INVESTOR PRIVACY NOTICE

Effective date: April 30, 2026

This notice is for investors and others whose professional contact details may appear in ColdMsg's investor database. It explains what we hold, where we got it, why we hold it, and how to have it changed or removed. This notice satisfies our obligations under Articles 13 and 14 of the EU GDPR and the equivalent provisions of the UK GDPR.

If you are a ColdMsg user (a founder running outreach), please see our main Privacy Policy instead.

1. WHO WE ARE AND OUR ROLE

ColdMsg ("we", "us") operates an investor-outreach platform used by founders to contact investors. We maintain a curated database of investor records that powers matching and outreach inside the product. For that database, ColdMsg acts as an independent data controller under GDPR Article 4(7) — we determine the purposes and means of processing the database itself.

When a ColdMsg user sends a specific email to a specific investor, that user is the controller of the act of sending and is responsible for ensuring they have a lawful basis to contact you for the purpose of their message. ColdMsg acts as a processor for that send.

2. WHAT WE HOLD

For each investor record, we may hold some or all of the following: your name, the name of the fund or organisation you are publicly associated with, your role / title, a professional email address, public profile links (for example LinkedIn, Crunchbase, fund website), and signals derived from public sources about your stated investment focus — typical stage, geography, industry focus, check size, and similar.

We do not knowingly hold special-category data (Article 9 data such as health, religion, biometrics) and we do not include data sourced from breached datasets or scraped consumer profiles.

3. WHERE WE GOT IT

The investor database is compiled from public and licensed sources, including:

  • fund and firm websites where partners are publicly listed;
  • public regulatory filings and disclosures;
  • press releases, podcasts, and conference materials;
  • public LinkedIn and similar professional profiles;
  • licensed third-party business directories and data providers.

On request, we will tell you the specific category of source from which your record was derived.

4. WHY WE HOLD IT (PURPOSE AND LAWFUL BASIS)

Purpose. To provide founders with a curated business directory of investors who publicly hold themselves out as actively investing in startups, so that founders can identify investors whose stated focus matches their company.

Lawful basis. Legitimate interests under Article 6(1)(f). We have documented a balancing test that weighs (a) the legitimate interest of founders in efficient discovery of professionally relevant investors, and (b) ColdMsg's interest in operating the service, against the rights and freedoms of investors. We consider that processing professional contact data of individuals who publicly hold themselves out as making investments, for the purpose of being contacted in that professional capacity, is within their reasonable expectations.

You have the right to object to this processing at any time. See Section 7.

5. WHO SEES IT

Investor records are visible inside the product to ColdMsg users who match against them. We do not sell the database, do not license it as a standalone product, and do not use it for advertising. We share data with the sub-processors that help us operate the product — most notably Mailgun (email delivery), our cloud host, our error-monitoring provider, and the AI providers we use for matching and copy drafting. These sub-processors are bound by data-processing agreements.

6. HOW LONG WE KEEP IT

We keep records while the underlying public sources continue to support inclusion and the investor remains professionally active in investing. We delete records on opt-out request and when a public source no longer supports inclusion. Suppression-list entries are retained indefinitely, because deleting them would defeat the purpose of an opt-out.

7. YOUR RIGHTS

Under GDPR / UK GDPR (and comparable regimes) you have the right to:

  • be informed about the processing (this notice);
  • access the data we hold about you;
  • have inaccurate data corrected;
  • have your data erased;
  • restrict processing;
  • object to processing — including objecting to outreach based on legitimate interests, in which case we will suppress the record from the database;
  • request data portability;
  • lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office; in the EU, the data protection authority of your country of residence).

Exercising any of these rights is free of charge and does not require a reason.

8. HOW TO OPT OUT OR EXERCISE A RIGHT

You can have your record suppressed in any of the following ways:

  • Reply to any email sent through ColdMsg with words such as "unsubscribe", "remove", or "stop". We parse the reply and apply a global suppression that prevents any further sends to that address from any ColdMsg account.
  • Click the unsubscribe link that your mail client may surface from the List-Unsubscribe header. This produces the same global suppression.
  • Email investors@coldmsg.com from any address associated with your record. Tell us what you would like (suppression, deletion, access, correction, restriction, objection, portability) and we will action it within 30 days.

We may ask for limited verification before actioning a request that is not made from an address we already hold.

8a. DECK-VIEWER ANALYTICS & SESSION REPLAY

When you open a deck shared with you through ColdMsg (links of the form decks.vc/p/<slug>), we collect engagement signals so the founder who shared the deck can see which slides drew interest and on what device. Specifically, for each visit we record: an opaque per-browser session identifier (kept in your browser's localStorage for 30 days), the time of arrival, your IP address, the browser User-Agent string parsed into device/OS/browser, the page referrer, the slides that scrolled into view, and the maximum scroll depth reached.

We additionally capture a session recording of cursor movements, scrolling, and clicks on the deck page (using the open-source rrweb library), so the founder can replay how you read the deck. Form inputs are masked at capture time and the deck viewer carries no inputs in any case. Recording is automatically skipped for browsers that identify as bots (search-engine crawlers, link-preview prefetchers, headless automation).

Consent. Deck-viewer analytics and session recording are off by default and only switch on after you click "Accept" on the consent banner shown the first time you open a decks.vc/p/<slug> link. Your decision is stored as a first-party cookie (deck-tracking) on the decks.vc host and applies to that browser. Clicking "Reject" keeps tracking off; you can change your mind by clearing site data for decks.vc in your browser, which will surface the banner again.

The lawful basis is your consent under Article 6(1)(a). We retain deck-viewer events and recordings for 12 months from collection, after which they are deleted. To request earlier deletion of previously collected events, email investors@coldmsg.com.

9. AUTOMATED DECISION-MAKING

We do not make decisions producing legal or similarly significant effects about you using solely automated processing. AI-driven matching is used to surface relevance signals to founders, who decide whether to contact you.

10. INTERNATIONAL TRANSFERS

Some of our sub-processors are based in the United States. Transfers from the EEA / UK rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and where applicable the EU-U.S. Data Privacy Framework.

11. CHANGES TO THIS NOTICE

We may update this notice. The effective date above reflects the current version.

12. CONTACT

Investor-database inquiries and rights requests: investors@coldmsg.com
General privacy inquiries: privacy@coldmsg.com