1. Information We Collect
We collect information that you provide directly to us, including:
- Account Information: Name, email address, password, and company information when you create an account. When you sign in with Google OAuth, we automatically download and store your Google profile picture in our secure file storage (Vercel Blob) for use in our platform. When you connect your Zoom or Google Meet account, we collect OAuth credentials (access tokens and refresh tokens) which are encrypted with AES-256-GCM before storage.
- Profile Information: Information you add to your profile, such as your role (founder, investor, or advisor) and profile image
- Content: Documents, files, chat messages, Zoom and Google Meet meeting transcripts, and other content you upload or import to our platform
- Communication Data: Information from your interactions with our AI system, including voice recordings and chat transcripts
- AI Usage Metrics: Comprehensive tracking of all AI operations including: AI model used, prompt characteristics (length, documents attached, embeddings used), token usage (input, output, cached), and whether Google Search grounding was used. This data is used for cost monitoring, service optimization, and platform analytics.
- Usage Data: Information about how you use our service, including page views, file interactions, and analytics data collected through Vercel Analytics and Speed Insights
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process your transactions and manage your account
- Power our AI features, including document analysis and chat functionality
- Send you technical notices, updates, security alerts, and support messages
- Respond to your comments, questions, and customer service requests
- Monitor and analyze trends, usage, and activities in connection with our services
- Detect, prevent, and address technical issues and fraudulent activity
3. Information Sharing and Disclosure
We may share your information in the following circumstances:
- With your consent: We share information when you explicitly grant access through invitations to investors, advisors, or co-founders. All invitations require acceptance before access is granted, and you maintain full control over who can access your startup information.
- Service providers: We work with third-party service providers to perform services on our behalf, such as hosting (Vercel), analytics (Vercel Analytics and Speed Insights), file storage (Vercel Blob), AI processing (Google Gemini), and meeting transcription (Zoom, Google Meet)
- Legal requirements: We may disclose information if required by law or in response to valid legal requests
- Business transfers: In connection with any merger, acquisition, or sale of company assets
We do not sell your personal information to third parties.
For detailed information about our data processors and GDPR-compliant safeguards, please see our Data Processing Agreement (DPA).
4. Data Security
We take reasonable measures to protect your information from unauthorized access, use, or disclosure. However, no internet or electronic storage system is 100% secure. We implement:
- Encryption of data in transit (TLS/HTTPS) and at rest
- AES-256-GCM encryption for sensitive credentials (OAuth tokens with 96-bit IV)
- bcrypt password hashing with cost factor 12 for strong password protection
- CSRF protection using constant-time comparison to prevent timing attacks
- Comprehensive Content Security Policy (CSP) and security headers
- Rate limiting to prevent abuse (Upstash Redis with sliding window algorithm)
- Input validation and sanitization to prevent SQL injection and XSS attacks
- Regular security assessments and audits
- Role-based access controls (RBAC) and permission-based authentication
- Secure cloud infrastructure (Vercel, Neon PostgreSQL with pgvector)
Data Breach Notification: In the unlikely event of a data breach, we will notify affected users and relevant authorities as required by law. For detailed information about our incident response procedures, see our Data Breach Notification Process.
To report a security concern, contact: security@fulldeal.ai
5. Privacy Protections and Anonymization
We implement privacy-by-design principles throughout our platform:
- Activity Log Anonymization: To protect user privacy, activity logs anonymize all investor, advisor, and founder names when viewed by non-admin users. Founders see activities like "An investor opened a file" or "An advisor viewed a document" without revealing specific identities. Only system administrators can view full names in activity logs for support and security purposes.
- Fundraising Data: Fundraising information (target amounts, valuation, cap, discount, currency) is optional and only shared when you explicitly provide it. This information is included in your startup profile and AI assistant context to help answer investor questions, but you control what you disclose.
- User Privacy: Each user's chat history is private to them. Investors and advisors cannot see other users' conversations or personal files. All chat interactions are isolated and secure.
- Controlled Access: All document and data access is permission-based through explicit invitations. You maintain full control over who can access your materials.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide you services. You may delete your account at any time, and we will delete your personal information within 30 days, except where we are required to retain it for legal compliance or legitimate business purposes.
7. Your Rights
You have the right to:
- Access, update, or delete your personal information
- Object to or restrict certain processing of your data
- Data portability (receive your data in a structured format)
- Withdraw consent where we rely on it
- Lodge a complaint with a supervisory authority
8. AI and Machine Learning
Our platform uses artificial intelligence and machine learning to analyze documents, generate responses, and provide insights. Your data may be processed by third-party AI services (Google Gemini) to provide these features. We use enterprise-grade AI services that do not train models on your data.
AI Usage Tracking:
We comprehensively track all AI operations for cost monitoring, service optimization, and platform analytics. This includes:
- AI model versions used for each operation
- Prompt characteristics (system prompt length, total prompt length, documents attached, embeddings/RAG results used)
- Token usage metrics (input tokens, output tokens, cached tokens for cost calculation)
- Google Search grounding usage (when the AI searches the web for current information)
- Operation types (chat messages, file descriptions, FAQ generation, etc.)
This data is stored in both your chat message records and a dedicated AI metrics table. All AI usage data is included in your GDPR data export and can be deleted when you delete your account.
9. Analytics and Performance Monitoring
We use Vercel Analytics and Vercel Speed Insights to monitor and improve the performance and user experience of our platform. These services collect:
- Page views and navigation patterns
- Performance metrics (page load times, web vitals)
- Device and browser information
- Referral sources
Vercel Analytics is privacy-friendly and does not use cookies or track personal information across websites. All data is aggregated and anonymized. For more information, see Vercel's Analytics Privacy Policy.
10. Cookies
We use cookies and similar tracking technologies to manage authentication and essential platform functionality. You can control cookies through your browser settings or our cookie preference center.
Types of Cookies We Use:
- Necessary Cookies: Required for authentication, security, and basic platform functionality. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors use our platform (Vercel Analytics - privacy-friendly, no personal data tracking). You can opt-out of these.
- Functional Cookies: Enable enhanced features and personalization. You can opt-out of these.
You can manage your cookie preferences at any time from your Profile Settings under "Your Data Rights (GDPR)" section, or by clearing your browser's local storage and revisiting our site.
For more information about cookies and how to manage them, visit www.allaboutcookies.org.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this privacy policy.
12. Children's Privacy
Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18.
13. Changes to This Policy
We may update this privacy policy from time to time. Any changes will become effective when we post the revised policy on this page. We will update the "Last updated" date at the top of this policy. Your continued use of our services after any changes constitutes your acceptance of the new privacy policy. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us at:
FullDeal AI
Email: privacy@fulldeal.ai