← FirstStone
Legal NoticePrivacyTermsCookies

Privacy Policy

Last updated: 9 de julio de 2026

Contents

  1. Data controller
  2. Who this applies to
  3. What data we process
  4. Purposes and legal bases
  5. Third-party data you manage
  6. Artificial intelligence
  7. Recipients and sub-processors
  8. International transfers
  9. Retention periods
  10. Your rights
  11. California residents (CCPA)
  12. Security
  13. Minors
  14. Changes to this policy
  15. Contact

In short: your data is used to provide the FirstStone service, we never sell it, we work with serious providers under contract (Supabase, Stripe, Anthropic, Google, Unipile, and others listed below), and you can exercise your rights at any time by writing to contact@firststone.vc.

1. Data controller

The controller responsible for processing your personal data is:

  • SYRIUS CAPITAL LLC, a company incorporated in the State of New Mexico (USA)
  • EIN: 98-1865579
  • Address: 2105 Vista Oeste NW, Ste E 3166, Albuquerque, NM 87120, United States
  • Privacy email: contact@firststone.vc

SYRIUS CAPITAL LLC operates the FirstStone platform (firststone.vc and first-stone.vercel.app), which brings together the Incubator (AI-powered idea validation), Accelerator (AI mentorship, investor network, and investor pages), and Settr (AI sales assistant for LinkedIn) modules.

2. Who and what this policy applies to

This policy applies to:

  • Visitors of the public site firststone.vc.
  • Registered users of the Platform (founders and their teams).
  • People whose data a user manages through the Platform (for example, LinkedIn prospects, captured leads, or investor contacts). In that case FirstStone acts as the data processor, and the user is the controller, as we explain in section 5.

For users resident in the European Union or the European Economic Area, we apply Regulation (EU) 2016/679 (GDPR) and, in Spain, Organic Law 3/2018 (LOPDGDD). For California residents, see section 11.

3. What data we process

3.1. Account and profile data

  • Name, email address, and password (stored encrypted, never in plain text).
  • Profile data and information about your company or project that you choose to share: business description, sector, goals, your "company memory," and any documents or materials you upload.

3.2. Content and conversations

  • Conversations with the AI assistants (Mentor, Incubator, Settr) and the content you generate or edit on the Platform (ideas, reports, post drafts, messages, landing pages).

3.3. LinkedIn integration (via Unipile)

  • If you connect your LinkedIn account, we process, through the connectivity provider Unipile, the data needed to act on your behalf: your profile, connections, posts, comments, invitations, and messages (read and sent). The connection is voluntary and you can disconnect it at any time from the Platform.

3.4. Optional integrations you connect

  • You can voluntarily connect other tools (for example calendar, CRM, accounting, analytics, email, or banking) to give the assistants context. We only read the data each integration needs while you keep it connected, and you can disconnect it whenever you want.
  • If you use voice notes, the audio is transcribed by our provider Groq (Whisper models), and we use ElevenLabs to generate voice.
  • If you take part in the affiliate program, identity verification (KYC) and the screening required by anti-money-laundering regulations are carried out through our provider Didit.

3.5. Payment data

  • Payments are processed through Stripe. FirstStone does not store full card numbers: we receive from Stripe customer and subscription identifiers, payment status, and, where applicable, the card's last digits and brand.

3.6. Technical and usage data

  • Standard technical data: IP address, device and browser type, language, pages visited, and server activity and error logs.
  • Product analytics with PostHog for logged-in users: navigation, clicks, errors, and session recording with all text fields masked (we never see what you type). You can turn it off in your account settings.
  • Anti-bot verification (Cloudflare Turnstile) on sign-up forms.

3.7. Communications

  • Transactional and service emails (sent via Resend) and, if you activate the Telegram bot, the notifications we send to your Telegram account.
  • Messages you send us through support or our contact email.

3.8. Advertising (Meta Ads and Google Ads)

  • If we run advertising campaigns, we may use pixels and conversion-measurement tools from Meta (Facebook/Instagram) and Google. These technologies will only be activated on the public site if you accept advertising cookies in the consent banner (see Cookie Policy).

4. Purposes and legal bases

PurposeDataLegal basis (GDPR)
Create and manage your account and provide the service (Incubator, Accelerator, and Settr modules, including AI generation)Account, profile, content, conversationsPerformance of the contract (Art. 6.1.b)
Operate your LinkedIn account on your behalf (reading and sending messages, posting, prospecting)LinkedIn integration dataPerformance of the contract (Art. 6.1.b); the connection is always voluntary
Charge subscriptions and credits, invoice, and prevent payment fraudPayment data and Stripe identifiersPerformance of the contract (Art. 6.1.b) and legal obligation (Art. 6.1.c)
Platform security: preventing abuse, bots, and unauthorized accessTechnical data, logs, Turnstile verificationLegitimate interest (Art. 6.1.f)
Product analytics and support (PostHog, with masked fields and an opt-out option)Usage data of logged-in usersLegitimate interest (Art. 6.1.f), with the right to object and to opt out in Settings
Service emails and operational notices (including Telegram if you activate it)Email, Telegram IDPerformance of the contract (Art. 6.1.b)
Advertising and conversion measurement (Meta and Google pixels, when campaigns exist)Advertising cookies and identifiersConsent (Art. 6.1.a), via the cookie banner
Handle your inquiries and the exercise of your rightsContact details and details of your inquiryLegal obligation (Art. 6.1.c) and legitimate interest (Art. 6.1.f)

When the legal basis is consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

5. Third-party data you manage with FirstStone

Some Platform features, especially Settr and the investor network, let you process personal data of third parties: LinkedIn prospects (names, profiles, messages), captured leads (names, emails, professional details), and investor contacts.

Regarding that data:

  • You are the data controller: you decide who to contact, with what message, and for what purpose.
  • FirstStone acts as the data processor (Art. 28 GDPR): we process that data only following your instructions through the Platform, with the security measures described in this policy, never for our own purposes, and we delete or return it when you close your account. The sub-processors we use are listed in section 7.
  • As the controller, it is your responsibility to ensure you have a legal basis to process and contact those people, inform them when appropriate, honor their opt-out requests, and comply with anti-spam regulations and the terms of the platforms you use (e.g. LinkedIn). The Terms and Conditions detail these obligations.
  • If a person whose data you manage through FirstStone sends us a rights request, we will forward it to you and work with you to handle it.

Investor database. Separate from that is the investor directory that FirstStone makes available to users in Accelerator: we compile it ourselves from public and professional sources (corporate websites, registries, public professional profiles) and we are responsible for that processing, based on our legitimate interest in offering professional contact information in the context of raising investment. If you are an investor and appear in that directory, you can exercise your rights, including erasure, by writing to contact@firststone.vc.

6. Artificial intelligence

  • To generate content and analysis, your text and company context are sent to AI model providers: Anthropic (Claude models) and Google (Gemini and Veo models). For voice features we use ElevenLabs.
  • We use these services through their commercial APIs, under terms that do not allow our content to be used to train their models.
  • FirstStone does not make decisions based solely on automated processing that produce legal effects on you or similarly significantly affect you (Art. 22 GDPR). AI outputs are suggestions that you review and decide whether or not to use.

7. Recipients and sub-processors

We do not sell your data. It is only shared with us by the providers we need to deliver the service (processors and sub-processors), under data processing agreements (DPAs):

ProviderServiceLocationSafeguards
SupabaseDatabase, authentication, and storageUSA / EUDPA
VercelApplication hosting and deliveryUSADPA
StripePayment and subscription processingUSA / EUDPA
AnthropicAI models (Claude)USATerms and DPA
GoogleAI models (Gemini, Veo)USA / EUDPA
UnipileLinkedIn connectivity (messages, posts, prospecting)EU (France)Policy and DPA
ElevenLabsVoice synthesisUSAPolicy and DPA
GroqVoice note transcription (Whisper)USAPrivacy policy
DiditIdentity verification (KYC/AML) for the affiliate programEUPrivacy policy
DataForSEOMarket data (demand, competition) for Incubator research — none of it your personal dataUSAPrivacy policy
ResendTransactional email deliveryUSADPA
TelegramNotification bot (only if you activate it)GlobalPrivacy policy
PostHogProduct analytics and masked session recordingUSADPA
CloudflareAnti-bot verification (Turnstile)GlobalDPA
Meta (future)Advertising and conversion measurement — only with your consentUSA / EUData terms
Google Ads (future)Advertising and conversion measurement — only with your consentUSA / EUData terms

Additionally, if you connect optional integrations (for example Google Calendar, Gmail, Notion, GitHub, HubSpot, Pipedrive, Holded, QuickBooks, Shopify, Slack, Mixpanel, Google Analytics, or banking providers such as Mercury or Enable Banking), we will exchange the strictly necessary data with each one, under their own terms, only while you keep the connection active.

We may also share data with public authorities when there is a legal obligation to do so, and with professional advisors (legal, accounting) under confidentiality when necessary.

8. International transfers

SYRIUS CAPITAL LLC is established in the United States, and several of our providers process data in the USA. When data from users in the European Economic Area is transferred outside the EEA, we apply the safeguards under Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) from the European Commission (Decision 2021/914), incorporated into the DPAs we sign with the listed providers.
  • EU-U.S. Data Privacy Framework for providers certified under it, as a complementary adequacy decision.
  • Supplementary security measures (encryption in transit and at rest) described in section 12.

You can request more information about the safeguards applied by writing to contact@firststone.vc.

9. Retention periods

CategoryRetention period
Account, profile, company memory, conversations, and contentFor as long as your account is active. When you delete it, this data is erased or anonymized within a maximum of 30 days (plus the backup cycle, up to an additional 30 days).
LinkedIn integration data and prospect/lead dataFor as long as you keep the integration or keep this data in your account; it is deleted along with your account, or sooner if you delete or disconnect it.
Billing and payment dataThe periods required by applicable tax and commercial regulations (generally, up to 6 years).
Technical and security logsUp to 12 months.
Product analytics (PostHog)According to the provider's retention settings; you can turn it off in Settings.
Rights requests and legal correspondenceAs long as needed to demonstrate that they were handled (up to 3 years).

10. Your rights

If the GDPR applies to you, you have the right to:

  • Access: to know what data of yours we process and to obtain a copy.
  • Rectification: to correct inaccurate or incomplete data.
  • Erasure: to ask us to delete your data (the "right to be forgotten").
  • Objection: to object to processing based on legitimate interest (including analytics).
  • Portability: to receive your data in a structured, commonly used format.
  • Restriction: to ask us to temporarily suspend processing in legally established cases.
  • Withdraw consent at any time, when that is the basis for processing.

To exercise these rights, write to contact@firststone.vc from your account email (or by proving your identity). We respond within a maximum of one month. You can also delete your account directly from the Platform settings and turn off analytics from there too.

If you believe we have not properly handled your rights, you can file a complaint with your data protection authority. In Spain, the Spanish Data Protection Agency (aepd.es).

11. California residents (CCPA/CPRA)

If you live in California, we recognize your CCPA/CPRA rights, which include:

  • The right to know what personal information we collect, use, and share.
  • The right to request deletion of your personal information.
  • The right to correct inaccurate information.
  • The right to opt out of the "sale" or "sharing" of personal information: we do not sell personal information. If we use advertising pixels in the future (which may be considered "sharing" under the CPRA), they will only be activated with your consent and you can reject them from the cookie banner.
  • The right not to be discriminated against for exercising your rights.

You can exercise these rights at contact@firststone.vc.

12. Security

We apply appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS) and at rest at our infrastructure providers.
  • Passwords stored with secure hashing; authentication managed by Supabase Auth, with two-factor authentication (2FA) support.
  • Role-based access control and per-account data isolation (row-level security policies in the database).
  • Anti-bot verification at sign-up and anti-abuse limits on automation features.
  • Minimization principle: providers only receive the data necessary for their function.

If a security breach occurs that poses a risk to your rights, we will notify the competent authority and, where applicable, the affected individuals, in accordance with Articles 33 and 34 of the GDPR.

13. Minors

FirstStone is a professional service intended for people over 18. We do not direct the service at minors, nor do we knowingly process their data. If we discover an account belonging to someone under 18, we will delete it. If you believe a minor has given us data, write to us at contact@firststone.vc.

14. Changes to this policy

We may update this policy to reflect legal, technical, or service changes. We will publish the current version on this page along with its update date, and if a change is material, we will notify you by email or via a prominent notice on the Platform before it takes effect.

15. Contact

For any questions about privacy and data protection: contact@firststone.vc · SYRIUS CAPITAL LLC, 2105 Vista Oeste NW, Ste E 3166, Albuquerque, NM 87120, United States.

© 2026 SYRIUS CAPITAL LLC · FirstStone

Legal NoticePrivacyTermsCookies