DealRoom (“we,” “us,” or “our”) operates the dealroom.so platform (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have regarding your data.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, phone number (optional), LinkedIn profile URL, and organization details. If you sign in via Google or LinkedIn OAuth, we receive your public profile information from those providers.
1.2 Deal and Transaction Data
We collect information you provide while using the platform, including deal materials, confidential information memoranda, NDA signatures, letters of intent, document uploads, questions, and chat messages. Seller-provided deal materials may include sensitive business records such as financial statements, tax information, customer lists, employee-related materials, operating metrics, contracts, and other confidential transaction documents.
1.3 Behavioral and Usage Data
We collect data about how you interact with the Service: pages visited, documents viewed or downloaded, time spent on sections, session identifiers, click events, and engagement patterns. This data helps advisors understand buyer interest and helps us improve the platform.
1.4 Device and Network Information
We automatically collect your IP address, browser type and version, operating system, device type, approximate geolocation (city/country derived from IP), referrer URL, and UTM campaign parameters.
1.5 Electronic Signatures
When you sign an NDA or LOI on the platform, we capture your typed or drawn signature, your IP address, user agent, and a timestamp. A cryptographic hash of the signed document content is stored to ensure integrity.
1.6 Payment Information
Payment card details are collected and processed directly by Stripe. We do not store full card numbers on our servers. We retain your Stripe customer ID and subscription status for billing purposes.
2. How We Use Your Information
- Provide and operate the Service — manage your account, facilitate deal progression, enable document sharing, and support buyer-advisor communication.
- Fraud detection and platform integrity — verify user identity and detect suspicious activity using IP, email, and phone fraud scoring via IPQualityScore (IPQS).
- Analytics and improvement — understand how users interact with the platform to improve features, performance, and user experience.
- Communication — send transactional emails (NDA confirmations, deal notifications, OTP codes), respond to support inquiries, and deliver buyer deal alerts.
- Legal compliance — maintain records required for legal, tax, or regulatory obligations, including signed NDAs and LOIs.
- AI-assisted features — generate deal summaries, parse uploaded LOI documents, and assist advisors with content creation.
3. Third-Party Services
We share data with the following categories of third-party service providers, each operating under their own privacy policies:
- Anthropic — AI processing for deal content generation and LOI parsing. Uploaded LOI files and deal content may be sent to Anthropic to extract or generate requested content. We minimize submitted data where feasible, and AI-processed content is not used by DealRoom to train foundation models.
- Stripe — payment processing and subscription management. Stripe receives your name, email, and payment card details.
- PostHog — product analytics and session tracking. PostHog receives pseudonymized usage events associated with an account identifier, device information, and page view data.
- IPQualityScore (IPQS) — fraud detection. IPQS receives IP addresses, email addresses, and phone numbers to generate risk scores.
- Resend — transactional email delivery. Resend receives recipient email addresses and message content.
- Twilio — SMS delivery for verification codes. Twilio receives phone numbers and OTP message content.
- Convex — backend infrastructure and database hosting. All application data is stored on Convex's cloud infrastructure.
- Vercel — frontend hosting and edge network delivery.
4. Data Retention
- Account data — retained for the lifetime of your account. Deleted or anonymized within 30 days of an account deletion request, except where retention is required for legal, security, audit, or transaction recordkeeping obligations.
- Deal engagement data — retained for the duration of the deal plus 12 months after deal closure for reporting purposes.
- NDA and LOI records — retained for 7 years after execution to satisfy legal and compliance obligations, even after account deletion. Direct database identifiers and searchable PII fields are anonymized upon deletion request where feasible, but executed PDFs, signature evidence, content hashes, and related audit records may be retained until the retention period expires or a legal hold is released.
- Legal holds — records subject to litigation, regulatory inquiry, security investigation, or transaction dispute may be retained for longer while the hold remains in effect.
- Behavioral tracking data — retained for 24 months, then automatically purged.
- Fraud detection records — IP and risk score data is cached for 24 hours and retained in aggregate for 12 months.
5. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights:
- Right of access — request a copy of all personal data we hold about you. You can export your data directly from your account settings, or contact us.
- Right to deletion — request that we delete your personal data. You can initiate deletion from your account settings. Certain data, including executed NDAs, LOIs, access logs, and records under legal hold, may be retained in full or anonymized form for legal compliance, audit, security, dispute resolution, or transaction recordkeeping.
- Right to rectification — request correction of inaccurate personal data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to certain types of processing, including behavioral tracking and profiling.
- Right to restrict processing — request that we limit how we use your data while a complaint or request is being resolved.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
6. Behavioral Tracking and Opt-Out
DealRoom collects behavioral data (page views, document interactions, session activity) to help advisors understand buyer engagement, support seller portal workflows, and improve the platform. Buyer and seller users may opt out of optional behavioral tracking. If you wish to opt out, you can do so from your account settings or by contacting us at [email protected]. Please note that opting out of tracking may limit certain platform features that rely on engagement data (e.g., engagement scores visible to advisors).
7. Cookies and Similar Technologies
We use the following types of cookies:
- Essential cookies — required for authentication, session management, and platform functionality. These cannot be disabled.
- Analytics cookies — used by PostHog to collect anonymous usage statistics. You can opt out of these via your browser settings or by contacting us.
- Fraud prevention cookies — used to generate device fingerprints and visitor IDs for fraud detection purposes.
We do not use advertising or marketing cookies. We do not sell your data to third parties.
8. GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), the legal bases for our processing of your personal data are:
- Contract performance — processing necessary to provide the Service you have signed up for.
- Legitimate interests — fraud prevention, platform security, and analytics to improve the Service.
- Legal obligations — retention of NDA and signature records as required by law.
- Consent — where required, such as for optional behavioral tracking.
You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.
DealRoom uses [email protected] as its data protection contact. If an EU representative or Data Protection Officer becomes legally required for a specific processing activity, this policy will be updated with that contact.
9. CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of your personal information, subject to certain exceptions.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
- Right to opt out of sale — we do not sell personal information. No opt-out is necessary.
To exercise your CCPA rights, contact us at [email protected].
10. International Data Transfers
Your data may be transferred to and processed in the United States, where our infrastructure providers (Convex, Vercel, Stripe) are headquartered. We ensure appropriate safeguards are in place, including standard contractual clauses where required, to protect your data during international transfers.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete that data promptly.
12. Breach Notification
If DealRoom becomes aware of a personal data breach, we will assess the scope, risk, and affected users. Where legally required, we will notify the appropriate supervisory authority and affected individuals within the timelines required by applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
DealRoom
Email: [email protected]
Website: dealroom.so