Privacy Policy

1. Controller / Who We Are

The controller responsible for data processing on this website within the meaning of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and applicable data protection laws is:

For the purposes of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), CF Innovation Labs is the “business” that determines the purposes and means of processing your personal information.

2. What Data We Collect

We collect and process the following categories of personal data when you use our website:

Server Log Data

When you visit our website, our hosting provider (Vercel) and CDN provider (Cloudflare) automatically collect and store information in server log files that your browser transmits. This includes your IP address, browser type and version, operating system, referrer URL, pages visited, date and time of your visit, and the amount of data transferred. This data is collected to ensure the secure and stable operation of our website and is not merged with other data sources.

Booking Data

When you schedule a discovery session through our integrated Cal.com booking widget, Cal.com processes your data (such as your name, email address, and any information you provide in the booking form) as an independent controller under their own privacy policy. We receive only the information necessary to conduct the scheduled meeting.

Contact Data

If you contact us by email, we store the data you provide (your email address, name, and the content of your message) for the purpose of processing your inquiry and in case of follow-up questions.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• •To provide, operate, and maintain our website securely and reliably
• •To respond to your inquiries and facilitate scheduled discovery sessions
• •To detect, prevent, and address technical issues and security threats
• •To comply with legal obligations under applicable EU, UK, and US law

We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your data for automated decision-making or profiling.

4. Legal Basis for Processing

We process personal data only when there is a lawful basis to do so. The following legal bases apply depending on your jurisdiction:

EU / EEA (GDPR Article 6)

• •Legitimate interests (Art. 6(1)(f)) — for server log data collection and website security, to ensure the reliable operation of our website
• •Contract performance (Art. 6(1)(b)) — for processing data related to scheduling and conducting discovery sessions or consultations
• •Consent (Art. 6(1)(a)) — where your explicit consent is obtained before setting any non-essential cookies
• •Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable laws

United Kingdom (UK GDPR)

The same legal bases listed above apply under the UK GDPR and the Data Protection Act 2018. Where we rely on legitimate interests, we have carried out a legitimate interests assessment to ensure that our processing does not override your fundamental rights and freedoms.

United States

For users in the United States, we process personal information as described in this policy. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), nor do we engage in “targeted advertising” as defined under other US state privacy laws.

5. Third-Party Services

We use the following third-party services to operate this website. Each service may process personal data as described below:

Vercel (Hosting)

Our website is hosted on Vercel Inc., located in the United States. Vercel processes server log data on our behalf as a data processor. Data transfers from the EU/EEA and UK to the US are protected by the EU-US Data Privacy Framework and EU Standard Contractual Clauses (SCCs). For more information, see Vercel's Privacy Policy.

Cloudflare (CDN and DNS)

We use Cloudflare Inc., located in the United States, for content delivery and DNS management. Cloudflare may process IP addresses and traffic data to deliver our website securely and efficiently. Cloudflare processes this data as a data processor on our behalf. Data transfers from the EU/EEA and UK to the US are protected by EU Standard Contractual Clauses. For more information, see Cloudflare's Privacy Policy.

Cal.com (Booking)

We use Cal.com for scheduling discovery sessions. When you use the booking feature, Cal.com processes your data as an independent controller under their own privacy policy. Cal.com is based in the United States. Data transfers are covered by appropriate safeguards including Standard Contractual Clauses. For more information, see Cal.com's Privacy Policy.

6. International Data Transfers

Our third-party service providers are located in the United States. When your personal data is transferred outside of the European Economic Area (EEA) or the United Kingdom, we ensure that appropriate safeguards are in place to protect your data:

• •EU Standard Contractual Clauses (SCCs) — approved by the European Commission for transfers of personal data to countries outside the EEA
• •UK International Data Transfer Agreement (IDTA) — or the UK Addendum to the EU SCCs, for transfers from the UK
• •EU-US Data Privacy Framework — where applicable, for transfers to certified US organizations
• •Adequacy decisions — where the European Commission or UK Secretary of State has determined that a country provides an adequate level of data protection

7. Cookies

Our website uses cookies — small text files stored on your device by your browser. We use only essential cookies that are strictly necessary for the proper functioning of the website. These cannot be deactivated and include cookies required for load balancing, security, and session management.

We do not use analytics, tracking, or marketing cookies. For complete details on the cookies we use and how to manage them, please see our Cookie Policy.

8. Your Rights

Your rights regarding your personal data depend on the laws that apply to you based on your location. To exercise any of these rights, please contact us at info@cfinnovationlabs.com. We will respond within the time period required by applicable law.

EU / EEA Residents (GDPR)

Under the EU General Data Protection Regulation, you have the following rights:

• •Right of access (Art. 15) — request confirmation of whether we process your personal data, and access a copy of that data
• •Right to rectification (Art. 16) — request the correction of inaccurate personal data or the completion of incomplete data
• •Right to erasure (Art. 17) — request the deletion of your personal data, subject to legal retention obligations
• •Right to restriction of processing (Art. 18) — request the restriction of processing under certain conditions
• •Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, and machine-readable format
• •Right to object (Art. 21) — object to processing based on legitimate interests at any time
• •Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal

UK Residents (UK GDPR)

Under the UK GDPR and the Data Protection Act 2018, you have the same rights as those listed above for EU/EEA residents. If you believe your data protection rights have been breached, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). See Section 14 below for contact details.

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

• •Right to know — you can request that we disclose what personal information we have collected, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
• •Right to delete — you can request deletion of your personal information, subject to certain exceptions
• •Right to correct — you can request correction of inaccurate personal information
• •Right to opt-out of sale or sharing — we do not sell or share your personal information, so this right does not currently apply
• •Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA
• •Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise your rights, email us at info@cfinnovationlabs.com. We will verify your identity before fulfilling your request. You may also designate an authorized agent to make a request on your behalf.

Other US State Privacy Laws

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or other US states with comprehensive privacy legislation, you may have similar rights to access, correct, delete, and port your personal data, as well as the right to opt-out of targeted advertising, the sale of personal data, and profiling. We do not engage in any of these activities. To exercise your rights, contact us at info@cfinnovationlabs.com. If your request is denied, you may have the right to appeal under your state's law.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

• •Server logs — automatically deleted after 30 days
• •Contact data — retained for as long as necessary for the purpose of communication and any resulting business relationship, and deleted when no longer needed
• •Booking data — retained by Cal.com according to their own data retention policies

When personal data is no longer needed, we will securely delete or anonymize it. If deletion is not possible (for example, because the data has been stored in backup archives), we will securely isolate the data from further processing until deletion is possible.

10. Data Security

We use industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. All data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security). Our website is served exclusively over HTTPS. We regularly review and update our security practices to ensure the ongoing confidentiality and integrity of your data. However, no method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.

11. Children's Privacy

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data as promptly as possible. If you believe we have collected data from a child under 16, please contact us at info@cfinnovationlabs.com.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any updates will be posted on this page with a revised “Last updated” date at the top. Where changes are significant, we will make reasonable efforts to notify you. We encourage you to review this page periodically to stay informed about how we protect your data.

13. Contact / How to Reach Us

For any questions about this privacy policy, to exercise your data protection rights, or to make a complaint about our handling of your personal data, please contact us:

We aim to respond to all data protection requests within 30 days. In complex cases, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

14. Supervisory Authorities

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with a supervisory authority:

EU / EEA

You have the right to lodge a complaint with the data protection supervisory authority in your EU/EEA member state.

United Kingdom

The competent supervisory authority for the United Kingdom is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. You can also contact them via their website at ico.org.uk/make-a-complaint.