Last updated: 2026-05-15

With the following privacy policy we inform you about the types of personal data (hereinafter also "data") that we, Visionaries Club GmbH ("we", "us", "our"), process, for which purposes and to what extent, when you visit tomorrow.vc and the subpages reachable from it (hereinafter together the "online offering"). It is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and, where applicable, the Swiss Federal Act on Data Protection (revFADP / Schweizer DSG). All terms used are intended to be gender-neutral.

The controller responsible for the processing of personal data on this website within the meaning of Art. 4 (7) GDPR is: Visionaries Club GmbH Brunnenstraße 24 10119 Berlin Germany Email: hi@tomorrow.vc Managing Directors: Robert Lacher, Sebastian Pollok, Roland Geeraedts. We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR / § 38 BDSG. For any privacy-related question you may contact us directly at the address above.

The following overview summarises the categories of personal data we process, the categories of data subjects concerned and the purposes of the processing. Each item is described in more detail in the dedicated sections below. Categories of personal data processed - Inventory data (e.g. names, addresses, email addresses) for newsletter subscriptions and contact requests - Contact data (e.g. email addresses, telephone numbers) where you reach out to us - Content data (e.g. text or media submitted via email, contact form or applications) - Usage data (e.g. pages viewed, time on page, click paths, device type, operating system, screen size, interactions with content and features) - Meta-, communication and procedural data (e.g. IP addresses, timestamps, request identifiers, salted hashes used for analytics counting) - Log data (server log files documenting access to our website) - Application data (CV, cover letter, profile data, work history) where you apply to a position through the embedded job board Categories of data subjects - Visitors and users of our online offering - Communication partners who contact us - Subscribers to our newsletter - Applicants who apply via the embedded job board - Users of our social-media profiles (LinkedIn, Medium) Purposes of processing - Provision of our online offering, hosting and delivery of content - Information security, prevention of misuse and DDoS mitigation - Reach measurement and improvement of our content (analytics) - Communication with visitors, prospects and applicants - Pre-contractual measures and contract performance for applications and enquiries - Direct marketing via newsletter on the basis of consent - Public relations / brand presence on social-media platforms - Compliance with statutory retention obligations (commercial and tax law)

We process personal data only on a valid legal basis under Art. 6 (1) GDPR: - Consent (Art. 6 (1) (a) GDPR) – e.g. for the newsletter subscription. Consent can be withdrawn at any time with effect for the future. - Performance of a contract or pre-contractual measures (Art. 6 (1) (b) GDPR) – e.g. for handling enquiries about (potential) business relationships and for job applications submitted through the embedded job board. - Compliance with a legal obligation (Art. 6 (1) (c) GDPR) – e.g. retention of records under commercial and tax law. - Legitimate interests (Art. 6 (1) (f) GDPR) – e.g. operating, securing and improving our website, server log analysis, privacy-friendly analytics and our presence on social media. Our legitimate interest is balanced against your rights and freedoms; you have a right to object on grounds relating to your particular situation (see "Your rights"). National law in Germany. In addition to the GDPR, German data-protection rules apply, in particular the Bundesdatenschutzgesetz (BDSG). The BDSG contains supplementary rules on, among other things, the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmissions and automated decision-making including profiling. State-level data-protection laws may also apply. Swiss FADP / DSG. Where the Swiss Federal Act on Data Protection applies, this policy is intended to satisfy the corresponding information duties as well. For readability we use the terms of the GDPR ("processing" of "personal data", "legitimate interest", "special categories of data") even where the Swiss DSG uses different terminology ("Bearbeitung" of "Personendaten", "überwiegendes Interesse", "besonders schützenswerte Personendaten"). The legal meaning under the Swiss DSG is unaffected.

We take appropriate technical and organisational measures in accordance with Art. 32 GDPR to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the likelihood and severity of the risks to your rights and freedoms. These measures include in particular: - Transport encryption (TLS/HTTPS). All connections to our website are encrypted in transit using TLS, indicated by the "https://" scheme and the lock icon in your browser. We do not serve any traffic over unencrypted HTTP. - Access controls. Administrative access to the systems behind this website is limited to authorised personnel and protected by strong authentication. - Data minimisation and purpose limitation. We only collect data needed for the specific purpose described in this policy and avoid collecting personally identifiable information where pseudonymous or aggregate data is sufficient (see "Analytics – Plausible"). - Privacy by design and by default (Art. 25 GDPR). Privacy considerations are taken into account when selecting and configuring hardware, software and processes. - Processor agreements. Where third parties process personal data on our behalf, we conclude data-processing agreements pursuant to Art. 28 GDPR with binding instructions, confidentiality obligations and security requirements. - Procedures for data-subject requests and breach response. We have procedures in place to handle your requests (access, erasure, etc.) and to respond to potential data-breach incidents in line with Art. 33–34 GDPR.

We only share personal data with third parties where this is necessary to operate our website, to fulfil a contract with you, where you have consented, or where we are legally obliged to do so. Typical recipients are: - Hosting provider – Fly.io (see section 11) - Analytics provider – Plausible Insights OÜ (see section 12) - Job-board provider – JBoard (see section 13) - Newsletter provider – see section 14 - Social-media platforms where we maintain a presence – LinkedIn and Medium (see section 15) - Public authorities and courts, where we are legally required to disclose data - Tax advisors, auditors and lawyers bound by professional confidentiality, where their involvement is required by law or by our legitimate interests Where these providers act as processors on our behalf, we have entered into data-processing agreements pursuant to Art. 28 GDPR. We do not sell personal data and we do not use it for cross-context behavioural advertising.

Some of the providers we use may process data outside the European Economic Area (EEA), in particular in the United States. Where this is the case, we ensure an adequate level of data protection in line with Chapter V GDPR: - EU–U.S. Data Privacy Framework (DPF). For transfers to the USA we rely primarily on the adequacy decision of the European Commission of 10 July 2023 recognising the DPF as a safe legal framework for transfers to certified U.S. organisations. A list of certified organisations is available at dataprivacyframework.gov. - EU Standard Contractual Clauses (SCCs). As an additional safeguard, and as a fallback should the DPF be invalidated or should a recipient not be certified, we have concluded EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR with the relevant providers. This dual safeguard means that your data remains protected even if the legal landscape around US transfers changes. - Adequacy decisions and supplementary measures. For transfers to other third countries we rely on Commission adequacy decisions where they exist, on SCCs, on your explicit consent (Art. 49 (1) (a) GDPR) or on the other derogations listed in Art. 49 GDPR, and we implement supplementary technical and contractual measures where required. For each individual service named in this policy we indicate whether it is certified under the DPF and whether Standard Contractual Clauses are in place. You may request a copy of the applicable safeguards by writing to hi@tomorrow.vc. Further information about adequacy decisions and international transfers is available from the European Commission at commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

We only store personal data for as long as necessary to fulfil the purposes described in this policy or as required by applicable law. Once the purpose ceases to apply and no statutory retention obligation prevents deletion, we delete or anonymise the data. Standard retention periods - Server log files – stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is necessary to investigate a specific incident is exempted from deletion until the incident is finally resolved. - Analytics data (Plausible) – aggregated and pseudonymous; the daily salted hash used to count unique visitors is rotated every 24 hours, so individuals cannot be re-identified across days. - Email correspondence and contact-form messages – retained for as long as needed to handle your request and any follow-up, and thereafter for the period of any applicable statutory retention obligation. - Newsletter subscription records – retained as long as your consent remains active. After withdrawal we retain a minimal record (e.g. email address on a suppression list) on the basis of Art. 6 (1) (f) GDPR for up to three years from the end of the year of withdrawal in order to demonstrate that the original consent was given and to honour your objection to further contact. - Job-application data – handled in accordance with the JBoard processing notice and § 26 BDSG; if no employment relationship is established, application data is generally deleted within six months of the conclusion of the procedure, unless you have consented to longer retention (e.g. in a talent pool). - Statutory retention – business letters, invoices and tax-relevant documents are retained for up to 6 or 10 years in accordance with §§ 257 HGB and 147 AO. Start of retention periods. Where a retention period does not start on an expressly defined date and is at least one year long, it begins automatically at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships the triggering event is the effective date of termination or other end of the legal relationship. Longest applicable period prevails. Where multiple retention periods apply to the same data, the longest applicable period is decisive. Data retained solely on the basis of a statutory retention obligation is processed only for the purposes that justify the retention.

Under the GDPR you have the following rights with regard to personal data we process about you: - Right of access (Art. 15 GDPR) – to obtain confirmation as to whether we process personal data concerning you and, if so, a copy of that data and the further information listed in Art. 15. - Right to rectification (Art. 16 GDPR) – to have inaccurate or incomplete data corrected. - Right to erasure (Art. 17 GDPR) – to have your data deleted where the legal requirements are met. - Right to restriction of processing (Art. 18 GDPR). - Right to data portability (Art. 20 GDPR) – to receive data you have provided in a structured, commonly used and machine-readable format, or to have it transmitted to another controller. - Right to object (Art. 21 GDPR) – at any time, on grounds relating to your particular situation, to processing based on Art. 6 (1) (f) GDPR, including profiling. Where personal data is processed for direct marketing, you have the right to object at any time without giving reasons; we will then stop processing your data for those purposes. - Right to withdraw consent (Art. 7 (3) GDPR) – where processing is based on consent, you can withdraw it at any time with effect for the future. The lawfulness of processing before withdrawal is not affected. - Right to lodge a complaint (Art. 77 GDPR) – see section 9. To exercise any of these rights, please contact us at hi@tomorrow.vc. We will respond within the statutory time limits and free of charge. To verify your identity we may ask for additional information.

You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). The authority competent for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit Alt-Moabit 59-61 10555 Berlin, Germany datenschutz-berlin.de A list of all German supervisory authorities is available at bfdi.bund.de/anschriften. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.

This policy applies to the website tomorrow.vc and the subpages reachable from it. Where third-party services are embedded on our site or where we maintain a presence on third-party platforms, the privacy policies of those providers also apply; we link to them in the relevant sections below.

Our website is hosted by Fly.io (Fly.io, Inc., 2261 Market Street #4990, San Francisco, CA 94114, USA). When you visit the site, your browser automatically transmits technical data (so-called server log data) to Fly.io's infrastructure, which is necessary to deliver the website to your device. The data processed in this context typically includes: - IP address of the requesting device - Date and time of the request - Requested URL and HTTP method - HTTP status and amount of data transferred - User agent (browser type and version, operating system) - Referrer URL Legal basis: Art. 6 (1) (f) GDPR – our legitimate interest in providing a stable, secure and functional website. Retention: Server log files are deleted or anonymised within 30 days, unless their continued retention is necessary to investigate a specific security incident. Third-country transfer. Fly.io operates servers in different regions worldwide. We have selected an EU region for our deployment, but Fly.io is a U.S. company and operational data (e.g. for support purposes) may be processed in the USA. The transfer is safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR concluded with Fly.io. More information: fly.io/legal/privacy-policy.

We do not use cookies on this website. We also do not use any comparable client-side storage technologies (local storage, session storage, IndexedDB, fingerprinting or tracking pixels) for advertising, profiling or cross-site tracking. Because no consent under § 25 (1) TDDDG is required and no processing under Art. 6 (1) (a) GDPR takes place on the basis of cookies, we do not display a cookie banner. Third-party services embedded in our website (e.g. the job-board widget described in section 13 or content shown on our social-media profiles described in section 15) may, however, set cookies on their own pages. Where you click through to those services, their cookie and privacy policies apply.

To understand how our website is used and to improve it, we use Plausible Analytics, a privacy-focused analytics tool provided by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia. Plausible runs entirely without cookies and without any client-side identifiers, and does not collect personally identifiable information. All data is aggregated and stored on EU-based servers operated by Plausible. Specifically, Plausible records the following information about visits to our site: - Page URL - HTTP referrer - Country, region and city derived from the IP address at a coarse level - Browser, operating system and device type - Screen size - A daily, salted one-way hash derived from your IP address and user agent, used solely to count unique visitors within a 24-hour window. The salt is rotated every 24 hours, the raw IP address is never stored, and the hash cannot be used to track you across days. This is an effective IP-masking / pseudonymisation measure within the meaning of Art. 4 (5) and 32 GDPR. Legal basis: Art. 6 (1) (f) GDPR – our legitimate interest in measuring traffic and improving our content. Given that no cookies are set, no identifiers are stored on your device and no personally identifiable information is collected, our balancing of interests concludes that this processing does not override your rights and freedoms. Right to object. You may object to this processing at any time by writing to hi@tomorrow.vc or by enabling "Do Not Track" / a similar privacy signal in your browser. Third-country transfer: none. Plausible processes data exclusively in the EU (Estonia and Germany). More information: plausible.io/data-policy.

On parts of our website (in particular jobs.tomorrow.vc) we embed a job-board widget provided by JBoard (JBoard OÜ, Estonia). When the widget loads, your browser establishes a direct connection to JBoard's servers in order to retrieve the listings. As part of this connection, JBoard may receive technical data such as your IP address, user agent, the page on which the widget is embedded and timestamps. JBoard may also set its own cookies on its domain in order to operate the application form. Legal basis – browsing job listings: Art. 6 (1) (f) GDPR – our legitimate interest in providing visitors with up-to-date career information. Legal basis – applying for a position: Art. 6 (1) (b) GDPR (pre-contractual measures taken at your request) in conjunction with § 26 (1) BDSG. The application data (CV, cover letter, contact details, profile information) is processed by JBoard and by the respective hiring company at Visionaries Club GmbH or one of our portfolio companies. Where you provide special categories of data within the meaning of Art. 9 GDPR (e.g. health information, religion), the legal basis is § 26 (3) BDSG and, where required, your consent pursuant to Art. 9 (2) (a) GDPR. Retention of application data. If no employment relationship is established, application data is generally deleted within six months of the conclusion of the application process, unless you have consented to longer retention (e.g. in a talent pool) or unless we are required to retain the data to defend against possible legal claims under the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG). Processor agreement. We have concluded a data-processing agreement with JBoard pursuant to Art. 28 GDPR governing JBoard's processing of personal data on our behalf. Third-country transfer: JBoard is established in the EU; transfers to third countries that may occur within JBoard's sub-processor chain are safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. More information: jboard.io/privacy.

We offer a newsletter so you can stay informed about our work, portfolio companies and events. The newsletter is sent only to subscribers who have explicitly opted in. We use a double opt-in procedure: after entering your email address, you receive a confirmation email containing a link that you must click to activate the subscription. This procedure is used to verify that the email address actually belongs to you and to prevent third parties from subscribing you without your consent. Data processed for the newsletter - Email address (required) - First name / name (optional, used for personalised salutation) - Date and IP address of the subscription and of the confirmation click, retained as proof of consent (Art. 7 (1) GDPR) - Aggregate, non-personalised statistics on opens and clicks where supported by our newsletter provider, used only to evaluate the overall performance of campaigns Legal basis: Art. 6 (1) (a) GDPR (consent) in conjunction with § 7 (2) Nr. 3 UWG. You may withdraw your consent at any time, with effect for the future, by clicking the unsubscribe link contained in every newsletter or by writing to hi@tomorrow.vc. Retention after unsubscribe. When you unsubscribe, we delete your data from the active recipient list. We retain a minimal record (in particular your email address on a suppression list and the documentation of the original consent) for up to three years after the end of the year in which you unsubscribed, on the basis of Art. 6 (1) (f) GDPR. This serves the legitimate interest of being able to demonstrate that consent was originally given (Art. 7 (1) GDPR) and to honour your objection to future contact (so that we do not accidentally re-add you in the future). Newsletter provider. The newsletter is sent through Mailchimp (Intuit Inc., 2700 Coast Avenue, Mountain View, CA 94043, USA). Mailchimp processes the subscriber data on our behalf on the basis of a data-processing agreement pursuant to Art. 28 GDPR. Where data is transferred to the USA, the transfer is safeguarded by the EU–U.S. Data Privacy Framework (Intuit is DPF-certified) and EU Standard Contractual Clauses. More information: https://mailchimp.com/legal/privacy/.

We maintain profiles on social-media platforms in order to communicate with users active there and to share information about our work. When you interact with our profiles, the providers of those platforms process your data on their own infrastructure and may use it for market-research and advertising purposes, including the creation of usage profiles based on your behaviour. Such profiles can then be used to display ads inside and outside the platforms that supposedly match your interests. We have no control over the data processed by the platforms themselves and refer you to the privacy notices of the respective providers for details. Legal basis: Art. 6 (1) (f) GDPR – our legitimate interest in communicating with users and presenting our work to a wider audience. Third-country transfer. Data may be processed outside the EU/EEA. This may make it harder to enforce your rights. The providers below have either certified themselves under the EU–U.S. Data Privacy Framework or rely on EU Standard Contractual Clauses. LinkedIn (joint controllership for "Page Insights"). Our LinkedIn page is operated by: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland Website: linkedin.com Privacy policy: linkedin.com/legal/privacy-policy In line with the judgement of the Court of Justice of the European Union of 5 June 2018 (C-210/16) and the corresponding agreement offered by LinkedIn (the "Page Insights Joint Controller Addendum", legal.linkedin.com/pages-joint-controller-addendum), we are joint controllers with LinkedIn Ireland for the collection of statistics ("Page Insights") about visitors to our LinkedIn page. The data collected for this purpose includes information about content viewed and interactions, device information (IP address, operating system, browser type, language settings, cookie data) and profile information (job function, country, industry, seniority, company size, employment status). LinkedIn has committed in this agreement to take the primary responsibility for fulfilling data-subject rights; you can therefore exercise your rights regarding Page Insights directly with LinkedIn. Your rights of access, erasure, objection and complaint are not restricted by this arrangement. Legal basis: Art. 6 (1) (f) GDPR. Transfer mechanism: DPF (LinkedIn Corporation is DPF-certified) and Standard Contractual Clauses (legal.linkedin.com/dpa). Opt-out for personalised advertising: linkedin.com/psettings/guest-controls/retargeting-opt-out. Medium. We maintain a publication on Medium operated by: A Medium Corporation 548 Market St, PMB 42061 San Francisco, CA 94104, USA Website: medium.com Privacy policy: policy.medium.com/medium-privacy-policy When you visit our Medium publication, Medium processes data about you on its own responsibility. Legal basis for our maintenance of the publication: Art. 6 (1) (f) GDPR. Transfer mechanism: DPF (Medium is DPF-certified) and, where applicable, EU Standard Contractual Clauses.

If you contact us by email (e.g. at hi@tomorrow.vc), via a contact form or via a direct message on one of our social-media profiles, the information you provide will be processed solely for the purpose of handling your request and any follow-up communication. This typically includes your name, contact details and the content of your message. Legal basis: Art. 6 (1) (b) GDPR where your request relates to a (potential) contract; otherwise Art. 6 (1) (f) GDPR – our legitimate interest in answering enquiries addressed to us. Retention: We retain such correspondence for as long as necessary to handle the request and to comply with statutory retention obligations. Business correspondence relevant under commercial or tax law is retained for up to 6 or 10 years (§§ 257 HGB, 147 AO). Other correspondence is deleted once it is no longer needed.

Our website contains links to external websites (for example to portfolio companies, social-media platforms, third-party services or news outlets). We have no control over the content or privacy practices of these external sites and are not responsible for them. Following a link triggers a request from your browser to the third-party site, which may collect data on its own responsibility. Please review the privacy policies of any external site you visit.

We may update this privacy policy from time to time to reflect changes in our services, in the providers we use or in applicable law. The current version is always available on this page; the date at the top of the policy indicates when it was last revised. Where a change requires your active cooperation (in particular renewed consent) or is otherwise material to you, we will inform you separately. Where this policy lists addresses or contact details of companies or organisations, please note that such information may change over time and we ask you to verify it before making contact.

This section summarises the key terms used in this privacy policy. Where the terms are defined in law (in particular in Art. 4 GDPR), the statutory definitions apply; the explanations below are intended for clarity only. - Personal data – any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity (Art. 4 (1) GDPR). - Processing – any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure or destruction (Art. 4 (2) GDPR). - Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 (7) GDPR). In this policy, the controller is Visionaries Club GmbH. - Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 (8) GDPR), e.g. our hosting, analytics, job-board and newsletter providers. - Joint controllership – two or more controllers jointly determine the purposes and means of processing (Art. 26 GDPR). In this policy, this applies to "Page Insights" statistics on our LinkedIn page. - Inventory data – essential information needed to identify and administer contract partners, user accounts and similar relations (e.g. name, address, customer or user ID). - Contact data – information that allows us to communicate with you (e.g. email address, postal address, telephone number, social-media handle). - Content data – information generated when creating, editing or sending content (e.g. messages, attachments, applications). - Usage data – information about how you use our online offering (e.g. pages viewed, time spent, click paths, device and browser characteristics, interactions with features). - Meta-, communication and procedural data – information describing the context, origin and structure of other data (e.g. IP addresses, timestamps, identifiers, request metadata). - Log data – records of events or activities in our systems (e.g. server log files documenting requests, errors and access). - Application data – information that you provide when applying for a position (e.g. CV, cover letter, profile data, work history). - Reach measurement (web analytics) – the evaluation of visitor traffic to an online offering, typically based on aggregated and pseudonymous information about the behaviour and interests of visitors. - IP-masking / pseudonymisation – a security and data-protection measure in which a direct identifier such as an IP address is shortened or replaced with a one-way salted hash so that the original identifier is no longer accessible (Art. 4 (5), 32 GDPR). - Standard Contractual Clauses (SCCs) – standardised contractual safeguards adopted by the European Commission for international transfers of personal data (Art. 46 (2) (c) GDPR). - EU–U.S. Data Privacy Framework (DPF) – legal framework adopted by the European Commission on 10 July 2023 that allows the transfer of personal data from the EU to certified U.S. organisations on the basis of an adequacy decision.