Privacy Policy

Effective Date: April 27, 2026
Last Updated: April 9, 2026


TLDR

We collect only what we need to run the platform. We never sell your data. We never use your cap table, equity, financial, or corporate data for our own commercial purposes. Your data belongs to you — period. This policy explains exactly what we collect, why, and what rights you have.


1. Who We Are

DealCycl, Inc. ("DealCycl," "we," "us," or "our") is a Delaware corporation that operates the DealCycl Investment Lifecycle Management platform at app.dealcycl.com (the "Platform") and the corporate website at dealcycl.com (the "Website"). This Privacy Policy applies to both.

Contact us:
Email: privacy@dealcycl.com
Website: dealcycl.com/privacy

For GDPR purposes, DealCycl, Inc. is the data controller for personal data we collect directly. When we process data on behalf of our customers (for example, equity holder information stored in a customer's cap table), we act as a data processor.


2. What We Collect and Why

We organize this by context because the Website and the Platform handle data differently.

2.1 Corporate Website (dealcycl.com)

What We Collect | Why | Legal Basis (GDPR)
Page views, referral sources, browser type, device type (via Google Analytics) | Understand how people find and use our website | Legitimate interest / Consent (where required)
Name, email, company (if you fill out a form) | Respond to your inquiry or demo request | Consent / Legitimate interest
Cookies: session cookies and Google Analytics cookies | Website functionality and analytics | Consent (where required)

The Website does not access or display any Platform data. Google Analytics on the Website collects aggregated, anonymized usage data. We do not use advertising cookies, retargeting pixels, or marketing trackers on the Website.

2.2 The Platform (app.dealcycl.com)

What We Collect | Why | Legal Basis (GDPR)
Account information: name, email, password (hashed), company name | Create and secure your account | Contract performance
Cap table data: equity holders, share classes, vesting schedules, option grants, SAFEs, convertible notes | Provide the Cap Table module you subscribed to | Contract performance
Corporate documents you upload | Store and manage them as part of your subscription | Contract performance
Financial metrics you enter or connect via integrations | Power reporting, benchmarking, and AI features | Contract performance
Compliance evidence and control data | Provide the Compliance module | Contract performance
Usage logs: actions taken, features used, timestamps | Platform security, debugging, and product improvement | Legitimate interest
Payment information (processed by Braintree) | Process your subscription payments | Contract performance
IP address, browser, device information | Security, fraud prevention, session management | Legitimate interest

The Platform does not use Google Analytics. The Platform uses only essential cookies required for authentication and session management. No tracking cookies. No analytics cookies. No third-party advertising or marketing cookies.

2.3 Participant Data

When a Full User (for example, a startup founder) manages their cap table on DealCycl, they may add Participants — equity holders, investors, advisors, and others who interact with the platform in a scoped, read-only capacity. The Full User (or their organization) is the data controller for Participant personal data. DealCycl processes this data on their behalf as a data processor.

Participant data typically includes: name, email address, equity position, vesting details, and documents shared with them.

2.4 Data from Integrations (Connectors)

When you connect third-party services (such as QuickBooks, Slack, or 409.ai), data flows between those services and DealCycl according to the permissions you grant. We only access the data you authorize. We do not access data from connected services for any purpose other than providing the feature you enabled.


3. What We Never Do

We want to be explicit:

  • We never sell your personal data. Not to data brokers, not to advertisers, not to anyone.
  • We never sell, license, or share your cap table, equity, financial, or corporate data. This is a foundational commitment. The Carta CartaX scandal — using confidential cap table data to broker secondary trades without customer permission — is exactly the behavior we built DealCycl to prevent.
  • We never use your data to build competing products or services.
  • We never use your data to train machine learning models unless you explicitly opt in to a clearly described program.
  • We never share your data with other customers without your explicit, informed consent. The consent-based data bridge in our Investor module requires you to affirmatively grant access to specific investors for specific data. You control who sees what, and you can revoke access at any time.
  • We never monetize your data in any way. Our revenue comes from subscriptions. That's it.

4. When We Share Data

We share personal data only in these situations:

Service providers. We use a limited number of third-party services to operate the platform — for example, AWS (hosting and infrastructure), Braintree (payment processing), Chargebee (subscription management), and SES (email delivery). These providers process data on our behalf under contracts that require them to protect it and use it only for the services they provide to us.

Consent-based data sharing. If you use the consent-based data bridge (Investor module), the specific data you authorize will be visible to the specific investors you designate. You initiate this, you control it, and you can revoke it.

Legal requirements. We may disclose data if required by law, subpoena, court order, or government request. If legally permitted, we will notify you before disclosure.

Business transfers. If DealCycl is acquired, merges, or sells assets, your data may transfer to the successor entity. We will notify you before any such transfer and give you the opportunity to delete your data.

With your instruction. If you ask us to share data with a specific party (for example, exporting your cap table to your attorneys), we will do so.


5. How We Protect Your Data

Security is in our DNA — our founders spent their careers in security, governance, risk, and compliance.

  • Encryption at rest: AES-256 via AWS KMS for all databases, file storage, and backups.
  • Encryption in transit: TLS for all connections. No exceptions.
  • Tenant isolation: Row-Level Security (RLS) at the database level ensures your data is logically separated from every other customer's data.
  • Access controls: Role-based access, MFA, and session management.
  • Audit logging: Immutable audit trail for all platform events via CloudTrail, pgAudit, and CloudWatch.
  • Infrastructure: Hosted on AWS (us-east-2, Ohio) with SOC 1/2/3, ISO 27001, PCI DSS, FedRAMP, and HIPAA certifications.
  • Backups: Automated daily database snapshots with 35-day retention.
  • SOC 2: DealCycl is pursuing SOC 2 Type 1 certification using our own Compliance module.

6. Data Retention

We keep your data for as long as your account is active or as needed to provide services to you. Specifically:

  • Account data: Retained while your account is active. Deleted within 90 days of account closure, unless we're required by law to retain it longer.
  • Platform data (cap tables, documents, etc.): Retained while your subscription is active. Upon cancellation, you have 30 days to export your data. After 30 days, we begin deletion, which completes within 90 days.
  • Audit logs: Retained for the period required by applicable law and our SOC 2 obligations (minimum 1 year).
  • Payment records: Retained as required by tax and financial regulations.
  • Website analytics: Google Analytics data is retained according to Google's standard retention settings (14 months).

7. Your Rights

7.1 Rights for Everyone

Regardless of where you live, you can:

  • Access your data at any time through the Platform's export features or by contacting us.
  • Correct inaccurate data through the Platform or by contacting us.
  • Delete your account and data by contacting us at privacy@dealcycl.com.
  • Export your data in standard formats at any time. We will never hold your data hostage.

7.2 Additional Rights Under U.S. State Privacy Laws

If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or any other state with an applicable consumer privacy law, you have the following additional rights:

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete your personal information, subject to certain legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale of personal information. We do not sell personal information, so there is nothing to opt out of — but we honor this right and provide a mechanism at dealcycl.com/privacy if you want confirmation.
  • Right to opt out of targeted advertising. We do not engage in targeted advertising.
  • Right to opt out of profiling. We do not profile consumers for decisions that produce legal or similarly significant effects.
  • Right to non-discrimination. We will never discriminate against you for exercising your privacy rights.
  • Right to appeal. If we deny a privacy request, you can appeal by emailing privacy@dealcycl.com with the subject line "Privacy Appeal."

California-Specific Disclosures (CCPA/CPRA):

  • We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
  • We do not use sensitive personal information for purposes other than providing the services you requested.
  • We have not sold personal information of consumers under 16 years of age.

To exercise any of these rights: Email privacy@dealcycl.com. We will verify your identity and respond within 45 days (or the shorter period required by your state's law). If we need more time, we will tell you why and extend no more than an additional 45 days.

7.3 Additional Rights Under GDPR (European Economic Area, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you also have the right to:

  • Restrict processing of your personal data in certain circumstances.
  • Object to processing based on legitimate interest.
  • Data portability — receive your personal data in a structured, machine-readable format.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

Data transfers: If we transfer personal data outside the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.

Data Protection Officer: You can reach our privacy team at privacy@dealcycl.com. If we appoint a formal DPO, we will update this policy with their contact information.


8. Cookies

Website (dealcycl.com)

  • Essential cookies: Session management, security. Always active.
  • Analytics cookies: Google Analytics. Activated based on your consent where required by law. You can opt out via your browser settings or the Google Analytics opt-out browser add-on.

Platform (app.dealcycl.com)

  • Essential cookies only. Authentication tokens and session identifiers. No analytics cookies. No tracking cookies. No third-party cookies.

We do not use cookie walls (you're never forced to accept non-essential cookies to use the Platform).


9. Children's Privacy

DealCycl is a business platform. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us at privacy@dealcycl.com and we will delete it.


10. Changes to This Policy

If we make material changes to this policy, we will notify you via email (to the address on your account) and post a notice on the Platform at least 30 days before the changes take effect. Non-material changes (clarifications, formatting) may be made without notice but will always be reflected in the "Last Updated" date.


11. Contact Us

DealCycl, Inc.
Email: privacy@dealcycl.com
Website: dealcycl.com/privacy

If you have a privacy concern that we haven't resolved to your satisfaction, you have the right to contact your local data protection authority.


Your Company. Your Data. We mean it.