Privacy Policy
Last Updated: January 2026
This Privacy Policy explains how Mitochondria Ventures B.V. and Kutumbakam Ventures LLP ("Mitochondria", "we", "us") collect, process, and protect personal data in compliance with the EU General Data Protection Regulation (GDPR), the India Digital Personal Data Protection Act, 2023 (DPDP Act), the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.
1. Who Is Responsible for Your Data
Depending on the context, Mitochondria acts in different capacities:
For website visitors and business contacts: We act as Data Controller (GDPR) / Data Fiduciary (DPDP Act). We determine why and how your data is processed.
For client operational data processed through ATP: You (the client) are the Data Controller / Data Fiduciary. Mitochondria acts as Data Processor. We process data only according to your instructions.
The applicable contracting entity is specified in the relevant Order Form or Statement of Work:
Mitochondria Ventures B.V., Keizersgracht 391A, 1016EJ Amsterdam, The Netherlands
Kutumbakam Ventures LLP, 1101, Nandan Probiz, Pune 411045, Maharashtra, India
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Client Data" means all data, information, and content processed by ATP on behalf of a client, which may include Personal Data.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
3. Scope of This Policy
This policy applies to:
Visitors to our website (mitochondria.nl)
Business contacts, prospects, and partners
Clients using ATP and related agentic systems
This policy supplements, but does not replace, contractual data processing terms. A Data Processing Addendum (DPA) is available upon request and forms part of the agreement for enterprise clients.
4. Legal Basis for Processing
Under GDPR
We process Personal Data based on:
Consent
Contractual necessity
Legitimate interests
Legal obligations
Under DPDP Act (India)
We process Personal Data based on:
Consent of the Data Principal, or
Legitimate Uses as permitted under the DPDP Act
5. Website and Marketing Data
Data Collected
IP address
Browser and device metadata
Website interaction data
Cookies and analytics data
Contact information you voluntarily provide
Purpose
Website functionality and security
Performance analytics
Responding to enquiries
Communication about our services
Retention
Retained only for as long as necessary to fulfil the stated purpose. Website analytics data is retained for a maximum of 26 months.
6. Client Data Processing (ATP and Services)
When clients use ATP or other Mitochondria systems:
The client is the Data Controller (GDPR) / Data Fiduciary (DPDP)
Mitochondria acts as Data Processor
Processing Principles
Transient processing: Data is processed in real time and not retained by Mitochondria
No training on client data: We do not use client data to train or fine-tune models
Purpose limitation: Data is used solely to deliver contracted services
Client ownership: All operational data remains the client's property
Infrastructure
Processing occurs within secure cloud environments (Azure, AWS) in regions aligned with contractual and regulatory requirements. Specific regions are documented in the Order Form where applicable.
7. Cross-Border Data Transfers
EU Personal Data transferred outside the EEA uses Standard Contractual Clauses (SCCs)
India–EU transfers follow DPDP safeguards and contractual protections
Data localisation requirements are respected where contractually specified
8. Sub-Processors
We may engage vetted sub-processors for cloud infrastructure, security, development, and operational support.
Affiliated entities: Where Mitochondria Ventures B.V. is the contracting entity, development and operational support may be provided by our affiliated entity, Kutumbakam Ventures LLP (India). Such processing is subject to equivalent data protection obligations and appropriate transfer safeguards, including Standard Contractual Clauses.
Sub-processors are bound by contractual confidentiality and data protection obligations that are equivalent to those outlined in this policy. A current list of sub-processors is available upon request.
9. Data Security
We implement appropriate technical and organisational measures to protect Personal Data, including:
Encryption in transit and at rest
Role-based access controls
Regular security assessments
Incident response procedures
For detailed information, see our Security Overview.
10. Data Retention
Website and business contact data: Retained only as long as necessary for the stated purpose.
Client data: Processed transiently; not retained by Mitochondria except where explicitly agreed in the Order Form or required by law.
Security and operational logs: May contain limited metadata and are retained for a defined period for security, audit, and compliance purposes.
11. Cookies
Our website uses cookies to improve functionality and analyse usage.
Essential cookies (required for website operation) are enabled by default.
Analytics cookies are enabled only where required consent is obtained. We are committed to implementing consent mechanisms where required by applicable law.
We do not use advertising or tracking cookies.
12. Data Subject / Data Principal Rights
Under EU GDPR and UK GDPR
You have the right to:
Access your Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Object to processing
Data portability
Lodge a complaint with a supervisory authority
For EU residents, the relevant supervisory authority is in your country of residence. For UK residents, the supervisory authority is the Information Commissioner's Office (ICO).
Under DPDP Act (India)
You have the right to:
Access information about processing
Correction and erasure of Personal Data
Withdraw consent
Grievance redressal
Nominate another person to exercise rights on your behalf
13. Data Protection Contact
For questions, requests, or complaints regarding Personal Data, please contact us. We respond to all requests within legally mandated timelines (30 days under GDPR; as specified under DPDP).
14. Updates
This policy may be updated periodically. Material changes will be communicated via our website. Continued use of our services after updates constitutes acceptance of the revised policy.