This Privacy Policy covers how Anvesana collects, uses, and protects personal data. It is separate from our
Terms and Conditions, which govern the contractual relationship between Anvesana and its clients.
1. Who We Are
Anvesana operates an AI-powered M&A due diligence platform ("Platform"). References to "we", "us", or "Anvesana" mean the Platform operator. (Registered entity name and address will be substituted here upon incorporation. Until that time, all data protection enquiries should be directed to the contact below.) For data protection enquiries: [email protected].
2. Data We Collect
2.1 Account and contact data
- Name and work email address (provided at signup or via demo lead form)
- Company name (optional)
- API key (system-generated; linked to your account)
2.2 Engagement data
- Document files you upload (PDF, DOCX, TXT, CSV) and their extracted text
- AI risk analysis results and reports generated from your documents
- Document metadata: title, type, upload timestamp
2.3 Technical data
- IP address of each API request (logged for security and abuse prevention)
- Request timestamps and HTTP method/path (server access logs)
- Browser session token stored in
sessionStorage (cleared on tab close)
2.4 Billing data
- Subscription status and plan tier (stored internally)
- Payment details are processed and held by Stripe Inc. — we do not store card numbers
2.5 Consent records
- When you accept terms of service, deal room access terms, or authorised-use acknowledgments, we record the event type, timestamp, IP address, browser user agent, and your account identifier in a dedicated consent log. This log is append-only and retained for 7 years as evidence of informed consent.
3. Lawful Basis for Processing
- Contract performance (Art. 6(1)(b)): Processing your name, email, API key, and engagement data is necessary to deliver the Platform services you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): IP address logging is processed to detect abuse, prevent fraud, and ensure platform security. We have assessed that these interests are not overridden by your privacy rights given the limited use and controlled access.
- Consent (Art. 6(1)(a)): Where you opt in to marketing communications, we rely on explicit consent. You may withdraw at any time.
For California residents (CCPA): we do not sell personal information. Data is disclosed only to service providers acting on our behalf under written contracts.
Deal documents uploaded to the Platform may contain personal data of third parties (e.g. employees of a target company, counterparties, or directors). The Client, as data controller of such data, is responsible for ensuring an appropriate legal basis exists for processing it through the Platform. Anvesana processes this data solely as a data processor acting on the Client's instructions and only to the extent necessary to deliver the due diligence analysis service.
4. How We Use Your Data
- Provision of the Platform, including AI risk analysis of uploaded documents
- Sending your API key and account information after purchase
- Billing and subscription management via Stripe
- Responding to support requests, bug reports, and feedback you submit
- Platform security monitoring and abuse prevention
We do not use your engagement documents for model training. Where cloud-based AI inference is used, document text is transmitted to the AI provider (currently Anthropic Inc.) under their Data Processing Agreement and is not used for model training. Where local scoring is active, no external transmission occurs. No document content is shared with any other third party other than as set out in Section 5.
5. Sub-processors
- Stripe Inc.: Payment processing. Data: name, email, card details (tokenised). Stripe Privacy Policy and Data Processing Agreement.
- Anthropic Inc.: AI inference for document risk scoring when cloud scoring is active. Data: extracted document text (not original files). Subject to Anthropic's Privacy Policy and Data Processing Agreement. Anthropic does not use API data for model training.
- Railway (hosting infrastructure): Application hosting and compute. All data processed by the Platform transits Railway's infrastructure. Subject to Railway's Data Processing Agreement.
- SMTP provider: Your email address is transmitted to the configured SMTP relay for delivery of your API key and account notifications only.
6. Data Retention
- Engagement documents and analyses: Retained for the duration of your active subscription, plus 30 days after termination to allow export.
- Account data (name, email, API key): Retained for the duration of your subscription and up to 12 months after termination for legal and billing purposes.
- Server access logs (IP addresses, HTTP method/path, timestamps): Retained for 90 days, then deleted. These are distinct from audit logs — see below.
- Audit logs (API actions, upload events, report downloads): Retained for 7 years for regulatory compliance and legal defensibility.
- Consent records (clickwrap log): Retained for 7 years as evidence of informed consent.
- Billing records: Retained for 7 years as required by applicable tax law.
- Demo lead data: Retained for 12 months from collection, then deleted unless converted to a paying account.
7. Your Rights
7.1 Access and portability
Request a machine-readable export of all personal data we hold. Use GET /api/v1/account/export with your API key, or email [email protected].
7.2 Erasure
Request deletion of your account and all associated engagement data. Use DELETE /api/v1/account or email [email protected]. Deletion is processed within 30 days. Billing records required by law are retained for the statutory period.
7.3 Rectification
If any data we hold is inaccurate, contact [email protected]. We will correct it within 14 days.
7.4 Objection and restriction
You may object to processing based on legitimate interests or request restriction while a dispute is resolved. Contact [email protected].
7.5 Withdrawal of consent
Where processing is based on consent (e.g. marketing emails), reply "Unsubscribe" to any platform email or contact us. Withdrawal does not affect lawfulness of prior processing.
7.6 CCPA rights (California residents)
You have the right to know what personal information is collected, request deletion, opt out of sale (we do not sell data), and non-discrimination for exercising these rights. Submit requests to [email protected].
7.7 Complaints
You may lodge a complaint with your local supervisory authority. UK: ICO. EU: your national data protection authority.
8. IP Address Logging
We log the IP address of every API request. Lawful basis: legitimate interests (Art. 6(1)(f)) — IP logging is necessary to detect abuse, enforce rate limits, diagnose errors, and maintain platform security. Logs are retained for 90 days and are not used for profiling, advertising, or shared with third parties except where required by law.
9. Cookies and Local Storage
The Platform does not use tracking cookies or third-party analytics.
- sessionStorage: Your API key is held in the browser's
sessionStorage for the session duration. Cleared automatically when the tab closes. Never transmitted to third parties.
- localStorage: A demo session flag is stored locally. Contains no personal data.
No cookies are set by the Platform.
10. Contact
For privacy enquiries or data subject requests:
- Email: [email protected]
- Acknowledgement within 72 hours; substantive response within 30 days
This policy was last updated June 2026. Material changes will be communicated to active subscribers by email.