Privacy Policy
Last updated: January 1, 2025
Fund Flow, Inc. ("Fund Flow," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the Fund Flow platform, including our website, web application, APIs, and related services (collectively, the "Service"). Please read this policy carefully.
1. Information We Collect
1.1 Personal Information
We collect personal information that you provide directly when you create an account, invite team members, or add contacts to the Service. This includes:
- Identity data — First name, last name, email address, phone number
- Account credentials — Hashed passwords (plain-text passwords are never stored)
- Profile data — Job title, organization name, profile photo
- Billing data — Payment card information (tokenized via Stripe; Fund Flow does not store raw card numbers), billing address, tax identification numbers
1.2 Workspace Data
Data you or your team members enter into the Service constitutes workspace data:
- Investor and contact records
- Deal terms, projections, and pipeline information
- Loan records and payment histories
- Documents, templates, and attachments
- Email communications synced via Gmail integration
- Notes, tasks, and activity records
1.3 Usage & Technical Data
We automatically collect certain information when you access the Service:
- Log data — IP address, browser type, operating system, referring URLs, pages visited, timestamps
- Device data — Device identifiers, screen resolution, language settings
- Session data — Authentication tokens, session duration, click and navigation patterns
- Performance data — Error reports, load times, and service health telemetry
1.4 AI Interaction Data
When you use AI features, Fund Flow processes the prompts, context, and outputs within your session. This data is used to provide the AI response and is logged in your organization's Activity Log. AI interaction data is scoped to your organization and is not used to train shared AI models.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — Authenticate users, process transactions, store and retrieve workspace data, and deliver AI features
- Improve the Service — Analyze usage patterns to improve reliability, performance, and product features
- Communicate with you — Send transactional emails (account setup, password resets, billing receipts), product updates, and support responses
- Enforce our Terms — Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations — Respond to lawful requests from government authorities, and maintain records required by applicable law
- Billing & payments — Process subscription fees and manage payment relationships via Stripe
We do not sell your personal data to third parties. We do not use your workspace data (deals, investors, documents) for advertising or marketing purposes.
3. Cookies & Tracking Technologies
Fund Flow uses cookies and similar technologies to operate the Service:
| Cookie type | Purpose |
|---|---|
| Essential cookies | Session authentication, security tokens, remembering login state |
| Functional cookies | User preferences, interface settings |
| Analytics cookies | Aggregate usage statistics to improve the Service |
You can control cookie settings through your browser. Disabling essential cookies will prevent you from logging in to the Service. Analytics cookies can be disabled without affecting core functionality.
We do not use third-party advertising cookies or cross-site tracking technologies.
4. How We Share Your Information
We share information only in the following circumstances:
4.1 Service Providers
We engage trusted service providers who process data on our behalf to operate the Service. These providers are contractually bound to use data only as instructed by Fund Flow and to maintain appropriate security controls. Key providers include:
- Supabase — Authentication and database infrastructure
- Stripe — Payment processing
- Google — Gmail integration (OAuth, email sync)
- AI model providers — For processing AI feature requests (data is not retained for training)
4.2 Operator-to-Investor Data Sharing
Operators use Fund Flow to share documents, updates, and portal access with their investors. Data shared by operators with investors (e.g., deal summaries, distribution notices) is a core function of the Service. Operators are responsible for ensuring they have appropriate authorization to share that information.
4.3 Legal Requirements
We may disclose information if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Fund Flow, our users, or the public.
4.4 Business Transfers
If Fund Flow is acquired, merged, or undergoes a significant asset sale, your information may be transferred as part of that transaction. We will provide notice before your information is subject to a different privacy policy.
5. Data Security
Fund Flow implements technical and organizational security measures appropriate to the sensitivity of the data we process:
- Encryption at rest — AES-256-GCM for all stored data including database records and file attachments
- Encryption in transit — TLS 1.3 for all data transmitted between your device and our servers
- Row-level security — Database-enforced access controls that prevent one organization from accessing another's data
- Two-factor authentication — Available and recommended for all user accounts
- Access controls — Role-based permissions limiting what each user can see and do
- Security monitoring — Automated detection of anomalous access patterns and login behavior
No security system is impenetrable. While we take reasonable steps to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account and profile data — Retained while the account is active. Deleted within 90 days of account closure.
- Workspace data — Retained while the organization account is active. Exportable at any time before deletion.
- Billing records — Retained for 7 years to comply with tax and financial regulations.
- Security logs — Retained for 12 months.
- AI activity logs — Retained for 12 months.
When data is deleted, it is removed from active databases. Backup copies may persist for up to 30 days before being overwritten per our backup rotation policy.
7. Your Rights & Choices
7.1 Access
You can access most of your personal information through your account profile at any time. For a structured export of all personal data we hold for you, contact privacy@fundflow.com.
7.2 Correction
You can update your personal information (name, email, phone, profile photo) directly from Profile > Settings. For data corrections on records you cannot edit yourself, contact support.
7.3 Deletion
You can delete your account from Settings > Account > Delete Account. This permanently deletes your profile and personal data, subject to legal retention requirements for financial records. For deletion requests related to contact records where you are listed as an investor in someone else's account, contact privacy@fundflow.com.
7.4 Data Export
Operators can export workspace data (contacts, deals, communications) in CSV format at any time from the relevant section of the platform. For a full account data export, contact privacy@fundflow.com.
7.5 Opt Out of Marketing Communications
You can unsubscribe from marketing emails using the unsubscribe link in any marketing message, or by emailing privacy@fundflow.com. Transactional emails (account notifications, billing receipts, password resets) cannot be opted out of while your account is active.
8. International Data Transfers
Fund Flow processes and stores data in the United States. If you are located outside the United States, your data will be transferred to and processed in the U.S. For transfers of personal data from the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as a lawful transfer mechanism.
Note
Customers who require a signed Data Processing Agreement (DPA) for GDPR compliance should contact legal@fundflow.com. DPAs are available for all paid plans.
9. California Privacy Rights (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — Request disclosure of the personal information we have collected, used, disclosed, or sold in the past 12 months
- Right to delete — Request deletion of personal information we hold, subject to certain exceptions
- Right to correct — Request correction of inaccurate personal information
- Right to opt out — Fund Flow does not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may submit a "Do Not Sell or Share My Personal Information" request to privacy@fundflow.com for documentation purposes
- Non-discrimination — We will not discriminate against you for exercising your California privacy rights
To submit a request under the CCPA or CPRA, email privacy@fundflow.com with the subject line "California Privacy Request." We will respond within 45 days.
10. Children's Privacy
The Service is not directed to children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that a child under 18 has provided personal information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. Material changes will be communicated by email or in-app notification at least 30 days before the effective date. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact Us
For questions, requests, or concerns about this Privacy Policy or our data practices:
Fund Flow, Inc.
Email: privacy@fundflow.com
Legal inquiries: legal@fundflow.com
We aim to respond to all privacy inquiries within 30 days.