Privacy Policy.

Your deal data is confidential. This policy explains what personal data we handle, the role we play, the lawful basis for each use, where data sits, and the controls and rights you have.

Last updated: June 2026

1. Introduction and scope

DealTracker is an AI-native system of record for M&A and financing transactions, operated by DealTracker Technologies, Inc. ("DealTracker," "we," "us," or "our"). This Privacy Policy explains how we handle personal data in connection with our marketing website at getdealtracker.com, the DealTracker application, and our sales, support, and business operations.

This policy applies to visitors to our website, prospective customers and the people we engage with during sales and evaluation, and the administrators and authorized users of customer workspaces. It describes the personal data DealTracker handles, why and how we handle it, who we share it with, where it is stored, and the rights you have.

The critical split. This policy governs personal data for which DealTracker is responsible: account, operational, website, and marketing data. It does not govern the confidential client matter content that a law firm uploads to its workspace (deals, documents, obligations, parties, and the personal data inside them). For that matter content, the law firm is the controller and DealTracker is its processor. Our handling of matter content is governed by the customer agreement and the Article 28 Data Processing Agreement (DPA), not by this policy. If you are an individual whose personal data appears in a law firm's matter on DealTracker, please direct your privacy requests to that firm.

Where this policy and a signed agreement or DPA differ, the signed instrument governs.

2. Who we are and our roles

The entity responsible for the controller-side processing described in this policy is:

DealTracker Technologies, Inc.
A Delaware corporation, United States.
Privacy contact: privacy@getdealtracker.com
Legal contact: legal@getdealtracker.com
Security contact: security@getdealtracker.com

2.1 Controller versus processor: our dual role

DealTracker operates in two distinct roles, and the distinction matters more here than in almost any other section, because our customers are law firms and in-house legal teams handling privileged client matter.

Everywhere this policy refers to "personal data we collect" or "your data," we mean controller-side data unless we say otherwise. Where we describe matter content, we do so to explain the boundary, not to claim a controller's discretion over it.

3. Definitions

4. Personal data we collect

The categories of personal data we handle, and the role in which we handle each, are set out below.

4.1 Account and contact data (we are controller)

When a customer provisions and uses a workspace, we collect the name, business email address, organization, role, and account preferences of administrators and authorized users. We need this to create accounts, authenticate users, provide support, and administer the relationship.

4.2 Billing data (we are controller)

For paid subscriptions we collect billing contact details and the information needed to invoice and collect payment under the order form. We do not store full payment-card numbers on our systems.

4.3 Usage and device metadata (we are controller)

We collect operational metadata generated when the service is used: sign-in times, feature usage, IP address, browser and device type, and security and audit events such as record create, update, and delete actions (actor and timestamp). We use this to operate, secure, and improve the service. Product analytics, where used, run on aggregate, non-identifying metrics and receive no matter content.

4.4 Customer matter content (we are processor)

Matter content (deals, uploaded documents and their versions, obligations, parties, terms, notes, calendar mappings, and the personal data inside them) is processed by DealTracker only as a processor on the firm's instructions. This category is governed by the customer agreement and the DPA, not by this policy, and is listed here only so the full picture is clear. Client documents a firm uploads can contain third-party personal data and may incidentally contain special-category data the firm chooses to process for its matter; that content is processed for the controlling firm and inherits the document store's lifecycle. We do not extract, index by, or derive products from such categories.

4.5 Email and calendar metadata (we are processor, optional integration)

If a customer enables the optional Outlook integration, we store, for each linked message, a pointer row of metadata only: sender name and address, subject, received-at timestamp, conversation identifier, a deep link back to the message in the firm's own Microsoft 365 tenant, and an optional preview snippet capped at 255 characters. For linked calendar items we store the event subject, start, end, and the mapping to a deal milestone or obligation. We never store email bodies or attachments. When a lawyer opens a linked email in DealTracker, the body is fetched live from the firm's tenant and held in memory for that request only; it is never written to our stores.

4.6 Cookies and analytics data (we are controller)

On the marketing website we use privacy-preserving, cookieless analytics that do not set cookies, do not fingerprint, and do not profile visitors. In the application we use a single session cookie for authentication. See Section 16 for detail.

4.7 Marketing and prospect data (we are controller)

For prospects and business contacts, we handle the name, business email, organization, role, and the content of communications you send us, together with limited information about your interest in DealTracker. We may also receive business-contact information from publicly available sources or business-information providers to support our sales and outreach.

We do not intentionally collect special-category personal data (GDPR Article 9) or criminal-offence data (Article 10) for our own controller purposes, and we do not ask for it.

5. How we collect personal data

We collect personal data in the following ways:

6. How we use personal data

As a controller, we use personal data for the purposes below. Each purpose is mapped to a GDPR / UK GDPR legal basis in Section 7.

We process matter content (as processor) only to provide the service on the controlling firm's documented instructions, and never for the controller-side purposes above.

7. Legal bases for processing (GDPR / UK GDPR)

For individuals in the EEA, the United Kingdom, and Switzerland, we rely on the Article 6 lawful bases set out below for our controller-side processing. Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms.

| Purpose | Legal basis (GDPR Article 6) |
| --- | --- |
| Provide and operate the service to account holders and authorized users | Performance of a contract, Art. 6(1)(b) (or our legitimate interest in serving our customer where the individual is not the contracting party, Art. 6(1)(f)) |
| Provide support and send service and security notices | Performance of a contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f) (operating and supporting the service) |
| Billing, invoicing, and account administration | Performance of a contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) (tax and accounting records) |
| Security, fraud prevention, audit, and incident response | Legitimate interests, Art. 6(1)(f) (keeping the service and its data secure); legal obligation, Art. 6(1)(c) where applicable |
| Maintain, debug, and improve the service using aggregate, non-identifying data | Legitimate interests, Art. 6(1)(f) (improving and securing our product) |
| Marketing and outreach to prospects and business contacts | Consent, Art. 6(1)(a) where required; otherwise legitimate interests, Art. 6(1)(f) (promoting our business to relevant professional contacts), subject to your right to object |
| Cookieless website analytics | Legitimate interests, Art. 6(1)(f) (understanding website performance without tracking or profiling individuals) |
| Legal compliance and defense of legal claims | Legal obligation, Art. 6(1)(c); legitimate interests, Art. 6(1)(f) (establishing, exercising, or defending claims) |

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you may object as described in Section 14. For matter content, the lawful basis is determined by the controlling firm, not by DealTracker.

8. AI and model processing

DealTracker includes AI features that draft, summarize, extract, and answer questions over deal content. Because our customers handle privileged client material, our AI data handling is deliberate and constrained. The commitments below are the canonical statements for our website; the full treatment is in our AI governance documentation, available on request.

8.1 Where the models run

AI inference runs on two foundation-model families served inside Microsoft Azure in the customer's pinned data-residency region: OpenAI GPT via the Azure OpenAI Service, and Anthropic Claude via Azure AI Foundry. Microsoft Azure is the processor for all inference. In production, DealTracker makes no direct API calls to OpenAI or Anthropic; both are reached only as model providers hosted inside Azure, and inference does not leave the residency region. DealTracker selects the best model per task, configured per service and verified at publish; the model bound to a given feature is documented and declared. There is no silent fallback: a feature runs on its declared model, and if that model is unavailable the call returns an error rather than rerouting, so a request is never quietly sent to a different model or provider. A customer may opt out of a specific provider.

8.2 No training on your data

Your documents and deal data are never used to train, fine-tune, or improve any model, whether by DealTracker, Microsoft, OpenAI, or Anthropic. This is contractual, resting on Microsoft's enterprise Azure AI service terms, not a setting we toggle. Matter document content may be processed on either model path (OpenAI via Azure OpenAI or Anthropic via Azure AI Foundry) under each provider's no-training Covered Models terms, used only to perform that request, not retained beyond it, and never used to train a model. If we ever offer bespoke model customization, it would require written opt-in, would produce a model used only for the requesting firm, and would not be shared.

8.3 Retention of AI inputs and outputs

Within our own stores, the raw model request and response are held in memory only for the duration of the call and are not persisted to any durable store. Agent conversation context lives in a short-lived cache under a 24-hour time-to-live and is purged automatically; it is never written to the database. Outside our stores, Azure OpenAI may, under its standard terms, retain prompts and completions for up to 30 days for abuse monitoring and policy enforcement, within the customer's region, access-restricted, not subject to routine human review, and not used to train any model. We are pursuing contractual Zero Data Retention with Microsoft to remove that window; it is not yet in force, so you should plan against the 30-day window today.

8.4 Human review and not legal advice

The agent can retrieve, summarize, and propose an action, but it cannot commit one. No deal record, obligation, contact, or other matter data changes until an authenticated, authorized user confirms the specific change, and that confirmation gate is enforced server-side. AI output is informational and is not legal advice. It may contain errors or omissions and must be reviewed by a qualified person before reliance. A lawyer remains responsible for the work product.

Output that is statistically similar across customers is a property of the underlying foundation models and does not represent any customer's specific content.

No solely automated decisions (GDPR Article 22). DealTracker does not carry out solely-automated decisions producing legal or similarly significant effects. Every consequential change requires human confirmation through the server-side confirmation gate described above, so a person, not the agent, makes the decision.

9. Disclosure of personal data

We do not sell personal data, and we do not share it for cross-context behavioral advertising. We disclose personal data only as described below:

10. Sub-processors

We engage a small set of sub-processors to provide the service. Each is engaged under a written agreement with data-protection terms, bound to confidentiality, and limited to using customer data only to provide its service to us. Our current sub-processors are:

| Sub-processor | Function | Data it processes | Region |
| --- | --- | --- | --- |
| Microsoft Azure (Microsoft Corporation) | Application compute, primary database, document storage, backups, secrets, and GPT inference via Azure OpenAI | All customer data, plus the prompt and response for AI-assisted features | Customer's pinned region; Azure OpenAI inference stays in region |
| Anthropic, PBC | Claude inference, reached through Azure AI Foundry (Microsoft is the processor; Anthropic is the model provider behind it) | The prompt and response for a Claude request, which may include matter document content under Anthropic's no-training Covered Models terms, used only to perform the request and not retained beyond it | Customer's pinned region, inside Azure AI Foundry |
| Okta, Inc. (Okta Customer Identity Cloud, formerly Auth0) | Sign-in, OIDC token issuance, and MFA | Identity data only: email, name, user and tenant identifiers, authentication and MFA events; no deal, document, or matter content | Identity tenant follows the data region |
| Azure Communication Services (Microsoft Corporation) | Transactional email: invitations, password and MFA notices, system alerts | Recipient address and the text of the system message; no deal, document, or matter content | Customer's pinned region |

We maintain this list and give at least 30 days' advance notice before adding a sub-processor that will process customer data, or materially changing how an existing one does, during which an eligible customer may object as set out in the agreement. An emergency replacement needed to keep the service secure or available may take effect on shorter notice, with notice as soon as practicable. To subscribe to change notices, email security@getdealtracker.com. The same register, with the effective date of each entry, is reproduced in the Article 28 DPA, which is the binding version.

11. International data transfers

DealTracker Technologies, Inc. is incorporated in the United States and serves customers in the EU, the United Kingdom, and elsewhere. Data-residency options are central to our posture.

EU and US Azure regions are available. Each customer selects its data region during onboarding, and that choice is pinned in the customer agreement. For the selected region, the application database, document storage, caches, backups, and AI inference all sit inside that Azure region, and the identity tenant follows the data region. When data stays inside the selected region, no cross-border transfer mechanism is engaged for that processing. Matter data, backups, and AI inference are never moved silently across regions. Multi-region high availability and disaster recovery remain on the roadmap.

Where personal data is transferred across a border, including some controller-side operations and any cross-border element in the inference or transactional-email paths, we rely on appropriate safeguards:

We apply supplementary technical and organizational measures, such as encryption in transit and at rest, as appropriate. These instruments are available for execution as part of the DPA. To review the SCC modules or the IDTA before signing, contact privacy@getdealtracker.com.

12. Data retention

We keep personal data only for as long as we need it for the purpose we collected it, plus any period required to meet legal, accounting, or reporting obligations or to establish, exercise, or defend legal claims.

12.1 Erasure, backups, and certificate of destruction

On a verified deletion request, personal data is removed from our live structured stores within 30 days, subject to any legal hold. Removed records then age out of our encrypted backups automatically as the backup window rolls forward; our database point-in-time-restore window is 35 days, and document storage carries a 30-day soft-delete recovery window before permanent destruction. We do not restore from backup to reintroduce data a customer asked us to delete, and any operational restore re-applies pending erasure instructions before data returns to service. True time to full destruction everywhere is the live-store window plus the backup roll-off, and we state both rather than collapse them. On request, we issue a written, signed certificate of destruction confirming deletion across all stores, naming the date, the stores covered, the live-store completion date, and the backup roll-off date. It is available to every customer.

13. Data security

We maintain technical and organizational measures appropriate to the risk, including:

Where DealTracker acts as processor, we notify personal-data breaches without undue delay and within 72 hours of confirmation, in line with the Article 28 DPA.

We maintain controls aligned to the AICPA SOC 2 Trust Services Criteria; our Type 2 audit is in progress, with the report expected after the observation period, and the auditor letter is available on request. Our Azure and Okta attestations apply today. No method of transmission or storage is perfectly secure, so while we work to protect personal data we cannot guarantee absolute security. Fuller detail is on our Security page and in our trust center at trust.getdealtracker.com.

14. Your data protection rights (GDPR / UK GDPR)

If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights over the personal data for which DealTracker is the controller, subject to the conditions and exemptions in applicable law:

To exercise these rights for controller-side data, contact privacy@getdealtracker.com. We will verify your identity and respond within the timeframes required by law (generally one month under the GDPR, extendable for complex requests). We do not charge a fee for a reasonable request.

If your data is in a law firm's matter content, DealTracker is the processor and the firm is the controller. We do not respond to data subjects directly for that content; we assist the controlling firm in meeting its obligations on its verified instruction. If you contact us directly about matter content, we will route you back to the controlling firm. Please direct access, rectification, erasure, restriction, portability, and objection requests for matter content to that firm.

15. U.S. state privacy rights (CCPA/CPRA and other states)

This section applies to residents of California and, where indicated, other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others). Capitalized terms have the meanings given in the applicable statute.

15.1 Our status

For matter content that a customer puts into its workspace, DealTracker acts as a service provider (California) or processor (other states) and processes that information only on the business's behalf and instructions under our agreement. For account, billing, usage, website, and marketing data, DealTracker acts as a business (controller).

15.2 Categories of personal information, sources, purposes, and disclosures

In the preceding 12 months, in our role as a business, we have collected the following categories of personal information:

| Category (CCPA) | Collected | Sources | Business purpose | Disclosed to |
| --- | --- | --- | --- | --- |
| Identifiers (name, business email, account and device identifiers, IP address) | Yes | You, your organization, automatic collection, third-party providers | Provide and secure the service, support, billing, marketing | Sub-processors (Section 10) |
| Commercial information (subscription and billing records) | Yes | You, your organization | Billing and account administration | Sub-processors, professional advisors |
| Internet or network activity (usage and audit metadata) | Yes | Automatic collection | Operate, secure, debug, and improve the service | Sub-processors |
| Professional information (organization, role) | Yes | You, your organization, business-information providers | Provide the service, sales and outreach | Sub-processors |
| Electronic communications content (messages you send us) | Yes | You | Support and relationship management | Sub-processors |

We do not collect Social Security numbers, driver's license numbers, financial-account login credentials, precise geolocation, or biometric information as a business, and we do not seek to collect sensitive personal information for our own purposes.

15.3 No sale and no sharing

DealTracker does not sell personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and equivalent state laws. We have not sold or shared personal information in the preceding 12 months. Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" action required, and we honor opt-out preference signals such as Global Privacy Control consistent with our no-sale, no-share posture.

15.4 Sensitive personal information

We do not use or disclose sensitive personal information for purposes that would trigger a right to limit its use under the CPRA. We do not collect sensitive personal information for our own controller purposes.

15.5 Your consumer rights

Subject to verification and the exceptions in the applicable law, you have the right to:

15.6 How to submit a request, and authorized agents

To submit a consumer request, email privacy@getdealtracker.com. We will verify your identity using the information we hold before responding, and we will respond within the timeframes required by law. You may use an authorized agent to submit a request on your behalf; we will require proof of the agent's authorization and may require you to verify your own identity directly. California residents may also have rights under California's "Shine the Light" law regarding disclosures for third-party direct marketing; we do not disclose personal information to third parties for their own direct marketing.

15.7 Matter content

If your personal information appears in a law firm's matter content on DealTracker, the firm is the business and DealTracker is its service provider. Please direct your consumer rights requests for that information to the firm; we will assist the firm as required.

16. Cookies and tracking technologies

We keep tracking to a minimum and use no third-party tracking cookies.

Because we do not use advertising cookies, cross-site tracking, or profiling, there is no advertising consent banner to manage, and there is nothing to opt out of for sale or sharing. We honor browser-level signals such as Global Privacy Control and Do Not Track consistent with our no-tracking posture.

17. Children's data

DealTracker is a business-to-business service for law firms and in-house legal teams and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16 (or under the applicable age of consent for data processing in their jurisdiction), and the service is not intended for individuals under 18. If we learn that we have collected personal data from a child without appropriate consent, we will delete it. If you believe a child has provided us personal data, contact privacy@getdealtracker.com. This commitment is consistent with the U.S. Children's Online Privacy Protection Act (COPPA) and the parental-consent requirements of the GDPR.

18. Third-party websites and links

Our website and the service may link to or integrate with third-party websites and services that we do not control, including a customer's own Microsoft 365 tenant for the optional Outlook integration. This policy does not cover those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third-party site or service you use.

19. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make a material change, we will update the "Last updated" date above and email workspace administrators at least 30 days before the change takes effect. We keep prior versions of this policy and can provide an archived version on request. Your continued use of the service after a change takes effect constitutes acceptance of the updated policy.

20. Contact us and representatives

For questions about this policy, your personal data, the DPA, or to exercise a right, contact us:

Postal contact: DealTracker Technologies, Inc., a Delaware corporation, United States.
Registered office: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States.
Principal place of business: 172 Floyer Road, Small Heath, Birmingham, B10 9NA, United Kingdom.

You may lodge a complaint with a supervisory authority. In the European Union this is your local data protection authority; in the United Kingdom it is the Information Commissioner's Office (ICO).

An EU representative under Article 27 of the GDPR is being designated under our privacy program; once appointed, its contact details will be published here. Until then, you may direct any matter that would otherwise go to the representative to privacy@getdealtracker.com.