Startium (Varsity Ventures Ltd) respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website or use one of our software applications (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

This privacy policy is made up of the following sections:

• Who we are and our approach to personal data
• The personal data we collect about you
• How your personal data is collected
• How we use your personal data
• Disclosures of your data
• International Transfers
• Data Security
• Data Retention
• Third party sites
• Your rights
• Cookie statement
• Changes to this Privacy Policy

Who we are and our approach to personal data

Varsity Ventures Ltd is registered in Northern Ireland with company number NI679551 and our registered office Unit 143 North City Business Centre, 2 Duncairn Gardens, Belfast, Northern Ireland, BT15 2GG.

We trade under the brand name of ‘Startium’ throughout this policy, but at all times are making representations and commitments as the legal entity Varsity Ventures Ltd (in full compliance with the Companies (Trading Disclosure) Regulations 2008).

All references to ‘our’, ‘us’ or ‘we’ within this policy are deemed to refer to Startium, our subsidiaries or affiliates. Startium is the data controller for this website and has responsibility for the proper functioning of our suite of software products. If you are a user of one of our software products, you are only able to be a user because we have been asked by your organisation (university, college or support org), also known as our ‘Platform Partner’ to grant you access. Therefore, we act as a data processor for any personal data about you provided by you or your organisation (our ‘Platform Partner’) who is responsible as your data controller.

We have appointed Christopher Shannon, Director of Startium as our Data Protection Officer for the company. He is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights as explained below please contact us at this email address: chris.shannon@startium.co.uk

This Privacy Policy governs the processing of personal data which is collected by Startium during its operations. It aims to give you information on how we collect and process your personal data through your use of our software products, use of this website, and use of any platform or tools we provide for your use. It includes any data you may provide when you register with us and take a username and operate an account with us.

It also describes the choices available to you regarding our use of your personal information and how you can access and update this information. Startium operates in accordance with the latest data protection principles enshrined in Article 5 of the General Data Protection Regulation (EU) 2016/679 as these are applied in the UK[1] – including the principles of purpose-limitation, storage-limitation, data accuracy, data security and integrity and data minimisation.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

The personal data we collect about you

We collect personal and non-personal data from you when you use our Services. Personal Data is data that includes a personal identifier like your name, email or address, phone number, IP address or device identifier, or is data that could reasonably be linked back to you. It also may include demographic information, geolocation information, educational information, or commercial information as described below.

• Identity Data includes first name, last name, username or similar identifier and title.
• Contact Data includes address, delivery address if different, email address, social media handles and telephone numbers.
• Commercial Data includes business name, business address, business email address, business status, business type, investment and revenue data, employment data, business plans, website URL, social media handles and telephone numbers.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Profile Data includes log-on credentials, password, your interests, preferences, support needs, feedback and survey responses (to the extent we utilise these from time to time).
• Usage Data includes information about how you use our website and the tools within out suite of software products.
• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific tool or feature on one of more of software products. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How your personal data is collected

We use different methods to collect data from and about you. We collect data as follows:

• During account creation: We receive personal data about you when you create a user account, update your profile, respond to questions, or complete forms on our website or using our software products. We also receive personal data about you from our customers who include universities, colleges and business support organisations.
• From you, your account and your profile: You can choose to share additional information with us, such as a personal and business email address, phone number, business details, commercial information and support needs. You can also share information with us by answering questions about your interests and business plans that will be covered by this Privacy Policy and our Terms of Service. You can also share this information by updating your profile, uploading documents that include personal information, or answering questions or surveys delivered to you via email or presented to you on our software products. We will not use your phone number to send any commercial or marketing messages to you.
• ‍From Platform Partners: Our Platform Partners (Universities, Colleges and Business Support Organisations) share information about members of their entrepreneurial ecosystem (students, alumni, staff, programme participants, businesses, business advisors, contacts and mentors) with us so we can provide them with services that they use to manage their programmes and entrepreneurship services. Each Platform Partner chooses what it shares, which may include your name, mailing and email address, course, graduation date, business details and support needs. The Platform Partner that you are associated with in order to create a profile on any of our software products is the Data Controller for this data and it is only processed by Startium at the Partner’s direction.
• From automated technologies or interactions: As you interact with our website or any of our software products, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie statement included in this privacy policy below for further details.
• From our websites: If you use and interact with our websites, we automatically collect some Personal Data about your device and your usage of our websites through cookies, web beacons or similar technologies. Such Personal Data may be less obvious Personal Data such as your Internet Protocol (IP) addresses or username.
• From Zoom and video conference recordings: Sometimes personal data is taken from video calls. Recordings will then be stored securing and after two weeks of inactivity (views) the default position is that they are then permanently deleted. Unless consent has been collected to retain recordings for a longer period of time or indefinitely.
• From surveys and testimonials: We may in future use surveys. The aim is to only receive and process the Personal Data about you that you choose to provide in any kind of survey or that you kindly provide as publishable feedback through a testimonial or commendation placed on our website. We only use this information to make our company more effective.

How we use your personal data

We will only use your personal data when the law allows us to. We have set out in the table below all the ways we are allowed to process your personal data under the GDPR, followed by a summary of the key “lawful bases” which apply most to Startium.

Processing Personal Data under Data Protection Law: The 6 Lawful Bases

Consent
Contractual Necessity
Legal Obligations
Vital Interest
Public Interest
Legitimate Interests

We use, process and store your Personal Data to provide the services outlined in our Terms of Use and to connect you with support, events and opportunities relevant to you, your business and your support needs. Our lawful bases for processing your data and the purpose for processing it is as follows:

To fulfil our contract with you: By creating an account on one of our software products, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for your use of our software products and for the performance of your agreement with Startium including:

• Providing services such as allowing you to make appointments with university staff and/or business support professionals, to provide you with suggested events and opportunities that are relevant to you and your business, engage with platform partner resources, and so on.
• Delivering notifications about events, opportunities and important communications from platform partners by email in accordance with your account settings and communication preferences.

With your Consent: For some uses, we will obtain consent from you to provide additional services. Such uses include:

• Allowing you to choose to share your profile publicly, with other users and to be introduced using the profile information you have set as public information.
• Contacting you about additional features or Platform Partner services you might be interested in.
• Personalising tools that make up our software products. For example, we may suggest opportunities or events to you based on the business, education or the demographic information you provide.

For our legitimate interests: Processing of your personal data may also be necessary for the pursuit of our legitimate interests – but only where the processing is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interests. Examples are:

• Processing your data along with other users’ data to provide activity and engagement reports to Platform Partners.
• Researching new ways to improve our software products.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Disclosures of your data

With respect to personal data, we will only share your personal data with third parties under the following circumstances:

• With your consent. For example, you may choose to make your profile public so that your associated Platform Partner (university, college or business support organisation) can introduce you to contacts and mentors or so you can appear in a directory of users from multiple Platform Partners visible to all public users and Platform Partners.
• With your associated Platform Partner. To have an account on any of our software products, you need to be associated with one of our Platform Partners. We share all information with your associated Platform Partner so that they and we together can provide services to you. Your associated Platform Partner is also a Controller of the Data collected through our software products.
• With vendors that are contractually engaged to provide us with services, such as cloud service providers and other services for maintaining our systems, email management and analytics. Also, software developers, IT support service providers, business advisors, legal specialists and third-party tools which track user behaviour across our suite of software products. These companies are obligated by contract to safeguard any personal data they receive from us.

See below the third-party vendors used by Startium:

With respect to non-personal data, which is data that itself cannot reasonably be linked back to you or data that is combined with other data in a way that cannot reasonably be linked back to you. We use and share your non-personal, de-identified or aggregated data in a variety of ways to help our Platform Partners and the public understand trends in entrepreneurship and new venture creation through analytics reports, statistics and other metrics and guides. For example, to understand:

• What percentage of new ventures from certain university are started by undergraduates.
• Whether a certain course or programme is producing more sustainable businesses than others.
• How popular certain event and opportunities are at different stages of the business start up journey.
• How many introductions have been made over a selected period of time to different support organisations within a specific partners’ ecosystem.

If we are involved in a merger, reorganization, dissolution or other fundamental corporate change, we will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party.

Additionally, Startium may share such anonymous usage data on an aggregate basis in the normal course of operating our business for example, we may share information publicly to show trends about the general state of the university and higher education sectors or the uptake in our products and tools over a sustained period of time.

International Transfers

Startium stores the personal data described in this Privacy Policy inside the UK and in the European Economic Area (“EEA”). We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, GDPR and UK GDPR at all times.

Our software products use a range of established international service providers to operate our services, some of whom may carry out processing outside of the EEA. We ensure through our supplier contracts that if data is exported then it is protected to the standards required by UK legislation. If you would like more details on this, please contact our appointed Data Protection Officer at chris.shannon@startium.co.uk

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Startium follows industry leading security procedures that meet the ten steps to cyber security outlined by the UK government. All data processed by Startium is encrypted at rest and in transmission. Startium uses TLS 1.2 or above for data in transmission and AES 128 or higher for data at rest.

Startium uses security certificates as far as possible for all development tasks, any locally stored passwords used for user authentication follow OWASP guidelines. Every build of the platform is checked against the OWASP guidelines and a database of known/common web vulnerabilities.

Data Retention

We will retain User Provided data for as long as you use our software product and for a reasonable time thereafter. We will retain Automatically Collected information for up to 24 months and thereafter may store it in aggregate for the purpose of analytics and our legitimate business interests. If you’d like us to delete User Provided Data that you have provided via one or more of our software products, please contact our Data Protection Officer at chris.shannon@startium.co.uk

Please note that some or all of the User Provided Data may be required in order for our software products to function properly. As a corporately responsible business, mindful of the data protection principle of storage-limitation and data-minimisation, we perform a disposal and archiving exercise at least once per annum, at which all data sets will be reviewed and obsolete data will be deleted from our systems (including our back up facilities).

Third party sites

Our websites contain links to other websites operated by third parties. Please note that this Privacy Policy applies only to the personal information that we collect through our sites or services, and we cannot be responsible for personal information that third parties may collect, store and use through their website. Please check their individual policies before you submit any information to those websites.
Your rights

You have certain rights in respect of your personal information:

• The right of access to your personal data;
• The right to correct or rectify any inaccurate personal data;
• The right to restrict or oppose processing of personal data;
• The right to erase your personal data; and
• The right to personal data portability and
• The right to lodge a complaint with the relevant Supervisory Authority.

When Startium processes your data at the direction of your associated Platform Partner we act as their Processor and comply with requests they send us. You become a user of Startium by agreeing to this Privacy Policy and our Terms of Use..

You may contact our Data Protection Officer with questions or requests regarding your personal information. Please note that we may request additional information from you to verify your identity before we disclose any personal or account information.

Cookie Statement

Startium uses (i) Strictly necessary (essential) (ii) Functional (iii) and Analytical (measuring performance) types of cookies.

Cookies may be delivered by us directly to you (first-party cookies) or delivered by one of our partners. Cookies can be either session cookies or persistent cookies. Session cookies enable sites to recognise and link the actions of a user during a browsing session and expire at the end of each session. Persistent cookies help us recognise you and these are stored on your system or device until they expire, although you can delete them before the expiry date.

We also use web beacons on our websites and in email communications. For example, we may place web beacons in marketing emails that notify us when you click on a link in the email that directs you to one of our websites. Such technologies are used to operate and improve our websites and email communications.

We use cookies for the following reasons:

For our products:

• To help us improve End Users’ experience
• To fulfil API calls and integration requests to connect to various accounts
• To help with data protection and spot fraudulent activity

For our websites:

• To remember preferences and settings
• To identify errors on the site and assess performance
• To help us understand traffic data relating to our site, e.g. time and date of visit

Opt-Out from the setting of cookies on your individual browser
Where available, you may opt-out from the collection of non-essential device and usage data on your web browser by managing your cookies at the individual browser level.

While some internet browsers offer a “do not track” or “DNT” option that lets you tell websites that you do not want to have your online activities tracked, these features are not yet uniform and there is no common standard that has been adopted by industry groups, technology companies or regulators.

In light of changes to cookies practices in 2021 (with respect to the disablement of third-party cookies on some browsers) we include below an updated list of the more popular browser types with hyperlinks showing how to adapt their cookie settings accordingly:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Microsoft Internet Explorer
• Apple Safari

Changes to this Privacy Policy

This Privacy Policy was last updated on 30th June 2023.

[1] As transposed by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 – otherwise known as UK GDPR.