Privacy Policy

Last Updated: March 2026

This Privacy Policy describes how Grand Kru Ventures (“Company,” “we,” “us,” or “our”) collects, uses, and shares information in connection with your use of the DueDrill platform (the “Service”), including the website at duedrill.com and any related applications, tools, or services. By accessing or using the Service, you agree to this Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information necessary to establish and maintain your account, including:

  • Email address
  • Full name
  • Password (stored only as a one-way cryptographic hash; we never store or can recover plaintext passwords)
  • Organization or fund name (optional)
  • Billing information (processed and stored by our payment processor, Stripe)

1.2 Company Research Data

The core function of DueDrill is to help you conduct due diligence on companies. In the course of using the Service, you may create, upload, or generate the following types of data:

  • Company profiles and names you research
  • Due diligence notes, scores, and assessments across our 16-category framework
  • AI-generated research findings from third-party AI providers
  • Investment memos and reports you generate
  • Imported data files (JSON, CSV, or other structured data)

You retain full ownership of all company research data you create or upload. We do not claim any intellectual property rights over your data.

1.3 API Keys

DueDrill allows you to connect your own API keys for AI research providers (Perplexity, Anthropic/Claude, OpenAI/GPT-4, Groq). When you provide these keys:

  • API keys are encrypted at rest using AES-256 encryption
  • Keys are transmitted only over HTTPS/TLS-encrypted connections
  • Keys are used solely to make API calls on your behalf and are never shared with third parties
  • You can delete your API keys at any time through your account settings
  • We do not log or store the content of API requests or responses beyond the research findings that are saved to your account so they can be displayed to you

1.4 Usage and Analytics Data

We automatically collect certain technical and usage information when you access the Service:

  • Device type, browser type, and operating system
  • IP address (anonymized for analytics purposes)
  • Pages and features accessed, time spent on pages
  • Referring URLs and navigation paths
  • Error logs and performance metrics
  • Feature usage patterns (e.g., which AI providers are used, frequency of report generation)

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate, maintain, and deliver the features and functionality of DueDrill, including AI-powered research, scoring, and report generation.
  • Account Management: To create, authenticate, and manage your account, process payments, and communicate with you about your subscription.
  • Service Improvement: To analyze usage patterns, identify bugs, improve AI research quality, and develop new features. We use aggregated, anonymized data for this purpose.
  • Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
  • Communications: To send you transactional emails (account verification, password resets, billing receipts), service announcements, and, with your consent, marketing communications.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

We do not sell, rent, or trade your personal information to third parties. We do not use your company research data to train AI models or for any purpose other than providing the Service to you.

3. Third-Party Services

DueDrill integrates with the following third-party services to deliver its functionality. Each service has its own privacy policy governing data it processes:

3.1 Supabase (Authentication & Database)

We use Supabase for user authentication, database storage, and cloud synchronization. Your account data and research data (when cloud sync is enabled) are stored in Supabase-managed infrastructure. Supabase processes data in accordance with its privacy policy and employs industry-standard security measures including encryption at rest and in transit.

3.2 Stripe (Payment Processing)

We use Stripe to process subscription payments. We do not directly handle, store, or have access to your full credit card number. Stripe is certified as a PCI DSS Level 1 Service Provider, the most stringent level of assessment in the payment card industry. Stripe's use of your data is governed by its privacy policy.

3.3 AI Research Providers

When you run AI-powered research, your queries are sent to the AI provider you select (Perplexity, Anthropic, OpenAI, or Groq) using your own API keys. We send only the minimal information necessary to generate research results (company name, research context). Each AI provider processes queries according to its own privacy policy and terms of service. We recommend reviewing their respective policies.

3.4 Analytics

We may use privacy-focused analytics tools to understand how the Service is used. Analytics data is aggregated and anonymized and is not used to identify individual users.

4. API Key Security

We take the security of your API keys extremely seriously. Our API key handling practices include:

  • Encryption at Rest: All API keys are encrypted using AES-256 before being stored in our database.
  • Encryption in Transit: API keys are transmitted exclusively over HTTPS/TLS-encrypted connections.
  • No Sharing: We never share, sell, or expose your API keys to any third party. Keys are used only to make API calls on your behalf.
  • User Control: You can view, update, or delete your stored API keys at any time from your account settings.
  • Access Controls: API keys are accessible only through authenticated, authorized requests from your account.
  • No Logging: We do not log API keys in application logs, error reports, or analytics systems.

5. Data Retention

We retain your data in accordance with the following practices:

  • Account Data: Retained for as long as your account is active. Upon account deletion, your personal data is deleted from our production systems within 30 days; copies in database backups are purged on the schedule described under Backups below.
  • Research Data: You maintain full control over your company research data. You can export all data at any time (JSON format) and delete individual companies or your entire dataset at any time.
  • API Keys: Deleted immediately upon your request or upon account deletion.
  • Usage Analytics: Aggregated analytics data is retained for up to 24 months. Anonymized data may be retained indefinitely for statistical purposes.
  • Billing Records: Retained as required by applicable tax and financial regulations (typically 7 years).
  • Backups: Database backups containing your data are automatically purged within 90 days of data deletion.

6. Cookies and Local Storage

DueDrill uses a minimal, privacy-focused approach to cookies and browser storage:

  • Authentication Session Cookie: A strictly necessary cookie is set to maintain your login session. This cookie is essential for the Service to function and cannot be disabled while using the Service.
  • Local Storage: We use browser local storage to cache application preferences and improve performance. This data remains on your device and is not transmitted to our servers.
  • No Tracking Cookies: We do not use advertising cookies, retargeting pixels, or third-party tracking cookies.

7. Your Rights Under GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of inaccurate personal data.
  • Right to Erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions.
  • Right to Restriction: You have the right to request that we restrict processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transfer it to another controller.
  • Right to Object: You have the right to object to processing of your personal data for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time.

Our legal basis for processing personal data includes: (a) performance of our contract with you (providing the Service), (b) our legitimate interests (improving the Service, security), and (c) your consent (marketing communications). To exercise any of these rights, contact us at yuri@grandkruventures.com. We will respond to your request within 30 days.

8. Your Rights Under CCPA (California)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share data.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. As such, there is no need to opt out. If this practice ever changes, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at yuri@grandkruventures.com. We will verify your identity before processing your request and respond within 45 days.

9. International Data Transfers

Grand Kru Ventures is based in Israel with operations in the United States. Your data may be transferred to and processed in countries outside your country of residence, including:

  • Israel: Where our company is headquartered. Israel has been recognized by the European Commission as providing an adequate level of data protection.
  • United States: Where certain infrastructure providers (Supabase, Stripe, AI providers) may process data.

Where data is transferred to countries that have not received an adequacy determination from the European Commission, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to ensure your data receives an adequate level of protection. Supabase infrastructure is hosted in secure, SOC 2-compliant data centers.

10. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • API keys are encrypted at rest using AES-256; passwords are never stored in a recoverable form and are kept only as one-way cryptographic hashes
  • Database access is restricted through role-based access controls and row-level security policies
  • Regular security audits and vulnerability assessments
  • Employee access to production data is limited to authorized personnel on a need-to-know basis

While we strive to protect your personal information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected users in the event of a data breach, in accordance with applicable laws.

11. Children's Privacy

The Service is intended for professional and business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at yuri@grandkruventures.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Notify you via email at least 30 days before the changes take effect
  • Display a prominent notice within the Service

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Grand Kru Ventures

Email: yuri@grandkruventures.com

Website: duedrill.com

For GDPR inquiries, you may also lodge a complaint with your local data protection authority.