Privacy Policy

CofounderUp ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you visit our website, join our waitlist, complete your profile, or use any part of our platform.

By using CofounderUp, you agree to the practices described in this policy. If you do not agree, please stop using the platform and contact us to request deletion of your data.

This policy is compliant with the Digital Personal Data Protection (DPDP) Act, 2023 (India) and applicable guidelines issued by the Data Protection Board of India.

We collect information in three ways:

Information you provide directly:

• Email address (when you join the waitlist or sign in)
• Full name and professional background (during profile completion)
• Your startup idea, domain preferences, and skills (profile questions)
• Quiz responses that determine your compatibility traits
• Content you submit to Founder Diaries (name, video link, story)
• Newsletter subscription preference

Information collected automatically:

• IP address and approximate location (country/region)
• Browser type, device type, and operating system
• Pages visited, time spent, and referral source
• Session identifiers stored in secure HttpOnly cookies

Information from third parties:

• Authentication data from Supabase (our infrastructure provider)
• Email delivery status from Brevo (our email service provider)

We use your data to:

• Verify your email address and manage your account
• Build your founder compatibility profile
• Match you with potential cofounders (when matching goes live)
• Send you transactional emails (verification, magic links, onboarding)
• Send Founder Letters if you have opted in to marketing communications
• Review Founder Diaries submissions and contact you if we wish to feature your story
• Improve our platform, fix bugs, and understand usage patterns
• Comply with legal obligations under Indian law

We do not use your data for automated decision-making or profiling that produces legal effects without human review.

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following bases:

• Consent: You explicitly consent when you join the waitlist, complete your profile, or opt in to marketing emails. You may withdraw consent at any time.
• Legitimate uses: Processing necessary to provide the services you have requested, including email verification, account management, and platform functionality.
• Legal obligation: Where we are required by law to retain or disclose certain data.

You have the right to withdraw consent at any time by contacting us at hello@cofounderup.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

We do not sell your personal data. We share data only in the following limited circumstances:

• Service providers: Supabase (database and authentication), Brevo (email delivery), and Vercel (hosting). Each is bound by data processing agreements.
• Legal requirements: If required by a court order, government authority, or applicable Indian law.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified before any such transfer.
• With your consent: In any other case where you have explicitly agreed to the sharing.

Cofounder matches, when live, will only show your profile to other verified members of the platform. You control what is visible.

Your data is stored on servers operated by Supabase, which maintains infrastructure in secure, compliant data centres. We take reasonable technical and organisational measures to protect your data from unauthorised access, loss, or disclosure.

We retain your data for as long as your account is active or as necessary to provide services. Specifically:

• Waitlist and profile data: retained until you request deletion
• Quiz responses: retained for the lifetime of your account
• Founder Diaries submissions: retained for review purposes; deleted on request
• Session cookies: expire after 24 hours
• Anonymised analytics data: may be retained indefinitely

To request deletion of your data, email us at hello@cofounderup.com with subject line "Data Deletion Request". We will action requests within 30 days.

Under the DPDP Act, 2023, and as applicable, you have the following rights regarding your personal data:

• Right to access: Request a copy of the personal data we hold about you.
• Right to correction: Request that inaccurate or incomplete data be corrected.
• Right to erasure: Request deletion of your personal data, subject to our legal obligations.
• Right to withdraw consent: Withdraw your consent for marketing communications at any time (one-click unsubscribe in every email).
• Right to grievance redressal: Lodge a grievance with our Grievance Officer (see the Grievance Redressal Policy).
• Right to nominate: Nominate another individual to exercise rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, contact us at hello@cofounderup.com.

We use cookies to operate the platform. For full details, please read our Cookie Policy.

In summary:

• Strictly necessary cookies: Session identifiers required to keep you signed in (HttpOnly, Secure, SameSite=Strict).
• Analytics cookies: Anonymous usage data to improve the platform. We do not use advertising cookies.

You can manage cookie preferences in your browser settings at any time.

We use the following third-party services. Each has its own privacy policy that governs their handling of your data:

• Supabase — database, authentication, and storage (supabase.com/privacy)
• Brevo — transactional and marketing email (brevo.com/legal/privacypolicy)
• Vercel — website hosting and edge network (vercel.com/legal/privacy-policy)

We do not share your data with advertisers, data brokers, or social media platforms.

CofounderUp is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with their data, please contact us at hello@cofounderup.com and we will delete that data immediately.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• HttpOnly, Secure, SameSite cookies to prevent XSS and CSRF attacks
• Row-level security (RLS) policies on our database
• Service role keys never exposed to the client
• Regular review of access controls and third-party integrations

No method of transmission over the internet is 100% secure. If you become aware of a security vulnerability, please disclose it responsibly by emailing hello@cofounderup.com.

Some of our service providers (Supabase, Brevo, Vercel) may process data outside India. Where this occurs, we rely on their data processing agreements and applicable transfer mechanisms to ensure your data receives adequate protection consistent with the DPDP Act, 2023.

We will update this section as the Data Protection Board of India issues further guidance on cross-border transfers.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email.

Continued use of CofounderUp after changes are posted constitutes your acceptance of the revised policy.

If you have questions about this Privacy Policy or wish to exercise your rights, please contact:

• Email: hello@cofounderup.com
• Grievance Officer: See our Grievance Redressal Policy

We aim to respond to all privacy-related queries within 10 business days.