Privacy Policy
Last updated: May 6, 2026 · Policy version v2.0
Data Protection Officer: dpo@dataroomsnap.com
DataRoom Snap (“we,” “our,” or “us”) operates an AI-powered due diligence intelligence platform designed for hedge funds, private equity firms, venture capital analysts, and M&A teams. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. Please read this policy carefully. By accessing or using DataRoom Snap, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, organization name, and role. If you subscribe to a paid plan, billing information is collected and processed by our payment provider, Stripe. We do not store full credit card numbers on our servers.
1.2 Uploaded Documents
You may upload documents such as PDFs, pitch decks, 10-K filings, CIMs, and financial models for analysis. These documents are stored securely in our infrastructure and are used solely to provide the analysis services you request.
1.3 Analysis Data
We store the extracted analysis results, including KPIs, red flags, analyst memos, and other outputs generated from your uploaded documents.
1.4 Usage Data
We automatically collect information about how you interact with our platform, including pages visited, features used, analysis requests, timestamps, browser type, operating system, and IP address.
2. How We Use Your Information & Lawful Basis
Under the EU and UK General Data Protection Regulation (GDPR), every use of personal data must rely on a lawful basis. The table below maps each category of data we process to a purpose and a GDPR Article 6 lawful basis.
| Data category | Purpose | Lawful basis |
|---|---|---|
| Account & authentication data (email, name, org, password hash, MFA secret) | Provide and secure the service | Contract (Art. 6(1)(b)) |
| Document content & deal data | Generate AI analysis the customer requested | Contract (Art. 6(1)(b)) |
| AI-generated outputs (KPIs, memos, red flags) | Deliver and persist analyst-facing results | Contract (Art. 6(1)(b)) |
| Audit log entries | Security monitoring, breach detection, regulatory evidence | Legal obligation (Art. 6(1)(c)) & legitimate interest (Art. 6(1)(f)) |
| Product analytics (PostHog) | Understand usage to improve UX | Consent (Art. 6(1)(a)) — opt-in via cookie banner; opt-out in /settings |
| Error reporting (Sentry) | Detect and triage application errors | Legitimate interest (Art. 6(1)(f)); opt-out in /settings |
| Marketing communications | Product news, feature announcements | Consent (Art. 6(1)(a)) — explicit opt-in only |
| Support tickets | Respond to customer enquiries | Contract (Art. 6(1)(b)) |
| Billing data | Process payments & meet tax / accounting law | Contract (Art. 6(1)(b)) & legal obligation (Art. 6(1)(c)) |
Where processing relies on consent, you may withdraw consent at any time via /settings without affecting the lawfulness of processing carried out before withdrawal.
3. AI Processing and Document Analysis
DataRoom Snap uses AI models provided by Anthropic (Claude) to analyze your uploaded documents. The following principles govern our AI processing:
- Your documents are processed by AI solely to deliver the analysis you request. They are not used to train, fine-tune, or improve any AI models.
- Document contents are transmitted to Anthropic's API over encrypted connections for analysis and are not retained by Anthropic after processing.
- We do not share your document contents with any third party other than for the purpose of AI analysis as described above.
4. Third-Party Services
We use the following third-party services to operate our platform. Each service processes only the minimum data necessary to fulfill its function. The complete and continuously-maintained list (with locations, DPA links, and 30-day change-notification terms) is published at /trust.
Supabase
Database hosting, user authentication, and file storage. User data and uploaded documents are stored in Supabase infrastructure with row-level security.
Anthropic (Claude)
AI-powered document analysis. Document contents are sent to Anthropic's API for processing. Anthropic does not retain your data after analysis.
Stripe
Payment processing and subscription management. Stripe handles all credit card and billing information. We do not store full payment details.
Vercel
Application hosting and content delivery. Vercel processes standard web request data including IP addresses and user agent strings.
5. Data Security
We implement industry-standard security measures to protect your data. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Our database uses row-level security to ensure strict data isolation between organizations. Access to production systems is restricted and audited. While no method of electronic transmission or storage is 100% secure, we take reasonable measures to protect your information from unauthorized access, alteration, disclosure, or destruction.
6. Data Retention
Retention periods are set by category. We do not keep personal data for longer than is necessary for the purpose for which it was collected.
| Category | Retention |
|---|---|
| Active account & deal data | For the life of the customer agreement |
| Deleted documents / deals | Soft-deleted immediately; cryptographically purged within a 30-day window via an automated daily cron job |
| Closed account (user-initiated) | Personal data and documents purged within 30 days unless legal hold applies |
| Audit log entries | 7 years (regulatory / SOC 2 / forensic-investigation requirement) |
| Billing & tax records | 7 years (legal obligation under tax & accounting law) |
| Backups (point-in-time) | 35 days (Supabase PITR window) |
| Marketing analytics | 13 months (PostHog default; no rolling extension) |
Enterprise customers may negotiate custom retention schedules in their order form.
7. Your Rights (GDPR Articles 15–22)
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR. You can exercise most of them yourself in /settings → Privacy. For requests we cannot self-serve, file a Data Subject Request via dpo@dataroomsnap.com. We respond within 30 days (extendable once by 60 days for complex requests, with notice).
- Art. 15 — Right of access: download a CSV / ZIP export of all personal data we hold about you. Self-serve in /settings.
- Art. 16 — Rectification: edit inaccurate profile data in /settings or contact support for fields you cannot edit yourself.
- Art. 17 — Erasure (right to be forgotten): delete your account and all associated personal data. Soft-delete is immediate; cryptographic purge completes within 30 days via daily cron.
- Art. 18 — Restriction of processing: pause analytics and error-reporting on your data via the cookie banner or in /settings.
- Art. 20 — Data portability: machine-readable export (CSV + JSON in a single ZIP) for re-import elsewhere.
- Art. 21 — Right to object: object to processing based on legitimate interest (e.g. error reporting). Contact the DPO.
- Art. 22 — Automated decision-making: DataRoom Snap does not make solely-automated decisions producing legal or similarly significant effects on you. AI outputs are advisory; humans remain in the loop.
You also have the right to lodge a complaint with your local supervisory authority (e.g. CNIL in France, ICO in the UK, the Datatilsynet in Norway). We would prefer to resolve your concern first — please contact dpo@dataroomsnap.com.
7a. International Data Transfers
DataRoom Snap is operated from the United States. By default, your data is stored and processed in the United States (Supabase / AWS us-east-1; Vercel; Anthropic). When we transfer personal data of EEA, UK, or Swiss residents outside their region, we rely on:
- Standard Contractual Clauses (SCCs) (EU Commission Decision 2021/914) executed with each sub-processor, supplemented by the UK ICO International Data Transfer Addendum and the Swiss FDPIC adaptation.
- Transfer impact assessments for each sub-processor, on file and available to Enterprise customers under NDA.
- EU residency option (Enterprise): customer data, documents, and audit logs can be pinned to Supabase EU regions (Frankfurt / Dublin) so personal data does not leave the EEA. Activated per-org with the data_region flag. Anthropic Claude API calls remain in scope of SCCs; opt-out of AI processing is also available for fully-EU-resident customers.
A copy of the SCCs we have executed is available on request to dpo@dataroomsnap.com.
8. Cookies and Tracking
We classify every cookie we set under one of four categories: Necessary, Analytics, Error reporting, and Marketing. The first time you visit DataRoom Snap from the EEA, UK, or Switzerland, the cookie banner asks you to consent on a per-category basis. You can change your choice any time at /cookies or from your account at /settings. Necessary cookies cannot be disabled because the application cannot function without them (auth session, CSRF protection, share-link gating).
For the full list of cookie names, third parties, and retention periods, see our Cookie Policy.
9. Children's Privacy
DataRoom Snap is a professional financial analysis platform and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the platform after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Data Controller
DataRoom Snap
Privacy: dpo@dataroomsnap.com
Support: support@dataroomsnap.com
Security: security@dataroomsnap.com
EU / UK Representative (Art. 27)
To be appointed
DataRoom Snap is in the process of appointing a GDPR Article 27 representative in the EU and UK. EEA, UK, and Swiss residents may direct any privacy enquiry in the interim to dpo@dataroomsnap.com. The appointed representative’s name and address will be published on this page once executed.