EPIC Alliance

01 — Data Controller

Who we are

EPIC Alliance is operated by Cristelle Bretnacher, based in Luxembourg (company registration in progress). EPIC Alliance provides organisational assessment and investor visibility tools to early-stage ventures through two products: EPIC Compass and EPIC Connect.

EPIC Alliance acts as the data controller for all personal data collected through its services, as defined under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").

Contact:
EPIC Alliance · Cristelle Bretnacher
Luxembourg
team@epic-alliance.io

A formal Data Protection Officer (DPO) has not yet been appointed. Privacy enquiries should be directed to the contact address above.

02 — Data Categories

Data we collect

We collect only the data necessary to provide our services. The table below sets out each category, why we collect it, and the legal basis under GDPR.

| Data | Service | Purpose | Legal basis |
|---|---|---|---|
| Email address | Compass & Connect | Account creation, magic link authentication, delivery of assessment results | Contract: Art. 6(1)(b) — necessary to provide the service |
| Phone number | Compass only | Optional contact detail stored in organisation profile | Consent: Art. 6(1)(a) — collected only if voluntarily provided |
| Assessment results & EPIC scores | Compass | Generation of the stage-calibrated leadership report (51 KPIs across 4 pillars) | Contract: Art. 6(1)(b) — core service delivery |
| Organisation profile (investor-visible) | Connect | Visibility to vetted investors when the organisation explicitly activates this feature | Consent: Art. 6(1)(a) — explicit opt-in required; off by default |
| Benchmark consent status | Compass (email gate) | Recording whether the organisation has consented to inclusion of anonymised scores in aggregated benchmark reports | Consent: Art. 6(1)(a) — separate opt-in checkbox (being implemented) |

What we do not collect: We do not collect payment information, government-issued identifiers, special category data (Article 9 GDPR), or any data from minors. We do not use behavioural tracking, analytics pixels, or advertising identifiers.

03 — Sub-Processors

Our data processors

We share your data only with the service providers listed below, who process it in accordance with their respective standard Data Processing Agreements and contractual terms.

Supabase Inc.

Database · Authentication · Magic link emails

Your data is stored on Supabase infrastructure located in the EU region (Paris or Dublin). Supabase Inc. is a US-based company; its US engineering and support teams may access data for operational purposes. This access is governed by Supabase's Standard Contractual Clauses (SCCs) under GDPR, ensuring an adequate level of protection. No broad international transfer applies to your stored data, which remains in the EU.

Database URL: ryuwkgonpzjbqxvaldkz.supabase.co

Netlify Inc.

Hosting · Content Delivery Network (CDN)

EPIC Alliance websites are hosted on Netlify, a US-based provider. Netlify serves static files (HTML, CSS, JavaScript) and does not process your personal assessment data. Netlify's CDN may process your IP address and browser metadata transiently to serve content. Netlify complies with applicable data protection requirements for US-based hosting providers operating under SCCs.

Deployment: snazzy-creponne-661dad.netlify.app

Brevo (Sendinblue SAS)

Email delivery · SMTP relay

All transactional emails sent by EPIC Alliance — including magic links, account confirmation emails, and password-related communications — are routed through Brevo's SMTP relay (smtp-relay.brevo.com). Brevo acts as a data processor on our behalf and does not use your email address for its own marketing purposes. Brevo (Sendinblue SAS) is a French company headquartered in Paris; your data remains within the EU under GDPR. The domain epic-alliance.io is authenticated with Brevo via DKIM and SPF.

Sender address: EPIC Alliance <hello@epic-alliance.io>

We do not use third-party email marketing platforms. All transactional emails are triggered by Supabase Auth and delivered via Brevo SMTP. We will update this list if we engage additional processors and will notify you as required by GDPR.

04 — Data Retention

How long we keep your data

| Data | Retention period |
|---|---|
| Email address | 3 years from the date of last activity, or until account deletion is requested — whichever is earlier |
| Phone number | 3 years from the date of last activity, or until account deletion is requested — whichever is earlier |
| Assessment results & EPIC scores | Retained while the account is active. Deleted promptly upon a verified erasure request (see Section 6) |
| Organisation profile (investor-visible) | Retained while investor visibility is enabled and the account is active. Immediately removed from investor view upon opt-out; deleted from our systems on account deletion |
| Benchmark consent record | Retained for as long as anonymised data derived from the relevant assessment is used in benchmark outputs. The record is deleted no later than 30 days after the associated assessment data is fully removed from benchmark datasets. Consent may be withdrawn at any time — see Section 9 |

05 — Sharing & Disclosure

Who we share your data with

Investors (EPIC Connect)

Your organisation profile and assessment scores are never visible to investors by default. Visibility is controlled by a dedicated toggle within your account (opt_in setting, off by default). Only organisations that have explicitly activated this feature will appear in the investor discovery interface. You may withdraw visibility at any time from your account settings.

Benchmark reports

EPIC Alliance intends to produce and sell aggregated benchmark reports. These reports use only anonymised and aggregated data from organisations that have given separate, explicit consent for this purpose (see Section 9). No individual organisation is ever identifiable in any published benchmark output. Data from organisations that have not given benchmark consent is never included.

Legal obligations

We may disclose personal data if required to do so by applicable law, court order, or regulatory authority. We will notify you of any such disclosure to the extent permitted by law.

We do not sell, rent, or trade personal data to any third party for their own marketing or commercial purposes. Ever.

06 — GDPR Rights

Your rights

Under GDPR, you have the following rights in relation to your personal data. All requests should be sent to team@epic-alliance.io. We will respond within 30 days.

Right to lodge a complaint

If you believe your data has been processed unlawfully or your rights have not been respected, you have the right to lodge a complaint with the Luxembourg supervisory authority:

Commission Nationale pour la Protection des Données (CNPD)
www.cnpd.lu
15, Boulevard du Jazz · L-4370 Belvaux · Luxembourg

We encourage you to contact us first at team@epic-alliance.io so we can resolve any concern directly and promptly.

07 — Cookies

Cookies and local storage

EPIC Alliance uses session cookies only, set automatically by Supabase Auth to maintain your authenticated session. These cookies are strictly necessary for the service to function and do not require your consent under the ePrivacy Directive.

We do not use:

  • Analytics or tracking cookies (no Google Analytics, Hotjar, Mixpanel, etc.)
  • Advertising or retargeting cookies
  • Third-party social media cookies
  • Persistent fingerprinting technologies

We also use browser localStorage to store data locally on your device during and after the assessment flow. This is persistent browser-local storage — it is not a cookie, not transmitted to third parties, and not used for tracking. The following data may be stored in localStorage until you clear your browser storage or complete the email gate flow (at which point scores are cleared):

  • Email address
  • Phone number (if provided)
  • Name and founder name
  • Organisation / company name
  • City, country, sector
  • Pillar scores (E, P, I, C), assessment answers, stage index
  • Opt-in status and assessment progress flags

None of this data is shared with advertisers, analytics providers, or any third party. It is used solely to carry your progress through the assessment flow across pages.

If we introduce analytics or any non-essential cookies in the future, we will update this policy and implement a consent mechanism before activation.

08 — International Users

Users outside the EEA

General

EPIC Alliance is established in Luxembourg and processes personal data in accordance with the GDPR and Luxembourg law. By using our services, users located outside the European Economic Area (EEA) acknowledge that their personal data will be processed under Luxembourg law and the GDPR framework, which may differ from the data protection laws of their country of residence.

California residents — CCPA notice

If you are a California resident, the California Consumer Privacy Act (CCPA) may grant you additional rights, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information.

We do not sell personal information. The rights of access, deletion, and portability described in Section 6 of this policy are available to California residents on an equivalent basis. To exercise any of these rights, contact team@epic-alliance.io.

09 — Commercial Use of Data

Benchmark programme

EPIC Alliance intends to produce and sell aggregated benchmark reports providing market-level intelligence on organisational maturity across the EPIC ecosystem. These reports are a separate commercial activity from the EPIC Compass assessment service.

How it works:

  • Participation in the benchmark programme is entirely voluntary.
  • Consent is collected via a separate, unchecked opt-in checkbox at the Compass email gate — it is never bundled with acceptance of Terms or this Privacy Policy (Article 7(4) GDPR).
  • The legal basis for this processing is consent (Article 6(1)(a) GDPR).
  • Only data from consenting organisations is included in benchmark datasets.
  • All benchmark outputs are fully anonymised and aggregated. No individual organisation, score, or profile is identifiable in any published report.
  • Declining benchmark consent has no impact on access to your EPIC Compass report or any other feature.

Withdrawing consent: You may withdraw your benchmark consent at any time by contacting team@epic-alliance.io. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Where withdrawal is received after anonymised data has already been incorporated into a published aggregate report, removal from that specific published output may not be technically possible — however, your data will be excluded from all future benchmark processing.

10 — Policy Updates

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or service features. When we make material changes, we will notify you by email at the address associated with your account at least 14 days before the changes take effect. The updated policy will also be published on this page with a revised effective date.

For non-material updates (corrections, clarifications, formatting), we will update the page without individual notice but will revise the effective date.

Your continued use of EPIC Alliance services following notification of material changes constitutes your acknowledgment of the updated policy. If you do not agree to material changes, you may request account deletion at any time by contacting team@epic-alliance.io.