Back to home

Privacy Policy

Last updated: June 2026

1. Data controller

The controller responsible for the processing of personal data described in this policy is:
CINDR.LA — Bernhard Reiterer
Vienna, Austria
E-mail: hello@cindr.la

Where required by applicable law, a Data Protection Officer (DPO) has been appointed and can be reached at the address above.

2. Scope of this policy

This Privacy Policy applies to the Prospector web application and landing site operated at prospector.cindr.la. It describes what personal data we collect, why, how long we keep it, and the rights you have over it.

3. Data we process and why

3.1 Platform users (investors and founders with access)

  • Account data: email address, name, organisation name — collected at sign-in via Google OAuth to create and maintain your account. Lawful basis: contract (Art. 6(1)(b) GDPR).
  • Usage data: pages visited, features used, timestamps — collected automatically to provide and improve the service. Lawful basis: legitimate interests (Art. 6(1)(f) GDPR).
  • Preferences and settings: saved searches, contact lists, outreach configurations — stored to deliver the core functionality of the platform. Lawful basis: contract.

3.2 Investor profile data (third-party subjects)

Prospector processes publicly available professional information about investors (e.g. fund affiliation, investment thesis, LinkedIn profile data, portfolio companies). This data is sourced from public sources, professional databases, and user-provided inputs. Processing is based on legitimate interests (Art. 6(1)(f) GDPR) — specifically the legitimate interest of our users to conduct targeted fundraising outreach to relevant parties.

Investors whose data appears in Prospector may exercise their rights under Section 7 of this policy.

3.3 Email outreach data

When users send outreach through Prospector, we process email addresses and message content to deliver those communications. Open and reply events may be tracked to support the sequencing features. Lawful basis: legitimate interests of the sending user.

3.4 Technical and log data

Our servers collect IP addresses, browser type, referrer, and error logs for security monitoring and debugging. Retention: rolling 30-day window. Lawful basis: legitimate interests.

4. Data sharing and sub-processors

We share personal data only as follows:

  • Infrastructure providers: cloud hosting and database services (Hetzner Online GmbH, EU data centres) — necessary for service delivery.
  • Authentication: Google LLC (Google OAuth) — for sign-in only; we receive only the identity token and email your Google account authorises.
  • Your email provider (Gmail / Microsoft Outlook): outreach is created as drafts in your own connected mailbox; you send them yourself. We do not use a separate bulk-email provider. With your authorisation we access only the messages related to your outreach (to create drafts and detect sent messages and replies).
  • AI model providers: OpenAI, Anthropic, and Ollama — enrichment and drafting features may send relevant data to AI APIs. Data is not used for third-party model training under our agreements.

We do not sell personal data. We do not share personal data for advertising purposes. Where sub-processors are located outside the EEA, appropriate safeguards (Standard Contractual Clauses or equivalent) are in place.

5. Retention

  • Active account data: retained for the duration of the account, plus 24 months after account closure for legal/contractual purposes.
  • Investor profile data: refreshed or deleted when no longer accurate or when an objection is received.
  • Log data: 30 days rolling.
  • Outreach history: retained until the user deletes it or closes their account.

6. Cookies and tracking

The Prospector landing site (prospector.cindr.la) uses no third-party cookies and no advertising trackers. A single first-party localStorage entry (cindrla-theme) stores your display-theme preference on your device.

The authenticated application (/portal) uses session cookies required for login and security. These are strictly necessary and not subject to consent requirements under the ePrivacy Directive.

7. Your rights

Under the GDPR you have the right to: access your personal data; correct inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at hello@cindr.la. We will respond within 30 days. You also have the right to lodge a complaint with the supervisory authority in your country of residence.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified to active users by email or via an in-app notice at least 14 days before taking effect. The "last updated" date at the top of this page reflects the most recent revision.

10. Contact

For questions about this policy or to exercise your rights:
CINDR.LA — Bernhard Reiterer
Vienna, Austria
hello@cindr.la