Your data, your control

Ven, Inc. is a Delaware corporation with its principal office at 6900 E Green Lake Way N Apt 244, Seattle, WA 98115-5499, United States. Ven operates Ven Marketplace (vencover.com and related services), a software platform that introduces and helps coordinate communication between energy and infrastructure project owners, capital providers, and risk-transfer providers.

For the purposes of the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”), Ven is the controller of personal information about visitors and account holders. With respect to project content, documents, and communications submitted by an organization (a “Customer”), Ven acts as a processor on the Customer's behalf. For Customers subject to GDPR, UK GDPR, or other comparable privacy laws, Ven will execute its standard Data Processing Addendum upon request.

Ven Marketplace is a private, business-to-business platform. Account creation requires submission of a registration request, and access to the marketplace is granted only after Ven's administrators review and approve your organization (see our Terms of Service for details).

This Policy applies to personal information we process in connection with the Ven Marketplace platform, our marketing pages, and any related communications. It applies worldwide. Where a regional law gives you additional rights — for example, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), the GDPR, the UK GDPR, Brazil's LGPD, or Canada's PIPEDA — those rights are addressed in the regional addenda below.

3.1 Account & identity information.

We use Clerk to provide authentication. When you create an account we receive your name, work email, password hash, multi-factor authentication factors (where enabled), and login event metadata. We do not store passwords in plain text.

Sign in with Google. If you choose to sign in with Google, we receive your name, email address, profile picture, and a unique Google account identifier from Google through our authentication provider (Clerk). We request only the basic identity scopes (openid, email, and profile). We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service data. Ven's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3.2 Organization & profile data.

When you join or create an organization on the platform we collect your role, the organization name, member list, and profile details you choose to provide.

3.3 Project & document content.

You may upload documents, project facts, milestones, and other content. Files are stored in isolated, per-project folders on Box.com under access tokens scoped to the project. Document version history is preserved.

3.4 Communications.

We process the discussions, messages, and form submissions you send through the platform. Messages may pass through admin moderation before delivery. We retain a soft- deleted copy of messages and document versions for audit-trail purposes (see Section 7).

3.5 Usage, device, and log data.

We automatically collect IP address, user-agent, referrer, pages visited, in-product events, performance metrics, and crash data. We use this to operate, secure, debug, and improve the Service. Form submissions are logged with IP and user-agent for audit purposes.

3.6 Cookies and similar technologies.

We use a small number of categories:

• Strictly necessary — set by Clerk to keep you signed in and to protect the session. The platform cannot function without these.
• Functional — remember preferences such as the active organization.
• Analytics & product improvement — set by PostHog to understand how the platform is used. PostHog is configured with person_profiles: ‘identified_only’ so anonymous visitors are not given persistent profiles.
• Session replay — PostHog session recording is enabled in production with input masking turned on (maskAllInputs: true) and a global mask selector ([data-ph-mask]) that lets us redact sensitive UI regions. Replays are used for debugging and product research; they are not used for advertising or sold to third parties.

Most browsers let you block or delete cookies. Blocking strictly-necessary cookies will break sign-in. We honor Global Privacy Control (“GPC”) signals where applicable.

• To provide, operate, secure, and improve the Ven Marketplace platform.
• To enforce organization-scoped access (RLS), audit access to documents, and detect abuse.
• To send transactional emails (sign-in, invites, project updates).
• To power AI features (research assistant, document summarization, semantic search) on an isolated per-project basis. Each project has its own Google Gemini FileSearchStore index; queries are scoped to a single project and do not cross project boundaries. Document content is processed transiently for each inference request. Long-term retention by AI providers is governed by their applicable terms (today, Google's Generative AI standard terms, which include short-term abuse-monitoring logs); we are migrating to a Zero-Data-Retention enterprise tier as described in our /security roadmap. We do not, and we contractually prohibit our AI sub-processors from, using Customer Content to train or fine-tune foundational models.
• To provide customer support and respond to your inquiries.
• To comply with legal obligations, enforce our agreements, and protect the rights, property, and safety of Ven, our users, and the public.
• With your consent or at your direction (for example, when you choose to share a project with a counterparty).

When the GDPR or UK GDPR applies, we rely on the following legal bases: (a) performance of a contract with you or your organization; (b) our legitimate interests in operating, securing, and improving the Service, fighting fraud, and developing our business, balanced against your rights; (c) your consent where required (for example, certain optional cookies); and (d) compliance with a legal obligation.

6.1 Service providers / sub-processors.

We share information with vendors that help us run the Service, under written contracts that restrict their use of the data. The current list is published on /security and includes (without limitation) Vercel (hosting and edge), Supabase (database), Clerk (authentication, including Google identity sign-in), Box.com (document storage), Google Cloud / Gemini (AI processing and per-project FileSearchStore vector indexes), SendGrid (transactional email), PostHog (product analytics and session replay), and Upstash (edge rate-limiting). We will provide reasonable advance notice before adding a material new sub-processor.

6.2 Marketplace counterparties.

The platform is a marketplace. When you choose to participate in a discussion, share a project, or transact with another organization on the platform, the personal and project information you choose to share will be visible to the participants in that discussion or transaction.

6.3 Licensed third parties.

Ven is a software and solutions provider. We do not hold an insurance broker, producer, MGA/MGU, surplus lines, reinsurance intermediary, securities, investment- adviser, or banking license. Any regulated activity (such as insurance placement, binding, underwriting, securities offering, capital markets distribution, or investment advice) is performed by independent, separately licensed third parties brought into a transaction as and when applicable. When you engage a licensed third party through the platform, the information you share with them is governed by their own privacy practices.

6.4 Legal, safety, and compliance.

We may disclose information if we believe in good faith it is necessary to comply with applicable law, valid legal process (including subpoenas and court orders), governmental requests, or to protect the rights, property, or safety of Ven, our users, or others.

6.5 Corporate transactions.

In connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, personal information may be transferred to a successor or affiliate, subject to this Policy or a successor policy with materially equivalent protections.

We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Messages and document versions are soft-deleted with audit-trail preservation, consistent with the practices described on /security. When you ask us to delete your information we will do so subject to retention required by law and our legitimate-interest record-keeping (for example, defense of legal claims).

We implement administrative, technical, and physical safeguards designed to protect personal information, including database-level row-level security (RLS), TLS 1.3 in transit, AES-256 at rest, server-side processing of secrets, role-based access control, and rate limiting. The current control set, sub-processors, and compliance roadmap are documented at /security. No security program is perfect. You are responsible for keeping your credentials confidential.

Ven is based in the United States and our infrastructure providers operate primarily from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. Where required for transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the technical measures described on /security.

Depending on where you live, you may have the right to (a) access the personal information we hold about you, (b) correct inaccurate information, (c) request deletion, (d) request portability of certain information, (e) object to or restrict certain processing, (f) withdraw consent where processing is based on consent, and (g) opt out of any “sale” or “sharing” (we do neither). You can exercise these rights by emailing daphne@vencover.com. We may need to verify your identity before responding. We will not discriminate against you for exercising a privacy right.

You may also authorize an agent to make a request on your behalf, subject to verification. If we deny your request, you may appeal by replying to our denial.

11.1 California (CCPA / CPRA).

In the prior 12 months we have collected the following categories of personal information about California residents: identifiers (name, email, IP address); commercial information (transaction history); internet/network activity (browsing and event data); professional/employment information (role, organization); and inferences derived from the above. We use the categories for the business purposes described in Section 4 and we share them with the categories of recipients in Section 6. We do not sell or share personal information for cross-context behavioral advertising. California residents may exercise the rights described in Section 10 and may submit a verifiable consumer request via daphne@vencover.com. We honor Global Privacy Control signals where technically feasible.

11.2 EEA, United Kingdom, and Switzerland (GDPR / UK GDPR).

The legal bases on which we process personal information are described in Section 5. You have the right to lodge a complaint with your local supervisory authority. Ven does not currently maintain an establishment in the EU or UK; we will appoint a representative under Article 27 GDPR (and the equivalent UK provision) when required.

11.3 Brazil (LGPD).

Data subjects in Brazil have the rights set out in Article 18 of the LGPD, which broadly track the rights described in Section 10.

11.4 Canada (PIPEDA).

Individuals in Canada may submit access and correction requests via daphne@vencover.com.

The Ven Marketplace platform is a business-to-business service intended for use by individuals who are at least 18 years old and acting on behalf of an organization. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact daphne@vencover.com and we will delete it.

We may update this Policy from time to time. When we do, we will revise the “Last updated” date above. If the changes are material, we will provide additional notice (for example, an in-product banner or an email to your account address). Your continued use of the Service after the new Policy takes effect constitutes acceptance of the updated Policy.

For questions about this Policy or to exercise a privacy right: