Data Privacy & Security Policy
Last Updated: March 25, 2026
Guiding Principles
DiligenceGPT™'s privacy and security practices are grounded in the following core principles:
- You control your data access: you control access to your workspace, including granting and revoking user access to specific types of data.
- Our business model does not involve selling our customers' personal data.
- We pursue a double opt-in strategy to ensure that all parties explicitly consent to offerings and services provided.
- We track anonymous data from users, such as aggregate investment data, to improve our offerings and for market insights.
1. Introduction
DiligenceGPT™ - StartupFuel Inc. (“DiligenceGPT™”, “we”, “our”, or “us”) is an AI-powered due diligence platform designed for venture capital firms, angel investors, accelerators, private equity firms, family offices, corporate VCs, institutional investors and any private market investors. We process highly sensitive and proprietary materials on behalf of our clients, including data rooms, investment memoranda, financial records, cap tables, legal agreements, and other confidential documents.
Protecting the confidentiality, integrity, and availability of this information is fundamental to our business. This Data Privacy & Security Policy describes how we collect, use, store, encrypt, and safeguard all data submitted to our platform.
We are committed to protecting your privacy. This Policy describes our practices regarding the Personal Data we collect from users of our Sites and the Materials that are made available or enabled via the Sites. Capitalized terms have the meanings given in the Definitions section at the end of this Policy.
This policy applies to all customers, authorized users, and visitors of DiligenceGPT™'s services.
2. Data We Collect
2.1 Client-Submitted Proprietary Data
- Data room contents (e.g., financial models, cap tables, term sheets, pitch decks, investment memos)
- Legal and corporate documents (e.g., shareholder agreements, incorporation records, IP filings)
- Files uploaded directly to the platform (e.g., PDFs, Excel spreadsheets, Word documents, PowerPoint presentations)
- Proprietary deal flow and portfolio company information
- Account registration information (e.g., name, business email address, firm name)
2.2 Automatically Collected Data
- Log data (IP address, browser type, device type, operating system, domain name, and timestamp of your visit)
- Usage analytics (feature usage, timestamps, session duration)
- Error and performance metrics
We gather automatically collected information and may store it in log files. We use this information to analyze trends, administer the Sites, track users' movements around the Sites, and to gather demographic information about our user base.
2.3 Cookies & Tracking Technologies
Cookies. We use cookies to collect information. "Cookies" are text files containing small amounts of information which are downloaded to your device when you visit a website or application. Our Sites use the following types of cookies:
- Essential Cookies: Necessary to provide you with services and features available through our Sites.
- Analytics Cookies: Used to collect aggregated information about how visitors use our Sites, helping us operate more efficiently and gather demographic information.
- Performance Cookies: Collect information about how visitors use the Sites so we can analyze traffic and understand performance.
- Functionality Cookies: Allow our site to remember choices you make and provide enhanced, personalized features.
- Social Media Cookies: Used when you share information or engage with our content via social networking sites.
Pixel Tags. We may use Pixel Tags (also known as clear GIFs, Web beacons, or Web bugs) to track online movements of Web users and to tell us whether e-mails have been opened, helping us eliminate unwanted messages.
Google Analytics. We use Google Analytics to help analyze how users use the Sites. Google Analytics collects only the IP address assigned to you on the date you visit the Sites, not personally identifying information. We do not combine information generated through Google Analytics with your Personal Data.
No Advertisements. We do not use third parties to serve ads on the Site or collect personally identifiable information about your online activities.
2.4 Registered Member Data
If you become a registered member of DiligenceGPT™, we may collect additional Personal Data from you, as well as personal information associated with your investors and other contacts you enter into DiligenceGPT™ (“End Users”), that may include the types of information listed below.
| Category | Details |
|---|---|
| Identity Data | Names, social security numbers, forms of identification, personal information on applications and identification forms. |
| Contact Data | Addresses, email address and telephone numbers. |
| Professional Background Data | Educational and professional history. |
| Online Data | Links to your public account pages at social media and personal websites. |
| Financial Data | Your bank account, payment card details, and financial statements. |
| Transaction Data | Data on your transactions on DiligenceGPT™. |
| Investment Data | Information about your investment objectives, investment experience, prior investments, and other information you provide. |
| Content Data | Any content you post to DiligenceGPT™. |
| Marketing Data | Your preferences in receiving marketing from us and our third parties and your communication preferences. |
| Behavioral Data | Information relating to your behavior and interests based on your online activity. |
Personal Data from Third Party Sources
In addition to the Personal Data we collect directly from you, we may also collect certain Personal Data from third party sources, some of which may not be publicly available.
| Third Party Data Source | Categories |
|---|---|
| Social Media Sites | Identity Data, Contact Data, Online Presence Data |
| Our Affiliates | Identity Data, Contact Data, Marketing Data, Behavioral Data, Investment Data, Transaction Data, Financial Data, Content Data |
| Our Fund Administration Partners | Identity Data, Contact Data, Investment Data, Transaction Data, Financial Data |
| Analytics Providers | Behavioral Data, Technical Data |
| Identity Verification and Compliance Service Providers | Identity Data, Contact Data |
3. How We Use Customer Data
In general, we use your Personal Data to support the services we provide to help you manage and grow your firm and support the investor community. Client data is used strictly and exclusively for:
- Processing and analyzing uploaded documents and data room materials
- Generating AI-powered due diligence outputs (e.g., risk assessments, company summaries, red flag reports, investment memos)
- Communicating with you for support and providing you with information on our products and services
- Improving our services, Sites and Materials for your purposes
- Providing platform functionality and user experience
- Maintaining security, system integrity, and audit trails
- Preventing fraudulent activity and otherwise complying with law
Your Personal Data will remain confidential unless you provide permission or disclosure is required by law. We do not sell, license, share, or otherwise disclose client data to any third party for commercial purposes. Client data is never used as a basis for advertising, market research, or any purpose outside the contracted services.
4. AI Model Usage & Training
- Client data, including all documents, data rooms, and proprietary materials, is never used to train DiligenceGPT™'s AI models.
- Where third-party AI infrastructure providers are used (e.g., large language model APIs), we rely exclusively on providers that contractually prohibit the use of submitted data for model training, fine-tuning, or evaluation.
- Data submitted for processing is used solely to generate the requested due diligence output and is not retained by any AI provider beyond the completion of that request.
- DiligenceGPT™ maintains data processing agreements (DPAs) with all AI infrastructure providers to enforce these restrictions.
5. Data Storage & Infrastructure
All client data submitted to DiligenceGPT™ is stored within secure, enterprise-grade cloud infrastructure. Given the highly sensitive and proprietary nature of the materials we handle, we apply the following protections as a baseline standard for all clients.
Encryption
- All data is encrypted in transit using TLS 1.2 or higher (HTTPS)
- All data is encrypted at rest using AES-256 encryption
- Encryption keys are managed using dedicated key management services (KMS), with keys never co-located with the data they protect
- Data room contents and uploaded files are encrypted at the file level upon ingestion
Access & Isolation
- Client data environments are logically isolated from one another
- Access is controlled through strict authentication and authorization mechanisms
- No DiligenceGPT™ employee can access raw client data without a documented, approved business justification and audit trail
Data Residency
- Data is hosted in Canadian cloud regions by default
- Enterprise clients may request specific regional data residency (e.g., U.S.-only or EU-only hosting) as part of their service agreement
6. Data Retention & Deletion
Active Accounts
- Client data and uploaded materials are retained for the duration of the active account or engagement
- Users may delete individual files or entire data rooms directly through the platform at any time
- Deleted files are removed from active systems within 72 hours of deletion request and purged from all caches and processing queues immediately
Account Termination
- All client data will be permanently and irreversibly deleted within 30 days of account termination or contract expiry
- Backup systems are overwritten in accordance with our internal retention schedules, with full deletion completed within 90 days
- A written data deletion confirmation certificate will be issued to the client upon request
- Prior to deletion, clients may request a full export of their data in a standard format
Deletion Requests
Personal Data submitted by you for document generation and other purposes will be retained for such period as may be required to fulfill the purposes set out in this Policy, or such other period as may be required by law. You may request deletion of your Personal Data by us, and we will use commercially reasonable efforts to honor your request, but please note that we may be required by law to keep such information and not delete it. When we delete any information, it will be deleted from the active database, but may remain in our archives for the period described above.
7. Data Ownership
Clients retain full and exclusive ownership of all data, documents, and materials they submit to the DiligenceGPT™ platform, including all proprietary deal information, data room contents, and investment-related files.
DiligenceGPT™ processes client data solely for the purpose of delivering the contracted due diligence services. We make no claim to any intellectual property, commercial rights, or ownership interest in client-submitted materials.
Any AI-generated outputs produced by DiligenceGPT™ based on client data (e.g., reports, summaries, assessments) are the property of the client unless otherwise agreed in writing.
8. Confidentiality & Data Room Security
DiligenceGPT™ is designed specifically to handle the most sensitive categories of financial and investment data. We apply enhanced protections to all data room contents and proprietary materials:
- All data room contents are treated as strictly confidential and are accessible only to the authenticated client and their designated team members.
- Uploaded documents are encrypted at the file level immediately upon ingestion and remain encrypted throughout all processing stages.
- No DiligenceGPT™ employee, contractor, or agent is permitted to read, copy, or use client-submitted documents for any purpose other than resolving a support request explicitly authorized by the client.
- All AI processing of confidential materials occurs within isolated, ephemeral compute environments that are terminated upon completion of each request.
- Clients may configure additional access restrictions, such as IP allowlisting or single sign-on (SSO) enforcement, through the platform's enterprise security settings.
- DiligenceGPT™ employees are subject to binding confidentiality agreements that explicitly cover client data and materials.
9. Access Controls & Security Measures
We implement enterprise-grade security controls across all layers of our infrastructure:
- Role-based access controls (RBAC) with granular permission levels
- Multi-factor authentication (MFA) enforced for all internal systems and administrator accounts
- Least-privilege access principles applied across all engineering and operations roles
- End-to-end audit logging of all data access and processing events
- Real-time monitoring and alerting for anomalous access patterns
- Secure software development lifecycle (SSDLC) practices, including code review and vulnerability scanning
- Network-level protection via infrastructure firewalls, DDoS mitigation, and intrusion detection systems
- Annual third-party penetration testing and security audits
Access to client data is restricted to a minimal set of authorized DiligenceGPT™ personnel with a documented, legitimate operational need. All such access is logged and reviewable.
10. Third Party Service Providers & Subprocessors
DiligenceGPT™ may engage carefully vetted third-party service providers to support our operations, which may include:
- Cloud infrastructure and hosting providers
- AI model and large language model API providers
- Document processing and OCR services
- Identity verification and authentication providers
- Email and platform notification services
All subprocessors are subject to binding contractual obligations regarding confidentiality, data protection, and non-use of client data for any purpose beyond the defined service scope. DiligenceGPT™ maintains a current list of subprocessors available to enterprise clients upon request.
Third Party Integrations
Google Gmail. If you sign up for DiligenceGPT™ with a Gmail address, then upon your authorization DiligenceGPT™ will automatically sync with your Gmail account. This means that DiligenceGPT™ will access your Gmail contacts, emails, calendar, distribution lists, subject lines and URLs of tracked links from your email, if you use the email tracking functionality. We will use Google User Data only to provide or improve user-facing features of DiligenceGPT™. Our use of information received from Google APIs, and any transfer of it to another application, will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google Drive. You have the option to connect your Google Drive account to DiligenceGPT™. If you choose to do so, you will be able to see your files, upload and download your files, and store file contents and titles on DiligenceGPT™.
Third Party Websites. The Sites may contain links to third party websites. When you click on a link to any other website or location, you will leave our Site and go to another site, and another entity may collect Personal Data or Anonymous Data from you. We have no control over, do not review, and cannot be responsible for, these outside websites or their content. We encourage you to read the privacy policies of every website you visit.
11. Incident Response
DiligenceGPT™ maintains a formal Incident Response Plan (IRP) for identifying, containing, and remediating security incidents involving client data. In the event of a confirmed or suspected data breach affecting client data:
- We will initiate our internal incident response procedures immediately upon detection
- We will notify affected clients within 72 hours of confirming a breach, or sooner where legally required
- Notifications will include a description of the incident, data types potentially affected, and steps taken or planned
- We will cooperate with clients and relevant regulatory authorities throughout the investigation
- We will implement corrective and preventative measures to reduce the risk of recurrence
Given the sensitivity of financial and investment data processed on our platform, we treat all potential security events with the highest urgency.
12. Compliance & Jurisdictions
DiligenceGPT™ aligns its practices with applicable data protection and privacy regulations, including:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the proposed Consumer Privacy Protection Act (CPPA)
- Applicable U.S. state privacy laws (including, where applicable, CCPA/CPRA)
- Ontario's Freedom of Information and Protection of Privacy Act (FIPPA) where applicable
- General Data Protection Regulation (GDPR) principles, where EU client data is involved
- Singapore Personal Data Protection Act (PDPA), where applicable
- Other jurisdictional requirements as applicable to our client base
We are actively working toward SOC 2 Type II compliance and other industry-standard security certifications as the company scales. Enterprise clients may request details on our current compliance posture and roadmap.
U.S. State-Specific Notice
Certain U.S. states have enacted comprehensive privacy laws that create additional privacy obligations for businesses and provide their residents with additional privacy rights. In addition to the rights granted in Section 13 below, if you are a resident of a state with enhanced privacy rights, you may also have the right to:
- Opt out of the "sale" or "sharing" of your personal information for the purpose of cross-context behavioral or targeted advertising
- Opt out of profiling or automated decision making. DiligenceGPT™ does not currently engage in any activities that would require enabling such a choice
- Request deletion or restriction of our use of any personal information deemed sensitive under state laws by contacting us at privacy@startupfuel.com
DiligenceGPT™ does not sell any personal information associated with our services.
UK and European Economic Area (EEA) Residents
The EEA and the United Kingdom have each enacted privacy laws. The EU's and the UK's General Data Protection Regulation (collectively, the “GDPR”) create additional privacy obligations for ‘Controllers’ of personal data and provide EU and UK residents with additional privacy rights.
| Processing Activity | Legal Basis under GDPR |
|---|---|
| Collection and processing of our client or their End Users' Personal Data to maintain and fulfill the Services | Contract fulfillment |
| Use of customer service tools on our platform | Contract fulfillment |
| Improving our products and services | Legitimate interest |
| Product marketing or service-related communications to clients | Legitimate interest |
| Use of cookies and other tracking technologies | Consent |
Controller Designation: Under the GDPR, we are designated as a “Controller” of our clients' personal data. However, when we receive our clients' End User personal data, we operate as a “Processor”. A list of our subprocessors is available to our Clients on demand.
Cross-Border Data Transfers: DiligenceGPT™ may store personal data in Canada and the United States. If you are a resident of the EEA, UK, or Switzerland, we may transfer to, and store, the data we collect about you in countries other than the country in which the data was originally collected. For business services, we may rely on the Standard Contractual Clauses (“SCCs”) adopted by the European Commission, as well as the UK’s “International Data Transfer Addendum” to the SCCs.
Additional Rights for UK or EEA Residents: If you are a UK or EEA resident, the GDPR grants you the right to lodge a complaint against us with your local data protection authority.
Canada and Singapore Residents
If you reside in Canada or Singapore, you may request to access and/or correct your Personal Data currently in our possession by writing to us. We may transfer your Personal Data to a country or territory outside Canada or Singapore in accordance with requirements prescribed under PIPEDA, Quebec Bill C-27, or the Singapore Personal Data Protection Act ("PDPA") to ensure that we provide a standard of protection to Personal Data so transferred that is comparable to the protection under applicable law.
13. Customer Rights
Clients and authorized users have the following rights with respect to their data:
- Request a complete export or inventory of all data stored on the platform
- Request the deletion of specific files, data rooms, or their entire account data
- Request correction of any inaccurate account or profile information
- Request a written confirmation of data deletion upon account termination
- Withdraw consent for specific data processing activities, subject to operational requirements
- Opt out of receiving marketing email communications at any time by following the unsubscribe instructions in any email you receive from us, or by contacting us directly
SMS / Text Messaging
If you opt in to receive SMS or text messages from DiligenceGPT™, we collect your phone number and a record of your consent. We use your phone number to send you messages related to contact lookups, event management, and support. Message and data rates may apply. Message frequency varies based on your use of the platform. You may opt out at any time by replying STOP to any message. We do not share your phone number with third parties for their marketing purposes.
All data rights requests may be submitted to: privacy@startupfuel.com
DiligenceGPT™ will respond to all data rights requests within 10 business days.
14. Children Under 16
The Sites and the services available on the Sites are not intended for children below 16 and we do not knowingly collect or solicit personal information from anyone under the age of 16. If you are under the age of 16, please do not submit any personal information through the Sites.
15. Certain Disclosures
Mandated Disclosures. Regardless of any choices you make regarding your Personal Data, we may disclose Personal Data if we believe in good faith that such disclosure is necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on DiligenceGPT™; (c) to protect or defend the rights or property of DiligenceGPT™ or users of the Sites; and/or (d) to investigate or assist in preventing any violation or potential violation of the law, this Policy, or our Terms of Use.
Corporate Restructuring. We may share some or all of your Personal Data with entities within our group of companies. We may also share some or all of your Personal Data in connection with or during negotiation of any merger, financing, acquisition or dissolution transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets.
16. Changes to This Policy
StartupFuel Inc. (DiligenceGPT™) may update this Data Privacy & Security Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to clients via email and platform notification at least 14 days prior to taking effect. Continued use of the platform following such notice constitutes acceptance of the updated policy.
17. Contact Information
Definitions
- "Personal Data" means data that allows someone to identify or contact you, including, for example, your name, address, telephone number, e-mail address, as well as any other non-public information about you that is associated with or linked to any of the foregoing data.
- "Anonymous Data" means data that is not associated with or linked to your Personal Data. Anonymous Data does not, by itself, permit the identification of individual persons.
- "Sites" means our websites and the services offered on those Sites, which includes access and information available on our channels such as LinkedIn, Twitter and Slack.
- "Materials" refers to the information, reports, data, templates, agreements and other materials on the Sites. You automatically agree to this Privacy Policy simply by using or logging into the Sites or using the Materials.
- "End Users" means the investors, contacts, and other individuals whose personal information is entered into the DiligenceGPT™ platform by registered members.
