Privacy Policy
Deal Flow Xchange, Inc.
Effective Date: February 15, 2026 | Last Updated: February 15, 2026
1. Introduction and Scope
PLATFORM NATURE:
DFX IS A SOCIAL NETWORKING PLATFORM FOR CAPITAL PROFESSIONALS. DFX IS NOT AN INVESTMENT PLATFORM, BROKER-DEALER, FUNDING PORTAL, OR INVESTMENT ADVISER.
ALL Platform features, tools, content, AI-generated outputs, and services are provided for EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. Nothing on the Platform constitutes investment advice, legal advice, tax advice, or any other form of professional advice.
This Privacy Policy ("Policy") describes how Deal Flow Xchange, Inc., a Delaware corporation ("DFX," "Company," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you access or use our social networking platform at dealflowxchange.com, our mobile applications, our APIs, and any related services, features, or content (collectively, the "Platform" or "Services"). The Platform is provided for educational and informational purposes only, connecting capital professionals for networking and knowledge-sharing.
By accessing, browsing, or using our Platform in any manner, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to this Policy, you must immediately discontinue use of our Platform and Services.
THIS POLICY CONSTITUTES A LEGALLY BINDING AGREEMENT BETWEEN YOU AND DFX. YOUR CONTINUED USE OF THE PLATFORM AFTER ANY MODIFICATIONS TO THIS POLICY CONSTITUTES YOUR ACCEPTANCE OF SUCH MODIFICATIONS.
2. Definitions
For purposes of this Policy, the following definitions apply:
- "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including but not limited to names, email addresses, physical addresses, telephone numbers, financial information, geolocation data, professional credentials, and online identifiers.
- "Sensitive Personal Information" means Personal Information that reveals racial or ethnic origin, religious beliefs, health information, financial account credentials, precise geolocation data, or other categories of information subject to heightened legal protection.
- "User" means any individual who accesses, browses, or uses the Platform, whether as a registered member or unregistered visitor.
- "Member" means a User who has created an account and completed registration on the Platform.
- "Deal" means any investment opportunity, transaction, or capital-raising activity submitted, listed, or facilitated through the Platform.
- "People Map" means the optional location-based networking feature that displays Member locations and facilitates geographic-based connections.
- "Travel Mode" means the feature allowing Members to voluntarily disclose temporary travel locations for networking purposes.
- "AI Services" means third-party artificial intelligence providers, including Anthropic (Claude) and OpenAI, used by the Platform to process content, generate intelligence, and provide analytical features.
- "Email Integration" means the OAuth-based connection to your Gmail or Microsoft Outlook email account that syncs email messages, threads, and metadata to the Platform.
- "Calendar Integration" means the OAuth-based connection to your Google Calendar or Microsoft Outlook calendar that syncs events, availability, and meeting details to the Platform.
- "Video Room" means a video conferencing session hosted on the Platform using third-party video infrastructure (Daily.co).
- "Organization" means a team or company workspace on the Platform that allows multiple Members to share data, pipelines, and collaborative features.
- "Financial Integration" means a connection to your bank account(s) via Plaid that provides transaction data, balances, and account information to the Platform.
- "Virtual Data Room" means the secure document management feature for sharing and controlling access to confidential files.
3. Information We Collect
3.1 Information You Provide Directly
We collect the following information that you voluntarily provide:
- Account Registration: Name, email address, password, phone number, professional title, company name, investment focus, accreditation status, and profile photograph.
- Profile Information: Biography, professional credentials, investment preferences, asset classes of interest, geographic focus, deal size preferences, networking objectives, alma mater, and investment thesis.
- Deal Submissions: Deal type, investment amount, target returns, company information, pitch materials, financial documents, term sheets, and related documentation.
- Investor Credentials: Accreditation documentation, verification materials, investment history, portfolio information, and regulatory compliance records.
- Location Data: Home location (city, state, country), work address (city, state, country) for People Map display, and travel destinations and dates (when using Travel Mode). Note: People Map displays your user-entered work address—we do not use GPS or device location tracking.
- Communications: Messages sent through our Platform, channel discussions, connection requests, meeting notes, and any other communications between Members.
- Payment Information: Credit card details, billing address, transaction history, and Stripe customer data for subscription billing and referral rewards (processed through PCI-compliant third-party processors).
- Referral Program Data: Referral codes, referred member information, referral status, and reward claims.
- Feedback and Support: Survey responses, customer support inquiries, product feedback, and bug reports.
- Document Uploads: Files uploaded to virtual data rooms, pitch decks, financial statements, legal documents, and any other documents you submit to the Platform for sharing, analysis, or e-signature.
- Family Office Data: Entity structures (trusts, LLCs, foundations), beneficiary information, estate planning documents, asset holdings, governance policies, philanthropy preferences, and wealth management records you enter into the Family Office Suite.
- Founder Data: Pitch decks submitted for AI analysis, cap table information, financial projections, investor communications, fundraising pipeline status, closing workflow documents, and accounting records including bank connections via Plaid.
- Fund Manager Data: Fund structures, waterfall models, LP commitments, capital call records, distribution schedules, K-1 information, and investor relations communications.
- Lender Data: Loan origination details, portfolio holdings, covenant terms, servicing records, risk assessments, and CECL model parameters.
- Contact Exchange Data: QR code scans, business card information, personal notes about contacts, voice notes, and follow-up reminders captured through the Contact Exchange feature at events.
- Booking Data: Booking page configuration, availability windows, meeting types, and scheduling preferences for member-to-member meetings.
- E-Signature Data: Documents submitted for electronic signature, signature images, signing timestamps, and signer identity verification via DocuSign.
- Intern Portal Data: Program enrollment information, cohort assignments, challenge submissions, mentorship records, learning progress, ambassador status, and referral activities within intern programs.
3.2 Information Collected Automatically
When you access or use the Platform, we automatically collect:
- Device Information: Device type, operating system, browser type, unique device identifiers, mobile network information, and hardware model.
- Usage Data: Pages visited, features used, deals viewed, search queries, click patterns, session duration, interaction frequency, and navigation paths.
- Log Data: IP address, access times, referring URLs, browser configuration, language preferences, and error logs.
- Location Data: Approximate location derived from IP address, and precise geolocation if you enable location services and opt into People Map.
- Engagement Metrics: Deal engagement scores, connection activity, message frequency, response rates, and platform participation levels.
- Gamification Data: Points earned, daily login streaks, leaderboard rankings, badges achieved, seasonal competition participation, and challenge completion records.
- Push Notification Data: Subscription tokens, notification delivery status, notification interaction patterns, and device push notification preferences.
- Attribution Data: UTM parameters, referral sources, campaign identifiers, and conversion tracking data used to understand how you discovered and engaged with the Platform.
3.3 Information from Third Parties
We may receive information from:
- Authentication Providers: Information from identity verification services including authentication tokens, verified email addresses, and social login data (via Clerk).
- Business Partners: Information from network partners, affiliated investment platforms, and professional organizations.
- Public Sources: Publicly available information from professional networks, regulatory filings, company websites, and news sources.
- SEC EDGAR Database: Form D filings, 8-K, 10-K, 10-Q filings, insider trading reports, and related regulatory data from the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. This is public information updated daily.
- Analytics Providers: Aggregated analytics data from third-party services that help us understand Platform usage patterns.
- AI Processing Providers: Anthropic (Claude) and OpenAI process user-submitted content and return AI-generated analysis, intelligence briefs, copilot responses, document summaries, and other outputs. These providers may retain data in accordance with their own data processing policies.
- Video and Media Providers: Daily.co provides video conferencing infrastructure and returns call metadata, participant information, and recording data. Mux handles video transcoding and storage.
- Financial Data Providers: Plaid connects to bank accounts and transmits account details, transaction history, and balances. Alpha Vantage, Finnhub, and CoinGecko provide market data, stock quotes, and cryptocurrency pricing. FRED (Federal Reserve Economic Data) provides economic indicators.
- Contact Enrichment: ProxyCurl enriches contact profiles with publicly available professional data from LinkedIn, including job titles, company information, and professional history.
- Communication Providers: Resend handles transactional and marketing email delivery. WhatsApp Business API facilitates messaging and signal detection where enabled.
- News and Intelligence Sources: GNews, NewsAPI, and other news aggregation services provide market news, industry updates, and intelligence content displayed on the Platform.
- Identity Verification: Stripe Identity processes government-issued IDs and selfies for identity verification purposes.
- Sanctions and Compliance: OFAC (Office of Foreign Assets Control) databases and related compliance services provide sanctions screening results for entities and individuals.
3.4 Information from Email and Calendar Integrations
If you connect your email or calendar accounts through OAuth authorization, we collect and store:
- Email Data: Email messages, thread metadata (sender, recipient, subject, date), message bodies, and attachment metadata from your connected Gmail or Microsoft Outlook account. We sync emails to provide relationship intelligence, communication history, and contextual information within the Platform.
- Calendar Data: Calendar events, meeting titles, attendees, times, locations, and availability from your connected Google Calendar or Microsoft Outlook calendar. We sync calendar data to enable scheduling, booking, and availability features.
- OAuth Tokens: Access tokens and refresh tokens required to maintain the connection to your email and calendar providers. These tokens are encrypted at rest.
YOU CONTROL YOUR EMAIL AND CALENDAR INTEGRATIONS. You may revoke OAuth access at any time through your account settings or directly through your email/calendar provider. Revoking access will stop future syncing but will not automatically delete previously synced data (see Section 12 for deletion requests).
3.5 Information from Video Conferencing
When you join a Video Room on the Platform, we may collect:
- Video and Audio Recordings: If recording is enabled for a Video Room, we capture video, audio, and screen share content from all participants.
- Transcriptions: AI-generated transcriptions of recorded video sessions.
- Participant Metadata: Join/leave times, participant identities, duration of participation, and connection quality metrics.
- Chat Messages: Text messages sent within the Video Room during the session.
BY JOINING A VIDEO ROOM WHERE RECORDING IS ENABLED, YOU CONSENT TO THE RECORDING OF YOUR VIDEO, AUDIO, AND SCREEN SHARE CONTENT. A recording indicator will be visible when recording is active. If you do not consent to recording, you should leave the Video Room.
3.6 Information from Banking and Financial Integrations
If you connect a bank account through Plaid, we may collect:
- Account Information: Bank name, account type, account number (masked), and routing number.
- Transaction Data: Transaction history, amounts, dates, merchant names, and categories.
- Balance Data: Current and available account balances.
- Institution Data: Financial institution name and identifiers.
Banking data is processed by Plaid, a PCI-compliant financial data provider. DFX does not store raw bank credentials. You may disconnect your bank account at any time through your account settings or through Plaid's portal.
4. How We Use Your Information
4.1 Platform Operations
- To create, maintain, and secure your account and authenticate your identity.
- To facilitate deal discovery, matching, and investment opportunities based on your stated preferences.
- To enable Member-to-Member communications, connection requests, and networking features.
- To display your profile, location, and travel information to other opted-in Members on the People Map (when you enable this feature).
- To manage exclusive networking channels and facilitate group discussions among opted-in Members.
- To process transactions, manage subscriptions, and provide customer support.
- To sync and display email communications within the Platform for relationship intelligence and contact context.
- To sync calendar events and manage booking, scheduling, and availability features.
- To host video conferencing sessions, store recordings, and generate transcriptions.
- To connect and analyze banking and financial data for founder accounting, financial projections, and reporting.
- To facilitate electronic signatures and manage document workflows through DocuSign integration.
- To manage family office entity structures, estate planning tools, and wealth management features.
- To operate lender portal features including loan origination, servicing, and portfolio management tools.
- To support fund management features including waterfall modeling, LP communications, and fund accounting.
- To manage intern program enrollment, cohort assignments, challenges, and mentorship workflows.
- To enable organization workspaces with shared pipelines, analyses, and team collaboration features.
4.2 AI-Powered Features (Educational and Informational Purposes Only)
ALL AI-POWERED FEATURES ARE PROVIDED FOR EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. AI outputs are not investment advice, legal advice, compliance services, or professional guidance of any kind. You should not rely on AI outputs for investment decisions or professional advice.
- To process documents and generate AI-powered intelligence briefs, research reports, and company analyses using third-party AI Services (Anthropic Claude and OpenAI) for educational exploration.
- To power AI Copilot conversations and provide contextual assistance based on your data and queries for informational purposes.
- To deliver personalized morning and daily intelligence briefs based on your watchlist, portfolio, and preferences as educational summaries.
- To analyze pitch decks, financial projections, and term sheets submitted by founders for educational review purposes.
- To score deals, match investors with opportunities, and generate DFX Composite Scores as informational data points only.
- To enrich contact profiles with publicly available professional data via ProxyCurl.
- To generate text-to-speech voice briefs using OpenAI voice synthesis.
- To perform automated compliance and sanctions screening against OFAC databases as informational aids only (not compliance services).
- To detect signals and anomalies in financial data, SEC filings, and market information for educational awareness.
DFX IS NOT RESPONSIBLE FOR ANY AI ERRORS, HALLUCINATIONS, OR INACCURACIES. AI outputs may contain errors, outdated information, or incorrect analysis. You are solely responsible for verifying any AI-generated information before taking action.
4.3 Platform Improvement
- To analyze usage patterns and improve Platform features, user experience, and performance.
- To develop new products, services, and features based on aggregated user behavior.
- To train and improve machine learning models and algorithms for deal matching, recommendation systems, and fraud detection.
- To conduct research, analysis, and testing to enhance Platform functionality.
- To track gamification metrics (points, streaks, leaderboards, badges) and reward engagement.
4.4 Communications
- To send transactional messages, security alerts, and account notifications.
- To deliver marketing communications, newsletters, and promotional content (subject to your preferences).
- To notify you of relevant deals, networking opportunities, and travel matches based on your profile.
- To respond to your inquiries, feedback, and support requests.
- To deliver push notifications to your browser or mobile device (subject to your opt-in).
- To send morning/daily brief emails with personalized intelligence summaries.
4.5 Legal and Security
- To detect, prevent, and investigate fraud, abuse, security incidents, and illegal activities.
- To enforce our Terms of Service, acceptable use policies, and community guidelines.
- To comply with legal obligations, regulatory requirements, and valid legal processes.
- To protect our rights, property, and safety, and those of our Members and the public.
- To perform identity verification and sanctions/compliance screening as required.
4.6 Compliance Screening (Informational Purposes Only)
CRITICAL DISCLAIMER:
COMPLIANCE SCREENING AND PROCESSING IS PROVIDED AS AN INFORMATIONAL AID ONLY. IT DOES NOT CONSTITUTE COMPLIANCE SERVICES, LEGAL ADVICE, OR REGULATORY GUIDANCE.
DFX does not guarantee regulatory compliance. Users are solely responsible for their own compliance with all applicable laws and regulations. DFX expressly disclaims any responsibility for compliance failures, regulatory penalties, or enforcement actions.
Compliance-related data processing is used to provide informational screening features including:
- OFAC and sanctions list screening results (for informational awareness only)
- Investor category classification suggestions (not verification or certification)
- Multi-jurisdictional regulatory framework indicators (not compliance opinions)
- AML/KYC screening suggestions (informational aids, not compliance determinations)
These screening results are informational data points only. You must conduct your own independent compliance review and consult with qualified legal and compliance professionals.
5. Information Sharing and Disclosure
5.1 With Other Members
YOU ACKNOWLEDGE AND CONSENT THAT BY USING THE PLATFORM, CERTAIN INFORMATION WILL BE VISIBLE TO OTHER MEMBERS:
- Profile Information: Your name, professional title, company, biography, profile photo, investment preferences, and networking objectives are visible to other registered Members.
- People Map Data: If you opt into People Map, your location (at the precision level you select), travel schedules, and networking availability become visible to other opted-in Members. YOU UNDERSTAND THAT THIS VISIBILITY IS SUBJECT TO A MINIMUM 30-DAY COMMITMENT PERIOD TO PREVENT ABUSE.
- Deal Activity: Your engagement with deals (expressions of interest, questions asked, pipeline status) may be visible to deal sponsors and administrators.
- Channel Communications: Messages posted in networking channels are visible to all channel members.
- Connection Status: Your connection network and mutual connections may be visible to facilitate introductions.
- Organization Data: If you belong to an Organization, your activity, shared analyses, pipeline deals, and team communications may be visible to other Organization members and administrators.
- Verification Status: Your identity verification badge and accreditation status may be visible to other Members to enhance trust.
- Booking Availability: If you enable a booking page, your availability windows and meeting types are visible to Members who access your booking link.
5.2 With Service Providers
We share information with third-party service providers who perform services on our behalf, including:
- Cloud Infrastructure: Vercel (hosting, serverless functions, edge network), Supabase (database, storage, real-time subscriptions)
- Authentication: Clerk (user authentication, session management, identity tokens)
- AI Processing: Anthropic/Claude (intelligence briefs, copilot, document analysis, deal scoring), OpenAI (text generation, voice synthesis, embeddings)
- Payment Processing: Stripe (subscription billing, payment processing, identity verification)
- Email Delivery: Resend (transactional emails, marketing emails, notification delivery)
- Video Conferencing: Daily.co (video room infrastructure, recording), Mux (video transcoding, storage, playback)
- Banking Data: Plaid (bank account connections, transaction data, balance information)
- Contact Enrichment: ProxyCurl (LinkedIn profile enrichment, professional data)
- Electronic Signatures: DocuSign (document signing, signature workflows, audit trails)
- Market Data: Alpha Vantage (stock quotes, financial data), Finnhub (real-time market data), CoinGecko (cryptocurrency data), FRED (economic indicators), GNews (news aggregation)
- Mapping Services: Google Maps (geocoding, map display, distance calculations)
- Messaging: WhatsApp Business API (messaging integration where enabled)
- Workflow and Infrastructure: Inngest (background job processing, event-driven workflows), Upstash (rate limiting, caching), Svix (webhook delivery)
- Monitoring: Analytics and error tracking services for Platform performance and reliability
All service providers are bound by contractual obligations to protect your information and use it only for the purposes we specify.
5.2.1 AI Processing Disclosure
IMPORTANT: CERTAIN FEATURES OF THE PLATFORM SEND YOUR DATA TO THIRD-PARTY AI PROVIDERS FOR PROCESSING.
ALL AI OUTPUTS ARE FOR EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. AI outputs are not investment advice, legal advice, compliance services, or professional guidance. DFX is not responsible for AI errors, hallucinations, or inaccuracies.
When you use AI-powered features (including Intelligence Briefs, AI Copilot, document analysis, deal scoring, pitch deck analysis, morning briefs, and voice briefs), the content you submit—along with relevant contextual data from your profile, deals, and Platform activity—may be transmitted to Anthropic (Claude) and/or OpenAI for processing. These providers:
- Process your data to generate AI outputs (analysis, summaries, scores, recommendations) for educational exploration only
- May retain input data temporarily for abuse monitoring and service improvement, in accordance with their own data processing agreements
- Are contractually prohibited from using your data to train their general-purpose models
- Maintain their own privacy policies and data handling practices, which are separate from this Policy
- May produce outputs that contain errors, inaccuracies, or hallucinated information
YOU SHOULD NOT RELY ON AI OUTPUTS FOR INVESTMENT DECISIONS, PROFESSIONAL ADVICE, OR COMPLIANCE DETERMINATIONS. All AI-generated content requires independent verification. DFX expressly disclaims any liability for decisions made based on AI outputs.
You can review Anthropic's privacy practices at anthropic.com and OpenAI's at openai.com. By using AI-powered features, you consent to this data processing.
5.3 With Business Partners and Affiliates
We may share information with:
- Affiliated investment networks and capital provider communities
- White-label partners operating branded versions of the Platform
- Strategic partners offering complementary services to our Members
- Parent companies, subsidiaries, and corporate affiliates
5.4 For Legal Reasons
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, regulations, legal processes, or governmental requests
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of DFX, our Members, or others
- Detect, prevent, or address fraud, security, or technical issues
- Respond to claims that content violates the rights of third parties
5.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, reorganization, sale of assets, or similar transaction, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5.6 Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for any purpose, including research, analytics, marketing, and business development.
6. People Map and Location Data
SPECIAL NOTICE REGARDING LOCATION-BASED FEATURES:
6.1 Opt-In Nature
The People Map feature is entirely opt-in. By default, your location is not visible to other Members. You must affirmatively choose to participate by enabling People Map visibility in your profile settings.
6.2 Commitment Period
TO PREVENT ABUSE AND PROTECT THE INTEGRITY OF THE NETWORK, WHEN YOU OPT INTO PEOPLE MAP, YOU COMMIT TO A MINIMUM 30-DAY VISIBILITY PERIOD. You cannot opt out during this period. After 30 days, you may opt out at any time, subject to a 7-day cooldown period before re-enrollment. You acknowledge this commitment before opting in.
6.3 Work Address Display
People Map displays your work address as you enter it in your profile settings. We do not use GPS or device-based location tracking. Your work address is geocoded to display your approximate location on the map. You must enter a work address (city, state, country) before opting into People Map.
6.4 Travel Mode
When you enable Travel Mode and add travel schedules, your travel destination and dates become visible to other opted-in Members. This enables networking opportunities during your travels. Travel schedules are subject to the following limits:
- Maximum 90 active travel days per rolling 180-day period
- Maximum 3 concurrent travel locations
- Travel duration: 1-30 days per trip
- Advance booking: up to 180 days in the future
6.5 Reciprocal Visibility
Only Members who have opted into People Map can view other opted-in Members' locations. Non-opted-in Members cannot see location data. This reciprocal model ensures fair value exchange among participants.
7. Email and Calendar Integration Data
7.1 What Data Is Synced
When you authorize an Email Integration, we sync email messages, threads, metadata (sender, recipient, subject, timestamps), and attachment metadata from your connected account. When you authorize a Calendar Integration, we sync calendar events, meeting titles, attendees, times, locations, descriptions, and your availability.
7.2 How Synced Data Is Used
Synced email and calendar data is used to:
- Provide relationship intelligence by surfacing communication history with contacts and deal participants
- Enable contextual information within deal workflows and contact profiles
- Power scheduling and booking features with real-time availability
- Detect relevant deal-related communications for your pipeline
- Generate AI-powered insights about your professional relationships
7.3 User Controls
You maintain full control over your email and calendar integrations:
- You can revoke OAuth access at any time through your DFX account settings
- You can revoke access directly through your Google or Microsoft account settings
- Revoking access immediately stops future syncing
- Previously synced data is retained per our data retention policy (see Section 12) unless you request deletion
- You can request deletion of all synced email and calendar data by contacting privacy@dealflowxchange.com
7.4 Limited Use Disclosure
Our use of information received from Google APIs adheres to applicable Google API Services User Data Policies, including the Limited Use requirements. We only use Google user data for the purposes described in this Policy, and we do not transfer this data to third parties except as necessary to provide or improve Platform features, comply with applicable laws, or as part of a merger, acquisition, or asset sale.
8. Video and Audio Data
8.1 Recording Consent
Video Rooms on the Platform may have recording enabled. When recording is active, a visual indicator is displayed to all participants. By remaining in a Video Room where recording is active, you consent to the recording of your video, audio, and any screen-shared content.
8.2 What Is Recorded
Recordings may include:
- Video and audio of all participants
- Screen shares and presented content
- In-session chat messages
- AI-generated transcriptions of the recorded session
8.3 Third-Party Processing
Video data is processed by Daily.co (video infrastructure and recording) and Mux (video transcoding, storage, and playback). Transcriptions may be generated using AI Services. These providers process data in accordance with their own privacy policies and our data processing agreements.
8.4 Storage and Deletion
Video recordings are stored for a default retention period of 90 days, unless configured otherwise by the room host or Organization administrator. You may request deletion of recordings in which you participated by contacting privacy@dealflowxchange.com.
9. AI Processing and Automated Decisions
EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY:
ALL AI processing, automated decisions, and algorithmic outputs are provided for EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. They do not constitute investment advice, legal advice, compliance services, professional guidance, or recommendations of any kind.
AI outputs may contain errors, hallucinations, outdated information, or incorrect analysis. You are solely responsible for independently verifying any AI-generated information before taking any action.
9.1 What Data Is Sent to AI Providers
The following types of data may be sent to Anthropic (Claude) and/or OpenAI for AI processing:
- Deal information and company data for intelligence brief generation
- Your queries and conversations with the AI Copilot
- Documents uploaded for AI analysis (pitch decks, financial statements, term sheets)
- Portfolio and watchlist data for morning/daily brief generation
- SEC filing content for signal detection and analysis
- Contact and relationship data for profile enrichment suggestions
- Text content for voice brief generation (OpenAI TTS)
- Search queries and contextual data for copilot responses
9.2 Automated Decision-Making
The Platform uses automated processing to make certain decisions or recommendations, including:
- Deal Scoring: Automated scoring of deals based on financial metrics, market conditions, and comparable transactions (DFX Composite Score).
- Investor Matching: Automated matching of deals with potential investors based on stated preferences, investment history, and profile data.
- Content Recommendations: Automated recommendations of deals, events, connections, and content based on your activity and preferences.
- Compliance Screening: Automated OFAC/sanctions screening of entities and individuals.
- Anomaly Detection: Automated detection of unusual patterns in financial data, SEC filings, and market indicators.
- Connection Strength: Automated calculation of relationship strength scores based on communication frequency, meeting attendance, and platform interactions.
These automated processes generate recommendations and scores FOR EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. They do not make binding decisions on your behalf and should not be relied upon for investment decisions, compliance determinations, or professional advice. You retain full control over and sole responsibility for all investment decisions, deal participation, and business actions.
DFX EXPRESSLY DISCLAIMS ANY LIABILITY FOR DECISIONS MADE BASED ON AUTOMATED PROCESSING OUTPUTS, INCLUDING BUT NOT LIMITED TO: deal scores, investor matches, compliance screening results, anomaly detection alerts, and AI-generated recommendations.
9.3 Your Rights Regarding Automated Decisions
If you are located in the EEA, UK, or Switzerland, you have the right under GDPR Article 22 to not be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. You may:
- Request human review of any automated decision
- Express your point of view regarding an automated decision
- Contest an automated decision
- Request an explanation of the logic involved in automated processing
To exercise these rights, contact dpo@dealflowxchange.com.
10. Organization and Team Data
10.1 Data Shared Within Organizations
If you join or create an Organization on the Platform, certain data may be shared with other Organization members:
- Your profile information and role within the Organization
- Shared deal pipelines, analyses, and calculations
- Team task assignments and completion status
- Shared contacts and relationship data
- Team chat messages within Organization channels
- Activity logs visible to Organization administrators
10.2 Administrator Access
Organization administrators may have access to member activity data, shared content, and usage metrics within the Organization workspace. Administrators are responsible for managing access controls and ensuring appropriate use of shared data.
10.3 Leaving an Organization
If you leave an Organization, your personal account data remains yours. However, content you contributed to shared Organization resources (shared pipelines, team analyses, shared notes) may remain accessible to the Organization after your departure.
11. Data Security
We implement comprehensive security measures to protect your information:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. OAuth tokens, API keys, and financial credentials receive additional encryption layers.
- Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles govern access to personal data.
- Infrastructure: SOC 2 Ready hosting infrastructure with continuous monitoring, intrusion detection, and automated security patching.
- Audit Logging: Comprehensive audit logs of data access, administrative actions, and security events.
- Incident Response: Documented incident response procedures with notification protocols for security breaches.
- Employee Training: Regular security awareness training for all personnel with access to Member data.
- Financial Data Security: Banking data is processed through PCI-compliant providers. DFX does not store raw bank credentials or full credit card numbers.
- Video Data Security: Video recordings are stored in encrypted storage with access controls limiting visibility to authorized participants and administrators.
- Rate Limiting: API rate limiting via Upstash to prevent abuse and unauthorized data access.
WHILE WE IMPLEMENT INDUSTRY-STANDARD SECURITY MEASURES, NO METHOD OF TRANSMISSION OR STORAGE IS 100% SECURE. WE CANNOT GUARANTEE ABSOLUTE SECURITY OF YOUR INFORMATION.
12. Data Retention
We retain personal information for as long as necessary to:
- Provide Services and maintain your account
- Comply with legal obligations (e.g., tax records for 7 years)
- Resolve disputes and enforce agreements
- Maintain security and prevent fraud
- Support legitimate business interests
Specific Retention Periods:
- Active account data: Retained while account is active plus 3 years after closure
- Transaction records: 7 years from transaction date
- Platform communications (messages, channels): 5 years or as required by law
- Audit logs: 2 years minimum
- Backup data: 90 days after deletion from primary systems
- Synced email data: Duration of active connection plus 90 days after OAuth revocation or disconnection
- Synced calendar data: Duration of active connection plus 30 days after disconnection
- Video recordings: 90 days from recording date (configurable by room host or Organization administrator)
- Video transcriptions: Same retention period as the associated recording
- Banking/financial data (Plaid): Duration of active Plaid connection plus 30 days after disconnection
- AI processing logs (copilot conversations, brief generation): 90 days
- Gamification data (points, streaks, badges): Duration of active account
- Intern portal data: Duration of program enrollment plus 1 year after program completion
- E-signature audit trails: 7 years from signing date
- Contact exchange data: Duration of active account
- Push notification subscription data: Until subscription is revoked or account is deleted
13. Your Rights and Choices
13.1 Access and Portability
You may request a copy of your personal information in a structured, machine-readable format. To submit an access request, contact us at privacy@dealflowxchange.com.
13.2 Correction
You may update or correct your profile information at any time through your account settings. For other corrections, contact us at privacy@dealflowxchange.com.
13.3 Deletion
You may request deletion of your account and associated personal information, subject to:
- Retention obligations for legal, regulatory, or legitimate business purposes
- Information necessary to complete pending transactions
- Information in backup systems (deleted within 90 days)
- Aggregated or de-identified data that cannot identify you
- E-signature audit trails required for legal compliance
13.4 Opt-Out of Marketing
You may opt out of marketing communications by clicking "unsubscribe" in any email or updating your notification preferences. Note that you cannot opt out of transactional or security-related communications.
13.5 People Map Controls
You control your People Map participation through your profile settings, subject to the 30-day minimum commitment period for new opt-ins.
13.6 Integration Controls
You can manage your third-party integrations at any time:
- Email Integration: Revoke OAuth access through DFX settings or your email provider
- Calendar Integration: Disconnect through DFX settings or your calendar provider
- Banking Integration: Disconnect through DFX settings or Plaid's portal
- Push Notifications: Manage through your browser or device notification settings
- WhatsApp: Disconnect through DFX settings
13.7 AI Processing Controls
You can limit AI processing of your data by not using AI-powered features (Copilot, Intelligence Briefs, document analysis). However, certain platform-level AI processing (such as deal scoring and compliance screening) may occur automatically as part of Platform operations. Contact privacy@dealflowxchange.com if you wish to opt out of all automated AI processing.
13.8 Do Not Track
Our Platform does not currently respond to "Do Not Track" browser signals. We may update this practice as industry standards develop.
14. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Enable core Platform functionality, authentication, and security features. These cannot be disabled.
- Preference Cookies: Remember your settings, preferences, portal selection, language, and customizations.
- Analytics Cookies: Collect usage data to improve Platform performance and user experience.
- Marketing Cookies: Track interactions for advertising and remarketing purposes (subject to your consent where required).
- Attribution Cookies: Track referral sources, UTM parameters, and campaign performance for marketing attribution.
You can control cookies through your browser settings. Disabling certain cookies may limit Platform functionality.
15. International Data Transfers
DFX is headquartered in the United States. Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
- Standard Contractual Clauses: We use EU-approved Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland.
- Data Processing Agreements: Our service providers are bound by data processing agreements with appropriate safeguards.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by relevant data protection authorities.
BY USING THE PLATFORM, YOU CONSENT TO THE TRANSFER OF YOUR INFORMATION TO THE UNITED STATES AND OTHER JURISDICTIONS AS DESCRIBED IN THIS POLICY.
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share data.
- Right to Delete: Request deletion of your personal information, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information. We may share personal information for targeted advertising, which you may opt out of.
- Right to Limit Use of Sensitive Information: Request limitation on use of sensitive personal information, including financial account data, precise geolocation, and email content.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@dealflowxchange.com. We will verify your identity before processing requests.
Categories of Personal Information Collected (CCPA Categories):
- Identifiers: Name, email, phone number, account ID, IP address, device identifiers
- Financial Information: Payment card details, bank account information (via Plaid), transaction history, investment data
- Commercial Information: Deal submissions, investment preferences, subscription records, marketplace interactions
- Internet/Electronic Activity: Browsing history, search queries, Platform interaction data, email metadata (when synced)
- Geolocation Data: Approximate location from IP, work address for People Map, travel destinations
- Audio/Visual Data: Profile photos, video recordings from Video Rooms, voice brief recordings
- Professional/Employment Information: Job title, company, professional credentials, LinkedIn data (via enrichment)
- Education Information: Alma mater, intern program enrollment, learning progress
- Inferences: Deal scores, investor match recommendations, connection strength, engagement metrics, AI-generated analysis
- Sensitive Personal Information: Financial account credentials (Plaid), government ID (identity verification), precise geolocation (if opted in)
17. European Data Subject Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on: (a) performance of contract, (b) legitimate interests, (c) consent, or (d) legal obligations.
- Right of Access: Obtain confirmation and a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion ("right to be forgotten") in certain circumstances.
- Right to Restrict Processing: Limit how we use your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge Complaint: File a complaint with your local supervisory authority.
17.1 Legal Basis for Specific Processing Activities
- Email/Calendar Sync: Consent (you explicitly authorize OAuth connection). You may withdraw consent by revoking access.
- AI Processing (Copilot, Briefs, Analysis): Consent for user-initiated features; legitimate interest for platform-level processing (deal scoring, compliance).
- Video Recording: Consent (by remaining in a recorded Video Room after notification).
- Banking Data (Plaid): Consent (you explicitly authorize Plaid connection).
- Identity Verification: Legitimate interest and legal obligation (compliance requirements).
- OFAC/Sanctions Screening: Legal obligation (anti-money laundering and sanctions compliance).
- Contact Enrichment: Legitimate interest (improving contact data quality from publicly available sources).
- Gamification Tracking: Performance of contract (Platform features).
17.2 Automated Decision-Making (Article 22)
As described in Section 9.2, the Platform uses automated processing for deal scoring, investor matching, compliance screening, and other features. These automated processes do not produce decisions with legal or similarly significant effects on you—they generate recommendations that you may choose to act upon or ignore.
If you believe an automated decision has produced a significant effect on you, you have the right to:
- Obtain human intervention in the decision
- Express your point of view
- Contest the decision
- Receive a meaningful explanation of the logic involved
Contact our Data Protection Officer at dpo@dealflowxchange.com for GDPR-related inquiries.
18. Children's Privacy
THE PLATFORM IS NOT INTENDED FOR USE BY INDIVIDUALS UNDER THE AGE OF 18.
- We do not knowingly collect personal information from children under 18.
- If you are under 18, do not use the Platform or provide any personal information.
- If we learn we have collected information from a child under 18, we will promptly delete it.
- If you believe we have collected information from a child under 18, contact us immediately at privacy@dealflowxchange.com.
- The Intern Portal is designed for individuals aged 18 and older. Participation in intern programs requires age verification.
19. Third-Party Links and Services
The Platform may contain links to third-party websites, applications, or services not operated by us. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices of third parties.
The Platform integrates with multiple third-party services (listed in Section 5.2) that have their own privacy policies. By using integrated features, you may be subject to the privacy practices of those providers in addition to this Policy.
20. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by:
- Posting the updated Policy on the Platform with a new effective date
- Sending email notification to registered Members
- Displaying a prominent notice on the Platform
- Sending push notifications where appropriate and where you have opted in
YOUR CONTINUED USE OF THE PLATFORM AFTER ANY CHANGES CONSTITUTES YOUR ACCEPTANCE OF THE UPDATED POLICY.
21. Contact Information
For questions, concerns, or requests regarding this Policy or our data practices:
Deal Flow Xchange, Inc.
Attn: Privacy Team
Email: privacy@dealflowxchange.com
Data Protection Officer: dpo@dealflowxchange.com
22. Acknowledgment and Consent
BY ACCESSING OR USING THE PLATFORM, YOU ACKNOWLEDGE AND AGREE THAT:
22.1 Platform Nature
- DFX is a social networking platform for capital professionals, NOT an investment platform, broker-dealer, funding portal, or investment adviser
- ALL Platform features, tools, content, AI-generated outputs, and services are provided for EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY
- Nothing on the Platform constitutes investment advice, legal advice, tax advice, compliance services, or any other form of professional advice
- You have read and understood this Privacy Policy
- You consent to the collection, use, and disclosure of your information as described herein
22.2 AI and Automated Processing
- AI-powered features send your data to third-party AI providers (Anthropic and OpenAI) for processing
- AI outputs are for educational and informational purposes only and may contain errors, hallucinations, or inaccuracies
- You should not rely on AI outputs for investment decisions, professional advice, or compliance determinations
- DFX is not responsible for AI errors or any decisions you make based on AI-generated content
- The Platform performs automated processing including deal scoring, investor matching, and compliance screening as informational aids only
22.3 Compliance Tools
- Compliance screening features are informational aids only, not compliance services or legal advice
- You are solely responsible for your own regulatory compliance
- DFX does not guarantee regulatory compliance and disclaims any responsibility for compliance failures
22.4 Data Sharing and Integrations
- Other Members may view information you make available through the Platform
- Opting into People Map includes a 30-day minimum visibility commitment
- You consent to the transfer of your data to the United States and other jurisdictions
- No data transmission or storage is 100% secure
- Connecting email, calendar, or banking accounts through OAuth grants DFX access to sync and store data from those services
- Joining a Video Room where recording is enabled constitutes consent to recording
- Organization membership involves sharing certain data with other Organization members and administrators
- Contact enrichment may supplement your profile data with publicly available professional information
22.5 User Responsibility
- You are solely responsible for verifying any information, including AI-generated content, before taking action
- You are solely responsible for all investment decisions, professional decisions, and compliance determinations
- You should consult with qualified legal, tax, financial, and compliance professionals before making any decisions
- You have the opportunity to consult with legal counsel before agreeing to this Policy
This Privacy Policy is effective as of February 15, 2026. Last updated February 15, 2026.
© 2026 Deal Flow Xchange, Inc. All rights reserved.
