PRIVACY POLICY
VC Compass (operated by Compassio Ltd.)
Last updated: 24 March 2026
1. Data Controller
The data controller responsible for your personal data is:
Compassio Ltd.
Registered address: Trakia 44, Plovdiv, Bulgaria
Company Number (EIK): 208421277
Email: hello@vccompass.co
Website: www.vccompass.co
For any questions or requests regarding your personal data, please contact us at hello@vccompass.co.
2. Scope of This Policy
This Privacy Policy describes how we collect, use, store, and protect your personal data when you:
Visit or interact with our Website (www.vccompass.co).
Book and attend consulting sessions through our scheduling platform (currently Calendly).
Make payments through our payment processor (currently Stripe).
Subscribe to our email communications (currently via Kit.com).
Participate in consulting sessions delivered via video conferencing (currently Google Meet).
Purchase or download digital products.
This policy applies to all personal data collected through the above channels, whether provided directly by you or collected automatically.
3. Data We Collect
3.1 Data You Provide Directly
Identity and contact data: Name, email address, phone number (if provided).
Company data: Company name, website URL, stage of development, fundraising status and target amounts, and other business information provided during booking.
Booking data: Responses to intake questions on the booking form (e.g., your company stage, fundraising plans, session topics). This includes links to external documents you choose to share (e.g., pitch deck links hosted on Google Drive, Dropbox, or similar platforms). We may access these links solely to prepare for your session.
Guest data: If you add guests to your booking, we collect their email addresses as provided by you. By adding guests, you confirm you have their permission to share their email address with us and our scheduling platform.
Payment data: Billing name, billing address, VAT number (if provided). Note: Full payment card details are processed and stored exclusively by Stripe; we do not have access to or store your full card numbers.
Communication data: Content of emails, messages, or other communications you send to us.
Consent records: Your acceptance of our Terms and Conditions during booking and payment.
Newsletter subscription data: Email address (and name, if provided) when subscribing to our mailing list via Kit.com forms on the Website.
We do not intentionally collect sensitive categories of personal data (e.g., health data, political opinions, religious beliefs). If you voluntarily share such information during a session, it will be treated with the same confidentiality as all other session data.
3.2 Data Collected During Consulting Sessions
Session notes: The consultant may take notes during or after the session for the purpose of delivering the Service and providing follow-up materials.
Materials you share: Any documents, presentations, financial data, or other materials you provide before, during, or after the session.
Session recordings: If you explicitly consent to recording, the audio/video recording of the session. No recording is made without your prior explicit consent.
You control what information you share during sessions. We recommend exercising discretion with highly sensitive information (e.g., trade secrets, unpublished patents, confidential financial records). See Section 10 of our Terms and Conditions for more details on confidentiality obligations.
3.3 Data Collected Automatically
Website usage data: Pages visited, time spent, click patterns, referral source (collected via Google Analytics).
Device and technical data: IP address, browser type, operating system, device type, screen resolution.
Cookie data: As described in Section 8 of this policy and in our cookie consent banner.
4. Legal Basis for Processing
We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfil our contractual obligations to you, including booking management, service delivery, payment processing, and providing Deliverables.
Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for email marketing communications, session recordings, or optional cookies.
Legitimate interest (Art. 6(1)(f) GDPR): For improving our Services, website analytics, fraud prevention, and business communications, where our interests do not override your rights and freedoms.
Legal obligation (Art. 6(1)(c) GDPR): Where processing is required to comply with Bulgarian tax, accounting, or other legal obligations.
5. How We Use Your Data
We use your personal data for the following purposes:
Service delivery: To schedule, prepare for, conduct, and follow up on consulting sessions.
Payment processing: To process payments, issue invoices and receipts, and manage refunds.
Communication: To send booking confirmations, payment reminders, session-related communications, and respond to your inquiries.
Service improvement: To analyze session feedback and website usage to improve our Services.
Marketing: To send you newsletters, updates, and promotional content (only with your explicit consent; you can unsubscribe at any time).
Legal compliance: To maintain records required by Bulgarian tax and accounting laws, and to respond to lawful requests from authorities.
Security and fraud prevention: To protect against unauthorized access, fraud, and other security threats.
6. Third-Party Data Processors
We share your personal data with the following categories of third-party processors, who process data on our behalf and in accordance with our instructions:
Calendly — Session scheduling and booking management. Data shared: Name, email, booking responses. Location: USA (SCCs).
Stripe — Payment processing, invoicing, receipts. Data shared: Name, email, billing address, payment data. Location: USA (SCCs / DPF).
Google (Meet, Analytics) — Video conferencing, website analytics. Data shared: Name, email, IP address, usage data. Location: USA (SCCs / DPF).
Kit.com (ConvertKit) — Email marketing and newsletters. Data shared: Name, email. Location: USA (SCCs).
CookieYes — Cookie consent management. Data shared: Consent preferences, IP address. Location: EU.
Google Forms — Surveys and form responses (if used). Data shared: Name, email, form responses. Location: USA (SCCs / DPF).
Website hosting provider — Website hosting and delivery. Data shared: IP address, usage data. Location: EU / USA (SCCs).
All third-party processors are contractually bound to process your data only for the specified purposes and in compliance with applicable data protection laws. Where data is transferred outside the European Economic Area (EEA), appropriate safeguards are in place (e.g., Standard Contractual Clauses).
We do not sell your personal data to any third party.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
Booking and session data: Retained for the duration of the client relationship plus 3 years, or as required by applicable law.
Session notes and Deliverables: Retained for 3 years after the last session, unless you request earlier deletion.
Session recordings (if consented): Retained for up to 12 months after the session, then permanently deleted unless you request earlier deletion or provide renewed consent.
Payment and invoicing records: Retained for 10 years as required by Bulgarian tax and accounting legislation.
Marketing consent records: Retained until you withdraw consent.
Website analytics data: Retained according to Google Analytics default settings (currently 14 months) and then automatically deleted.
Communication records: Retained for 3 years after the last communication.
When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you.
8. Cookies and Tracking Technologies
The Website uses cookies and similar technologies for the following purposes:
Strictly necessary cookies: Essential for the Website to function (e.g., session management). These do not require consent.
Analytics cookies: Used to understand how visitors interact with the Website (e.g., Google Analytics). Enabled only with your consent.
Marketing cookies: Used to deliver relevant content and track the effectiveness of campaigns. Enabled only with your consent.
You can manage your cookie preferences at any time through the cookie consent banner on the Website (powered by CookieYes) or through your browser settings. Disabling certain cookies may affect Website functionality.
9. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) or the supervisory authority in your EU member state of residence.
To exercise any of these rights, please contact us at hello@vccompass.co. We will respond to your request within 30 days.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Use of secure, encrypted connections (HTTPS/TLS) for all website and payment interactions.
Processing payments exclusively through PCI-DSS compliant payment processors (Stripe).
Limiting access to personal data to authorised personnel only.
Regular review of our security practices and third-party processor compliance.
While we take reasonable measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. International Data Transfers
Some of our third-party processors are based outside the EEA (e.g., in the United States). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions by the European Commission (e.g., EU-US Data Privacy Framework, where applicable).
You may request information about the specific safeguards applied to international transfers by contacting us at hello@vccompass.co.
12. Children's Privacy
Our Website and Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be published on the Website with an updated "Last updated" date. For material changes that significantly affect how we process your data, we will make reasonable efforts to notify you (e.g., via email).
We maintain archived versions of previous Privacy Policies. You may request a copy of any previous version by contacting us.
14. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Compassio Ltd.
Email: hello@vccompass.co
Address: Trakia 44, Plovdiv, Bulgaria
Website: www.vccompass.co
