Privacy Policy

Last updated: May 17, 2026

1. Introduction

FundFlow(“we,” “us,” or “our”) operates the website at fundflow.comand the related fundraising platform (the “Service”). This Privacy Policy explains how we collect, use, share, and safeguard your information.

2. Information we collect

Account data: name, email, password (hashed), and basic profile information you choose to add (avatar, phone, LinkedIn, Twitter handle, short bio). If you sign in via an OAuth provider we receive your public profile from that service (email + display name + avatar).

Founder data: company information, pitch deck files, financial models, data-room documents, investor outreach lists, and notes you upload or create within the Service.

Investor data: verification status, thesis, sector and stage preferences, deal-flow notes, and saved deal-room access.

Usage data: log data (IP address, browser type, pages visited, timestamps), feature usage analytics, and cookies (see our Cookie Policy at /cookies if published).

Payment data: handled by Stripe; we never store full card numbers. We retain transaction metadata (amount, subscription tier, billing period).

3. How we use data

  • Create and manage your account.
  • Provide, maintain, and improve the Service.
  • Process payments and send transactional emails (receipts, password resets, deck-view notifications, message digests).
  • Connect founders and investors per the access permissions you set.
  • Respond to support requests.
  • Detect, prevent, and address fraud, abuse, or technical issues.
  • Comply with legal obligations.

We do NOT sell your personal data. We do NOT share founder content (decks, data rooms, financial models) with anyone other than the investors you explicitly grant access to. We do NOT use founder content to train AI models without explicit opt-in.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area, our legal bases include:

  • Contract: processing necessary to provide the Service you signed up for.
  • Legitimate interest: improving the Service, fraud prevention, basic analytics.
  • Consent: marketing emails, optional analytics cookies.
  • Legal obligation: tax records, responding to lawful requests.

You may withdraw consent at any time without affecting prior processing.

5. Sharing data with third parties

We share data with:

  • Stripe (payment processing): card details, billing address, transaction history.
  • Supabase (database + auth): account + content data, encrypted at rest.
  • Vercel (application hosting): logs, request data.
  • Resend (transactional email).
  • Service providers under contract (error monitoring, analytics) with confidentiality obligations.

We disclose data when required by law (court orders, subpoenas, government requests).

6. Data retention

  • Account data: retained while your account is active and for 90 days after deletion.
  • Logs: retained for 30 days unless required for security investigations.
  • Payment records: retained for 7 years for tax compliance.
  • Backups: retained per our backup schedule, max 30 days.

You can delete your account at any time by emailing privacy@fundflow.com — we trigger a hard delete of your account, content, and most associated data within 30 days, with the exception of legally required retention.

7. Your rights

Depending on where you live you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (“right to be forgotten”).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@fundflow.com. We respond within 30 days.

8. International transfers

Your data may be transferred to and processed in the United States or other countries where we or our service providers operate. We rely on Standard Contractual Clauses or equivalent safeguards for transfers from the European Economic Area.

9. Security

  • TLS encryption in transit.
  • AES-256 encryption at rest (Supabase + Stripe).
  • Row-level security on database tables.
  • Per-deal-room access controls so investors only see what you grant them.
  • Audit logging of admin actions.
  • Regular security reviews.

No system is perfectly secure. If you suspect a breach affecting your account, contact us immediately.

10. Children’s privacy

The Service is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe we have collected such data, contact us and we will delete it.

11. Changes to this policy

We may update this policy periodically. Material changes will be communicated via the Service or via email at least 14 days before they take effect.

12. Contact

Questions about this policy or your data? Email privacy@fundflow.com.