TheSeattleFund Data Protection Policy
Last Updated: 08/14/2025
1. Purpose
TheSeattleFund (“we,” “our,” “us”) is committed to protecting the confidentiality, integrity, and availability of all personal and business data we process. This policy outlines our responsibilities and the measures we take to safeguard data in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable laws.
2. Scope
This policy applies to:
- All employees, contractors, and third-party service providers who process personal data on behalf of TheSeattleFund.
- All data processing activities involving investors, partners, investee companies, and website visitors.
3. Principles of Data Protection
We adhere to the following principles:
1. Lawfulness, Fairness & Transparency – Data is processed lawfully and transparently.
2. Purpose Limitation – Data is collected for specific, explicit, and legitimate purposes.
3. Data Minimization – Only the minimum amount of personal data required is collected.
4. Accuracy – Personal data is kept accurate and up to date.
5. Storage Limitation – Data is retained only as long as necessary.
6. Integrity & Confidentiality – Data is processed securely to prevent unauthorized access, loss, or damage.
7. Accountability – We maintain records and demonstrate compliance with data protection laws.
4. Categories of Data Collected
- Personal Identification Information: Name, contact details, government-issued ID.
- Financial Information: Bank details, payment information, investment records.
- Technical Data: IP addresses, device identifiers, browser data, cookies.
- Business Information: Company details for invested businesses.
5. Data Security Measures
We employ:
- Encryption for data at rest and in transit.
- Secure servers with firewall and intrusion detection systems.
- Multi-factor authentication (MFA) for system access.
- Role-based access controls that ensure only authorized personnel can access sensitive data.
- Regular security audits and vulnerability scans.
- An incident response plan for data breaches.
6. Data Subject Rights
Individuals can:
- Access their data.
- Request corrections or deletion.
- Restrict processing.
- Object to certain processing activities.
- Request data portability.
- File a complaint with a supervisory authority.
7. Third-Party Processing
We only engage third-party processors that:
- Provide sufficient guarantees of security and compliance.
- Sign a Data Processing Agreement (DPA).
8. Data Breach Response
In the event of a data breach:
1. Contain and assess the breach immediately.
2. Notify the relevant supervisory authority within 72 hours if required by law.
3. Inform affected individuals without undue delay if there is a high risk to their rights.
4. Document all incidents for compliance records.
9. Training & Awareness
All personnel handling personal data must:
- Complete data protection training.
- Follow secure handling procedures.
- Report suspicious activity immediately.
10. Policy Review
This policy is reviewed annually and updated as needed to reflect regulatory changes or operational adjustments.