Last updated: June 1, 2026
PrimeVDR is a secure investor data room platform for founders. In the context of GDPR, PrimeVDR acts as a data processor for personal data that founders (data controllers) collect from their investors through our platform.
Contact us at privacy@primevdr.com.
Founder account data: Email address and name from your authentication provider (Amazon Cognito). Used to identify you and send service notifications.
Investor contact data: Email, name, and firm of investors you invite. Stored on your behalf so we can deliver access links and track engagement. You are the controller of this data.
Engagement events: Page views, dwell time, downloads, heartbeats from investor sessions. Collected to power your engagement analytics. IP addresses are stored only as salted SHA-256 hashes; raw IPs are never persisted.
Documents: PDFs you upload are stored encrypted in Amazon S3 (AES-256 SSE-KMS) and never shared with third parties.
We process founder data on the basis of contract performance (providing the service you signed up for). Investor engagement data is processed on the basis of legitimate interests (providing analytics to the data room owner).
All data is stored in AWS infrastructure (US regions). Data in transit is protected by TLS 1.2+. Documents are encrypted at rest. Secrets are stored in AWS Secrets Manager, never in source code or config files.
Our database uses row-level security (RLS) to enforce strict tenant isolation; one organisation cannot access another's data.
We do not sell or rent personal data. We share data only with:
Investors whose data has been collected by a founder through PrimeVDR may request erasure of their personal data. We support GDPR erasure by nulling PII (name and email) on the recipient record while preserving the anonymised, hashed audit trail.
Founders may also delete investor records at any time from their room settings, which triggers automatic deletion of any per-recipient document derivatives.
To exercise data rights, contact privacy@primevdr.com.
Founder account data is retained for the lifetime of your account plus 30 days. Engagement event data is retained indefinitely as an immutable audit log. Investor PII can be erased on request; the audit trail is preserved in anonymised form.
PrimeVDR uses only essential cookies: a session token for authenticated founder sessions, and a short-lived JWT cookie for investor inbox sessions. We do not use third-party analytics or advertising cookies.
We may update this policy. Material changes will be communicated by email to registered founders.