Ventureship
Book a discovery call Join Ventureship
Privacy notice

How we handle your data.

This notice sets out what personal data Ventureship collects, how we use it, and the rights you have over your information. It applies to our website, our forms, and any discovery calls operated by Ventureship Ltd.

Last updated: 9 June 2026
Effective from: 9 June 2026
Version: 1.0

1. About this notice

Ventureship Ltd ("Ventureship", "we", "us", "our") is committed to protecting your personal information and being transparent about what we collect, how we use it, and what your rights are. This notice explains how we handle personal data we collect through our website, our forms, and our discovery calls.

This notice is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If anything in this notice is unclear, contact us at enquiries@ventureship.co.uk and we'll explain.

2. Who we are

Ventureship Ltd is a company registered in England and Wales.

  • Company number: 16954844
  • Registered address: Portland House, Belmont Business Park, Durham, England, DH1 1TW
  • ICO registration number: ZC156473
  • General contact: enquiries@ventureship.co.uk
  • Data protection contact: enquiries@ventureship.co.uk (write "Data request" in the subject line)

For the purposes of UK GDPR, Ventureship is the data controller of the personal data described in this notice.

3. The personal data we collect

We collect personal data only when you choose to share it with us, or when it is technically necessary to operate the website.

When you submit our company discovery form

  • Your name
  • Your role at your employer
  • Your work email address
  • The name of the company you work for
  • The size of the company you work for (selected from a list)
  • A description of the project or challenge you'd like to discuss

When you submit our candidate sign-up form

  • Your name
  • Your email address
  • The university, college, or institution you attend or attended
  • Your stage of study or career
  • Your course, field of study, or current role
  • Your right to work in the UK (or that you're applying for worldwide briefs)
  • Your areas of interest
  • A LinkedIn or portfolio URL (optional)
  • A short personal statement (optional)
  • Your consent to be contacted

When you book a discovery call

  • The above, plus the time and date you've chosen for the call
  • A Google Meet link generated by our scheduling tool

When you visit our website

We use Cloudflare Web Analytics, which collects aggregate, anonymised data about how visitors use our site (page views, country, device type, referrer). It does not use cookies and does not track individuals across sessions.

Special category data

We do not knowingly collect any special category data (such as data about your health, ethnicity, religion, sexual orientation, political opinions, or trade union membership). Please do not provide any in your submissions or during calls.

Children

Our service is intended for adults only (typically university-age and above). We do not knowingly collect data from anyone under 18. If you believe we have collected such data, please contact us and we will delete it.

4. How we collect personal data

We collect personal data:

  • Directly from you, when you submit one of our forms or book a call
  • From your browser, when you visit the website (limited to the analytics described above)
  • From publicly available sources, such as LinkedIn (only when researching a company you've contacted us about, never for cold outreach)

We do not buy personal data from third parties.

5. Why we use your data, and our legal basis

PurposeLegal basis
Responding to your enquiry from the company form Legitimate interest — to communicate with potential business partners who have asked to speak with us
Responding to your candidate sign-up and matching you to relevant cohorts Consent — given via the consent checkbox on the candidate sign-up form. You may withdraw consent at any time by emailing us, and we will delete your sign-up data
Sending you a discovery call confirmation, calendar invite, and reminder Legitimate interest — to confirm a service you have asked us to provide
Operating the discovery call itself Legitimate interest
Sending you information about upcoming Ventureships, briefs, or programmes Consent only. We will not send marketing communications without your explicit consent, and you may withdraw it at any time
Operating, securing, and improving the website Legitimate interest
Complying with our legal obligations (such as accounting and tax record retention) Legal obligation

You can object to processing based on legitimate interest at any time, and we will stop unless we have a compelling reason to continue.

6. Who we share your data with

We do not sell your personal data, ever. We share it only with the processors listed below, and only to the extent strictly necessary for the service they provide on our behalf. Each processor is contractually bound to act on our written instructions, to maintain confidentiality, and to apply appropriate security measures. The independent security certifications of every processor (SOC 2 Type II, ISO 27001 or equivalent) are documented in our internal vendor security register, which we are happy to share on request.

6.1 Summary table

RecipientPurposeLocation
Formspree (Formspree Inc.)Receives and forwards form submissionsUnited States
Cal.com (Cal.com, Inc.)Manages discovery call scheduling and Google Meet link generationEuropean Union and United States
Google (Workspace / Cloud)Email hosting, calendar, Google Meet calls, shared documentsUnited Kingdom and United States
Microsoft 365 (via GoDaddy reseller)Email hosting for @ventureship.co.uk addressesEuropean Union and United Kingdom (regional storage)
Resend (Resend, Inc.)Transactional email delivery (confirmations, reminders) sent from send.ventureship.co.ukUnited States (Amazon SES backend)
Cloudflare (Cloudflare, Inc.)Privacy-respecting website analytics (cookieless) and edge infrastructure when enabledUnited Kingdom and United States
Netlify (Netlify, Inc.) (planned host)Hosts the static website files you visitUnited States
GoDaddy (GoDaddy.com, LLC)Domain registrar and DNS hosting; also resells the Microsoft 365 mailboxUnited States
Our professional advisers, regulators, or law enforcementWhere required by law, court order, or to defend legal claimsUnited Kingdom

6.2 What each processor actually receives

For full transparency, here is the precise scope of data each processor handles for us:

  • Formspree receives everything you submit on a form (name, email, university, course, project description, message, etc.). It does NOT receive your Cal.com booking data, your email correspondence with us, or any data outside the form submission. Formspree holds: SOC 2 Type II. UK GDPR Article 28 DPA in place.
  • Cal.com receives only the data you enter when booking a call (name, email, time slot, optional notes). It does not receive your form submission data, broader correspondence, or other personal data. Cal.com holds: SOC 2 Type II, ISO 27001, HIPAA. UK GDPR Article 28 DPA in place.
  • Google Workspace hosts our Drive folders (where we may keep notes after a discovery call), shared documents, and any backup of submission data we export. It also runs the Meet calls. Google holds: SOC 1/2/3, ISO 27001/27017/27018/27701, FedRAMP. Standard Google Cloud DPA in place.
  • Microsoft 365 (resold via GoDaddy) is the email host for our @ventureship.co.uk inbox. It receives any email correspondence with us, including replies to your form submissions. Microsoft holds: SOC 1/2/3, ISO 27001/27017/27018/27701, FedRAMP. Microsoft Online Services DPA applies automatically.
  • Resend sends transactional emails to you (form confirmations, programme updates). It receives your email address and the email content we send to you. It does NOT receive your form submission body or any data you have not chosen to give us. Resend holds: SOC 2 Type II. Built on Amazon SES, which is SOC 1/2/3, ISO 27001-certified.
  • Cloudflare (once enabled) sees only the aggregated, cookieless analytics about how visitors use our site (page views, country, device type, referrer). It does not see your form submissions, email content, or anything that identifies you personally. Cloudflare holds: SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS Level 1, FedRAMP Moderate. DPA at cloudflare.com/cloudflare-customer-dpa.
  • Netlify (planned production host) will serve the website's static HTML, CSS, and JS files to visitors. It receives technical request metadata (your IP address while a page loads) but no application-level personal data (forms post directly to Formspree, not to Netlify).
  • GoDaddy holds our domain registration and DNS records. The only personal data they hold is our billing contact (Ventureship's, not yours) and the registrant WHOIS data. They do not see your form submissions, email content, or any other personal data.

6.3 Recipient classification

Under UK GDPR, the recipients listed above are data processors acting on our instructions, except for Google and Microsoft (which are also our service providers under their own published DPAs) and the regulators / courts (where they would act under independent legal authority, not as our processors).

6.4 Other partner companies and candidates

In addition to the processors above, when a Ventureship runs we may share relevant data between Partner Companies and Candidates participating in that specific engagement (for example, sharing a Candidate's name and area of interest with a Partner Company so they can be matched to a Cohort). This sharing is always limited to what is necessary for the engagement, governed by the consent you provide on the relevant form, and never used for unrelated marketing. We do not disclose Candidate details to Partner Companies who are not actively engaged in the Cohort that Candidate is in.

7. International data transfers

Some of the recipients above are based outside the UK. Where this happens, we ensure that transfers comply with UK GDPR by:

  • Relying on UK adequacy regulations for transfers to the European Economic Area (where they apply)
  • Using the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the UK Addendum for transfers to the United States and other non-adequate countries

If you would like to see the safeguards in place for a specific transfer, contact us and we will provide the relevant documentation.

8. How long we keep your data

We keep personal data only as long as we need to for the purposes set out above. Our standard retention periods are:

  • Company discovery form submissions: 24 months from submission or last interaction, then deleted (unless we are in an ongoing business relationship with you)
  • Candidate sign-up data: 24 months from sign-up or last interaction, then deleted (we will email you before deletion so you can ask us to keep it longer)
  • General contact form messages: 12 months from our final response, then deleted
  • Discovery call notes: we do not record calls. Any notes we take are retained for 24 months from the call
  • Marketing email subscribers: until you withdraw consent (you can unsubscribe at any time using the link in each marketing email)
  • Records required by law (accounting, tax, business records): 6 years after the end of the relevant accounting period, per UK statutory requirements

9. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access — to ask us for a copy of the personal data we hold about you
  • Right to rectification — to ask us to correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — to ask us to delete your data in certain circumstances
  • Right to restrict processing — to ask us to limit how we use your data
  • Right to data portability — to ask us to provide your data in a portable format
  • Right to object — to object to processing based on legitimate interest, including profiling
  • Right to withdraw consent — for any processing based on consent, at any time
  • Right not to be subject to automated decision-making — we do not currently make any decisions about you using solely automated means

To exercise any of these rights, email enquiries@ventureship.co.uk with "Data request" in the subject line, and tell us which right you are exercising. We will:

  • acknowledge your request within three working days;
  • verify your identity (we may ask for a second contact point to confirm it is you, not someone impersonating you);
  • respond substantively within one calendar month of receipt (or up to three months, if your request is particularly complex; we will tell you in advance if we need the extension and why);
  • provide our response in writing in a clear, intelligible format;
  • not charge for exercising your rights, except in the rare case that requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable administrative fee or decline the request, and we will tell you why.

If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with our supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk/make-a-complaint. You can also reach them by phone on 0303 123 1113. We would, however, appreciate the chance to address your concerns first — email enquiries@ventureship.co.uk and we will try to put it right.

10. Automated decision-making and profiling

We do not currently use automated decision-making (including AI screening) to make decisions about you. If we ever introduce automated assessment of candidate submissions, we will update this notice and contact relevant candidates separately. We will never rely solely on an algorithm to reject a candidate.

11. Marketing communications

If you have consented to receive marketing emails from us, you will receive occasional updates about Ventureships, briefs, and company news. You can withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us directly. Withdrawing consent does not affect any communications you have already received.

We will never share your contact details with third parties for their marketing purposes.

12. Cookies and similar technologies

Our website does not currently set any cookies. We use Cloudflare Web Analytics, which does not use cookies and does not track you across sessions. We store your cookie-banner preference using your browser's localStorage so that the banner does not reappear; no cookies are set for this. If we introduce cookies for any other purpose in future, we will update this notice and ask for your consent.

13. Security

We take appropriate technical and organisational measures to protect your personal data, including encryption in transit, restricted access controls, and supplier due diligence. No system is 100% secure, but we work to industry standards.

If we ever experience a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours, and you directly without undue delay where the breach is likely to result in a high risk.

14. Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top will reflect any changes. For material changes, we will notify you directly where we have your contact details and where it is appropriate to do so.

15. How to contact us, or complain to the ICO

For any questions about this notice or your data:

  • Email: enquiries@ventureship.co.uk
  • Subject line: "Data request"
  • Postal address: Portland House, Belmont Business Park, Durham, England, DH1 1TW

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF