Privacy Policy
Last updated: April 22, 2026
Summary of what matters most
- We access your Outlook mailbox read-only (Mail.Read, User.Read, offline_access). We never write, send, or delete email.
- We do not sell your data, use it for advertising, or train AI models on it — ours or any third party's.
- Your deal data is isolated per user and per organization by database-level Row-Level Security.
- You can disconnect at any time from DealTriage Settings or your Microsoft / Google account console.
DealTriage Inc. ("DealTriage", "we", "our", or "us") operates the DealTriage platform at https://dealtriage.ai and https://app.dealtriage.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
1. Information We Collect
1.1 Account Information
When your organization subscribes to DealTriage, we collect:
- Full name
- Business email address
- Organization name
- Role or title within your organization
1.2 Email Data
With your explicit consent and OAuth authorization, we connect to your email provider (Gmail or Microsoft Outlook) to:
- Read incoming and sent emails for AI-powered deal classification
- Extract deal-related information (company names, deal stages, buyer details)
- Classify emails as deal-related or non-deal-related
Important: We access emails solely for deal management purposes. We do not read, store, or process emails unrelated to your deal pipeline. Email OAuth tokens are encrypted at rest.
1.3 Deal and Business Data
Information you create or that our AI extracts within the platform:
- Deal names, stages, and pipeline data
- Buyer and contact information
- NDA tracking, CIM distribution, and bid information
- Management presentation schedules
- Due diligence tracking
- Team member assignments
1.4 Device and Security Data
To protect your account, we collect:
- Device fingerprint (browser type, screen resolution, timezone, platform)
- IP address
- Login timestamps and authentication events
- Multi-factor authentication (MFA) status
1.5 Usage Data
- Pages visited within the platform
- Features used (chat, deal views, email sync)
- API request metadata (timestamps, response times)
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the DealTriage platform (performance of contract)
- Classify emails using AI to organize your deal pipeline (performance of contract)
- Authenticate your identity and protect your account (legitimate interest — security)
- Detect and prevent unauthorized access through device fingerprinting and anomaly detection (legitimate interest — security)
- Send security alerts for new device logins and account lockouts
- Monitor platform health and performance
- Respond to support requests
- Comply with legal obligations
We do NOT:
- Sell your personal data to third parties
- Use your email content for advertising
- Share your deal data with other organizations
- Train AI models on your proprietary deal information
- Profile you for marketing purposes
3. Data Isolation and Multi-Tenancy
DealTriage is built with complete data isolation between organizations and users:
- Row-Level Security (RLS): every database query is automatically filtered by your organization and user ID at the PostgreSQL level.
- User-level privacy: within the same organization, each user's emails, deals, and classifications are private to that individual.
- Organization administrators can manage users and billing but cannot access any user's email content, deal pipeline, or AI classifications.
- DealTriage staff can manage organizational accounts but cannot view user data.
4. Data Security
We implement enterprise-grade security measures, including:
- Web Application Firewall (WAF) with OWASP Core Ruleset at the edge
- DDoS protection and bot management
- TLS 1.3 encryption for all traffic in transit
- AES-256 encryption at rest for all persistent storage
- Multi-factor authentication (MFA) support
- Device fingerprinting and anomaly detection
- Account lockout after repeated failed login attempts
- HMAC-SHA256 request signing between frontend and backend
- Content Security Policy (CSP) headers
- Application-level encryption for email OAuth tokens
- SIEM/XDR intrusion detection with real-time security event correlation
- Comprehensive audit logging of all administrative actions
5. Email Access and Consent
5.1 Microsoft Outlook
We access your Outlook mailbox using OAuth 2.0 via the Microsoft Graph API with the following delegated permissions only:
- Mail.Read — read your email messages so we can classify deal-related activity. Read-only; we do not modify, send, or delete any email on your behalf.
- User.Read — read your basic profile (name, email, tenant) to associate the mailbox with your DealTriage account.
- offline_access — maintain access with a refresh token so you do not need to re-authenticate on every sync cycle.
We do not request Mail.ReadWrite, Mail.Send, or any write-scope permission. DealTriage is read-only with respect to your mailbox.
You can revoke access at any time via:
- DealTriage → Settings → Email → Disconnect, or
- Microsoft Account → Privacy → Apps and services → remove DealTriage consent.
5.2 Google Gmail
We access your Gmail mailbox using OAuth 2.0 with the gmail.readonly scope. We do not request send permissions. You can revoke access via DealTriage Settings or your Google Account security page.
6. Subprocessors
DealTriage engages a limited set of vetted subprocessors to deliver the service. All subprocessors are contractually bound to confidentiality, security, and data-protection obligations consistent with this Policy.
We publicly name the subprocessors that are directly part of the authorization flow you consent to, or that process email content on our behalf:
- Microsoft Corporation — Microsoft Graph API, email access with your OAuth consent (United States).
- Google LLC — Gmail API, email access with your OAuth consent (United States).
- OpenAI, L.L.C. — AI-based email classification. Email content is sent to OpenAI for real-time classification only. Per OpenAI's API Terms, content submitted via the API is not used to train their models and is retained only for the limited period necessary for abuse monitoring (United States).
In addition, DealTriage relies on category providers for core infrastructure:
- A managed cloud database & authentication provider (United States / AWS region).
- An application-hosting provider (United States).
- A global edge-network provider for DNS, CDN, WAF, and DDoS protection.
- A managed security-monitoring provider hosted within the European Union.
Enterprise customers under a Data Processing Addendum (DPA) may request the current list of named infrastructure subprocessors by emailing [email protected]. We provide prior notice of any new or replacement subprocessors added to the list.
We do not share your deal content or email data with any third party except as necessary to provide the service (for example, sending email content to OpenAI for classification). We never sell your data, never share it for advertising, and never share it across customer organizations.
7. Data Retention
- Account information: duration of subscription plus 30 days after termination.
- Email classifications, deal pipeline, buyer data: duration of subscription plus 30 days.
- Raw email content: not persisted — processed in memory for classification, then discarded.
- Email OAuth tokens: until disconnected or the subscription ends.
- Security audit logs and authentication events: 90 days.
- Device fingerprints: 90 days from last login.
Upon subscription termination we delete all organization data within 30 days. You may request immediate deletion at any time by contacting [email protected].
8. Your Rights
Depending on your jurisdiction (including GDPR for EU residents and PIPEDA for Canadian residents), you may have the following rights:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate personal data.
- Deletion — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — restrict processing of your personal data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — revoke consent for email access at any time (disconnect your email provider in Settings).
To exercise any of these rights, contact [email protected].
9. International Data Transfers
Your data may be processed in Canada, the United States, the European Union (Germany), and other locations where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where applicable and service provider security certifications.
10. Children's Privacy
DealTriage is a business-to-business platform designed for investment banking professionals. We do not knowingly collect information from individuals under 18 years of age.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website, emailing organization administrators, or displaying an in-app notification.
12. Contact Us
If you have questions about this Privacy Policy or our data practices:
- Email: [email protected]
- Website: https://dealtriage.ai
- Registered entity: DealTriage Inc., Ontario, Canada
This Privacy Policy is effective as of April 22, 2026.