Data Processing & Sub-processors
The processing terms that apply when SeedPilot handles personal data on your behalf, and the sub-processors we rely on.
Draft for review. This document is a carefully researched template that still requires sign-off by a qualified solicitor and completion of any [bracketed] fields before it is relied upon. It is provided for transparency, not as legal advice.
01 Controller and processor roles
For most personal data on the Platform (your account, the investor directory, matching, and notifications) FreshGeo Ltd acts as an independent controller and the Privacy Policy applies.
Where you upload content about identifiable third parties (for example, details of your team or customers in a data room) and you determine the purposes of that processing, we act as a processor on your behalf, and the terms on this page (the “Data Processing Terms”) apply.
02 Our processor commitments
When we act as your processor, we will:
- process personal data only on your documented instructions, as set out in these terms and your use of the Platform;
- ensure persons authorised to process the data are under appropriate confidentiality obligations;
- implement technical and organisational security measures appropriate to the risk (encryption in transit, access controls, row-level security, logging);
- engage sub-processors only under written terms offering equivalent protection, and maintain the list below;
- assist you, taking into account the nature of processing, with data subject requests and with your security, breach-notification, and impact-assessment obligations;
- notify you without undue delay on becoming aware of a personal data breach affecting your data;
- delete or return personal data at the end of the service, save for copies required by law; and
- make available information needed to demonstrate compliance and allow for reasonable audits.
03 Current sub-processors
We use the following sub-processors to deliver the Platform. We will give notice of changes so you can object on reasonable grounds.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Application database, authentication, and file storage | Account, profile, deal, and document data | EU / UK region |
| Vercel | Application hosting, edge delivery, and request logs | Technical/usage data, IP addresses | EU / global edge |
| Anthropic (Claude) | AI assessment, scoring, and matching | Founder/investor briefing content submitted for analysis | United States |
| Resend | Transactional and notification email delivery | Recipient name and email address | United States / EU |
| Companies House | Verification of UK company and investor filings (public register) | Company numbers, director and filing data (public source) | United Kingdom |
04 International transfers
Where a sub-processor is outside the UK, transfers are made under the UK’s adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses, with appropriate safeguards in place.
05 Requesting a signed DPA
If your organisation requires a countersigned Data Processing Agreement for diligence, email legal@getseedpilot.com and we will provide one.