Privacy Policy

Last Updated: May 2026

This Privacy Policy explains how Mitochondria Ventures B.V. and Kutumbakam Ventures LLP collect, process, and protect personal data. It is designed to address obligations under the EU General Data Protection Regulation ("GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and the India Digital Personal Data Protection Act 2023 ("DPDP Act"), as well as other applicable data protection laws.

1. Who Is Responsible for Your Data

Depending on the context and the engagement, Mitochondria acts in different capacities under different regimes:

For website visitors, business contacts, prospects, and our own personnel, Mitochondria acts as Data Controller (under GDPR and UK GDPR) and Data Fiduciary (under the DPDP Act). We determine why and how personal data is processed.

For client operational data processed through our AI Systems, the Client is the Data Controller / Data Fiduciary, and Mitochondria acts as Data Processor. We process data only according to Client instructions.

The applicable contracting entity for any engagement is determined by commercial and operational factors and is specified in the relevant Order Form or Statement of Work. The contracting entities are:

  • Mitochondria Ventures B.V., 1016EJ Amsterdam, The Netherlands

  • Kutumbakam Ventures LLP, Pune 411045, Maharashtra, India

Where Mitochondria Ventures B.V. is the contracting entity, it acts as Data Processor and may engage Kutumbakam Ventures LLP as sub-processor for engineering, development, and operational support, governed by intra-group data protection agreements incorporating the EU Standard Contractual Clauses where applicable. Where Kutumbakam Ventures LLP is the contracting entity, it acts as Data Processor in its own right.

2. Definitions

"AI Systems" means the agentic AI systems provided by Mitochondria, including the underlying orchestration framework and the specific systems deployed under engagement-specific names as identified in the Order Form.

"Client Data" means all data, information, and content processed by Mitochondria's AI Systems on behalf of a Client, which may include Personal Data.

"Data Principal" has the meaning given in the DPDP Act and refers to the individual to whom personal data relates.

"Data Subject" has the meaning given in the GDPR and UK GDPR and refers to the individual to whom personal data relates.

"Personal Data" means any information relating to an identified or identifiable natural person, and includes "personal data" as defined under the GDPR, UK GDPR, and the DPDP Act.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

3. Scope of This Policy

This policy applies to:

  • Visitors to our website (mitochondria.nl and any related domains)

  • Business contacts, prospects, and partners

  • Clients using our AI Systems

  • Personnel of Mitochondria, in respect of personal data we process about them in our capacity as employer or contracting party

This policy supplements, but does not replace, contractual data processing terms. A Data Processing Agreement is executed with all Clients processing personal data of regulated Data Subjects or Data Principals and forms part of the agreement.

4. Legal Basis and Lawful Use

Under GDPR and UK GDPR

We process Personal Data based on one or more of the following legal bases under Article 6(1):

  • Consent of the Data Subject

  • Performance of a contract with the Data Subject

  • Compliance with a legal obligation

  • Legitimate interests pursued by Mitochondria or a third party

Under the DPDP Act

We process Personal Data based on:

  • The consent of the Data Principal, given in accordance with Section 6 of the DPDP Act, or

  • Certain Legitimate Uses as permitted under Section 7 of the DPDP Act, including for the performance of a function under law, the provision of a service requested by the Data Principal, employment-related purposes, and other specified uses.

5. Categories of Personal Data We Process

In the operation of our website and business, we may process the following categories of Personal Data:

  • Identification and contact information (name, email address, postal address, phone number)

  • Professional information (job title, company, professional interests)

  • Website interaction data (IP address, browser and device metadata, pages visited)

  • Cookies and analytics data, where consent is obtained

  • Communication content where you correspond with us

We do not process special categories of personal data within the meaning of GDPR Article 9, nor data relating to criminal convictions and offences within the meaning of GDPR Article 10, in respect of website visitors and business contacts. Where we process such categories in respect of our personnel, we do so under the applicable legal basis and with appropriate safeguards.

In the operation of our AI Systems on behalf of Clients, the categories of Personal Data Processed are determined by the Client's Order Form and the underlying engagement. Mitochondria does not Process such Personal Data for any purpose other than the provision of the contracted AI Systems.

6. Purposes of Processing

For website visitors and business contacts, we Process Personal Data for the following purposes:

  • Operating, securing, and improving our website

  • Responding to enquiries and providing information about our AI Systems

  • Communicating with prospects and Clients

  • Managing our business relationships and contracts

  • Complying with our legal obligations

For Clients using our AI Systems, we Process Client Data only for the purposes set out in the Order Form and on the documented instructions of the Client.

7. Client Data Processing through Our AI Systems

When Clients use Mitochondria's AI Systems:

  • The Client is the Data Controller / Data Fiduciary

  • Mitochondria acts as Data Processor

Processing Principles

  • Transient processing. Client Data is Processed in real time and is not retained at rest by Mitochondria except where explicitly agreed in the Order Form or required by law.

  • No training on Client Data. We do not use Client Data to train, fine-tune, or improve any model, and we do not aggregate Client Data across engagements.

  • Purpose limitation. Client Data is used solely to deliver contracted services.

  • Client ownership. All operational Client Data remains the Client's property.

Infrastructure

Processing occurs within secure cloud environments contracted by the relevant Mitochondria entity, principally Microsoft Azure tenants configured to operate within the European Economic Area for engagements where Mitochondria Ventures B.V. is the contracting entity. Specific regions and configurations are documented in the Order Form where applicable.

8. Cross-Border Data Transfers

The location where Personal Data is Processed is determined on an engagement-specific basis, taking into account the Client's regulatory environment, applicable sovereign data residency requirements, and the operational design of the Services. Mitochondria's personnel are located in the Netherlands, the United Kingdom, and India, and may access Personal Data in the course of providing the Services in accordance with the safeguards described in this section. The specific Processing location and any sovereign requirements applicable to a given engagement are documented in the relevant Order Form.

Transfers of EEA Personal Data outside the EEA rely on the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, supplemented by appropriate technical and organisational measures. A Transfer Impact Assessment has been conducted in respect of transfers to India and is available to Clients on request.

Transfers of UK Personal Data outside the United Kingdom rely on the Standard Contractual Clauses as supplemented by the UK International Data Transfer Addendum, or on the UK International Data Transfer Agreement, as applicable, except where the destination is a country covered by a UK adequacy regulation.

Transfers of Personal Data from India are made in accordance with the cross-border transfer provisions of the DPDP Act and any restrictions notified by the Central Government from time to time. As of the date of this policy, no notified restriction prevents the transfers we make. Where sectoral law (including, without limitation, rules of the Reserve Bank of India, the Securities and Exchange Board of India, or the Insurance Regulatory and Development Authority of India) imposes localisation requirements applicable to a specific engagement, those requirements are observed.

9. Sub-Processors

We engage vetted sub-processors for cloud infrastructure, security, development, and operational support.

Where Mitochondria Ventures B.V. is the contracting entity, development and operational support may be provided by Kutumbakam Ventures LLP as sub-processor, governed by intra-group data protection agreements incorporating the EU Standard Contractual Clauses.

Sub-processors are bound by contractual confidentiality and data protection obligations equivalent to those imposed on us. A current list of sub-processors is available upon request.

10. Data Security

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit using TLS 1.2 or higher

  • Encryption at rest where persistent storage is contractually required

  • Role-based access controls and multi-factor authentication

  • Regular security assessments and reviews

  • Incident response procedures

Kutumbakam Ventures LLP operates an Information Security Management System certified to ISO/IEC 27001:2022. The information security controls applicable to engagements contracted through Mitochondria Ventures B.V. are inherited from the certified ISMS through intra-group data protection agreements. Mitochondria intends to bring the operations of Mitochondria Ventures B.V. within the scope of an external ISO/IEC 27001:2022 certification within the next twelve months.

11. Data Retention

  • Website and business contact data: Retained only as long as necessary for the stated purpose. Website analytics data is retained for up to 26 months.

  • Client Data: Processed transiently; not retained at rest by Mitochondria except where explicitly agreed in the Order Form or required by law.

  • Security and operational logs: May contain limited metadata and are retained for a defined period for security, audit, and compliance purposes.

12. Cookies

Our website uses cookies to improve functionality and analyse usage. Essential cookies (required for website operation) are enabled by default. Analytics cookies are enabled only where required consent is obtained. We do not use advertising or tracking cookies.

13. Your Rights

Under GDPR and UK GDPR

You have the right to:

  • Access your Personal Data

  • Rectification of inaccurate data

  • Erasure (the "right to be forgotten")

  • Restriction of Processing

  • Object to Processing

  • Data portability

  • Withdraw consent where Processing is based on consent

  • Lodge a complaint with a supervisory authority

For EU residents, the relevant supervisory authority is the data protection authority of your country of residence. The supervisory authority for Mitochondria Ventures B.V. is the Autoriteit Persoonsgegevens (Netherlands). For UK residents, the supervisory authority is the Information Commissioner's Office (ICO).

Under the DPDP Act

You have the right to:

  • Access information about Processing of your Personal Data, including a summary of the Personal Data being Processed and the Processing activities undertaken

  • Correction, completion, updating, and erasure of your Personal Data

  • Withdraw consent given to Processing

  • Grievance redressal in respect of any act or omission affecting your rights

  • Nominate another individual to exercise your rights in the event of your death or incapacity

  • Lodge a complaint with the Data Protection Board of India

14. How to Exercise Your Rights

To exercise any of the rights described above, or to make a complaint regarding the Processing of your Personal Data, please contact us at privacy(at)mitochondria.nl. For Data Principals exercising rights under the DPDP Act, our designated Grievance Officer is reachable at privacy(at)mitochondria.nl.

We will respond to all requests within the timelines required by applicable law: within 30 days under GDPR and UK GDPR, and within the timelines specified under the DPDP Act and the rules made thereunder.

15. Updates to This Policy

This policy may be updated periodically. Material changes will be communicated via our website and, where appropriate, by direct notice. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

16. Contact

For any questions regarding this Privacy Policy or our Processing of Personal Data, please contact us.