1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between FullDeal AI ("we", "us", "Data Controller") and you ("Customer", "Data Subject") for the use of our services.
This DPA reflects our commitment to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion
- Data Controller: The entity that determines the purposes and means of processing Personal Data. For the data you provide to use our services, this is FullDeal AI.
- Data Processor: An entity that processes Personal Data on behalf of a Data Controller. This covers the third-party service providers that process data on our behalf and, in the situation described in Section 3, FullDeal AI when it processes data you share with others.
- Sub-processor: Any Data Processor engaged by us to process Personal Data
- Data Subject: You, the individual whose Personal Data is processed
 
3. Scope and Role
FullDeal AI acts as a Data Controller for the Personal Data you provide when using our services. We determine the purposes and means of processing your data.
When you use our platform to share information with investors, advisors, or co-founders through invitations, you may act as a Data Controller for that shared data, and we may act as a Data Processor on your behalf. All invitations require explicit acceptance before data is shared.
4. Legal Basis for Processing
We process your Personal Data based on the following legal bases under Article 6 of the GDPR:
a) Consent (Article 6(1)(a))
- Analytics cookies
 - Functional cookies
 - Marketing communications (when applicable)
 
b) Contract Performance (Article 6(1)(b))
- Account creation and authentication
 - Service delivery (chat, file storage, AI features)
 - Processing transactions
 - Customer support
 
c) Legitimate Interests (Article 6(1)(f))
- Security and fraud prevention
 - System monitoring and performance optimization
 - Service improvements and development
 
d) Legal Obligation (Article 6(1)(c))
- Compliance with legal and regulatory requirements
 - Tax and accounting obligations
 - Response to lawful requests from authorities
 
5. Sub-processors
We engage the following sub-processors to help provide our services. All sub-processors are required to provide adequate safeguards for Personal Data and have appropriate data processing agreements in place:
Vercel Inc.
- Service: Hosting, file storage (Vercel Blob), analytics, performance monitoring
- Location: United States (with global CDN)
- Data Processed: All platform data, including user accounts, files, chat messages, and analytics
- GDPR Compliance: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework certified
- Website: vercel.com/legal/privacy-policy
 
Google LLC
- Service: AI processing (Gemini API), OAuth authentication
- Location: United States (with global data centers)
- Data Processed: Chat messages and document content submitted for AI analysis; OAuth profile data (name, email, profile image; the profile image is downloaded automatically and stored in our file storage); web search queries (only when Google Search grounding is triggered)
- GDPR Compliance: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework certified, Google Cloud Data Processing Amendment
- Data Usage: Under the enterprise Gemini API terms we use, Google does not train its AI models on customer data
- Website: policies.google.com/privacy
 
Neon Database (PostgreSQL)
- Service: Database hosting
- Location: EU and US regions (the region is selected by us as Neon's customer; EU hosting is available)
- Data Processed: All structured data (accounts, file metadata, relationships between records)
- GDPR Compliance: Standard Contractual Clauses (SCCs), EU hosting available
- Website: neon.tech/privacy-policy
 
Upstash (Optional - Rate Limiting)
- Service: Redis for rate limiting
- Location: Global (the region is selected by us as Upstash's customer; EU data residency is available)
- Data Processed: IP addresses and rate-limit counters (short-lived; they expire with the rate-limit window)
- GDPR Compliance: EU data residency available
- Website: upstash.com/privacy
 
Zoom Video Communications Inc.
- Service: Meeting transcript import via OAuth
- Location: United States (with global data centers)
- Data Processed: OAuth access and refresh tokens issued by Zoom (stored by us encrypted with AES-256-GCM), meeting transcripts (only when imported by the user)
- GDPR Compliance: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework certified
- Data Usage: OAuth tokens are refreshed automatically. Transcript data is downloaded on demand and stored in our infrastructure (Vercel Blob). The user can disconnect the integration at any time, after which we no longer hold a valid token for their account.
- Required Scopes: cloud_recording:read:meeting_transcript, cloud_recording:read:list_user_recordings, user:read:user
- Website: zoom.us/privacy
 
Google LLC (Google Meet)
- Service: Meeting transcript import via OAuth
- Location: United States (with global data centers)
- Data Processed: OAuth access and refresh tokens issued by Google (stored by us encrypted with AES-256-GCM), conference transcripts including speaker names (only when imported by the user)
- GDPR Compliance: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework certified
- Data Usage: OAuth tokens are refreshed automatically. Transcript data (including participant names) is downloaded on demand and stored in our infrastructure (Vercel Blob). The user can disconnect the integration at any time.
- Required Scopes: meetings.space.readonly, email
- Note: Only conferences where the user is the organizer are accessible. Google automatically deletes transcripts 30 days after the conference ends, so a transcript can only be imported within that window.
- Website: policies.google.com/privacy
 
Note: We will notify you of any changes to our list of sub-processors by updating this page. If you object to a new sub-processor, you may terminate your account within 30 days of notification.
6. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256 for stored files)
- AES-256-GCM encryption, with 96-bit initialization vectors (IVs), for sensitive OAuth credentials
- bcrypt password hashing with cost factor 12
- CSRF protection on all state-changing operations, with constant-time token comparison to prevent timing attacks
- Rate limiting via Upstash Redis using a sliding-window algorithm to limit abuse and denial-of-service (DoS) attempts
- Comprehensive Content Security Policy (CSP) and security headers (X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy)
- Input validation and sanitization to mitigate SQL injection and cross-site scripting (XSS)
- Authentication with Auth.js (NextAuth) and JWT-based sessions
- Role-based access control (RBAC) with permission-based authorization checks
- Regular security updates and patches
- Managed cloud infrastructure (Vercel hosting, Neon PostgreSQL with the pgvector extension)
 
Organizational Measures:
- Access controls and authentication for team members
- Regular security training
- Incident response procedures
- Regular encrypted backups
- Monitoring and logging of system access
- Data minimization principles
 
7. Data Retention
We retain Personal Data as follows:
- Active Accounts: Data is retained while the account is active
- Deleted Accounts: Personal Data is deleted within 30 days of the account deletion request
- Backups: Data may persist in encrypted backups for up to 90 days after deletion, after which it is permanently removed
- Legal Holds: Data subject to legal obligations is retained for as long as the law requires
- Anonymized Data: Aggregated, anonymized analytics data that no longer identifies any individual may be retained indefinitely
 
8. International Data Transfers
Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
We ensure appropriate safeguards are in place for such transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all sub-processors handling EEA data
- EU-US Data Privacy Framework: Our primary sub-processors (Vercel, Google) are certified under the EU-US Data Privacy Framework
- Adequacy Decisions: Where possible, we transfer data only to countries, or to organizations under frameworks, covered by an EU adequacy decision
 
9. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required)
 - Notify affected Data Subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
 - Document all breaches, including facts, effects, and remedial actions taken
 - Implement measures to mitigate the breach and prevent future occurrences
 
To report a suspected security incident, contact us immediately at: security@fulldeal.ai
For detailed information about our breach notification procedures, see our Data Breach Notification Process.
10. Your Rights as a Data Subject
Under GDPR, you have the following rights regarding your Personal Data:
- Right of Access (Article 15): Request copies of your Personal Data
 - Right to Rectification (Article 16): Request correction of inaccurate data
 - Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
 - Right to Restriction (Article 18): Request restriction of processing
 - Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format
 - Right to Object (Article 21): Object to processing based on legitimate interests
 - Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time
 - Right to Lodge a Complaint: File a complaint with your supervisory authority
 
To exercise any of these rights, visit your Profile Settings or contact us at privacy@fulldeal.ai.
11. Supervisory Authority
If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority.
You can find your local supervisory authority at: European Data Protection Board - Members
12. Data Protection Officer
For questions about this DPA or our data protection practices, please contact:
13. Changes to this DPA
We may update this DPA from time to time to reflect changes in our practices or legal requirements. Any material changes will be notified to active users via email. The "Last updated" date at the top of this page will be updated accordingly.