS WHEREOF, by using the Platform you acknowledge and agree to this DPA.