Privacy Policy

Draft v1 — Subject to counsel review before launch. This document is a baseline draft. Your legal counsel must review and approve it before registration is opened to additional users.

Effective Date: April 21, 2026

Last Updated: April 21, 2026


1. Introduction and Controller

This Privacy Policy describes how [Operating Entity — fill in legal name] ("we," "us," or "our") collects, uses, discloses, and protects information about you when you use the SoloSearcher dashboard ("Service").

Data Controller: [Operating Entity], [Address Placeholder], Delaware, United States.

For privacy inquiries, contact: privacy@[domain placeholder]


2. Scope

This policy applies to:

  • Users who log in to the dashboard (currently invite-only)
  • Visitors to public pages on this domain (e.g., this legal page)
  • Third parties whose information appears in deal records entered by users (e.g., broker contacts, business seller contacts)

3. Information We Collect

3.1 User Account Data (via Clerk)

Authentication is handled by Clerk, Inc. When you sign in, Clerk collects and provides us with:

  • Email address
  • Display name (if set)
  • Session tokens and device identifiers
  • Login timestamps and IP addresses

Note: The Service currently uses Clerk test-tier keys. Before broader user onboarding, production Clerk keys will be provisioned and Clerk's standard data processing agreement will be in full effect.

3.2 Deal and Pipeline Data (User-Uploaded)

You enter deal data directly into the Service:

  • Company profiles: name, location, industry, revenue, EBITDA, asking price, status in pipeline
  • Broker and brokerage contact information
  • Outreach activity logs (emails sent, calls made, notes)
  • Qualitative notes and analysis inputs

3.3 Uploaded Documents

You may upload financial and deal documents (CIMs, tax returns, P&Ls, balance sheets) to the Service. These are:

  • Stored in Cloudflare R2 object storage (encrypted at rest)
  • Processed by our financial extraction pipeline, which uses Claude (Anthropic) to parse and structure data
  • Indexed only within your tenant — not shared with other users

3.4 AI Interaction Data

When you trigger AI analysis skills, the following data is transmitted to Anthropic's Claude API:

  • Company financial data and deal metrics
  • Qualitative notes and prior analysis results
  • Prompts generated by our analysis skill system

Every AI invocation is logged in our ai_invocations database table with timestamp, model, token counts, cost estimate, and skill type. This log is used for cost tracking and auditability — not for marketing or profiling.

3.5 Usage and Diagnostic Data

  • PostHog (product analytics): If configured, PostHog may collect page views, feature interaction events, and session replays. PostHog is currently deployed but may be in a limited-collection mode. You will be notified if session replays are enabled.
  • Vercel (hosting): Vercel logs request metadata (URL, status code, IP, user agent, function execution time) as part of normal hosting operations.
  • Server-side logs do not persist beyond Vercel's standard retention window.

3.6 QuickBooks Data

If you authorize QuickBooks integration, we retrieve financial reports (Profit & Loss, Balance Sheet, Cash Flow) on your behalf. This data is:

  • Stored in our database associated with the relevant company record
  • Never shared with third parties beyond the subprocessors listed in this policy
  • Revocable by disconnecting the integration at any time

4. How We Use Your Information

| Purpose | Legal Basis |
|---------|-------------|
| Providing and operating the Service | Contract performance |
| AI analysis of deal data | Contract performance + legitimate interest |
| Cost tracking (AI invocation logging) | Legitimate interest |
| Security monitoring and fraud prevention | Legitimate interest |
| Compliance with legal obligations | Legal obligation |
| Future anonymized benchmark analytics (opt-in only — not yet built) | Consent (will be requested separately when this feature launches) |

We do not use your deal data for:

  • Training AI models (see Section 6 on Anthropic's handling)
  • Marketing to third parties
  • Sale to data brokers

5. Subprocessors

We share data with the following third-party subprocessors. A full subprocessor list with data-flow details is maintained at /legal/subprocessors.

| Subprocessor | Purpose | Location |
|---|---|---|
| Clerk, Inc. | Authentication and session management | United States |
| Neon, Inc. | PostgreSQL database (all user data at rest) | United States |
| Vercel, Inc. | Application hosting, edge functions, request logs | United States / Global CDN |
| Cloudflare, Inc. (R2) | Document and file storage | United States |
| Anthropic, PBC | AI analysis (Claude API) | United States |
| PostHog, Inc. | Product analytics | United States |
| Intuit, Inc. (QuickBooks) | User-initiated financial data pull | United States |
| Brave Software, Inc. | Website enrichment for company research | United States |
| Hunter.io (Anadeea SRL) | Email discovery for broker/contact research | Romania / EU |


6. Anthropic and AI Processing

We use Anthropic's Claude API to power AI analysis features. When you trigger an analysis:

  • Deal data and prompts are transmitted to Anthropic's API endpoints
  • Anthropic processes this data to generate analysis outputs
  • Anthropic does not use API-submitted data for model training under their standard API usage policy
  • All transmissions occur over TLS

You can review Anthropic's privacy policy at anthropic.com/privacy.


7. NDA-Grade Data Handling

CIMs and financial documents frequently contain confidential business information. Our handling:

  • Tenant isolation: All deal data is associated with a user account via database-enforced foreign keys. No cross-user data access is possible at the query layer.
  • Encryption in transit: All data transmitted between your browser, our servers, Cloudflare R2, and Neon is encrypted via TLS.
  • Encryption at rest: Cloudflare R2 provides encryption at rest for uploaded documents. Per-user database encryption (DEKs) is planned and will be in place before broader user onboarding (see our security roadmap).
  • Append-only audit log: Key mutations are recorded in an immutable audit log enforced at the database level.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

| Right | Status |
|-------|--------|
| Access — obtain a copy of your data | Available on request; self-serve export planned (T7) |
| Correction — fix inaccurate data | Available via dashboard UI |
| Deletion — request account deletion | Available on request; 7-day grace period applies |
| Portability — receive data in machine-readable format | Planned (JSON export, T7) |
| Restriction — limit processing of your data | Available on request |
| Objection — object to legitimate-interest processing | Contact us at privacy@[domain placeholder] |

CCPA (California): California residents have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information.

GDPR (EEA/UK): If you are located in the EEA or UK, you have the rights described above plus the right to lodge a complaint with your supervisory authority.

To exercise any right, email privacy@[domain placeholder]. We will respond within 30 days.


9. Data Retention

| Data Category | Retention Period |
|---|---|
| Active account data | Retained while account is active |
| Account data after deletion | 7-day grace period, then purged |
| AI invocation logs | 1 year from invocation |
| Authentication events | 2 years |
| Uploaded financial documents | Retained while account is active; deleted on account deletion |
| Vercel request logs | Per Vercel's standard retention (typically 30 days) |


10. Security

We implement the following security measures:

  • TLS encryption for all data in transit
  • Cloudflare R2 server-side encryption for uploaded documents
  • Database-enforced tenant isolation via composite foreign keys
  • Append-only audit log for key mutations
  • Session token management via Clerk (with MFA support)
  • Least-privilege database access (application user cannot drop tables)

Planned (not yet in production):

  • Per-user database encryption keys (DEKs)
  • IP allowlisting (T-series roadmap)

11. Cookies and Tracking

The Service sets the following cookies:

  • Clerk session cookie: Required for authentication. Session-scoped or persistent based on your login settings.
  • PostHog cookie: Set if PostHog analytics is active. Used for anonymous session tracking.

We do not use advertising cookies or third-party tracking cookies.


12. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact privacy@[domain placeholder].


13. International Transfers

Our servers and subprocessors are primarily located in the United States. If you access the Service from the EEA, UK, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms where required.


14. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. GDPR and CCPA obligations apply to the extent required by those laws.


15. Changes to This Policy

We will notify you of material changes by updating the "Last Updated" date and, where required, by email notification or in-app notice. Continued use of the Service after changes become effective constitutes acceptance.


16. Contact

Privacy inquiries: privacy@[domain placeholder]

Mailing address: [Operating Entity], [Address Placeholder], Delaware, United States


Version: v1 · Effective: 2026-04-21