Plain English. No security theater. This page says what we collect, where it lives, what we do and do not claim, and how to get your data out or deleted.
During a diagnostic session, Jake collects business information you share verbally. Revenue ranges, team structure, sales channels, operational details, financial gaps. This is captured in notes and feeds into the blueprint generation. We do not record sessions unless you explicitly consent in writing first.
From the website, we collect:
We do not collect payment card details (Stripe handles those), social security numbers, health information, biometrics, or any government IDs.
| System | What it stores | Encryption | Region |
|---|---|---|---|
| Stripe | Payment processing only | TLS in transit, AES 256 at rest | US |
| Calendly | Booking details, your email | TLS in transit, AES 256 at rest | US |
| Netlify Forms | Website form submissions | TLS in transit, encrypted at rest | US |
| Google Analytics 4 | Anonymized page views | TLS, Google infrastructure | US |
| Google Workspace | Diagnostic notes, blueprints | TLS in transit, AES 128 at rest | US |
| Anthropic | Blueprint generation prompts (no PII unless you provide it) | TLS in transit | US |
Your business data is processed across these six services. None of them are obscure. All are mainstream B2B SaaS with established security postures.
| Framework | Status | Why |
|---|---|---|
| GDPR and UK GDPR | Compliant | Privacy notice, lawful basis documented, data subject rights honored, anonymized analytics. |
| CCPA and CPRA | Compliant | Same privacy posture covers California residents. We do not sell personal information. |
| PCI DSS | Compliant via Stripe | We never touch card data. Stripe is PCI Level 1 certified. |
| SOC 2 Type II | Not pursued yet | SOC 2 makes sense when enterprise customers require it as a deal blocker. We are a one-person firm. Pursuing now would cost more than the operational benefit. We can pursue when client demand justifies it. |
| HIPAA | Not applicable | HIPAA applies to handlers of Protected Health Information. VentureFrame is a B2B business consulting service. We do not touch PHI. Claiming HIPAA when not handling PHI is misleading. |
| ISO 27001 | Not pursued | Same logic as SOC 2: proportionality. We will pursue it when enterprise demand justifies it. |
Email support@ventureframe.net with the subject "Privacy request". Include the email address associated with your account or session.
We respond within 30 days for GDPR requests, 45 days for CCPA. In practice, most requests are handled same day.
Three things you can ask for:
If a data incident happens (unauthorized access, accidental disclosure, lost credentials), we notify affected parties within 72 hours of discovery, per GDPR Article 33 timing. The notification includes what happened, what data was involved, what we are doing about it, and what you should do.
There have been zero incidents to date. We track this here so you can verify.
One sentence summary. VentureFrame is a one-person consulting firm that takes data hygiene seriously without pretending to be an enterprise security organization. We comply with the privacy laws that apply, use mainstream SaaS infrastructure with established security postures, and document what we do honestly. We do not claim compliance with frameworks (SOC 2, HIPAA, ISO 27001) that we have not actually audited against.
Questions about anything on this page? Email support@ventureframe.net. Jake reads every message personally.