Privacy Policy
1. Introduction
UniPrisma Kft. (registered office: Révay köz 4, 1065 Budapest, Hungary; company registration number at the Budapest Metropolitan Tribunal: 01-09-448571; hereinafter: the "Data Controller" or "UniPrisma"), operating under the trading name UniVCC (University Venture Capital Coalition), pays particular attention to ensuring that its activities comply with the applicable legal requirements governing personal data.
This includes, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation" or "GDPR"), and the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information.
The purpose of this Privacy Policy is to ensure transparency of the Data Controller's data processing activities and to inform all individuals whose personal data is processed (the "Data Subjects") about their rights and about how their data is handled.
This Privacy Policy applies to personal data processed in connection with UniVCC's activities: operating the website univccoalition.org, responding to enquiries and applications, coordinating the UniVCC coalition, organising events, conducting research and benchmarking, and maintaining relationships with members, partners, prospective limited partners, and other stakeholders of the university venture capital ecosystem.
2. Data Controller
- Name: UniPrisma Kft.
- Registered office: Révay köz 4, 1065 Budapest, Hungary
- Company registration number: 01-09-448571 (Budapest Metropolitan Tribunal)
- VAT number: 26606572-2-42
- International VAT number: HU26606572
- Managing Director: Károly Zoltán Szántó
- Contact for privacy matters: privacy@univccoalition.org
We are not required to appoint a statutory Data Protection Officer under Article 37 GDPR. Privacy enquiries are handled by Thijmen Meijer, Chief Operating Officer, reachable at the email address above.
A UniVCC entity in the Netherlands is currently in formation. If and when that entity becomes an additional controller, this Policy will be updated to reflect the joint controller arrangement under Article 26 GDPR.
3. Principles of data processing
- Lawfulness, fairness and transparency. The Data Controller processes personal data lawfully, fairly, and in a transparent manner, cooperating with Data Subjects and providing clear information about how their data is handled.
- Purpose limitation. Personal data is collected only for specified, explicit, and legitimate purposes, and is not further processed in a manner incompatible with those purposes.
- Data minimisation. The Data Controller limits the personal data collected and processed to what is strictly necessary for the purposes identified in this Policy.
- Accuracy. The Data Controller takes reasonable steps to keep personal data accurate and up to date, and to promptly correct or delete inaccurate data upon request.
- Storage limitation. Personal data is retained only for as long as necessary for the purposes for which it was collected, in line with the retention periods set out in this Policy.
- Integrity and confidentiality. The Data Controller protects personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction through appropriate technical and organisational measures.
- Accountability. The Data Controller is responsible for complying with the principles above and is able to demonstrate compliance with them.
4. Personal data we collect
Depending on how you interact with UniVCC, we may collect the following categories of personal data.
- Full name
- Job title or role
- Organisation name and type
- Work email address
- Phone number, where provided
- Country of operation
- Role and seniority
- Your organisation's type (UVC fund, university, technology transfer office, limited partner, partner, or other)
- Fund or institutional details you choose to share, such as assets under management, stage focus, geographic focus, vintage year, or investment strategy
- Publicly available information about you or your organisation
- Visual brand assets: organisation logo files (PNG, SVG, or similar) provided to us for use in coalition materials
- Emails, calls, and meeting notes arising from our interactions
- Responses to forms you submit to us
- Notes and records kept in our customer relationship management system
- Where AI-assisted transcription or meeting summary tools are used, the transcribed content of meetings. We currently use Google Meet's "Take notes for me" (Gemini-powered) and Attio Notetaker for this purpose. The use of such tools requires your prior consent, obtained at the start of the meeting.
- IP address
- Browser type and device information
- Pages visited and time on site
- Referral source
We do not knowingly collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health data). If you share such data with us voluntarily, we will only process it where we have a valid legal basis under Article 9 GDPR.
5. How we collect your data
We collect personal data through the following channels.
- When you submit a form on univccoalition.org
- When you email us, write to us, or respond to our outreach
- When you register for or attend a UniVCC event
- When you connect with us on LinkedIn or similar professional networks
- When you take part in a meeting, call, or interview with us
- Your organisation's website
- Public professional profiles, including LinkedIn, company registries, and press releases
- Public databases relevant to venture capital, including Dealroom, Crunchbase, and Global University Venturing
- Mutual contacts who introduce you to us
- Event organisers, where you have consented to share your details
- Referral partners
6. Why we use your data and legal basis
- Responding to enquiries and applications. Legal basis: your consent (Article 6(1)(a) GDPR), and, where relevant, pre-contractual steps taken at your request (Article 6(1)(b) GDPR).
- Building and maintaining relationships within the university venture capital ecosystem. Legal basis: our legitimate interest in developing the UniVCC coalition and maintaining relevant professional relationships with UVCs, universities, technology transfer offices, limited partners, and partners (Article 6(1)(f) GDPR). You have the right to object to this processing at any time.
- Contacting you about UniVCC activities, including events, research outputs, and membership opportunities. Legal basis: your consent for marketing communications (Article 6(1)(a) GDPR); legitimate interest for direct professional correspondence relevant to your role (Article 6(1)(f) GDPR).
- Delivering membership services and fulfilling our agreements with members and partners. Legal basis: performance of a contract to which you or your organisation is a party (Article 6(1)(b) GDPR).
- Conducting ecosystem research and benchmarking. Legal basis: legitimate interest (Article 6(1)(f) GDPR). Research outputs are published in aggregated and anonymised form; individual identifiers are not published without explicit consent.
- Keeping accurate records of meetings with you, including the use of AI transcription or summary tools. Legal basis: your explicit prior consent (Article 6(1)(a) GDPR), obtained at the start of the meeting. You may withdraw consent at any time.
- Complying with our legal, accounting, and tax obligations. Legal basis: compliance with legal obligations to which we are subject (Article 6(1)(c) GDPR).
- Securing our systems and preventing fraud or abuse. Legal basis: legitimate interest (Article 6(1)(f) GDPR).
- Displaying your name, organisation, role, and logo in public UniVCC materials, including the univccoalition.org website, the UniVCC LinkedIn page and other social media channels, coalition communications, presentations, reports, events, and ecosystem maps. Legal basis: your consent (Article 6(1)(a) GDPR), captured at the point of joining the coalition or in subsequent correspondence. You can withdraw this consent at any time by writing to hello@univccoalition.org, and we will remove your name and logo from active coalition materials within a reasonable period. Historical references already included in previously published materials, reports, podcasts, or event documentation may remain in place.
Legitimate interest assessment: where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that your rights and freedoms do not override that interest. A copy of the relevant legitimate interest assessment is available on request by contacting privacy@univccoalition.org.
7. Who we share your data with
Your personal data may be shared with the following categories of recipients.
The UniVCC team:
Currently Károly Zoltán Szántó (CEO and Managing Director) and Thijmen Meijer (COO). Access may be extended to future UniVCC employees, contractors, and advisors on a strict need-to-know basis.
Our service providers (processors):
Each service provider acts on our instructions under a written data processing agreement meeting the requirements of Article 28 GDPR.
| Provider | Service | Location of processing |
|---|---|---|
| Attio | Customer relationship management; Attio Notetaker (AI meeting notes and summaries linked to contact records) | United States |
| Typeform | Online forms (embedded on univccoalition.org) | Spain (EU) |
| Google Ireland Limited (Google Workspace) | Email, calendar, document storage; Google Meet "Take notes for me" (Gemini-powered AI meeting summaries) | Ireland (EU), with sub-processors in the United States |
| Calendly | Meeting scheduling (embedded on univccoalition.org) | United States |
| Slack Technologies Limited | Internal messaging | Ireland (EU), with sub-processors in the United States |
Additional processors may be engaged from time to time. An up-to-date list is available on request.
Professional advisors:
Lawyers, accountants, and other professional advisors bound by professional confidentiality obligations.
Public authorities:
Where disclosure is required by law, court order, or regulatory process.
Public coalition materials:
Where you have consented, your name, organisation, and logo may be displayed publicly on univccoalition.org, on our social media channels, and in coalition publications, events, and ecosystem materials. This means the information will be accessible worldwide. You can request removal at any time by writing to hello@univccoalition.org.
- We do not sell your personal data.
- We do not share your personal data with advertising networks.
- We do not publish individual-level data without your explicit consent.
8. International data transfers
Some of our service providers, or their sub-processors, are based outside the European Economic Area (EEA), primarily in the United States. When we transfer your personal data outside the EEA, we rely on the safeguards recognised under Chapter V of the GDPR.
- EU-US Data Privacy Framework. Where the processor is certified under the Data Privacy Framework, we rely on the adequacy decision of the European Commission of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses. Where the Data Privacy Framework does not apply, we enter into the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.
- Transfer impact assessments. Where required, we conduct transfer impact assessments to confirm that the safeguards provide a level of protection essentially equivalent to that of the GDPR.
You can request a copy of the safeguards applicable to transfers of your personal data by contacting privacy@univccoalition.org.
9. How long we keep your data
- Form submissions and enquiries: up to 3 years from our last contact with you, or sooner if you request deletion.
- CRM records of active relationships: for the duration of the relationship, plus 3 years after it ends.
- CRM records of prospects contacted but not engaged: up to 3 years from the last meaningful contact; sooner if you object.
- Records of paid membership: for the duration of membership, plus 8 years, as required by Hungarian accounting and tax law.
- Meeting notes and AI-assisted transcripts: up to 1 year after the meeting, unless you withdraw consent sooner.
- Marketing mailing list entries: until you unsubscribe or withdraw consent.
- Event attendance records: up to 3 years after the event.
- Website technical logs: typically up to 30 days.
- Legal, accounting, and tax records: 8 years, as required by Hungarian law.
- Logos and brand assets provided for coalition use: for the duration of your participation, plus a reasonable period to remove them from active materials following withdrawal.
At the end of the applicable retention period, we delete or irreversibly anonymise the data.
10. Your rights
- Right of access (Article 15). You can ask us to confirm whether we process your personal data and to obtain a copy, along with information about how we use it.
- Right to rectification (Article 16). You can ask us to correct inaccurate or incomplete data about you.
- Right to erasure (Article 17). You can ask us to delete your data where one of the grounds in Article 17 applies, for example where the data is no longer needed, you withdraw consent, or you object to processing.
- Right to restriction of processing (Article 18). You can ask us to limit how we use your data in specific situations, for example while we verify a correction request or assess an objection.
- Right to data portability (Article 20). Where processing is based on consent or contract and carried out by automated means, you can ask us to provide your data in a structured, commonly used, machine-readable format, or to transmit it directly to another controller where technically feasible.
- Right to object (Article 21). You can object to processing based on our legitimate interest at any time. You have an unconditional right to object to processing for direct marketing purposes.
- Right to withdraw consent (Article 7(3)). Where we process your data based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to solely automated decision-making (Article 22). UniVCC does not make decisions about you using solely automated processing that produce legal or similarly significant effects.
11. How to exercise your rights
To exercise any of the rights above, email privacy@univccoalition.org with a brief description of your request. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. Where requests are complex or numerous, we may extend this period by a further two months and will inform you of any extension within one month of receipt.
Where your request is submitted electronically, we will respond electronically unless you ask otherwise.
We may need to verify your identity before acting on your request, in order to protect your personal data.
Exercising your rights is free of charge. We reserve the right to charge a reasonable fee or to refuse to act where a request is manifestly unfounded or excessive, in accordance with Article 12(5) GDPR.
12. Right to lodge a complaint and judicial remedy
If you believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with a data protection supervisory authority. You also have the right to an effective judicial remedy.
- Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
- Headquarters: 1055 Budapest, Falk Miksa utca 9-11., Hungary
- Postal address: 1363 Budapest, Pf. 9., Hungary
- Telephone: +36 (1) 391-1400
- Fax: +36 (1) 391-1410
- Email: ugyfelszolgalat@naih.hu
- Website: naih.hu
Other supervisory authorities:
You may also lodge a complaint with the supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 GDPR.
Judicial remedy:
You have the right to apply to the competent court of your place of residence or habitual abode, in accordance with Article 79 GDPR.
We would appreciate the chance to address your concerns directly before you contact a supervisory authority or court. If you have any issues with how we handle your data, please write to privacy@univccoalition.org first and we will respond promptly.
13. Cookies and website analytics
Our website uses essential cookies required for the site to function, plus third-party cookies set by embedded content (Typeform forms, Calendly scheduling, and YouTube videos). Non-essential third-party cookies are loaded only after you accept them via our cookie banner.
We do not currently use advertising cookies, cross-site tracking, or social media trackers. If we introduce website analytics or marketing tools in future, we will update this Policy and re-prompt your consent through the cookie banner before setting any new non-essential cookies.
Full details, including the specific cookies set, their purposes, and how to manage your preferences, are available in our separate Cookie Policy at univccoalition.org/cookie-policy.
14. How we protect your data
- Encryption of data in transit (HTTPS, TLS) and at rest
- Access controls limiting data access to authorised team members
- Strong authentication requirements on all work systems
- Firewall, antivirus, and spam protection on the Data Controller's systems
- Password protection on electronic devices
- Regular backups and business continuity planning
- Vendor due diligence and data processing agreements with all processors
- Incident response procedures in the event of a personal data breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where the breach is likely to result in a high risk, inform affected individuals without undue delay, in accordance with Articles 33 and 34 GDPR.
We maintain a record of personal data breaches in accordance with Article 33(5) GDPR, including the scope of affected personal data, the range and number of affected Data Subjects, the time, circumstances, and impact of the incident, and the measures taken to resolve it.
15. Children's data
UniVCC's activities are directed at professional audiences. We do not knowingly collect personal data from children under the age of 16. If you believe we hold data from a minor, please contact privacy@univccoalition.org and we will delete it promptly.
16. Changes to this Policy
The Data Controller reserves the right to amend this Policy from time to time to reflect changes in our practices, our service providers, or legal requirements. Any updates will be posted on this page with a revised "last updated" date at the top.
For material changes, we will notify you by email where we have your contact details on file, or through a prominent notice on our website, with reasonable prior notice.
17. Contact us
- Email: privacy@univccoalition.org
- Post: UniPrisma Kft., Révay köz 4, 1065 Budapest, Hungary
This Policy is governed by Hungarian law. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the competent Hungarian courts, without prejudice to your right to lodge a complaint with a supervisory authority or to seek a judicial remedy under the GDPR.
Budapest, April 2026