Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information: Name, email address, and password when you register. If you sign in with Google OAuth, we receive your name, email address, and profile picture from Google.
• Subscription and payment information: Billing details processed through Stripe. DealProfit does not store your full credit card number; Stripe handles payment data under their own Privacy Policy.
• Investment parameters: Your financial assumptions, strategy preferences, target returns, and other investment criteria you enter to personalize your deal analysis.
• Saved content: Deals you save, favorites, search filters, alert preferences, and notes.
• Waitlist and contact forms: Email address and any additional information you provide when joining our waitlist or contacting us.
• Support conversations: Messages and information you share through our live chat (powered by Crisp) or email support.

1.2 Information Collected Automatically

• Usage data: Pages visited, features used, search queries, clicks, time spent, and interactions with the Service. Collected via PostHog, our product analytics platform.
• Device and browser information: IP address, browser type and version, operating system, screen resolution, and device identifiers.
• Cookies and similar technologies: See our Cookie Policy for details.
• Referral data: The URL that referred you to our Service, search engine terms, and campaign identifiers.

1.3 Information from Third Parties

• Google OAuth: If you choose to sign in with Google, we receive your name, email, and profile picture.
• Stripe: Transaction confirmations, subscription status, and payment failure notifications.

2. How We Use Your Information

We use the information we collect to:

• Provide the Service: Analyze deals using your personal parameters, generate ProfitScore and rankings, run Monte Carlo simulations, and deliver personalized results.
• Process payments: Manage subscriptions, process billing through Stripe, and handle refunds.
• Communicate with you: Send transactional emails (account verification, password resets, subscription confirmations, deal alerts) via Resend, our email delivery service.
• Improve the Service: Analyze usage patterns to improve features, fix bugs, and optimize performance. We use PostHog for product analytics and A/B testing.
• Provide support: Respond to your inquiries via live chat (Crisp) or email.
• Ensure security: Detect and prevent fraud, abuse, and unauthorized access.
• Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.

3. Lending Partner Leads

If you choose to explore financing options through the Service, your contact information and relevant loan inquiry details may be shared with third-party lending partners who may contact you with loan offers. This sharing occurs only with your explicit consent — for example, when you click "Get Pre-Qualified" or "Request Rates" within the Financing section of the Service.

DealProfit receives a flat per-lead fee from lending partners for this service. This compensation does not affect the loan terms offered to you. You may opt out of lending partner communications at any time by contacting us or the lending partner directly.

4. How We Share Your Information

We do not sell your personal data. We share information only in the following limited circumstances:

4.1 Service Providers

We use the following third-party service providers to operate the Service:

4.2 Lending Partners

Only when you explicitly consent by requesting financing information, as described in Section 3.

4.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request, or to protect the rights, safety, or property of DealProfit, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to applicable privacy terms.

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Password security: Passwords are hashed using bcrypt with a high work factor and are never stored in plaintext.
• Authentication: Secure token-based authentication (JWT) with short-lived access tokens and longer-lived refresh tokens.
• Infrastructure: Hosted on AWS with network isolation, encrypted storage, and access controls.
• Payment data: Credit card information is handled entirely by Stripe (PCI DSS Level 1 certified) and never touches our servers.

While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal data for as long as necessary to:

• Active account data: Retained for the duration of your account. When you delete your account, personal data is removed within 30 days, except as required by law.
• Payment records: Retained for 7 years to comply with accounting and tax obligations.
• Usage analytics: Aggregated and anonymized analytics data may be retained indefinitely for product improvement. Identifiable analytics data is retained for up to 24 months.
• Support conversations: Retained for up to 24 months after your last interaction.
• Waitlist data: Retained until you unsubscribe or request deletion.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data ("right to be forgotten").
• Portability: Request a machine-readable copy of your data.
• Restriction: Request that we limit how we use your data.
• Objection: Object to certain types of processing, including direct marketing.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@dealprofit.com. We will respond to your request within 30 days.

8. GDPR — European Economic Area Users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). The legal bases for our processing of your personal data are:

• Contract performance: Processing necessary to provide the Service you requested (account management, deal analysis, payment processing).
• Legitimate interests: Processing for product improvement, security, and fraud prevention, where our interests do not override your fundamental rights.
• Consent: Processing based on your explicit consent, such as marketing communications and lending partner referrals. You may withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable laws.

Data may be transferred to countries outside the EEA (including the United States, where our infrastructure providers operate). Such transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the European Commission. You have the right to lodge a complaint with your local data protection authority.

9. CCPA — California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of personal information we hold about you, subject to certain legal exceptions.
• Right to opt out of sale: We do not sell personal information. However, you have the right to direct us not to sell your personal information.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at privacy@dealprofit.com. We will verify your identity before processing your request.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice in the Service. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact

If you have questions or concerns about this Privacy Policy, or if you wish to exercise your data rights, please contact us:

• Email: privacy@dealprofit.com
• Contact form: dealprofit.com/contact