Privacy Policy

Effective date: 24 April 2025  |  Last revised: 30 April 2025

This Privacy Policy explains how Ivyplus Ltd (“Ivy+”, “we”, “our”) collects, uses, shares and safeguards personal data when you interact with our services, website or community (the “Services”). It is drafted to comply with:

• UK General Data Protection Regulation (UK GDPR);
• Data Protection Act 2018;
• Privacy and Electronic Communications Regulations 2003 (PECR);
• Any other UK law that applies to personal-data processing.

1. Controller & Representative

Ivyplus Ltd (Company No. 153 967 80), 128 City Road, London, United Kingdom, EC1V 2NX is the data controller for the Services.
Data-Protection Contact: contact@ivyplus.xyz

2. Categories of Data We Process

Data we collect falls under the categories below. We never request special-category data unless explicitly noted and justified (see § 2.7).

1. Identity Data. First & last name, preferred name, date of birth (optional), gender pronouns (optional).
2. Contact Data. University or personal email, postal address, WhatsApp or mobile number.
3. Academic Data. University, college, degree type, graduation year, alumni-status evidence (e.g., digital diploma).
4. Professional Data. Current employer, position, LinkedIn URL, sector tags, investment focus (if any).
5. Usage Data. Login timestamps, pages visited, feature clicks, event RSVPs, message metadata (not message content of private chats).
6. Technical Data. IP address, device ID, OS, browser, timezone, cookie identifiers.
7. Special-Category Data. We may collect limited diversity metrics (ethnicity, gender identity) in anonymised form for equality monitoring. Collection is voluntary and relies on explicit consent (UK GDPR Art. 9(2)(a)).

3. Our Lawful Bases

Under Art. 6 UK GDPR we must have a lawful ground for each purpose. Key examples:

Purpose	Lawful Basis
Evaluate membership application	Contract Art. 6(1)(b)
Operate the member platform & chats	Legitimate interest Art. 6(1)(f)
Send event emails / newsletters	Consent Art. 6(1)(a) & PECR reg. 22
Detect fraud / misuse	Legitimate interest Art. 6(1)(f)
Comply with tax & AML regulations	Legal obligation Art. 6(1)(c)

4. Automated Decision-Making

Ivy+ does not rely solely on automated processing to make legal or similarly significant decisions about you. Candidate screening uses a hybrid model (algorithmic ranking + human committee review). You may request human intervention or challenge a decision (UK GDPR Art. 22).

5. Sharing & International Transfers

Personal data is shared only with subprocessors bound by written contracts conforming to Art. 28 UK GDPR. A current list is available on request and includes: AWS (London, Frankfurt), Vercel (Germany), Upstash (EU), Sendgrid (USA – SCCs), HubSpot (EU data centre).

Transfers outside the UK rely on:

• UK adequacy regulations (e.g., transfers to EEA);
• Standard Contractual Clauses + UK addendum;
• Transfer Risk Assessments per ICO guidance (2022).

6. Data Retention & Deletion

We retain application data for 24 months if an applicant is declined, or the duration of membership + 7 years for accepted members (for tax audit). Logs are pruned after 12 months. Backup archives are encrypted and destroyed on a 35-day rolling basis. Deletion requests are honoured within 30 days except where continued processing is required by law.

7. Security Measures

Controls include TLS 1.3, encryption-at-rest (AES-256), MFA for staff, ISO 27001-certified hosting, weekly vulnerability scans and annual penetration tests. In the event of a personal-data breach likely to result in risk to your rights and freedoms, Ivy+ will notify the ICO within 72 hours and affected individuals without undue delay, in line with Art. 33-34 UK GDPR.

8. Your Data-Subject Rights

You may exercise the following rights free of charge once every 12 months:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / be forgotten (Art. 17)
• Right to restriction (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21) including direct-marketing opt-out
• Right not to be subject to automated decision-making (Art. 22)

Requests should be sent to contact@ivyplus.xyz. We will respond within one calendar month. Proof of identity may be required.

9. Cookies & Similar Tech

Ivy+ uses first-party cookies for authentication and third-party cookies (e.g., Google Analytics v4 with IP-anonymisation). You can opt out via our cookie banner or change settings in your browser. Full details are provided in our separate Cookie Policy.

10. Children

The Services are not directed to individuals under 18. If we learn we have collected personal data from a child without verifiable parental consent, we will delete it promptly.

11. Complaints

We encourage you to contact our DPO first. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF, UK (ico.org.uk/make-a-complaint).

12. Changes to This Policy

We may amend this Policy to reflect legal or operational changes. The “Last revised” date will update accordingly and material changes will be announced via email or in-app notification 14 days before they take effect.

© 2025 Ivyplus Ltd — All rights reserved.