Last updated: March 1, 2025
1. Introduction and Identity of the Data Controller
This Privacy Policy explains how Hilberts AI Capital (“we,” “us,” or “our”) collects, processes, stores, and protects personal data when you visit our website at hilbertsai.org, when you contact us directly, or when you engage with us in connection with potential or actual investment activities.
Hilberts AI Capital is the data controller for the personal data described in this Privacy Policy. We are a seed-stage venture capital firm incorporated and operating within the European Union. As such, we are subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection laws of the EU member states in which we operate.
If you have questions about this Privacy Policy or wish to exercise your rights under applicable data protection law, you may contact us at:
Hilberts AI Capital
Data Protection Contact
Email: privacy@hilbertsai.org
We take the privacy of our website visitors, founders, co-investors, limited partners, and other contacts seriously and are committed to handling personal data responsibly, transparently, and in compliance with applicable law.
2. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
- Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing means any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, erasure, or destruction.
- Data controller means the natural or legal person who determines the purposes and means of processing personal data.
- Data processor means a natural or legal person who processes personal data on behalf of the data controller.
- Data subject means the natural person to whom personal data relates.
- Consent means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them.
3. Categories of Personal Data We Process
We process personal data in the following categories, depending on the nature of your relationship with us:
3.1 Website Visitors
When you visit hilbertsai.org, we may process the following categories of data through our analytics and operational systems:
- IP address (processed in anonymised or pseudonymised form where technically possible)
- Browser type and version
- Operating system
- Referring website URL
- Pages visited, time spent on pages, and navigation paths
- Date and time of visits
- Cookie identifiers (where consent has been obtained)
This data is collected through server logs and, where you have consented, through analytics cookies. Please refer to our Cookie Policy for detailed information about how we use cookies.
3.2 Contact Form and Email Communications
When you contact us through our contact form or by email, we process:
- Your name
- Your email address
- Your organisation or company name (if provided)
- Your job title or role (if provided)
- The content of your message
- Any attachments you send (which may include additional personal data)
- The date and time of your communication
3.3 Founders and Entrepreneurs
If you are a founder or entrepreneur who submits a pitch or engages with us in the context of a potential investment, we may process:
- Identifying information: name, contact details, nationality, and professional background
- Professional history: employment history, educational background, academic publications, and patent filings
- Company information: company name, registration details, corporate structure, and financial information
- Investment documentation: pitch decks, financial projections, cap tables, and due diligence materials
- Reference information: names and contact details of references you provide
- Communications: notes and records from meetings, calls, and email exchanges
3.4 Limited Partners and Investors
In the context of our fund operations and investor relations, we may process personal data relating to limited partners and other investors, including:
- Legal name, nationality, and tax identification information
- Contact details including address, email, and telephone number
- Financial information required for anti-money laundering (AML) and know your customer (KYC) compliance
- Investment documentation and fund reporting data
- Bank account and wire transfer information for capital calls and distributions
3.5 Professional Contacts and Network
In the ordinary course of our venture capital activities, we maintain records relating to professional contacts including co-investors, advisors, service providers, and members of the broader startup ecosystem. For these contacts, we typically process:
- Name, employer, and job title
- Email address and telephone number
- Notes on professional interactions and areas of expertise
- Public information about professional activities and affiliations
4. Legal Bases for Processing
We process personal data only where we have a valid legal basis to do so under the GDPR. The legal bases we rely on include:
4.1 Consent (Article 6(1)(a) GDPR)
Where you have freely given, specific, informed, and unambiguous consent to the processing of your personal data, we rely on consent as our legal basis. Consent is the primary legal basis for processing data through non-essential cookies and for sending marketing communications. You have the right to withdraw consent at any time, and withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4.2 Contract (Article 6(1)(b) GDPR)
Where processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, we rely on this legal basis. For example, we process contact details and communication history on this basis in the context of a potential or actual investment relationship.
4.3 Legal Obligation (Article 6(1)(c) GDPR)
Where processing is necessary for compliance with a legal obligation to which we are subject — including AML/KYC obligations under applicable financial services regulations — we rely on this legal basis.
4.4 Legitimate Interests (Article 6(1)(f) GDPR)
We rely on legitimate interests as a legal basis for processing where we have a genuine business purpose that is not overridden by your fundamental rights and freedoms. Our legitimate interests include: operating and improving our website and services; maintaining contact with professional contacts and the startup ecosystem; managing our investment pipeline; and preventing fraud. We have conducted legitimate interests assessments where appropriate and will make these available on request.
5. How We Use Personal Data
We use personal data for the following purposes:
- Operating our website: Maintaining website security, monitoring performance, diagnosing technical issues, and providing a functional browsing experience.
- Responding to enquiries: Responding to messages sent through our contact form or email.
- Investment activities: Evaluating investment opportunities, conducting due diligence, managing investments, and maintaining relationships with portfolio companies and their teams.
- Fund operations: Administering our fund, managing LP relationships, complying with regulatory obligations, and preparing investor reports.
- Regulatory compliance: Complying with AML, KYC, and other applicable financial services regulations.
- Communications: Sending newsletters, event invitations, and other communications to contacts who have opted in to receive them.
- Analytics: Understanding how our website is used to improve its content and functionality, subject to your cookie preferences.
6. Data Sharing and Recipients
We do not sell personal data to third parties. We may share personal data with the following categories of recipients in the ordinary course of our activities:
- Service providers: Third-party vendors who provide IT infrastructure, website hosting, email delivery, analytics, legal and accounting services, and other operational services. These providers act as data processors on our behalf and are bound by data processing agreements that require them to protect the data we share with them.
- Co-investors and syndicate members: In the context of investment due diligence and syndication, we may share information about founders and companies with co-investors on a confidential basis, with the consent of the relevant individuals where required.
- Regulatory and legal authorities: Where we are required by law or court order to disclose personal data, we will do so.
- Professional advisors: Legal counsel, accountants, and auditors who provide services to us in connection with our fund operations and legal compliance.
We do not transfer personal data to countries outside the European Economic Area (EEA) unless we have appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision by the European Commission for the destination country.
7. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, and no longer than required by applicable law. Our general retention practices include:
- Website visitor data: Server log data is retained for a maximum of 12 months. Cookie data is retained for the period specified in our Cookie Policy.
- Contact and correspondence data: Retained for up to 3 years after the last communication, or longer if the communication relates to a business relationship or investment activity.
- Investment pipeline data: Data relating to investment opportunities that were not pursued is retained for up to 5 years. Data relating to active investments is retained for the duration of the investment and for 10 years after the investment is fully realised.
- LP and investor data: Retained for the duration of the fund and for a minimum of 10 years after the fund is wound up, in compliance with applicable financial services regulations.
- AML/KYC data: Retained for a minimum of 5 years after the end of the business relationship, as required by applicable AML regulations.
Where retention is required by legal obligation, we will retain data for the full statutory retention period even if it would otherwise have been deleted.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how it is being processed.
- Right to rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete personal data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify a rectification request or pending resolution of an objection.
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests at any time, on grounds relating to your particular situation. You also have an absolute right to object to processing for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with the supervisory data protection authority in the EU member state of your residence, your place of work, or the place of the alleged infringement.
To exercise any of these rights, please contact us at privacy@hilbertsai.org. We will respond to requests within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months, and we will notify you of any such extension within one month of receiving your request.
We will not charge a fee for responding to requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
9. Security of Personal Data
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using TLS/HTTPS protocols
- Access controls and authentication requirements for systems that process personal data
- Regular security assessments and vulnerability testing of our website and systems
- Employee training on data protection and information security
- Contractual data processing agreements with all third-party service providers who process personal data on our behalf
- Incident response procedures for identifying, reporting, and addressing personal data breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach and, where required, notify the affected individuals without undue delay.
10. Cookies and Similar Technologies
Our website uses cookies and similar tracking technologies. Detailed information about the cookies we use, their purposes, and how to manage your cookie preferences is provided in our Cookie Policy. We use a cookie consent banner to obtain your consent for non-essential cookies before placing them on your device.
11. Third-Party Links
Our website may contain links to third-party websites, including our portfolio companies and co-investors. We are not responsible for the privacy practices of these third-party websites, and this Privacy Policy does not apply to them. We encourage you to review the privacy policies of any third-party websites you visit.
12. Children's Privacy
Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that we have inadvertently collected personal data from a minor, please contact us at privacy@hilbertsai.org and we will take steps to delete that data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance. When we make material changes, we will update the “Last updated” date at the top of this policy and, where appropriate, provide notice through our website or direct communication.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data. Continued use of our website after any changes to this policy constitutes acceptance of the updated policy.
14. Contact and Complaints
If you have questions, concerns, or complaints about this Privacy Policy or our data processing practices, please contact us at:
Hilberts AI Capital
Data Protection Contact
Email: privacy@hilbertsai.org
If you are not satisfied with our response, or if you believe our processing of your personal data is unlawful, you have the right to lodge a complaint with the supervisory data protection authority in your EU member state of habitual residence, your place of work, or the place where the alleged infringement occurred. A list of EU supervisory authorities is available on the European Data Protection Board website at edpb.europa.eu.