Privacy Policy
Last update: 22 September 2025
This Privacy Policy explains how AstrisNexus processes Personal Data in connection with the use of its Platform. It outlines what data we collect, the purposes for which we use it, and the rights available to Users under the GDPR. Please read it carefully before using our Services.
1. Definitions
Capitalised terms have the meanings given in the AstrisNexus Terms. In addition, the following definitions apply for this Privacy Policy:
Controller: The entity that determines the purposes and means of processing Personal Data.
Data Subject: An identified or identifiable natural person to whom Personal Data relates.
Personal Data: Any information relating to an identified or identifiable natural person.
Processor: The entity that processes Personal Data on behalf of a Controller.
2. Our Data-Protection Principles
AstrisNexus processes Personal Data in accordance with the principles set out in the GDPR. These include lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability; and privacy by design and by default. AstrisNexus applies these principles within its ISO 27001-certified Information Security Management System (ISMS).
3. Role of AstrisNexus
AstrisNexus may act as Controller or Processor, depending on the context:
Controller: AstrisNexus acts as Controller when processing Personal Data of Clients and Users in connection with account creation, billing and payment management, client communications, support, security monitoring, compliance with legal obligations, and usage analysis to improve the Platform. The legal bases for such processing include performance of a contract, legitimate interest, compliance with legal obligations, and, where applicable, consent (e.g., for optional marketing).
Processor: AstrisNexus acts as Processor with respect to Documentation and other data uploaded by Clients to the Platform. In this role, AstrisNexus processes such data solely on the Client’s documented instructions and exclusively for the purpose of providing the Services. This processing is governed by the Data Processing Agreement (“DPA”) between AstrisNexus and the Client.
When AstrisNexus acts as Processor, any rights requests or other communications from Data Subjects will normally be handled by the Client as Controller. AstrisNexus will support the Client in fulfilling such requests in accordance with the DPA.
4. Personal Data We Collect
AstrisNexus collects only the Personal Data necessary to provide and improve the Services, operate the Platform, and meet our legal obligations. This may include:
Account & Identification Data: name, job title, email address, phone number, organisation, and country.
Platform Usage Data: login records, document activity, clickstream interactions, and access history.
Transaction Metadata: sector focus, indicative deal size bracket, and anonymised engagement metrics.
Payment & Billing Data: billing address, VAT number, and transaction confirmation details. (Payment card data is processed exclusively by our accredited payment service provider and is not stored by AstrisNexus.)
Device & Technical Data: IP address, browser type, operating system, crash reports, device identifiers, and language preferences.
Public & Licensed Sources: company registry data (e.g., KvK), sanctions and compliance lists, and commercially licensed datasets.
Cookies & Tracking Technologies: as further described in Section 11.
AstrisNexus does not intentionally collect sensitive (special category) Personal Data. If such data is required, it will only be processed with explicit consent or where legally necessary.
The Platform is not directed at individuals under 18, and AstrisNexus does not knowingly collect their Personal Data.
5. Purposes and Legal Bases for Processing
AstrisNexus processes Personal Data only where a valid legal basis applies. The purposes and corresponding legal bases are:
Service Delivery: To provide and manage the Services, including account management, document generation, matchmaking, and support. (Art. 6(1)(b) GDPR – contract performance).
Security & Abuse Prevention: To monitor system use, detect anomalies, and prevent misuse of the Platform. (Art. 6(1)(f) GDPR – legitimate interest).
Service Improvement & Analytics: To enhance functionality, improve AI-driven outputs, and derive aggregated market insights. This is done without accessing or reusing the contents of Client Documentation. (Art. 6(1)(f) GDPR – legitimate interest).
Legal & Compliance: To comply with statutory obligations, including accounting, tax, anti-money laundering (AML), know-your-client (KYC), and sanctions screening. (Art. 6(1)(c) GDPR – legal obligation).
Communications Monitoring: To track delivery and engagement with service-related emails, ensuring Clients receive important updates. (Art. 6(1)(f) GDPR – legitimate interest).
User Rights: To respond to GDPR rights requests, subject to identity verification. (Art. 6(1)(c) and, where applicable, 6(1)(f) GDPR).
System Notices: To send essential notices about Platform functionality or material changes. (Art. 6(1)(b) GDPR – contract performance).
Marketing (Opt-in): To send newsletters, updates, or invitations where the Client has given consent. (Art. 6(1)(a) GDPR – consent).
6. Automated Decision-Making & AI Transparency
The Platform uses AI modules (Astris™ and Nexus™) to generate draft materials and to suggest potentially aligned Advisors and Investors. Certain features operate in an automated manner; however, Clients always decide whether to act on these outputs, which counterparties to approach, and who may access their Documentation or Engagement Suite.
AstrisNexus does not take legally binding decisions on behalf of any User or Client. All AI outputs are informational only and must be reviewed and validated by the Client. Clients remain solely responsible for exercising their own professional judgment and making final decisions.
AstrisNexus provides a general explanation of the main parameters underlying AI-generated outputs, without disclosing proprietary source code.
7. Sharing & Recipients
AstrisNexus shares Personal Data only where necessary and subject to appropriate safeguards:
Sub-processors: With approved sub-processors (e.g., email, hosting, analytics, and support providers) under written agreements that meet GDPR requirements. A current list is maintained in our Trust Centre.
Payment Providers: With accredited payment service providers for billing and payment processing. Payment card data is handled exclusively by these providers under PCI-DSS standards.
Matched Advisors and Investors: With selected Advisors or Investors, but only after NDA acceptance and with the Client’s explicit authorisation via the Platform.
Corporate Transactions: As part of a merger, acquisition, or transfer of AstrisNexus’s business or assets, subject to confidentiality protections.
Legal Obligations: With regulatory, supervisory, or judicial authorities where disclosure is required by law.
Group Companies: If AstrisNexus operates across multiple legal entities, such entities may act as joint controllers. AstrisNexus B.V. remains the primary point of contact for all data subject rights.
AstrisNexus does not sell or trade identifiable Personal Data.
The Platform may contain links to third-party websites. AstrisNexus is not responsible for the privacy practices of such third parties and encourages Users to review their privacy policies before providing Personal Data.
8. International Transfers
AstrisNexus processes Personal Data within the European Union and may, when deemed appropriate, engage trusted providers outside the EU. Where such transfers occur, they take place only under lawful mechanisms and with appropriate safeguards:
EU–US Data Privacy Framework: For recipients certified under the EU–US Data Privacy Framework.
Standard Contractual Clauses (SCCs): For other third-country recipients, supplemented with additional safeguards where required.
A current list of sub-processors and their data locations is maintained in the AstrisNexus Trust Centre.
9. Retention & Deletion
AstrisNexus retains Personal Data only for as long as necessary to provide the Services, meet contractual obligations, or comply with legal requirements. Specific retention practices include:
Client Data: Active account data is deleted within 14 days of a confirmed deletion request.
Backups: Redundant backups are automatically purged within 90 days.
Audit Logs: Technical and security logs (hashed or otherwise anonymised) are retained under Art. 6(1)(f) GDPR – legitimate interest for monitoring, forensic, and compliance purposes.
Marketing Data: Removed without delay upon opt-out or withdrawal of consent.
Financial Records: Retained for seven (7) years to comply with statutory accounting and tax obligations under Dutch law.
Clients may request account deletion at any time via the Platform or by contacting [email protected].
Documentation or Opportunities already disclosed to Advisors or Investors via the Platform are outside AstrisNexus’s control. Clients remain responsible for the retention or deletion of such information once disclosed.
10. Security
AstrisNexus maintains an ISO 27001-certified Information Security Management System (ISMS) and applies technical and organisational measures appropriate to the risks associated with processing Personal Data. These include:
Encryption of data at rest and in transit.
Least-privilege access controls to limit data access strictly to authorised personnel.
Multi-factor authentication for administrative and support environments.
Regular penetration testing and continuous monitoring of the Platform.
Confidentiality and training: all personnel with access to Personal Data are bound by confidentiality undertakings and receive regular information-security training.
While AstrisNexus takes reasonable steps to protect Personal Data, no system can guarantee absolute security. Each User remains responsible for maintaining the confidentiality of its own login credentials, devices, and local security measures.
For contractual uptime commitments and force-majeure exclusions, please refer to the T&C.
11. Cookies & Analytics
The Platform uses cookies and similar technologies to support functionality and improve the user experience. These include:
Essential Cookies: Required for core functionality (e.g., session management such as astris_session). These cannot be disabled.
Analytics Cookies: Used to analyse Platform usage and improve performance (e.g., astris_anon). These are only set with the User’s consent.
Marketing Cookies: Used for third-party analytics and marketing integrations (e.g., Google Analytics). These are only set with the User’s consent.
Non-essential cookies are set only after the User clicks “Accept” in the cookie banner. Consent can be withdrawn at any time through the cookie settings in the Platform or via the User’s browser.
Further details are provided in our Cookie Notice.
12. Your Rights
Users have the following rights under the GDPR in relation to their Personal Data:
Access: to obtain confirmation whether their data is being processed and to receive a copy.
Rectification: to request correction of inaccurate or incomplete data.
Erasure: to request deletion of data where no legal basis for retention applies.
Restriction: to request limited processing under certain conditions.
Objection: to object to processing carried out on the basis of legitimate interests or for direct marketing.
Portability: to receive their data in a structured, commonly used, machine-readable format and transmit it to another Controller.
Consent withdrawal: to withdraw consent at any time, where processing is based on consent.
AstrisNexus may require reasonable proof of identity before acting on a request. Responses are provided within one (1) month of receipt. This period may be extended by up to two (2) further months where necessary due to complexity or volume, in which case Users will be informed of the extension.
13. Complaints
Data Subjects may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if they believe their Personal Data has been processed unlawfully.
14. Contact
AstrisNexus B.V.
Strawinskylaan 3051
1077 ZX Amsterdam
The Netherlands
Email: [email protected]
AstrisNexus has not appointed a Data Protection Officer, as it does not meet the thresholds under the GDPR. A designated privacy lead is available at the above contact address for any questions, requests, or concerns regarding this Privacy Policy or the processing of Personal Data.
15. Changes
AstrisNexus reviews this Privacy Policy at least annually and updates it when material changes to processing occur. Users will be notified of material changes at least thirty (30) days in advance, via the Platform or by email. Minor clarifications or administrative updates may be made without prior notice. Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.
If a Client does not agree to the changes, it may terminate its account in accordance with the Terms.
