Privacy Policy

1. Introduction

AcquiAtlas ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our M&A intelligence platform at https://acquiatlas.com.

By using the Platform, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password, company name, phone number
• Profile Information: Professional role, bio, profile photo
• Business Listings: Business details, financial data, photos, documents
• Messages: Communication content between users
• Payment Information: Billing address, payment method (processed by Stripe)
• Documents: Files uploaded to Virtual Data Rooms

2.2 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: Browser type, operating system, device type, IP address
• Log Data: Access times, error logs, performance metrics
• Cookies: Session cookies, preference cookies, analytics cookies
• Location Data: Approximate location based on IP address

2.3 Information from Third Parties

• OAuth Providers: Profile information from GitHub, Google (if you use social login)
• QuickBooks: Financial data when you connect your QuickBooks account
• Payment Processor: Transaction data from Stripe

3. How We Use Your Information

We use collected information to:

• Provide Services: Operate the Platform, process transactions, manage accounts
• Improve Platform: Analyze usage, develop new features, enhance user experience
• Communicate: Send notifications, updates, marketing (with consent)
• Security: Detect fraud, prevent abuse, ensure platform security
• AI Features: Generate insights, power search, analyze documents
• Compliance: Meet legal obligations, respond to legal requests
• Analytics: Understand user behavior, measure effectiveness

4. AI and Data Processing

4.1 AI-Powered Features

We use OpenAI and other AI services to:

• Extract information from uploaded documents
• Generate summaries and insights
• Power semantic search functionality
• Detect potential red flags in due diligence
• Provide chatbot assistance

4.2 Data Sharing with AI Providers

When you use AI features, your content may be processed by our AI service providers (OpenAI). We have data processing agreements in place that prohibit these providers from using your data to train their models. AI providers only process data to provide the requested service.

4.3 AI Opt-Out

You can opt out of AI processing by adjusting your privacy settings. Note that opting out will limit certain Platform features.

5. Data Sharing and Disclosure

5.1 With Your Consent

We share information when you explicitly consent, such as when you grant another user access to your Virtual Data Room.

5.2 Service Providers

We share data with trusted service providers who help us operate the Platform:

• Supabase: Database hosting, authentication, storage
• OpenAI: AI processing and analysis
• Stripe: Payment processing
• Resend: Email delivery
• Vercel: Hosting and CDN (if applicable)
• Sentry: Error monitoring

5.3 Legal Requirements

We may disclose information if required by law, court order, or government request, or if necessary to protect our rights or the safety of users.

5.4 Business Transfers

If we are acquired or merge with another company, your information may be transferred to the new entity. We will notify you of any such transfer.

5.5 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Security

We implement comprehensive security measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: Secure password hashing, 2FA support, session management
• Access Control: Role-based access control (RBAC), row-level security (RLS)
• Monitoring: 24/7 security monitoring, intrusion detection
• Auditing: Comprehensive activity logs, access tracking
• Compliance: Regular security audits, penetration testing

While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the security of your account credentials.

7. Your Rights and Choices

7.1 GDPR Rights (EU Users)

If you are in the European Union, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Restrict processing of your data
• Portability: Receive your data in a machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent for data processing

7.2 CCPA Rights (California Users)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it's used
• Request deletion of your personal information
• Opt-out of the sale of personal information (we don't sell data)
• Non-discrimination for exercising your rights

7.3 Exercising Your Rights

To exercise any of these rights:

• Email us at: privacy@acquiatlas.com
• Use the data export feature in your account settings
• Contact our Data Protection Officer (if applicable)

We will respond to verified requests within 30 days.

8. Data Retention

We retain your information for as long as necessary to provide services and comply with legal obligations:

• Account Data: Retained while account is active, plus 90 days after deletion
• Transaction Data: Retained for 7 years (legal requirement)
• Communication Data: Retained for 3 years
• Analytics Data: Retained for 2 years
• Logs: Retained for 90 days

You may request earlier deletion by contacting us, subject to legal requirements.

9. Cookies and Tracking Technologies

9.1 Types of Cookies

• Essential Cookies: Required for authentication and platform functionality
• Analytics Cookies: Help us understand how you use the Platform
• Preference Cookies: Remember your settings and preferences
• Marketing Cookies: (Optional) Used for targeted advertising

9.2 Cookie Management

You can control cookies through your browser settings. Note that disabling essential cookies may affect Platform functionality. Adjust your preferences at: /settings/privacy

10. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we use appropriate safeguards such as:

• Standard Contractual Clauses approved by the European Commission
• Data Processing Agreements with service providers
• Encryption during transfer and storage

12. Third-Party Services

Our Platform integrates with third-party services that have their own privacy policies:

• Supabase: Supabase Privacy Policy
• OpenAI: OpenAI Privacy Policy
• Stripe: Stripe Privacy Policy
• Resend: Resend Privacy Policy

We recommend reviewing these third-party policies. We are not responsible for their privacy practices.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovery
• Notify relevant data protection authorities as required
• Provide information about the breach and mitigation steps
• Offer credit monitoring services if sensitive data was exposed

14. Your Data Protection Rights by Region

14.1 European Union (GDPR)

Legal Basis for Processing: We process your data based on:

• Consent (for marketing, AI processing)
• Contract performance (to provide services)
• Legitimate interests (platform improvement, security)
• Legal obligations (compliance, reporting)

Data Protection Officer: Contact dpo@acquiatlas.com

14.2 California (CCPA/CPRA)

Categories of Information Sold or Shared: None - we do not sell personal information.

Do Not Sell/Share Link: Not applicable as we don't sell data.

14.3 Other Jurisdictions

Users in other regions may have additional rights under local laws. Contact us to exercise your rights.

15. Marketing Communications

We may send you marketing communications about new features, promotions, and updates. You can:

• Opt-out by clicking "Unsubscribe" in any marketing email
• Adjust email preferences in your account settings
• Email us at privacy@acquiatlas.com to opt-out

Note: You cannot opt-out of transactional emails (receipts, account notifications).

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date
• Sending an email notification for significant changes
• Requiring re-acceptance for material changes

Your continued use of the Platform after changes constitutes acceptance of the updated policy.

17. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights:

18. Specific Feature Privacy

18.1 Virtual Data Rooms

Documents uploaded to VDRs are:

• Encrypted at rest and in transit
• Access-controlled based on permissions you set
• Watermarked when viewed by others
• Tracked via activity logs for security
• Deleted when you delete the VDR (within 30 days)

18.2 QuickBooks Integration

When you connect QuickBooks:

• We access only the data you authorize (read-only)
• Financial data is encrypted and secured
• You can disconnect at any time
• We do not share your financial data with third parties

18.3 API Usage

API usage data (endpoints called, request rates) is collected for:

• Rate limiting enforcement
• Billing and usage metering
• Security monitoring (detect abuse)
• Platform improvement