
Privacy Policy

Last updated: 1 June 2026

This is a working English translation. The binding version is the German Datenschutzerklärung.

General

We process personal data only insofar as this is necessary for the operation of our website and app, enquiries, user accounts, profiles, Cora Score, matching, intros, Cora's Circle, awards, communication, documentation of the success fee or legal obligations. We do not sell personal data. On the pure marketing website, we currently use no marketing cookies and no third-party analytics services. For profiles and matches, selected profile, score, contact and status data may become visible to other participants. You should therefore only share confidential information if you really want to share it.

1. Controller

Until the planned company is formally registered, the following persons are currently responsible for the data processing:

Florian Müller
Caroline Klinger
Stuwerstraße 28/23-24
1020 Vienna
Austria

Email: privacy@cora.community

Cora is in its formation phase. After registration of the planned Flexible Company (FlexKapG, "FlexCo"), these details will be supplemented with the company name, commercial register number, register court, VAT number and management.

When we refer to "Cora", "we" or "us", we mean the controllers named above or, after registration, the then-responsible company.

A data protection officer is not legally required and has not currently been appointed. Please direct data protection enquiries to privacy@cora.community.

2. Scope and data processed

This privacy policy applies to the Cora website, the mobile or web-based app, registration forms, user accounts, profiles, Cora Score, Cora Verified, Cora's Circle, matching, intros, pitches, feed, insight, update, award, communication and documentation functions, and to the associated Cora services under cora.community and its subdomains (e.g. onboarding.cora.community, platform.cora.community, academy.cora.community, score.cora.community as well as partner subdomains such as 2m2m.cora.community).

Depending on use, we may process in particular the following data:

  • Technical data, e.g. IP address or shortened IP address, date and time, browser, operating system, page accessed, referrer, error, log and security information.
  • Contact, registration and login data, e.g. name, email address, role, organisation, voluntary message, website/profile/pitch link, and authentication data. With Google Login, in particular name, email address, Google account ID and possibly profile picture may be processed.
  • User account and app data, e.g. user ID, account ID, status, activations, activities, messages, match, intro and consent histories.
  • Startup, pitch, investor, partner and expert data, e.g. startup name, website, sector, stage, location, team, market, product, technology, traction, KPIs, financing, investment interests, pitch links, documents and updates.
  • Cora Score, AI, classification, badge and matching data, insofar as the relevant functions are used or shared.
  • Data on the success fee, billing and proof, e.g. startup ID, investor ID, match ID, terms version, accepted conditions, transaction status, investment amount, tranche, invoice, payment status and correspondence.

Please do not transmit special categories of personal data, e.g. health data, political opinions, religious beliefs or biometric data, unless this is expressly necessary and legally permissible. If you transmit third-party data to Cora, you must be authorised to do so.

Cora is aimed at an entrepreneurial and professional audience (founders, startups, investors, experts, partners) and not at children. Use requires the necessary legal capacity.

Data about third parties (Art. 14 GDPR): In some functions, you enter personal data about other people, e.g. co-founders, team members or contact persons (such as name, role or title, LinkedIn profile or contact details). We do not receive this data directly from the data subject, but from you. We process it to provide the respective function (e.g. team display, profile, matching, intro). You are responsible for being authorised to transmit it and for informing the data subjects where necessary. Data subjects can exercise their rights under Section 10 at any time via privacy@cora.community; the source of such data is the respective users who enter it.

3. Purposes and legal bases

We use personal data above all for the operation, security and stability of the website, app and platform, processing enquiries, registration and user accounts, profiles, pitches, updates, Cora Score, AI-assisted classification, matching, intros, visibility, Cora's Circle, awards, communication, documentation of consents, review and billing of the success fee, abuse prevention, legal defence and legal obligations.

Processing is based in particular on the following legal bases:

  • Art. 6(1)(b) GDPR, where processing is necessary for pre-contractual measures, the provision of the platform, a user relationship, matches, intros or agreements on the success fee.
  • Art. 6(1)(c) GDPR, where we must comply with legal obligations, in particular retention, accounting, tax or information obligations.
  • Art. 6(1)(f) GDPR, where we pursue legitimate interests, e.g. secure operation, abuse prevention, proof, billing, enforcement of claims, platform quality and product improvement.
  • Art. 6(1)(a) GDPR, where we obtain your consent, e.g. for certain voluntary publications, newsletters or non-essential cookies.

You can withdraw consent at any time with effect for the future. Processing carried out up to the withdrawal remains lawful.

4. Website, login, service providers and AI

When you visit the website, we process technical data so that the website can be displayed, operated securely, errors analysed and abuse prevented.

  • Hosting and delivery: The website and apps are provided via Vercel. Technical connection, log and device data may be processed.
  • Database, authentication and storage: User accounts, profiles and content are stored in a database provided by Supabase; Supabase also handles authentication.
  • Media: Images and videos (e.g. profile pictures, logos, pitch videos) are stored and delivered via Cloudflare Images and Cloudflare Stream. To defend against bots and abuse, we use Cloudflare Turnstile; technical data including the IP address may be processed.
  • Email delivery: We send transactional emails (e.g. confirmations, security notices) via Resend.
  • Marketing emails: Only with your explicit consent (Art. 6(1)(a) GDPR) do we occasionally send you product updates or offers by email (also via Resend). You can withdraw this consent at any time — via the "Marketing emails" toggle in Settings or the unsubscribe link in every such email. Transactional and security emails are unaffected.
  • Rate limiting: To protect against abuse, we use Upstash; short-lived counters based on user ID or IP are processed.
  • Error and security monitoring: For stability and error analysis, we use Sentry. We generally transmit only a pseudonymous user ID and scrubbed error data, no email address.
  • Cookies and consent: Fonts are currently delivered locally or via the infrastructure used by Cora. Across all Cora properties we use a shared cookie consent: your choice is stored in a cora_consent cookie on the .cora.community domain, so it applies to the website and all subdomains (e.g. onboarding., platform.) and the notice isn't shown again; a random identifier cora_anon_id lets a choice made before login be linked to your account. Strictly necessary cookies (e.g. sign-in, security, storing your cookie choice) are always on. Functional preference cookies (e.g. language, appearance, "stay signed in") are set when you use the relevant feature, to remember your settings; they are first-party only and not used for tracking. We currently set no analytics or marketing cookies, neither on the marketing website nor in the apps; if we introduce any in future, we obtain your consent beforehand. You can change your choice anytime via "Cookie settings" in Settings.
  • Google Login: If you sign in via Google, we use Google Sign-In / Google Identity Services. We receive from Google the data required for sign-in, account creation and access security, in particular name, email address, Google account ID and possibly profile picture. Google may carry out its own data processing over which we have no full control.
  • AI service providers: For certain functions, in particular for structuring profile information, AI-assisted classification, support of the Cora Score, text analysis, matching preparation or the AI assistant, we use AI service providers, currently in particular OpenAI and Anthropic, insofar as the respective function is used. We transmit only the content required for the respective function. Where possible, we configure AI services so that customer data is not used to train general models.
  • Payment processing: Insofar as paid functions are used, payment processing may take place via Paddle.

Cookies and identifiers used:

| Name | Purpose | Type | Storage duration |
|---|---|---|---|
| sb-…-auth-token | Sign-in and session management (Supabase) | strictly necessary | session / until logout |
| cora_consent | Stores your cookie consent (chosen categories); shared across .cora.community | consent / functional | up to 180 days |
| cora_anon_id | Anonymous identifier to link a pre-login consent choice | functional | up to 180 days |
| lang, cora-theme | Remembers your language and appearance | functional | up to 1 year |
| "Stay signed in" | Keeps your session across browser restarts | functional | up to 1 year |
| Other strictly necessary cookies | Session, security and flow cookies (e.g. remembering completed steps) to operate the service | strictly necessary | session to a few days |
| Cloudflare Turnstile | Protection against bots and abuse at sign-in | security-related | transient |
| Paddle (where used) | Payment processing | functional | session-based |

In addition, we log each consent decision (chosen categories, version, timestamp, IP address and browser identifier) server-side, in order to demonstrate consent under Art. 7 GDPR. On the pure marketing website, no tracking or marketing cookies are set at present.

A complete, continuously maintained list of the processors used, including purpose, region and transfer basis, can be found in our sub-processor overview.

If analytics, marketing cookies, pixels, heatmaps, social media plugins or comparable technologies are used in the future, we will update this privacy policy and, where necessary, obtain consent beforehand.

5. Profiles, Cora Score, AI classification and matching

When you create a profile, pitch or update, we process the information you provide in order to display your profile, structure information, provide the Cora Score, manage Cora Verified and enable suitable matches or intros.

The Cora Score may use AI-assisted classification and rule-based or deterministic evaluation. The score, classifications and badges serve for orientation and structuring. They are not a guarantee of quality, success, financeability, investment worthiness, creditworthiness, legal admissibility or the economic development of a startup.

At present, we do not make any decision based solely on automated processing with legal effect or similarly significant impact within the meaning of Art. 22 GDPR. If you believe that a score, classification or badge is incorrect, you can contact us and request a review or correction.

Depending on the function and visibility setting, name, role, organisation, contact details, startup profile, pitch, KPIs, updates, Cora Score, badge status, matching signals and communication status may become visible to selected startups, investors, partners, experts, jury members or community members. Recipients who receive data outside the Cora platform generally act on their own responsibility. Therefore, do not share confidential information if you do not wish to share it.

If you make your profile or organisation visible for discovery, the shared content can become publicly visible — including to visitors who are not logged in — and may be indexed by search engines. This visibility is disabled by default and can be turned off again at any time in the settings.

For Cora's Circle, awards, pilot programmes or jury processes, we process the application, profile, pitch, score, badge, communication and participation data required for this.

6. Success fee, billing and proof

Under Cora's terms, a success fee may arise for matches, intros or other business initiations enabled by Cora. The negotiation and execution of investments, financings, holdings or cooperations takes place outside the Cora platform. Details on the amount, due date and party liable to pay arise from the respectively applicable terms, fee conditions or separate agreements.

For traceability, review and billing, we may in particular process the user account, startup ID, investor ID, match ID, intro ID, persons and organisations involved, the time of registration or match acceptance, terms version, accepted conditions, IP address, status of conversations or transactions, transaction type, transaction amount, tranche, invoice, payment status and correspondence.

We use this data to document the inclusion of the terms and success-fee conditions, to review, calculate and bill justified claims, to assert or defend against claims, and to fulfil tax and company-law obligations.

7. Recipients, service providers and third-country transfers

Depending on the function, data may be processed or become visible to internally responsible persons at Cora, technical service providers, hosting, database, security, monitoring, form, email, communication, authentication, CRM, AI, payment, invoicing or accounting service providers, tax and legal advisers, as well as authorities or courts, insofar as this is necessary or legally required.

The service providers used or possibly used may include in particular Supabase, Vercel, Cloudflare, Upstash, Sentry, Resend, Google, OpenAI, Anthropic and Paddle, insofar as the respective function is used. A continuously updated overview (provider, purpose, region, transfer basis) can be found in our sub-processor list. In addition, data may become visible to selected startups, investors, business angels, funds, partners, experts, talent, jury members or community members where this is necessary for profiles, matches, intros, awards or shared functions.

Some service providers may be located outside the EU/EEA or process data there, in particular in the USA (currently above all the AI service providers OpenAI and Anthropic, Google and Cloudflare). Our database and authentication infrastructure (Supabase), rate limiting (Upstash), monitoring (Sentry), email delivery (Resend) and payment processing (Paddle) are currently operated in the EU. Insofar as personal data is transferred to third countries, we rely on appropriate safeguards under Art. 44 et seq. GDPR, e.g. adequacy decisions, the EU-U.S. Data Privacy Framework, standard contractual clauses and supplementary protective measures. Service providers acting as processors are engaged on the basis of a data processing agreement where required.

8. Storage period

We store personal data only for as long as necessary for the respective purposes or for as long as statutory retention obligations, legitimate proof interests or possible claims exist. After that, we delete or anonymise the data, unless there is a further legal basis.

We generally store contact and form enquiries until they are finally processed and for a reasonable proof period. We store user account, profile, pitch, score and match data for the duration of active use or visibility and thereafter only insofar as necessary for proof, security, legal defence or legal obligations.

Specifically, we delete accounts whose setup was never completed no later than 18 months after registration, and accounts that have been inactive for a longer period no later than 36 months after the last activity. Before any such deletion we notify you by email and grant a period of at least 30 days during which you can keep your account by signing in; any activity resets this period. We generally delete support and feedback submissions 36 months after they are resolved. We retain consent and audit logs for proof purposes for up to three years as a rule.

We generally store data on the success fee, invoices and tax-relevant documents for the statutory retention periods, in Austria regularly seven years, and beyond that for as long as they are required for pending proceedings, audits or open claims. We store consent histories for as long as necessary to prove the consent and to defend against or assert claims.

9. Data security and obligation to provide

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure. These include in particular encrypted transmission via HTTPS/TLS, access restrictions, role-based permissions and technical security measures of our infrastructure and platform providers. Nevertheless, no data transmission or storage on the internet can be guaranteed to be completely risk-free.

You are generally not obliged to provide personal data. However, certain data is required so that we can process your enquiry, create a user account, provide profiles, calculate the Cora Score, enable matches, document intros or carry out success-fee and billing processes. Without this data, individual functions cannot be used or can only be used to a limited extent.

10. Your rights

Under the GDPR, you have in particular the rights to access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent with effect for the future. You also have the right not to be subject to a decision based solely on automated processing under Art. 22 GDPR, where the statutory conditions are met.

In the logged-in areas, you can also export a copy of your data and delete your account yourself under "Settings → Privacy".

To exercise your rights, an informal email to privacy@cora.community is sufficient. We may request additional information where this is necessary for unambiguous identification.

11. Right to lodge a complaint

If you believe that the processing of your personal data infringes data protection law, you can lodge a complaint with a data protection supervisory authority. For Cora, the Austrian Data Protection Authority is generally competent:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna
Austria
Website: www.dsb.gv.at
Email: dsb@dsb.gv.at

12. Changes to this privacy policy

We may adapt this privacy policy if our website, app, platform functions, service providers, legal requirements or actual data processing change. We provide the current version on our website.
