Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how F4 Management LLC ("F4 Management LLC," "F4," "we," "us," "our") collects, uses, and shares personal information in connection with the f4.fund website, the F4 Raise directory, the founder match service, VC firm and startup profile pages, claim flows, public deal pages, document share links, the scout referral program, and any related products or services (collectively, the "Services").
If you do not agree with this Policy, please do not use the Services.
1. Who we are and how to contact us
F4 Management LLC is the controller of the personal information collected through the Services.
- Privacy requests and questions: [email protected]
- General contact: [email protected]
2. Information we collect
2.1 Information you provide directly
Account and identity. When you sign in or claim a profile, we collect your name, email address, and your role at your firm or company. We support email magic links delivered by Resend and WebAuthn passkeys, each of which provides us with the identifiers required for that method.
Person and company profile information. We collect information about you and your company that you submit to us — names, titles, biographies, headshots, LinkedIn URLs, Twitter handles, locations, phone numbers, and free-form profile notes (including, where you provide them, fields such as previous companies, education, achievements, and experience history).
Pitch decks and intake materials. When you submit a pitch deck (by file upload or URL) or complete a founder Q&A, claim form, or contact form, we collect those materials and any answers you provide. For URL-hosted decks (e.g., DocSend, Notion), we may render and store extracted slide images and text.
Communications. We process emails you send to us and any forms you submit through the Services.
Payment and tax information. We do not currently process payments through the Services.
2.2 Information we collect automatically
Cookies and similar technologies. We use cookies and local storage to operate the Services. The categories are described in Section 8.
Document-viewer analytics. When you view a document via an F4 share link, we collect a hashed version of your IP address, an IP-derived country/region/city, your user-agent family, per-slide dwell time, and heartbeat timestamps. We use this to give document owners viewer analytics and to detect abuse.
Activity and search events. We log product activity, including searches you run, pages you view, and events relevant to providing the Services.
Analytics. We use PostHog (Section 5) to understand product usage and to capture errors. PostHog sets first-party identifiers in cookies and local storage.
Abuse-prevention identifiers. For claim flows, domain-add requests, and certain account actions, we store a hashed version of your IP address so we can detect abuse without retaining the IP itself.
2.3 Information we collect from third parties
Public web research. To build F4 Raise and our research database, we collect publicly available information about venture firms, founders, and companies from public websites and search APIs (currently Exa, Tavily, Jina, Firecrawl, and ScrapeGraph), and we generate structured firm profiles, sector classifications, and embeddings from this content. This may include information about you in your professional capacity (firm role, public statements, portfolio, LinkedIn URL, etc.).
Referrals. If a scout or another founder refers you, we receive the information they submit about you in connection with that referral.
3. How we use information
We use personal information to:
- Operate the Services, including authenticating you, generating match reports, displaying public profile pages you have claimed, and delivering share-link analytics to document owners.
- Process and analyze your submissions, including extracting structured data from pitch decks, generating embeddings for semantic search, and generating AI summaries and matches.
- Communicate with you, including sending sign-in links, security and account notices, transactional emails, and (with appropriate opt-out controls) outreach and updates.
- Improve and develop the Services, including measuring usage, debugging, performance tuning, and developing new features.
- Maintain safety and integrity, including detecting abuse, verifying claim authority, enforcing our Terms, and complying with legal obligations.
- Comply with law and respond to lawful requests, including subpoenas and court orders.
3.1 AI and automated processing
We use third-party large language model providers (currently OpenAI, Anthropic, and OpenRouter) and other AI tools to power features like deck extraction, match generation, summarization, and search. Our contracts with these providers require them not to use your data to train their foundation models. Your content is, however, transmitted to them in the ordinary course of providing the Services.
Some features involve significant automated decision-making (for example, generating a ranked list of VC matches). These outputs are informational and not legally or significantly consequential on their own; we encourage you to verify them before acting.
4. Legal bases for processing (EEA/UK users)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
- Performance of a contract — to operate the Services you signed up for (e.g., founder match).
- Legitimate interests — to operate, secure, and improve the Services, to maintain a useful research database about venture firms and founders, and to detect abuse. We balance these interests against your rights.
- Consent — for non-essential cookies (where required), marketing communications, and certain optional features. You can withdraw consent at any time without affecting prior processing.
- Legal obligation — to comply with applicable laws.
5. Third-party services and sub-processors
We share personal information with the following categories of third parties to provide the Services. Each provider acts as our sub-processor (or, where applicable, an independent controller) and is bound by appropriate agreements.
| Category | Providers | What they receive |
|---|---|---|
| Hosting and database | Render (US-based hosting and managed PostgreSQL) | All Service data stored in our database |
| Object storage | Cloudflare R2 | Pitch decks, slide images, and other materials you submit |
| Authentication and email | Resend (magic links, transactional mail, outreach mail) | Sign-in tokens, email addresses, transactional and outreach mail we send |
| Large language models | OpenAI, Anthropic, OpenRouter | Text and document content sent to model APIs for processing; foundation-model training is contractually prohibited |
| Web research and extraction | Exa, Tavily, Jina, Firecrawl, ScrapeGraph, Modal | URLs and queries; the public web content we collect about firms and founders |
| Analytics and error tracking | PostHog | Product-usage events, error reports, hashed identifiers |
We do not sell personal information. We do not share personal information with advertising networks or third-party advertisers.
We may also disclose personal information:
- to professional advisors (lawyers, accountants, insurers) under confidentiality obligations;
- in connection with a merger, acquisition, financing, or sale of all or part of F4 Management LLC's business, with notice and protections as appropriate;
- to comply with law, enforce our Terms, or protect our or others' rights, property, or safety.
6. Public profile content
Some Services are designed to be public:
- F4 Raise firm directory displays research about VC firms, including publicly available information about partners.
- Claimed VC firm and startup profiles display the content you choose to publish through the claim flow, with a "provisional" badge for unreviewed edits.
- Public deal pages display deck content you authorize for public viewing.
- Document share links display documents you authorize for viewing by anyone with the link (subject to any password or email-gating you configure).
Content you authorize for public display may be indexed by search engines and cached by third parties outside our control.
7. Retention
We retain personal information for as long as needed to provide the Services and as required by law or legitimate business interests. Specific retention periods include:
- Account data: while your account is active, plus a reasonable period for backups, audit, and dispute resolution.
- Magic-link, claim, and intake tokens: short-lived (typically 24 hours to 30 days, depending on the flow); single-use tokens are consumed on use.
- Founder match reports: retained while the engagement is active and for our research base afterward; you can request deletion at any time.
- Session JWTs: 30-day rolling sessions.
- "Maybe" triage records: automatically expire after 30 days.
- Document-viewer analytics: retained for as long as the share link exists, then for a reasonable period afterward for analytics and abuse review.
- Audit logs: retained for security and compliance purposes for as long as we determine necessary.
- Outreach unsubscribes: retained indefinitely to honor your opt-out.
- Backups: rolling backups are retained per Render's standard retention.
After the applicable retention period, we delete or de-identify the data.
8. Cookies and similar technologies
We use the following categories of cookies and local storage:
- Authentication and security (essential). NextAuth session cookies (scoped to
.f4.fund), CSRF tokens, passkey-challenge cookies, and session cookies for founder intake. These are required to operate the Services and cannot be disabled. - Analytics. PostHog sets a first-party
distinct_idand session identifier in cookies and local storage so we can measure product usage and capture errors. - Preferences. Lightweight cookies and local-storage entries that remember UI state.
We do not currently display a cookie consent banner. If you are in a jurisdiction that requires consent for non-essential cookies, you can block analytics cookies in your browser settings; the Services will still function.
9. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate information.
- Deletion — ask us to delete personal information we hold about you.
- Portability — request a machine-readable copy of certain information.
- Restriction or objection — ask us to limit or stop certain processing (including processing based on legitimate interests).
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Opt out of marketing — use the one-click unsubscribe link in our email, or email [email protected]. Transactional email (sign-in, security) continues while your account is active.
- Lodge a complaint with your local data-protection authority.
To exercise these rights, email [email protected]. We may ask you to verify your identity. We will respond within the timeframes required by applicable law.
Information about you in our public research base (for example, a VC firm profile that includes your name and role) is gathered from public sources. You may request removal or correction of that information by emailing [email protected]; we will review such requests in good faith and balance them against the public-interest purpose of the directory.
9.1 California residents
If you are a California resident, the CCPA/CPRA provides additional rights, including the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, and the right to limit certain uses of sensitive personal information. We do not sell personal information and we do not "share" personal information for cross-context behavioral advertising as defined by the CPRA.
10. Children
The Services are not directed at children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, please contact [email protected] and we will delete it.
11. International transfers
F4 Management LLC is based in the United States. Personal information we collect may be processed in the United States and other countries where our sub-processors operate (for example, Cloudflare's global network and the regions used by our LLM providers). Where required by law, we use appropriate transfer mechanisms (such as Standard Contractual Clauses) to safeguard cross-border transfers.
12. Security
We protect personal information using TLS in transit, encryption at rest in our database and object storage, access controls, hashed IP addresses for abuse-prevention identifiers, hashed claim tokens, audit logging, and standard operational security practices. No system is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a security incident affecting your personal information, we will notify you as required by law.
13. Automated decision-making
We use AI to generate match reports, evaluations, summaries, and other outputs that influence what you see in the Services. These outputs are not used to make legal or similarly significant decisions about you on their own. If you would like a human to review an AI-generated output affecting you, contact [email protected].
14. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated Policy at this URL and update the "Last updated" date. Material changes will be highlighted, and where required by law we will give you advance notice. Your continued use of the Services after the updated Policy takes effect constitutes acceptance of the changes.
15. Contact
Questions, requests, and complaints about this Policy or our handling of your personal information:
F4 Management LLC — operator of the f4.fund Services.