Introduction
DealLens ("we", "us", "our") operates the DealLens platform, an AI-powered credit intelligence service for financial professionals. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website and platform (collectively, the "Service"). We are committed to protecting your privacy and handling your data with transparency and care.
This Policy applies to all users of the Service, including individual subscribers, organizational administrators, and any person who visits our marketing website at deallens.ai. By using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree with our practices, please do not use the Service.
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via an in-app notice before the changes take effect. Your continued use of the Service after any changes become effective constitutes your acceptance of the revised Policy. For questions or concerns about our privacy practices, please contact us at [email protected].
Information We Collect
We collect information that you provide directly to us when you create an account, subscribe to the Service, or contact us for support. This includes: your name, work email address, organization name, job title or role, and any other information you choose to provide during registration or in communications with us. We also collect and process payment-related information, which is handled directly by our payment processor, Stripe — we do not store full credit card numbers on our systems.
We automatically collect certain usage and technical data when you interact with the Service. This includes: pages visited and features used within the platform; search queries and filters applied; watchlist contents and company additions (to deliver the Service to you); IP address, browser type, browser version, and operating system; device identifiers and screen resolution; and session duration and click patterns used to diagnose errors and improve user experience.
We also collect log data from our servers and infrastructure, including timestamps of requests, error logs, and audit trails of administrative actions. This data is used to maintain the security and integrity of the Service and to investigate incidents. Log data is retained for a rolling 12-month period. We do not knowingly collect personal information from individuals under the age of 18.
How We Use Your Information
We use the information we collect to provide, operate, and improve the Service. Specifically, we use your account information to authenticate you, manage your subscription, process payments, and deliver the features you have subscribed to. We use usage data to understand how different features are being used so that we can prioritize improvements and fix issues. We never share individual usage profiles with other clients.
We use your contact information to send you product updates, feature announcements, security notifications, and alerts relevant to your watchlist. You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us at [email protected]. Transactional and security-related communications cannot be opted out of while your account is active, as they are necessary for the proper functioning of the Service.
We may use aggregated, anonymized, and de-identified usage data — which cannot reasonably be used to identify you or your organization — to analyze platform-wide trends, publish aggregate insights, and develop new product capabilities. We do not sell your personal information to third parties. We do not use your specific portfolio holdings, watchlists, or credit analysis outputs to train AI models that are shared with or made available to other clients.
Data Isolation and Client Confidentiality
The confidentiality of your investment activity is fundamental to our business. Your watchlists, portfolio company lists, notes, annotations, and credit analysis outputs are strictly isolated from other DealLens clients. We do not cross-reference, share, combine, or expose one client's data to another client under any circumstances. Our platform architecture enforces client-level data segregation at the database layer, the API layer, and within our AI inference pipelines.
We do not use your specific investment decisions, portfolio compositions, or credit analysis work product to train or fine-tune AI models that are deployed to other clients. If we ever train models using client-derived data, we will obtain your explicit consent and provide mechanisms to opt out. Any AI improvements made using anonymized aggregate signals are applied only to generally applicable capabilities, such as covenant extraction accuracy across all public filings.
Our employees and contractors who have access to production systems are subject to strict confidentiality obligations, and their access is logged and audited. Access to client data is limited on a need-to-know basis and is reviewed periodically. We will notify affected clients promptly in the event of a confirmed data breach that may affect their information, in accordance with applicable law.
Third-Party Services
We use a limited set of trusted third-party sub-processors to deliver the Service. These sub-processors are contractually required to maintain appropriate technical and organizational security measures and are prohibited from using your data for any purpose other than providing services to DealLens. Our current sub-processors include: Supabase (database hosting and user authentication); Stripe (payment processing and subscription management); Google (Gemini AI model inference — only public filing content is transmitted, no private portfolio data or credentials); and PostHog (product analytics — aggregated, pseudonymized usage patterns only).
When you use AI-powered features within the Service, such as covenant extraction or credit report generation, relevant content from public SEC filings is transmitted to our AI inference infrastructure for processing. We do not transmit your private watchlist data, notes, or organizational information to external AI providers unless you explicitly request an analysis that includes such content, in which case you will be clearly informed.
We do not disclose your personal information to third parties except as necessary to provide the Service, as required by law or valid legal process, to protect the rights and safety of DealLens, our users, or the public, or in connection with a merger, acquisition, or sale of assets, in which case we will notify you via email or in-app notice. We do not sell, rent, or trade personal information to data brokers or advertising networks.
Data Retention
We retain your account information and any data you have created within the Service for as long as your account remains active. Following termination or expiration of your account — whether initiated by you or by DealLens — we retain your account data for a period of 90 days to enable account recovery and to resolve any outstanding disputes or billing questions. After this 90-day period, your personal data and any private data created in the Service will be permanently deleted from our production systems.
Usage logs, audit trails, and security event records are retained for a rolling 12-month period, after which they are automatically purged. Aggregated, de-identified analytics data may be retained indefinitely as it cannot be used to identify you. Payment transaction records are retained for a period of seven years as required for financial compliance and tax record-keeping purposes.
You may request deletion of your personal data at any time by contacting [email protected]. We will process deletion requests within 30 days. Please note that deletion of your account will terminate your access to the Service and we cannot recover deleted data after the request is fulfilled. Certain data may be retained beyond your deletion request where required by law or legitimate legal obligation.
Security
We implement technical and organizational security measures designed to protect your information against unauthorized access, disclosure, alteration, and destruction. All data stored in our systems is encrypted at rest using AES-256 encryption. All data transmitted between your browser and our servers is protected using TLS 1.3. Database backups are encrypted and stored in geographically separate locations.
Access to our production systems is restricted to a small number of authorized personnel, all of whom are subject to confidentiality obligations. All administrative access is logged, and logs are reviewed periodically for anomalous activity. We use role-based access controls to limit the scope of access for each individual. We do not use shared credentials for production system access.
We conduct regular internal security reviews. We have an incident response process in place. In the event of a security incident affecting your data, we will notify you in accordance with applicable breach notification laws. While we take these measures seriously, no security system is impenetrable, and we cannot guarantee the absolute security of information transmitted over the internet.
Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. These may include: the right to access a copy of the personal data we hold about you; the right to correct or update inaccurate personal information; the right to delete your account and associated personal data; the right to restrict or object to certain processing activities; the right to data portability — to receive your data in a structured, machine-readable format; and the right to opt out of marketing communications at any time.
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what categories of personal information we collect and the purposes for which they are used, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as defined under CCPA/CPRA. European Economic Area and United Kingdom residents have rights under GDPR, including the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within 30 days. We may need to verify your identity before fulfilling certain requests. We will not discriminate against you for exercising your privacy rights.
Cookies
We use cookies and similar tracking technologies to operate and improve the Service. Essential cookies are required for authentication, session management, and security. These cookies cannot be disabled without breaking core functionality of the platform and are placed automatically when you log in. They expire when your session ends or after a configurable period.
We use analytics cookies through PostHog to understand aggregate patterns in how users interact with the platform — for example, which features are used most frequently and where users encounter friction. These analytics cookies collect pseudonymized identifiers and do not contain personally identifiable information in isolation. You may disable non-essential analytics cookies in your browser settings, with no impact on your access to the Service's core features.
We do not use advertising cookies, cross-site tracking, or third-party behavioral profiling on our platform. Our marketing website may use first-party analytics to measure the effectiveness of content. If you have questions about our use of cookies, please contact [email protected].
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We take all privacy inquiries seriously and will respond as promptly as possible, and in any event within the timeframes required by applicable law.
For general privacy questions and rights requests: [email protected]. For legal matters, data processing agreements, and enterprise privacy inquiries: [email protected]. Our mailing address is DealLens, Tel Aviv, Israel.
If you believe we have not addressed your concern adequately, you may have the right to lodge a complaint with your local data protection authority. Residents of the European Union may contact the relevant supervisory authority in their member state.