// legal
Privacy Policy
Last updated: June 2026
1. Who we are and how to contact us
UnicornBurn is a startup failure intelligence platform for VCs and investors, built on a structured dataset of documented business failures with associated risk-matching and portfolio-monitoring tools.
Data controller: Unicorn Burn LTD
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
Data Protection Officer: legal@unicornburn.com
2. What data we process, why, and on what legal basis
2.1 Autopsy dataset — individuals in their business role
The UnicornBurn dataset contains information about closed or liquidated companies. In some cases, this information includes the names of founders, CEOs or other executives acting in their public business role.
Data sources: verified public sources — specialist press, corporate registries (BORME, Companies House, Receita Federal, SEC EDGAR), court rulings, official announcements, interviews published by third parties, and public open datasets (Crunchbase open data, layoffs.fyi, and other publicly available startup failure datasets).
Legal basis: legitimate interest (Art. 6.1.f GDPR). The processing is proportionate to the educational and analytical purpose of the platform. Individuals appear exclusively in their public business role, not in their private lives.
Your right to object: if you are a person mentioned in the dataset and believe the processing is not justified, you may request a review, correction or deletion of your information at hello@unicornburn.com. We will respond within 30 days.
2.2 Claim My Autopsy — founders who claim their entry
If you are the founder of a company that appears in the dataset and choose to claim your autopsy, we collect:
- Contact data: email, full name
- Identity verification: document or credential proving your connection to the company (LinkedIn, corporate registry, verified corporate email)
- Startup data: additional information you voluntarily provide about your company's history, causes of failure and closure
Legal basis: explicit consent (Art. 6.1.a GDPR), which you grant when initiating the claim process.
Important: if you provide data about third parties (employees, co-founders, investors), you are responsible for ensuring those people have been informed. Do not include personal data about third parties that is not already public knowledge.
Retention: we retain this data while your autopsy is published. If you request deletion, we will remove your entire entry from the dataset, including any additional data you provided.
2.3 Account registration
When you create an account, we collect: email address, full name, organisation name and role (e.g. VC analyst, fund partner).
Legal basis: performance of contract (Art. 6.1.b GDPR) — these details are necessary to provide the Intelligence service, manage your account and issue invoices where applicable.
Purpose: account authentication, billing, product communications and, where applicable, team seat management.
Retention: while your account is active + 12 months after cancellation.
2.4 Platform usage data
When you use the platform, we generate and process: risk assessments you run, portfolio companies you add, alerts you configure, reports you generate, and anonymised interaction events (page views, feature usage).
Legal basis: legitimate interest (Art. 6.1.f GDPR) — necessary to provide, improve and secure the service.
Retention: while your account is active + 12 months after cancellation. Anonymised and aggregated usage data may be retained indefinitely for product improvement.
2.6 Billing
When you subscribe to a paid plan, we collect: full name or company name, tax address, tax identification number, billing email.
Payment processor: we use Stripe as a data processor for payment processing. Stripe acts under a Data Processing Agreement (DPA) compliant with GDPR. Your card or payment method details are processed directly by Stripe and never pass through our servers.
Stripe may transfer data to servers in the United States under appropriate safeguards (Standard Contractual Clauses). More information: stripe.com/privacy.
Legal basis: performance of contract (Art. 6.1.b) and legal obligation to retain invoices (Art. 6.1.c). Retention: 7 years, in accordance with applicable tax legislation.
2.7 Use of data with third parties
Aggregated and anonymised data: we may share with third parties statistics and analyses of platform usage patterns in a fully anonymised and non-reidentifiable format. This use does not require additional consent because the data is not personal.
Non-anonymised individual data: if in the future we wish to share identifiable user data with third parties, we will do so only under the following conditions: we will inform you clearly, specifically and separately; we will request your explicit consent through an active affirmative action (unchecked checkbox by default); you will be able to decline without this affecting your access to the platform; every third party receiving your data will sign a Data Processing Agreement (DPA).
We will never sell your personal data to third parties.
3. Data processors
We use the following third-party processors, each operating under a Data Processing Agreement (DPA). Processors outside the UK/EU operate under Standard Contractual Clauses (SCC) approved by the European Commission (Art. 46 UK GDPR / EU GDPR), or equivalent UK International Data Transfer Agreements (IDTA) where applicable.
| Provider | Function | Country / Safeguards |
|---|---|---|
| Supabase | Database | EU (Frankfurt) |
| Vercel | Hosting and CDN | USA (SCC) |
| Stripe | Payment processing | USA (SCC) |
| Resend | Transactional email | USA (SCC) |
SCC = Standard Contractual Clauses (EU). IDTA = International Data Transfer Agreement (UK equivalent).
4. Your rights
Under UK GDPR and EU GDPR you have the right to: access, rectification, erasure, portability, objection, restriction, withdrawal of consent.
- Access — obtain a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure— request deletion of your data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request that we limit how we use your data
- Withdrawal of consent — withdraw consent at any time without affecting prior processing
To exercise any of these rights: hello@unicornburn.com. Response time: maximum 30 calendar days.
If you are not satisfied with our response, you may lodge a complaint with your national data protection authority. For users in the United Kingdom: Information Commissioner's Office (ico.org.uk). For users in Spain: Agencia Española de Protección de Datos (aepd.es).
5. Cookies
We use only strictly necessary cookies for platform operation (session, language preferences). We do not use advertising cookies or third-party tracking cookies.
6. Security
We apply appropriate technical and organisational measures:
- Encryption in transit (HTTPS/TLS)
- Role-based access control at the database level
- Service key authentication on internal APIs
- Restricted access to production data
7. Minors
The platform is intended exclusively for individuals aged 18 and over. We do not knowingly collect data from minors.
If you are aware that a minor has provided data without parental consent, please contact us at hello@unicornburn.com.
8. Changes to this policy
If we make material changes, we will notify you by email at least 14 days in advance. Continued use of the platform after that period implies acceptance of the changes.
9. Contact
Data Protection Officer: legal@unicornburn.com