GDPR & UK GDPR

Last reviewed May 16, 2026

This page summarizes how PEVCOS, Inc. ("PEVCOS") handles personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. It is intended for customers in the EEA, UK, and Switzerland and for their LPs, vendors, and counsel doing procurement review. For the full description of our data practices, see our Privacy Policy.

Our role under GDPR

Processor with respect to customer content (deal-flow records, contacts, notes, documents, IC memos, LP records, synced Gmail messages, etc.). Our customer is the controller of that data. We process it only on the customer's instructions to deliver the Service.

Controller with respect to account-level data we collect directly (your name, email, billing details, application logs, telemetry).

Lawful bases (Article 6)

  • Contract (Art. 6(1)(b)) — processing your account data to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — securing the Service against abuse, debugging errors, and improving the product. We balance these against your privacy rights.
  • Consent (Art. 6(1)(a)) — when you explicitly opt into connecting Gmail or accepting non-essential cookies (we do not currently use non-essential cookies).
  • Legal obligation (Art. 6(1)(c)) — retaining billing records to satisfy tax law.

Your rights as a data subject

If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data. To exercise any of them, email privacy@pevcos.com from the address tied to your account. We respond within 30 days.

  • Right of access — get a copy of the personal data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure (right to be forgotten) — request deletion of your personal data (Art. 17), subject to retention required by law.
  • Restriction — pause our processing of your data while you dispute its accuracy or our lawful basis (Art. 18).
  • Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interests (Art. 21).
  • Automated decision-making — not be subject to decisions producing legal effect that are based solely on automated processing (Art. 22). PEVCOS does not make such decisions; AI outputs are advisory, with the user always in the loop.
  • Withdraw consent — where consent is the lawful basis, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — with your local supervisory authority. In the EU, see edpb.europa.eu. In the UK, ico.org.uk.

International data transfers

PEVCOS infrastructure is in the United States (AWS us-east-1, via Supabase and Vercel). For transfers of personal data from the EEA, UK, or Switzerland to the US we rely on the following safeguards:

  • EU Standard Contractual Clauses (2021) — incorporated by reference into our Data Processing Addendum, with Module Two (controller-to-processor) applying to customer content.
  • UK International Data Transfer Addendum — for transfers from the UK.
  • Swiss Federal Data Protection Act — for transfers from Switzerland, with adaptations to the SCCs as required.

We also implement supplementary technical measures (encryption in transit and at rest, tenant isolation via RLS, restricted access) per the EDPB's recommendations following the Schrems II ruling.

Data Processing Addendum (DPA)

We provide a DPA that incorporates the EU SCCs and UK IDTA. Email privacy@pevcos.com to request a copy. For most customers, signing our standard DPA takes 24-48 hours; we review redlines for enterprise contracts on request.

Subprocessors

Our current subprocessor list (Supabase, Vercel, Anthropic, Stripe, Resend, Google for users who connect Gmail, DocuSign for users who connect e-signature) is published in our Privacy Policy. We will give customers reasonable advance notice of changes and allow you to object on reasonable grounds.

Data breach notification

If a personal-data breach occurs that is likely to result in a risk to data subjects, we will notify affected customers (controllers) without undue delay and in any event within 72 hours of becoming aware, per Article 33 GDPR. The notification will describe the nature of the breach, the categories of data affected, likely consequences, and remediation measures.

Data retention

Workspace data is retained for the life of the account. On cancellation it is deleted within 30 days. Billing records are retained for 7 years to satisfy tax obligations. Application logs are retained for 90 days. See the Privacy Policy for details.

EU/UK representative

PEVCOS does not yet meet the Article 27 GDPR threshold for mandatory EU/UK representative appointment. If your contract requires one, contact privacy@pevcos.com and we'll discuss arrangements.

Contact

Privacy questions, DSAR (Data Subject Access Request), DPA requests, or breach reports: privacy@pevcos.com.