Legal

Privacy Policy

Effective 13 May 2026

DueVestor is an autonomous due-diligence platform operated from Israel. This policy explains what information we collect about users of our SaaS, why we collect it, how long we keep it, and the rights you have under GDPR (EU/UK), CCPA (California), and the Israeli Protection of Privacy Law. To exercise any right, email [email protected] or use the in-app data-export and erase-account controls.

1. What we collect

Account: name, email, OAuth identifier, optional phone number. Usage: pages viewed, features used, anonymous session ID via the `dv_sid` cookie (only when you consent). Billing: PayPal capture identifiers and transaction amounts (we never see your card). Subject data: the people/companies you choose to research — stored against your account and never shared. Audit trail: a server-side log of every state-changing action you take, retained for two years.

2. How we use it

To run the service you signed up for, to bill you, to improve the product (aggregated analytics only), and to comply with our legal obligations. We do NOT sell your data, we do NOT use your subject data to train a model, and we do NOT run cross-site behavioural advertising.

3. Who we share it with

Sub-processors only: PayPal (payments), Anthropic (LLM inference for report composition — subject data is sent under their no-training contract), Cloudflare (CDN+DNS), RunPod (per-report sandbox compute), SendGrid (email), and GitHub (code hosting; no user data flows there). The current list is at /security. We will notify you 30 days before adding a sub-processor that processes EU personal data.

4. How long we keep it

Account data: until you erase your account. Reports: indefinitely while the project is active, deleted when the project is. Audit log: 2 years (legal retention). Backups: 90 days. When you exercise the right to erase, we soft-delete immediately and hard-delete after a 30-day grace window so you can reverse the decision by emailing [email protected].

5. Your rights

GDPR/UK: access, rectify, erase, restrict, port, object. CCPA: know, delete, opt-out of sale (we don't sell). Israeli PPL: access and correction. Two of these are self-service: GET /api/v1/me/export returns a JSON snapshot of your data; DELETE /api/v1/me/erase starts the erasure flow. For anything else, email [email protected] — we respond within 30 days.

6. Cookies

Essential: `authjs.session-token` (signed-in session), `dv_ref` (affiliate attribution, if applicable). Analytics (opt-in): `dv_sid` anonymous session ID — only set when you accept on the banner. We honor Do-Not-Track and Sec-GPC; if either header is present we skip analytics regardless of banner state.

7. Contact

Privacy/DPO inquiries: [email protected]. Security disclosures: [email protected]. General support: [email protected].