Who we are
Epic Foundation is a Malta-based public benefit association. This privacy policy applies to the funding intelligence platform at foundation.epicgrowth.com.
What we collect
| Data | Purpose | Basis |
|---|---|---|
| Email address | Authentication (magic link login) | Contract performance |
| Name (optional) | Display in dashboard | Consent |
| Entity profile (company or organisation) | Grant eligibility matching by AI agents | Contract performance |
| VO registration data (OCVO number, sector, compliance status) | VO-specific grant matching and eligibility verification | Contract performance |
| Project data | Application tracking, budget planning, checklists | Contract performance |
| Uploaded documents | AI profile extraction, application preparation | Consent |
| VO profile claim | Links your account to a voluntary organisation in the public OCVO registry | Consent |
| Agent conversation logs | Auditability, journey event tracking | Legitimate interest |
We do not collect browsing history, IP addresses for profiling, biometric data, or any special category data under GDPR Article 9.
Where we store your data
Database: Hosted on encrypted, managed infrastructure within the European Economic Area. All data remains within the EEA at all times.
Documents: Stored on encrypted cloud infrastructure in the same EEA region. Uploaded files are stored under your user ID and not shared with other users.
Sector registry: We maintain a registry of voluntary organisations using publicly available data from OCVO (cvo.gov.mt) and MCVS (vofunding.org.mt). This contains organisation names, OCVO numbers, sector categories, and compliance status — all public record data. No personal data is stored in this registry. Users may voluntarily claim their organisation, linking their account to a registry record.
Funding data: We collect publicly available grant award records from government sources (MCVS, fondi.eu, EU Financial Transparency System, EEA Grants, Arts Council Malta). This data contains organisation names and award amounts — all public record. It is used to enrich the sector intelligence layer, not for profiling individuals.
Authentication: No passwords are stored. We use magic link email verification. Session tokens are httpOnly cookies (7-day expiry) that cannot be read by JavaScript.
AI processing
Conversations with our AI agents are processed by Anthropic (Claude Sonnet). When you chat with an agent, the following is sent as context:
- Your entity profile — company or organisation details (for eligibility matching)
- Active project details (for contextual advice)
- Recent conversation history (for continuity)
Anthropic does not use your data for model training. Conversations are not stored by Anthropic beyond the API request. See Anthropic's privacy policy for details.
What we do not do
- Sell your data to third parties
- Use your data for advertising or profiling
- Share data with other users
- Train AI models on your data
- Transfer data outside the EEA
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Cloud infrastructure provider | Hosting, database, file storage | All stored data (EEA region) |
| Anthropic (Claude) | AI agent conversations | Profile + conversation context per request |
| Gmail API | Magic link delivery | Email address only |
| Google Analytics (GA4) | Anonymous usage analytics | Page views (no PII) |
Data retention
Account data: Retained while your account is active. Deleted upon request.
Agent conversation logs: Journey events are retained for 12 months for auditability, then automatically purged.
Magic link tokens: Expire after 15 minutes and are deleted from the database.
Your rights under GDPR
- Access — Request a copy of all data we hold about you
- Rectification — Correct inaccurate data in your profile or projects
- Erasure — Request complete deletion of your account and all associated data
- Portability — Receive your data in a structured, machine-readable format
- Restriction — Request that we limit processing of your data
- Objection — Object to processing based on legitimate interest
To exercise any of these rights, contact us through the platform or via the contact details on epicgrowth.com. We will respond within 30 days.
Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| egf-session | Authentication session (httpOnly, Secure, SameSite=Lax) | 7 days |
We use one essential cookie for authentication. No tracking cookies, no advertising cookies, no cookie consent banner needed.
Changes to this policy
We will update this page when our data practices change. Material changes will be communicated via the platform. This policy is versioned in our open-source repository.
Contact
For privacy questions or data requests, contact us through the platform or via epicgrowth.com.