Skip to content
thestart,
Home Book a 30-minute call
Legal

Privacy notice

Last updated 15 July 2026

This page explains what personal data we hold, why we hold it, and the rights you have over it. It is written to be read. If anything is unclear, email marc@thestart.agency and you will get a straight answer.

Who we are

The Start is operated by Marc Andres, a self-employed professional (autónomo) in Sabadell (Barcelona), Spain. For data protection law, the GDPR and Spain's LOPDGDD (Organic Law 3/2018), that makes Marc Andres the controller of the personal data this notice describes.

Contact for anything in this notice: marc@thestart.agency.

The data we hold

Four kinds, and only four.

  • Your visit to this site. Browsing sets no cookies unless you accept the optional Google Analytics set on the banner; if you do, we see anonymised page statistics (which pages are read, on what kind of device), never who you are. Decline and nothing is set. The only cookie we set without asking is the one that keeps you signed in, and only if you choose to make a Grants Finder account; our cookie policy describes it in full. Like any website, the servers that deliver the page use your IP address to send it to you. The site also loads its fonts from Google; see the Google Fonts note below.
  • What you send us. If you email us, or later join a waitlist or sign up for alerts on this site, we keep your name, your email address, your organisation if you share it, and what you wrote. We use it to reply, and to send you what you asked for.
  • Professional contact details for our outreach. We write to people who lead charities and other good causes. For that, we hold publicly available professional details: your name, your role, your work email address, and public facts about your organisation.
  • Your Grants Finder account, if you make one. Your sign-in details, the profile you build about your organisation, the grants you save, mark as applied or pass on, and, while you are signed in, how you use the finder: what you search, which pages you view, and which grant records you open. The section below, "Your Grants Finder account", says exactly what we do and do not do with it.

Where outreach details come from

You may hear from us without ever having written to us. When that happens, Article 14 of the GDPR says we must tell you where your details came from. So, plainly: they come from public registers, such as the UK Charity Commission register, and from your organisation's own website. We do not buy contact lists.

Why we hold it

The law asks for a lawful basis for each use of personal data. Ours are:

  • Consent, for waitlists and any alerts you sign up for. You can withdraw it at any time, and we stop.
  • Legitimate interests, for professional outreach to people at organisations, in their working role, about work that could serve their cause. You can object at any time, and we stop. See your rights below.
  • Contract, for clients: we process what we need to deliver the work we agreed with you. The same basis runs your Grants Finder account: making one asks us to match grants to your profile and remember your marks, so we process what that takes.
  • Legitimate interests, again, for making the finder better: learning from how signed-in organisations use it, and from how applications turn out, as the next section describes. You can object at any time, and we stop.
  • Legal obligation, for the business records Spanish tax and accounting law makes us keep.

Your Grants Finder account

The finder is free, and it is honest about what it learns. When you make an account and sign in, this is the whole picture:

  • What we collect. The profile you build about your organisation; the grants you save, mark as applied, or pass on; and how you use the finder while signed in: your searches, the pages you view, and the grant records you open.
  • What it is for. Three things, and only three. To make your matches fit, so the finder hands you what serves your cause, not a generic list. To improve the finder itself, by seeing which pages help and which confuse. And to learn what works: we cross what account holders marked as applied with the award results funders later publish in public registers, so the finder learns which funders choose what.
  • What we never do. Your account data is never shown, sold or given to anyone else, and never used for advertising. Any lesson the machine learns from it is stripped of your name and your organisation's name before it teaches anything beyond your own account. We do not use your finder activity to send you marketing you did not ask for.
  • Profiling, named plainly. Learning your organisation's priorities from what you search, save and apply to is profiling under the GDPR. It decides one thing: what the finder shows you. It makes no decision about you with legal or similarly significant effects, and a person is behind anything that matters.
  • How long. Signed-in usage data (searches, pages viewed, records opened) is kept in a form that identifies you for at most twelve months, then de-identified or deleted. Close your account and your profile and marks are deleted within a month, except the little the law makes us keep.
  • No extra cookies. All of this works through your sign-in session, the one ts_session cookie the cookie policy describes. The finder's learning happens on our servers, from the pages you ask for while signed in. It sets no analytics cookie and reads nothing else from your device.

The legal bases: contract for running your account and its matching, and legitimate interests for improving the finder and the learning described above. You can object to that learning at any time, keep your account, and the finder still works; email marc@thestart.agency or say so from your account.

If we send you a proposal

When we prepare a proposal for your organisation, we serve it on a private link made only for you. Because the link is yours alone, our server can see when the page is opened. We use that for one thing: knowing the proposal reached you, so we can time a polite follow-up instead of guessing. The proposal page sets no cookies and installs nothing in your browser; the record is made on our side, from the request your browser sends like any web page. If you would rather we did not, say so and we stop. That is your right to object, and where it touches direct marketing it is absolute.

AI, named plainly

We use AI systems to prepare research and drafts. Today that is Claude, built by Anthropic. Two things matter here:

  • A human approves anything before it is sent. Nothing goes out on automatic.
  • Under our terms with the provider, our data is not used to train their models.

Who sees your data

We do not sell personal data. We share it only with the services we use to run the business, each under its own data protection terms: our email service (Google Workspace) and our AI provider (Anthropic). Beyond that, only if the law requires it.

Where your data travels

Our AI provider processes data in the United States. That happens under safeguards the EU approves: standard contractual clauses and, where it applies, an adequacy decision. Data about people in the UK reaches us in Spain under the UK and EU adequacy decisions. We watch those rules, and if they change, we change with them.

How long we keep it

  • Business records, such as contracts, invoices, and the correspondence that belongs with them: Spanish accounting and tax law makes us keep these for six years. Then we delete them.
  • Prospect details, meaning people we wrote to who did not become clients: deleted or suppressed when you ask. If you ask us to stop emailing you, we keep the minimum needed to make sure we never email you again. That is the suppression list, and it exists to protect you.

Your rights

You can ask us, at any time and for free:

  • to see the data we hold about you (access);
  • to correct it (rectification);
  • to delete it (erasure);
  • to pause or limit what we do with it (restriction);
  • to receive it in a usable electronic format (portability);
  • to object to how we use it (objection).

One right is absolute. If you object to direct marketing, we stop. No questions, no conditions. That is Article 21 of the GDPR, and we honour it in full.

To use any of these rights, email marc@thestart.agency. We reply within a month.

You can also complain to a supervisory authority. Ours is the Spanish data protection authority, the AEPD (www.aepd.es). If you are in the UK, you can also contact the ICO (ico.org.uk).

How to stop our emails

Any of these works, and all of them are free:

  • Reply to any email from us with STOP or unsubscribe.
  • Email marc@thestart.agency with the subject Unsubscribe.
  • Or just say it in your own words in a reply. We read replies.

Your opt out is honoured before the next batch of emails goes out. Your address goes on a suppression list, kept for each engagement we run, so the same engagement never emails you again. If you want nothing from us at all, say so, and we suppress you across everything we operate.

The short version. Say stop, in any words, and we stop. Before the next send.

Google Fonts

This site loads its two typefaces from Google Fonts. When a page loads, your browser fetches the font files from Google's servers, so Google sees your IP address and standard browser details. That request sits under Google's own privacy policy. Cookies are set only with your consent; our cookie policy has the rest.

Decisions about you

We do not make automated decisions about you that carry legal or similarly serious effects. People decide. The finder's matching profiles your organisation's needs to sort grant lists, as described above; it carries no such effects.

Changes to this notice

When this notice changes, the date at the top changes with it. Real changes get flagged plainly on this page, not buried.

Back to the home page

thestart, the start,·thestart.agency

More funding for the work that matters, in secure, human hands.

Privacy·Terms·Cookies