Privacy Policy
Last updated: April 10, 2026
1. Introduction
Deadpoint ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you understand how we collect, use, and safeguard your personal data.
This Privacy Policy applies to all Deadpoint web properties, including our marketing website at deadpoint.ai and our investor data room at invest.deadpoint.ai (collectively, the "Services"). It describes what data we collect, why we collect it, how we use it, and your rights regarding that data.
Deadpoint is headquartered in Lisbon, Portugal. We build a Strategy Operating System for hedge funds. Our Services are directed at institutional and professional users, not consumers. Please read this policy carefully. If you do not agree with our practices, please do not use our Services.
2. Data Controller
Deadpoint is the data controller responsible for your personal data. For privacy-related inquiries or to exercise your data rights, contact us at privacy@deadpoint.ai. For general questions, reach us at info@deadpoint.ai.
3. What Personal Data We Collect
We collect different categories of data depending on how you interact with our Services.
3.1 Marketing Website (deadpoint.ai)
- Design partner application form: Full name, work email address, fund name, AUM range, and role at your fund. This data is submitted via Formspree, our form processing service.
- Technical data: IP address, browser type, device type, operating system, pages visited, referring URL, and timestamps. Collected automatically by our hosting infrastructure.
3.2 Investor Data Room (invest.deadpoint.ai)
- Account information: Email address, name, firm name, and role. Provided during registration or by an administrator who provisions your access.
- Authentication data: Password (stored hashed, never in plain text), session tokens, email verification status, and OAuth provider identifiers (if you sign in via Microsoft or Google).
- NDA acceptance records: Full name, title, company, electronic signature, timestamp, IP address, and browser information at the time of acceptance.
- Document engagement data: Which documents you view, how long you spend on each document, scroll depth, which sections you read (including time spent per section and viewport visibility), and any documents you download.
- Questions and comments: Questions you ask through our Q&A feature (including any text you highlight from documents), AI-generated answers, and annotations or comments you leave on documents.
- Share requests: If you request to share documents with a colleague, we collect the recipient's name and email, your message, and which documents were requested.
- Access requests: If you request access to the data room, we collect your name, email, firm, and message.
- Technical and session data: IP address, browser type, device type, user agent, session identifiers, and timestamps for all interactions. This data is logged for security, audit, and access control purposes.
3.3 Analytics and Behavioral Data (All Services)
- Product analytics (PostHog): We use PostHog for product analytics, event tracking, and funnel analysis, including both client-side autocapture (page views, clicks, and interactions) and server-side event capture initiated by our backend. PostHog collects event data tied to your interactions with our Services, such as pages visited, features used, and actions taken. PostHog processes this data on our behalf.
- Session recording and heatmaps (Microsoft Clarity): We use Microsoft Clarity to record user sessions, generate heatmaps, and detect interaction patterns (such as rage clicks and dead clicks). Clarity captures your mouse movements, clicks, scrolls, and page interactions. Session recordings may be linked to your email address and access tier for analysis. Clarity does not collect passwords or payment information. You may opt out of Clarity tracking through the cookie consent mechanism on our Services.
- First-party engagement tracking: On the investor data room, we operate our own engagement tracking that records document views, section-level reading behavior, scroll depth, time on page, and download activity. This data is tied to your investor account and is used to understand how investors engage with our materials.
4. How We Use Your Data
We use your personal data for the following purposes:
- Application and access review: To review design partner applications, investor access requests, and determine eligibility for data room access at the appropriate tier.
- Service delivery: To provide access to documents, manage your account, enforce access controls, and deliver our investor data room functionality.
- Communication: To contact you regarding your application or account, send email verification and access codes, and respond to your inquiries.
- Analytics and improvement: To understand how users interact with our Services, identify usability issues, measure engagement with our materials, and improve the user experience. This includes product analytics (PostHog), session recording (Microsoft Clarity), and our own engagement tracking.
- AI-powered Q&A: To answer questions you submit through our document Q&A feature. Your questions and relevant document context are sent to third-party AI providers (see Section 6) to generate responses.
- Security and fraud prevention: To protect our Services from unauthorized access, detect abuse, enforce rate limits, and maintain audit trails.
- Audit and compliance: To maintain records of document access, NDA acceptances, and user activity for legal, regulatory, and audit purposes.
- Legal compliance: To comply with applicable laws, regulations, and legal obligations.
Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Design partner application form | Consent (Art. 6(1)(a)) and legitimate interest (Art. 6(1)(f)) |
| Data room account and service delivery | Contract performance (Art. 6(1)(b)) |
| Analytics, session recording, and engagement tracking | Legitimate interest (Art. 6(1)(f)) — improving our Services and understanding user engagement. Where required, consent (Art. 6(1)(a)) obtained via cookie consent mechanism. |
| AI-powered Q&A | Contract performance (Art. 6(1)(b)) — feature you choose to use |
| Security, rate limiting, and audit logging | Legitimate interest (Art. 6(1)(f)) — security and fraud prevention |
| NDA acceptance and compliance records | Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)) |
| Technical data (hosting infrastructure) | Legitimate interest (Art. 6(1)(f)) — website operation and security |
5. Cookies, Tracking, and Consent
5.1 Essential Cookies
These cookies are necessary for our Services to function and cannot be disabled. They do not require consent under GDPR.
- Session cookie: An HTTP-only, secure cookie that maintains your authenticated session on the investor data room. Expires after 7 days.
- Cloudflare cookies: Security and performance cookies set by Cloudflare to protect our Services from attacks and route traffic efficiently.
5.2 Analytics and Tracking (Consent Required)
The following tracking technologies are enabled only with your consent, which you can manage through the cookie consent banner displayed on our Services. You can withdraw consent at any time.
- PostHog: Product analytics and event tracking (client-side autocapture and server-side event capture). Collects interaction events, page views, and feature usage.
- Microsoft Clarity: Client-side session recording, heatmaps, and interaction analytics. Captures mouse movements, clicks, scrolls, and page interactions. Sessions may be identified by your email address and access tier.
Your consent preference is stored locally in your browser. We do not track you across other websites.
5.3 First-Party Engagement Tracking
On the investor data room, we collect engagement data (document views, section reading time, scroll depth, downloads) as part of our core service functionality and for legitimate business purposes. This tracking does not use cookies — it is server-side, tied to your authenticated session, and is integral to how the data room operates.
5.4 Third-Party Resources
Google Fonts: We load typography from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). Your browser sends your IP address and basic request headers to Google's servers. See Google's Privacy Policy.
6. Third-Party Services
We use the following third-party services that may process your data. All third-party processors operate under data processing agreements with Deadpoint.
| Service | Purpose | Data Processed |
|---|---|---|
| Cloudflare | Hosting, CDN, security, DDoS protection, and rate limiting for all Services | IP address, browser info, pages visited, request metadata |
| PostHog | Server-side product analytics, event tracking, and funnel analysis | Interaction events, page views, feature usage, user identifiers |
| Microsoft Clarity | Session recording, heatmaps, and interaction analysis | Mouse movements, clicks, scrolls, page content, email and tier (for session identification) |
| Formspree (US) | Form processing for design partner applications | Name, email, fund name, AUM range, role |
| Resend (US) | Transactional email delivery (verification codes, access notifications) | Email address, name |
| Anthropic (US) | AI language model for document Q&A | Your questions, selected document text, document context. No personal account data is sent. |
| Groq (US) | AI language model for document Q&A (alternative provider) | Your questions, selected document text, document context. No personal account data is sent. |
| OAuth authentication (optional sign-in method) and font delivery | OAuth: provider account identifier, email, name. Fonts: IP address, browser info. | |
| Microsoft | OAuth authentication (optional sign-in method) | Provider account identifier, email, name |
No data sales: We do not sell, trade, or share your personal data with third parties for marketing, advertising, or commercial purposes. We do not use your data to train AI models. We only share data with service providers who process it on our behalf under contractual obligations.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Design partner applications (Formspree) | 24 months, or until a business relationship is established |
| Investor data room accounts | Duration of relationship + 90 days, or until deletion is requested |
| Document engagement data (views, section tracking, downloads) | Duration of relationship + 90 days |
| Q&A chat logs | Duration of relationship + 90 days |
| NDA acceptance records | 7 years (legal and regulatory compliance) |
| Authentication and audit logs | 5 years (regulatory recordkeeping) |
| Analytics data (PostHog, Clarity) | Per provider retention policies (typically 12–24 months) |
| Cloudflare technical logs | 7–30 days (per Cloudflare standard retention) |
| Access requests | 24 months |
Upon request or termination of a business relationship, account data is soft-deleted (marked as deleted) and permanently purged after the applicable retention period. Audit logs and NDA records are retained for their full retention period regardless of account status, as required for legal and regulatory purposes.
8. Your GDPR Rights
If you are located in the European Union or other jurisdiction with similar data protection laws, you have the following rights:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request that we correct inaccurate or incomplete data. Data room users can also update their own account information directly.
- Right to erasure: You can request deletion of your data, subject to legal retention obligations (e.g., NDA records, audit logs retained for regulatory compliance).
- Right to restriction: You can request that we limit how we process your data while a request is under consideration.
- Right to data portability: You can request your data in a portable, machine-readable format.
- Right to object: You can object to processing based on legitimate interest, including analytics and engagement tracking.
- Right to withdraw consent: Where processing is based on consent (e.g., analytics tracking), you can withdraw consent at any time via the cookie consent settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing.
- Right regarding automated decision-making: We do not make automated decisions with legal or significant effects on individuals. AI-generated Q&A responses are informational only.
- Right to lodge a complaint: You can lodge a complaint with your local data protection authority. In Portugal, this is the National Data Protection Commission (CNPD).
To exercise any of these rights, please contact us at privacy@deadpoint.ai. We will respond within 30 days (or as required by law). We may need to verify your identity before processing your request.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with additional rights regarding your personal information:
- Right to know: You may request what personal information we collect, use, disclose, and sell.
- Right to delete: You may request deletion of your personal information, subject to legal exceptions.
- Right to opt out of sale/sharing: We do not sell or share your personal information as defined under the CCPA/CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California privacy rights, contact us at privacy@deadpoint.ai.
10. International Data Transfers
Your data may be processed and stored outside your country of residence. Several of our third-party processors are based in the United States (Formspree, Resend, Anthropic, Groq). Cloudflare operates globally.
For transfers of personal data from the EU/EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures where appropriate, and processor commitments to data protection standards equivalent to GDPR. For EU-US transfers, we also rely on the EU-US Data Privacy Framework where applicable.
11. Security
We implement technical and organizational measures to protect your data:
- All traffic is encrypted using HTTPS (TLS).
- Passwords are hashed using industry-standard algorithms and are never stored in plain text.
- Session tokens are stored in HTTP-only, secure cookies.
- Cloudflare provides DDoS protection and Web Application Firewall (WAF) rules.
- Rate limiting is enforced on authentication and access request endpoints to prevent brute-force attacks.
- Role-based access controls restrict data room content to authorized tiers.
- Access to personal data is restricted to authorized personnel only.
- User-submitted content is sanitized to prevent cross-site scripting (XSS).
No method of transmission over the internet is 100% secure. While we implement strong safeguards, we cannot guarantee absolute security.
12. Children's Privacy
Our Services are directed at institutional and professional users and are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will promptly delete it. Contact us at privacy@deadpoint.ai if you believe this has occurred.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or the Services we offer. We will update the "Last updated" date at the top of this page. For material changes, we will provide notice through our Services or via email to registered data room users. Your continued use of our Services after changes are posted constitutes your acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, our data practices, or your privacy rights:
- Privacy inquiries: privacy@deadpoint.ai
- General inquiries: info@deadpoint.ai
- Address: Deadpoint, Lisbon, Portugal
We will respond to your inquiry within 30 days.