Privacy Policy

1. Introduction & Scope

Welcome to VentureBoard. This Privacy Policy explains how VentureBoard (“we,” “us,” “our”) collects, uses, discloses, and protects your personal data when you access or use our AI-powered virtual advisory board platform available at ventureboard.ai, including our website, web application, mobile applications, APIs, and any related services (collectively, the “Platform”).

VentureBoard is an AI SaaS platform that provides a virtual Advisory Board consisting of 20 specialized AI agents designed to help entrepreneurs, solopreneurs, small businesses, and creative agencies develop their ideas, validate strategies, and prepare business documents. Our Platform processes user inputs through multiple large language models (LLMs) to generate strategic advice and business artifacts. In accordance with Article 50 of the EU AI Act (Regulation 2024/1689), we inform you that when you interact with our AI Advisors, you are communicating with artificial intelligence systems, not human advisors.

This Privacy Policy applies to all users of our Platform worldwide, including visitors, free users, and paid subscribers. By accessing or using VentureBoard, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

This Privacy Policy should be read together with our Terms of Service, Cookie Policy, and any Data Processing Agreements (DPAs) applicable to your use of the Platform.

2. Data Controller Information

For the purposes of applicable data protection legislation, the data controller responsible for your personal data is:

As a Bulgaria-based company operating within the European Union, VentureBoard is directly subject to the General Data Protection Regulation (EU) 2016/679 (GDPR), the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, PDPA/ЗЗЛД), and the EU AI Act (Regulation 2024/1689). We also comply with applicable data protection laws in all jurisdictions where we offer our services, including the United Kingdom, the United States, Canada, and Brazil.

Note: As VentureBoard is established within the EU, the appointment of an EU Representative under GDPR Article 27 is not required. The Commission for Personal Data Protection (CPDP/КЗЛД) of Bulgaria serves as our lead supervisory authority under the GDPR's one-stop-shop mechanism (Article 56).

3. Definitions

To ensure clarity and consistency throughout this Privacy Policy, the following terms have the meanings set forth below:

• “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1), CCPA Section 1798.140(v), and equivalent provisions in other applicable laws.
• “Processing” means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• “AI Advisors” means the 20 specialized artificial intelligence agents available on the VentureBoard Platform. In accordance with Article 50 of the EU AI Act, we confirm that these are AI systems — not human advisors. Each has distinct expertise areas including CEO, CFO, CMO, CTO, Legal, HR, Sales, Product, UX, Data, Growth, PR, Investor Relations, Customer Success, Strategy, Innovation, Sustainability, International, Risk, and COO advisory.
• “Business Artifacts” means the structured business documents generated through your interactions with the AI Advisors, including but not limited to business model canvases, financial projections, marketing plans, pitch deck outlines, and other strategic deliverables (up to 38 document types).
• “Conversation Data” means the text-based inputs you provide to the AI Advisors and the corresponding AI-generated outputs during your use of the Platform.
• “Sub-processor” means any third-party entity engaged by VentureBoard to process personal data on its behalf, including AI model providers, cloud infrastructure providers, and analytics services.

4. Personal Data We Collect

4.1 Data You Provide Directly

• Account Registration Data: name, email address, password (encrypted), company name, job title, industry, and country of residence.
• Profile Information: optional details such as business description, professional background, LinkedIn profile URL, and profile picture.
• Conversation Data: all text-based inputs, prompts, questions, and instructions you submit to AI Advisors during advisory sessions.
• Business Information: business ideas, strategies, financial data, competitive information, market analysis details, and any other business-related information shared during advisory sessions.
• Payment Information: billing address, payment method details (processed securely by our third-party payment processor; we do not store full credit card numbers).
• Communications: emails, support tickets, feedback, and other correspondence you send to us.

4.2 Data Collected Automatically

• Usage Data: pages visited, features used, session duration, frequency of use, AI Advisors consulted, Business Artifacts generated, and interaction patterns.
• Device & Technical Data: IP address, browser type and version, operating system, device type, screen resolution, language preferences, and unique device identifiers.
• Log Data: server logs including access times, error logs, referral URLs, and pages viewed before and after visiting our Platform.
• Cookie & Tracking Data: cookies, web beacons, pixel tags, and similar technologies (see Section 8).
• Location Data: approximate geographic location derived from your IP address (we do not collect precise geolocation data).

4.3 Data from Third-Party Sources

• Single Sign-On (SSO): if you register or log in via third-party services (e.g., Google, GitHub), we receive your name, email address, and profile picture as authorized by your SSO provider settings.
• Analytics Partners: aggregated and anonymized usage data from analytics providers to help us understand Platform usage patterns.

4.4 Sensitive Data

VentureBoard does not intentionally collect special categories of personal data as defined under GDPR Article 9 or sensitive personal information as defined under applicable US state privacy laws (including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation, citizenship or immigration status, financial account numbers, or precise geolocation). If you inadvertently include such information in your Conversation Data, we will treat it with the highest level of protection and will delete it upon request.

5. How We Use Your Data

We process your personal data for the following specific, explicit, and legitimate purposes:

5.1 Service Delivery & Core Functionality

• Operating, maintaining, and providing the VentureBoard Platform and its features
• Processing your inputs through AI models to deliver multi-agent advisory sessions with our 20 AI Advisors
• Generating Business Artifacts (up to 38 document types) based on your advisory sessions
• Managing your account, subscriptions, and user preferences
• Providing context management for long strategic advisory sessions
• Enabling prompt caching for improved performance and efficiency

5.2 Payment Processing

• Processing subscription payments, managing billing cycles, and handling refunds
• Fraud detection and prevention in financial transactions

5.3 Platform Improvement & Analytics

• Analyzing usage patterns to improve Platform features and user experience
• Conducting aggregated, anonymized research on advisory session quality
• Testing new features, functionality, and performance optimizations
• Monitoring system performance, uptime, and technical reliability

5.4 Communication

• Sending transactional notifications (account verification, password resets, billing receipts)
• Providing customer support and responding to your inquiries
• Sending product updates, feature announcements, and service-related notices
• Marketing communications (only with your explicit consent; you may opt out at any time). Our marketing practices comply with the CAN-SPAM Act (for US recipients), GDPR Article 7 (for EU/EEA recipients), and UK PECR (for UK recipients)

5.5 Legal & Compliance

• Complying with applicable laws, regulations, and legal processes
• Enforcing our Terms of Service and other legal agreements
• Protecting against fraud, abuse, and security threats
• Establishing, exercising, or defending legal claims

6. Legal Bases for Processing

Under the GDPR (directly applicable to VentureBoard as a Bulgarian/EU entity) and the Bulgarian PDPA, we rely on the following legal bases to process your personal data:

• Contract Performance (Article 6(1)(b)): Processing necessary for the performance of our contract with you, including providing the Platform, AI advisory sessions, Business Artifact generation, account management, and payment processing.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including Platform improvement, analytics, fraud prevention, network and information security, and intra-group transfers for administrative purposes — provided these interests are not overridden by your fundamental rights and freedoms.
• Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent, including marketing communications, non-essential cookies, and optional data processing activities. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, such as tax reporting under Bulgarian law (Accountancy Act, Tax Insurance Procedure Code/ДОПК), anti-money laundering requirements, and responding to lawful government requests.

Where we rely on legitimate interests, we have conducted Legitimate Interest Assessments (LIAs) to balance our interests against your rights. You may request details of these assessments by contacting our DPO.

For UK users: Under the UK GDPR as amended by the Data (Use and Access) Act 2025, certain processing activities — including direct marketing, intra-group transfers for administrative purposes, and network and information security — are recognised legitimate interests under the updated framework.

7. AI-Specific Data Processing & EU AI Act Compliance

Given the AI-powered nature of our Platform, we provide the following transparency disclosures in compliance with the GDPR, the Bulgarian PDPA, the EU AI Act (Regulation 2024/1689), and ICO Guidance on AI and Data Protection.

7.1 EU AI Act Compliance

VentureBoard is committed to compliance with the EU AI Act, the world's first comprehensive AI regulation. We have classified our AI Advisory system as a limited-risk AI system under the Act's risk-based framework. Our AI Advisors are designed for informational and strategic advisory purposes; they do not make decisions that produce legal effects or similarly significant effects on users.

In compliance with Article 4 (AI Literacy), VentureBoard ensures that our staff and users have sufficient understanding of AI systems. In compliance with Article 50 (Transparency Obligations, applicable from August 2, 2026), we clearly inform users that they are interacting with AI systems through both this Privacy Policy and in-product interface disclosures.

VentureBoard does not deploy AI systems for prohibited purposes as defined in Article 5 of the AI Act, including social scoring, subliminal manipulation, or exploitation of vulnerabilities.

7.2 Multi-LLM Architecture

VentureBoard utilizes a multi-LLM (Large Language Model) architecture. Your Conversation Data may be processed by one or more AI model providers, including but not limited to Anthropic (Claude API) and OpenAI (GPT-4), to power our 20 AI Advisors. Each AI Advisor has distinct system prompts that define its personality and expertise area.

7.3 How AI Processes Your Data

• Your text inputs are transmitted to AI model providers via secure, encrypted API connections for real-time processing
• AI models generate responses based on your inputs combined with advisor-specific system prompts and session context
• Prompt caching may temporarily store portions of your session data (maximum 5 minutes) to improve performance and reduce latency
• Multi-agent debate functionality involves routing your queries to multiple AI Advisors who generate interconnected responses
• Business Artifact generation involves structuring AI outputs into formatted business documents

7.4 AI Model Provider Data Practices

We require our AI model providers to process your data solely for the purpose of providing our service. Under our Data Processing Agreements with these providers:

• Your Conversation Data is NOT used to train or improve their general-purpose AI models
• AI providers may retain data temporarily (up to 30 days maximum) for abuse monitoring and safety purposes
• Data is processed primarily on servers located in the United States; appropriate transfer mechanisms (SCCs and TIAs) are in place (see Section 10)

We encourage you to review the privacy policies of our AI model providers (Anthropic: anthropic.com/privacy; OpenAI: openai.com/privacy) for complete details.

7.5 Data Protection Impact Assessments for AI

In accordance with GDPR Article 35 and EDPB guidance, VentureBoard has conducted Data Protection Impact Assessments (DPIAs) for its AI processing activities, given the use of new technologies (LLMs) and systematic processing of user data. These DPIAs are reviewed regularly and updated when processing activities change materially. DPIAs are available for review by the CPDP or other relevant supervisory authorities upon request.

7.6 AI Limitations & Disclaimers

AI-generated advice and Business Artifacts are provided for informational purposes only and should not be considered professional legal, financial, tax, or medical advice. VentureBoard does not guarantee the accuracy, completeness, or suitability of AI-generated outputs. We recommend consulting qualified professionals for critical business decisions. VentureBoard's AI systems do not engage in discriminatory profiling based on special categories of personal data, in compliance with Article 52(4) of the Bulgarian PDPA.

8. Cookies and Tracking Technologies

VentureBoard uses cookies and similar tracking technologies to enhance your experience. The types of cookies we use include:

• Strictly Necessary Cookies: Essential for Platform functionality, including authentication, session management, and security. These cannot be disabled.
• Performance & Analytics Cookies: Collect aggregated information about Platform usage to improve performance. Deployed with your consent (except where exempted under UK DUAA amendments to PECR for low-risk analytics).
• Functionality Cookies: Remember your preferences (language, display options) for a personalized experience. Deployed with your consent (except where exempted under UK DUAA for low-risk functional cookies).
• Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. Deployed only with your explicit consent.

You can manage your cookie preferences through our cookie consent banner displayed on first visit, or through your browser settings at any time. Consent is granular — you may accept or reject each category independently.

For EU/EEA users: Non-essential cookies are disabled by default and require your opt-in consent in compliance with the ePrivacy Directive (2002/58/EC) as transposed into Bulgarian national law via the Electronic Communications Act (Закон за електронните съобщения, ZES).

For UK users: We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) as amended by the Data (Use and Access) Act 2025. Certain low-risk cookies (essential analytics, functional, and security cookies) may be deployed without prior consent under the DUAA amendments, in accordance with Schedule 12.

For US users: We honor Global Privacy Control (GPC) signals as a valid opt-out request as required by the CCPA/CPRA and other applicable state privacy laws.

9. Data Sharing and Third-Party Services

VentureBoard does not sell your personal data. We do not share your personal information for cross-context behavioral advertising. We share personal data only in the following circumstances:

9.1 AI Model Providers (Sub-processors)

• Anthropic (Claude API) — AI-powered advisory session processing (data processed in US)
• OpenAI (GPT-4) — AI-powered advisory session processing (data processed in US)

These providers process Conversation Data solely to deliver advisory responses and are bound by Data Processing Agreements (DPAs) compliant with GDPR Article 28. Standard Contractual Clauses and Transfer Impact Assessments are in place for US-bound data transfers.

9.2 Infrastructure & Hosting

• Cloud hosting providers for Platform infrastructure and data storage
• MongoDB (database management) for secure data storage
• Content delivery networks (CDNs) for optimized Platform delivery

9.3 Service Providers

• Payment processors for secure billing and subscription management
• Email service providers for transactional and marketing communications
• Analytics providers for aggregated Platform usage insights
• Customer support tools for managing user inquiries

9.4 Legal & Compliance Disclosures

We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of VentureBoard, our users, or the public.

9.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or asset sale, your personal data may be transferred. We will notify you via email or prominent notice on our Platform at least 30 days before your data becomes subject to a different privacy policy.

9.6 Sub-Processor List

A current list of our sub-processors, including their locations and processing purposes, is published at ventureboard.ai/subprocessors and updated whenever changes occur. You may also request the list by contacting privacy@ventureboard.ai.

10. International Data Transfers

VentureBoard is headquartered in Bulgaria, a member state of the European Union. As we use AI model providers and infrastructure based in various countries (including the United States), your personal data may be transferred outside the EU/EEA.

For transfers to countries not recognized as providing an adequate level of data protection, we implement the following safeguards:

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses under Implementing Decision (EU) 2021/914, specifically in place with our AI model providers (Anthropic, OpenAI) and US-based infrastructure providers.
• UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to EU SCCs, as approved by the ICO. Note: The EU renewed its adequacy decision for the UK in December 2025, valid until December 2031, enabling free flows of personal data from the EU (including Bulgaria) to the UK.
• EU-US Data Privacy Framework (DPF): Where applicable, we rely on the EU-U.S. Data Privacy Framework for transfers to certified US organizations.
• Transfer Impact Assessments (TIAs): We conduct TIAs for all international data transfers to evaluate the legal framework in the recipient country and implement supplementary measures where necessary.

For UK users: The UK Data (Use and Access) Act 2025 introduces a revised ‘data protection test’ for international transfers, assessing whether protection in the destination country is ‘not materially lower’ than UK standards. VentureBoard's transfer mechanisms satisfy this updated standard.

You may request copies of the relevant transfer mechanisms by contacting our DPO at dpo@ventureboard.ai.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. In compliance with Maryland's MODPA and GDPR data minimization principles, we retain data only where reasonably necessary and proportionate.

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized. You may request earlier deletion by exercising your rights under Sections 12–17.

12. Your Privacy Rights — Overview

VentureBoard respects your right to control your personal data. Regardless of your location, we provide all users with the following baseline privacy rights:

• The right to access your personal data and obtain a copy
• The right to correct inaccurate or incomplete personal data
• The right to delete your personal data (subject to legal retention requirements)
• The right to restrict or object to certain processing activities
• The right to data portability in a structured, machine-readable format
• The right to withdraw consent at any time for consent-based processing
• The right to lodge a complaint with a supervisory authority
• The right to appeal a denial of any privacy rights request

To exercise any of these rights, contact us at privacy@ventureboard.ai or through your account settings on the Platform. We will respond within the timeframes required by applicable law (typically 30 days under GDPR, 45 days under CCPA).

We verify your identity before processing any rights request. You may also designate an authorized agent to submit requests on your behalf — we will require the agent to provide written authorization from you and may verify your identity directly.

We will not discriminate against you for exercising any privacy rights. In accordance with GDPR Article 12(5), we reserve the right to refuse or charge a reasonable administrative fee for requests that are manifestly unfounded or excessive, particularly where requests are repetitive. We will always explain our reasons for any refusal.

13. Rights Under GDPR (EU/EEA Residents)

If you are a resident of the European Economic Area (EEA) or the European Union, you have the following rights under the GDPR as supplemented by the Bulgarian PDPA:

• Right of Access (Article 15): Obtain confirmation of processing and access to your personal data along with supplementary information.
• Right to Rectification (Article 16): Obtain rectification of inaccurate data and have incomplete data completed.
• Right to Erasure (Article 17): Obtain erasure where data is no longer necessary, you withdraw consent, you object to processing, or data was unlawfully processed.
• Right to Restriction (Article 18): Obtain restriction of processing where you contest accuracy, processing is unlawful, or you need data for legal claims.
• Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right re: Automated Decision-Making (Article 22 GDPR / Article 52 PDPA): You have the right not to be subject to decisions based solely on automated processing. See Section 21 for details.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw at any time. Withdrawal does not affect prior lawful processing.

For Bulgarian residents: Under Article 39(4) of the PDPA, please note that you may not bring the same violation simultaneously before the CPDP and the courts — proceedings in one forum exclude the other while pending.

14. Rights Under UK GDPR & DUAA 2025 (UK Residents)

If you are a resident of the United Kingdom, you have rights under the UK General Data Protection Regulation as amended by the Data (Use and Access) Act 2025 (DUAA). Your rights mirror those in Section 13 (GDPR rights), with the following UK-specific provisions:

• Automated Decision-Making: The DUAA replaced UK GDPR Article 22 with new Articles 22A-22D, broadening the scope for automated decision-making with safeguards. You have the right to: be informed about significant automated decisions, make representations about such decisions, challenge decisions, and obtain meaningful human intervention. See Section 21.
• Data Subject Access Requests: Under the DUAA, we will conduct a ‘reasonable and proportionate’ search when responding to access requests. We may pause the response timeline (‘stop the clock’) if we need additional information from you to process the request.
• Right to Complain to VentureBoard: The DUAA introduces a statutory right to complain directly to us about how your data is processed. We provide an electronic complaints form at ventureboard.ai/privacy-complaint. We will acknowledge your complaint within 30 days and respond without undue delay. If you are not satisfied with our response, you may escalate to the ICO.
• Children's Higher Protection: If you are under 18, the DUAA requires us to give specific consideration to your needs and the protections you merit. See Section 18.

15. Rights Under US State Privacy Laws

VentureBoard complies with applicable US state comprehensive privacy laws. As of 2026, twenty US states have enacted comprehensive privacy laws, and we respect the rights granted by each applicable law.

15.1 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to Know: Know what categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom we share data.
• Right to Delete: Request deletion of your personal information, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: VentureBoard does not sell or share your personal information for cross-context behavioral advertising. VentureBoard is not a data broker.
• Right to Limit Sensitive Data Use: Limit the use and disclosure of sensitive personal information to service-necessary purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

We honor Global Privacy Control (GPC) signals as a valid opt-out request. We will publish annual CCPA metrics on consumer rights requests received, complied with, and denied at ventureboard.ai/ccpa-metrics.

Categories of personal information collected in the preceding 12 months (CCPA disclosure): Identifiers (name, email, IP address); commercial information (subscription records, purchase history); internet or electronic network activity (usage data, browsing history on our Platform); geolocation data (approximate location via IP); professional or employment-related information (job title, company); and inferences drawn from the above.

15.2 Other US State Privacy Laws

We also comply with the privacy laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Nebraska (NDPA), New Hampshire, New Jersey, Minnesota (MCDPA), Maryland (MODPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), and other states as applicable. Key rights common across these laws include:

• Right to confirm whether we process your personal data and access it
• Right to correct inaccuracies
• Right to delete your personal data
• Right to obtain a portable copy of your data
• Right to opt out of targeted advertising, sale of personal data, and profiling

Where applicable state laws provide a right to appeal a denied privacy request, you may submit an appeal to privacy@ventureboard.ai within 45 days of receiving our response. We will respond to appeals within 60 days. If you are not satisfied with the appeal outcome, you may contact your state's Attorney General.

16. Rights Under LGPD (Brazilian Residents)

If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights including: confirmation of processing; access to your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary data; data portability; deletion of data processed with consent; information about entities with which data was shared; information about the possibility of denying consent; and revocation of consent.

Contact our DPO at dpo@ventureboard.ai. We will respond within 15 business days as required by LGPD.

17. Rights Under PIPEDA (Canadian Residents)

If you are a resident of Canada, PIPEDA entitles you to: access your personal information held by us; challenge its accuracy and have it amended; withdraw consent for collection, use, or disclosure (subject to legal restrictions); and file a complaint with the Office of the Privacy Commissioner of Canada.

We will respond to PIPEDA access requests within 30 days. Contact us at privacy@ventureboard.ai.

18. Children's Privacy

VentureBoard is designed for business professionals and is not intended for use by individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children under 16.

If we become aware that we have collected personal data from a child without appropriate consent, we will take immediate steps to delete such data. Contact us at privacy@ventureboard.ai if you believe data from a minor has been collected.

We comply with: the Children's Online Privacy Protection Act (COPPA) for US users; GDPR Article 8 for EU/EEA users; and the ICO's Age Appropriate Design Code (AADC/Children's Code) and the children's higher protection matters requirement under Section 81 of the UK Data (Use and Access) Act 2025 for UK users. Should our Platform be accessed by users under 18, we will give specific consideration to their data protection needs as required by the DUAA.

19. Data Security

VentureBoard implements appropriate technical and organizational measures to protect your personal data in accordance with GDPR Article 32, Article 25 (data protection by design and by default), and the Bulgarian PDPA:

19.1 Technical Measures

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 or equivalent standards
• Secure API connections to all AI model providers with authentication tokens
• Regular security assessments, vulnerability scanning, and penetration testing
• Automated monitoring and alerting for suspicious activities
• Regular software updates and security patch management

19.2 Organizational Measures

• Role-based access control (RBAC) limiting data access to authorized personnel
• Mandatory data protection training for all employees and contractors
• Confidentiality agreements (NDAs) with all personnel handling personal data
• Data Processing Agreements (DPAs) with all sub-processors per GDPR Article 28
• Incident response procedures and documented data breach response plan
• Regular reviews of security policies and access permissions

19.3 Data Protection by Design and by Default

In compliance with GDPR Article 25, VentureBoard embeds privacy into the Platform's architecture from the design stage. This includes data minimization in AI prompt construction, pseudonymization where feasible, default privacy-protective settings, and context window management that limits data exposure during AI processing sessions.

While we implement robust security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

20. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:

• GDPR / Bulgarian PDPA: Notify the Commission for Personal Data Protection (CPDP/КЗЛД, 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592) within 72 hours using the CPDP's published breach notification form. Where the breach is likely to result in high risk, we will notify affected individuals without undue delay.
• UK GDPR/DUAA: Notify the Information Commissioner's Office (ICO) within 72 hours where feasible.
• CCPA/CPRA: Provide notification as required by California Civil Code Section 1798.82 and applicable state breach notification laws.
• LGPD: Notify the ANPD and affected data subjects within a reasonable time period.
• PIPEDA: Report breaches involving real risk of significant harm to the OPC and notify affected individuals.

All breach notifications will include a description of the breach, likely consequences, measures taken, and contact information for our DPO.

21. Automated Decision-Making & Profiling

VentureBoard uses artificial intelligence to provide advisory services and generate Business Artifacts. We provide the following jurisdiction-specific disclosures about automated processing:

21.1 EU/EEA (GDPR & Bulgarian PDPA)

Under GDPR Article 22 and Article 52 of the Bulgarian PDPA, decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect individuals are prohibited unless specific conditions are met. Article 52 of the Bulgarian PDPA is stricter than the general GDPR provision, requiring mandatory human interference for any permitted automated decision-making.

VentureBoard's AI Advisors provide suggestions and recommendations for informational purposes only. No automated decisions are made regarding your access to the Platform, pricing, or terms of service based on profiling. All final business decisions remain with you. VentureBoard does not engage in profiling that leads to discrimination based on special categories of personal data (Article 52(4) PDPA).

21.2 United Kingdom (UK GDPR as amended by DUAA)

The Data (Use and Access) Act 2025 replaced UK GDPR Article 22 with new Articles 22A-22D, broadening the scope for automated decision-making while introducing specific safeguards. Under this framework, if VentureBoard were to make significant solely automated decisions affecting UK users, we would implement the required safeguards: informing you about the decision, enabling you to make representations and challenge the decision, and providing meaningful human intervention. Currently, VentureBoard does not make significant solely automated decisions about users.

21.3 United States

Several US states (including California under CPRA, Connecticut, and Colorado) grant consumers the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. VentureBoard does not use AI processing to make such decisions about users. If this changes, we will update this policy and provide appropriate opt-out mechanisms.

If we introduce any automated decision-making processes that could produce significant effects, we will update this policy, provide meaningful information about the logic involved, and implement all safeguards required by applicable law.

22. Accountability & Compliance Framework

In accordance with GDPR Article 5(2) (accountability principle), VentureBoard maintains the following compliance documentation and practices:

• Records of Processing Activities (ROPA) as required by GDPR Article 30, available for inspection by the CPDP
• Data Protection Impact Assessments (DPIAs) for AI processing activities per GDPR Article 35
• Legitimate Interest Assessments (LIAs) for all processing based on legitimate interests
• Data Processing Agreements (DPAs) with all sub-processors per GDPR Article 28
• Internal data protection policies and staff training records
• Data breach response plan and incident register
• EU AI Act compliance documentation, including AI system risk classification and transparency measures

VentureBoard commits to reviewing this Privacy Policy at least annually, or upon significant regulatory changes (such as EU AI Act implementation milestones or GDPR reform adoption), whichever is sooner.

23. Third-Party Links

Our Platform may contain links to third-party websites, services, or applications that are not operated by VentureBoard. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you access through our Platform. VentureBoard is not responsible for the privacy practices of third parties.

24. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

• We will update the “Last Updated” date at the top of this policy
• We will notify you via email or prominent notice on the Platform at least 30 days before material changes take effect
• For material changes affecting the legal basis of processing or introducing new data categories, we will seek renewed consent where required
• Previous versions will be archived and available upon request with a version history/change log

Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.

25. Contact Information & Data Protection Officer

For questions, concerns, or requests relating to this Privacy Policy or your personal data:

26. Supervisory Authorities, Complaints & Appeals

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the appropriate authority:

• Bulgaria (Lead Supervisory Authority): Commission for Personal Data Protection (Комисия за защита на личните данни, CPDP/КЗЛД), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592 — cpdp.bg
• EU/EEA: Your local Data Protection Authority. Full list at edpb.europa.eu.
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk. Under the DUAA, we encourage you to use our complaints process first (see Section 25).
• United States: California Privacy Protection Agency (CPPA) — cppa.ca.gov; or your state's Attorney General for other state privacy laws.
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

26.1 Appeal Process

If we deny your privacy rights request, you may appeal our decision. Submit your appeal to privacy@ventureboard.ai within 45 days of receiving our response. We will review your appeal and respond within 60 days. The appeal response will include our reasoning and, if the appeal is denied, information about how to lodge a complaint with the relevant supervisory authority or state Attorney General.

We encourage you to contact us first so we can attempt to resolve your concern directly.