1. Introduction and scope
DealTracker is an AI-native system of record for M&A and financing transactions, operated by DealTracker Technologies, Inc. ("DealTracker," "we," "us," or "our"). This Privacy Policy explains how we handle personal data in connection with our marketing website at getdealtracker.com, the DealTracker application, and our sales, support, and business operations.
This policy applies to visitors to our website, prospective customers and the people we engage with during sales and evaluation, and the administrators and authorized users of customer workspaces. It describes the personal data DealTracker handles, why and how we handle it, who we share it with, where it is stored, and the rights you have.
The critical split. This policy governs personal data for which DealTracker is responsible: account, operational, website, and marketing data. It does not govern the confidential client matter content that a law firm uploads to its workspace (deals, documents, obligations, parties, and the personal data inside them). For that matter content, the law firm is the controller and DealTracker is its processor. Our handling of matter content is governed by the customer agreement and the Article 28 Data Processing Agreement (DPA), not by this policy. If you are an individual whose personal data appears in a law firm's matter on DealTracker, please direct your privacy requests to that firm.
Where this policy and a signed agreement or DPA differ, the signed instrument governs.
2. Who we are and our roles
The entity responsible for the controller-side processing described in this policy is:
DealTracker Technologies, Inc.
A Delaware corporation, United States.
Privacy contact: privacy@getdealtracker.com
Legal contact: legal@getdealtracker.com
Security contact: security@getdealtracker.com
2.1 Controller versus processor: our dual role
DealTracker operates in two distinct roles, and the distinction matters more here than in almost any other section, because our customers are law firms and in-house legal teams handling privileged client matter.
- DealTracker as processor (GDPR) / service provider (CCPA). For the client documents that a firm uploads and the personal data inside them, plus the deal, obligation, party, calendar, and email-metadata records a firm creates in its workspace, the law firm is the controller and DealTracker is the processor. The firm decides why and how the personal data of its clients, counterparties, and the individuals named in matter content is processed. We process that content only on the firm's documented instructions, only to run the service, and never for our own purposes. We do not use matter content to train, fine-tune, or evaluate any model, to build profiles, or to derive a separate product. This processing is governed by the customer agreement and the Article 28 DPA.
- DealTracker as controller (GDPR) / business (CCPA). For a separate, smaller set of data that we determine the purposes and means of, DealTracker is the controller. This is account and contact data for a firm's administrators and users, billing information, our security and operational logs, website and analytics data, and the data of prospects and website visitors. This policy describes that controller-side processing.
Everywhere this policy refers to "personal data we collect" or "your data," we mean controller-side data unless we say otherwise. Where we describe matter content, we do so to explain the boundary, not to claim a controller's discretion over it.
3. Definitions
- Personal data / personal information means any information relating to an identified or identifiable natural person, as defined under the GDPR, the UK GDPR, and applicable U.S. state privacy laws.
- Controller means the party that determines the purposes and means of processing personal data. Under U.S. state laws the equivalent term is business.
- Processor means a party that processes personal data on behalf of, and on the instructions of, a controller. Under U.S. state laws the equivalent term is service provider.
- Data subject / consumer means the individual to whom personal data relates.
- Processing means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Customer means a law firm, in-house legal team, or organization that has subscribed to the DealTracker service.
- Authorized user means an individual a customer permits to access its DealTracker workspace.
- Matter content / customer data means the deals, documents, obligations, parties, terms, notes, calendar items, email metadata, and other content a customer puts into its workspace, together with the personal data inside it. DealTracker processes matter content as a processor.
- Sub-processor means a third party we engage to process personal data in the course of providing the service.
- GDPR means the EU General Data Protection Regulation; UK GDPR means the United Kingdom version of it; CCPA/CPRA means the California Consumer Privacy Act as amended by the California Privacy Rights Act.
4. Personal data we collect
The categories of personal data we handle, and the role in which we handle each, are set out below.
4.1 Account and contact data (we are controller)
When a customer provisions and uses a workspace, we collect the name, business email address, organization, role, and account preferences of administrators and authorized users. We need this to create accounts, authenticate users, provide support, and administer the relationship.
4.2 Billing data (we are controller)
For paid subscriptions we collect billing contact details and the information needed to invoice and collect payment under the order form. We do not store full payment-card numbers on our systems.
4.3 Usage and device metadata (we are controller)
We collect operational metadata generated when the service is used: sign-in times, feature usage, IP address, browser and device type, and security and audit events such as record create, update, and delete actions (actor and timestamp). We use this to operate, secure, and improve the service. Product analytics, where used, run on aggregate, non-identifying metrics and receive no matter content.
4.4 Customer matter content (we are processor)
Matter content (deals, uploaded documents and their versions, obligations, parties, terms, notes, calendar mappings, and the personal data inside them) is processed by DealTracker only as a processor on the firm's instructions. This category is governed by the customer agreement and the DPA, not by this policy, and is listed here only so the full picture is clear. Client documents a firm uploads can contain third-party personal data and may incidentally contain special-category data the firm chooses to process for its matter; that content is processed for the controlling firm and inherits the document store's lifecycle. We do not extract, index by, or derive products from such categories.
4.5 Email and calendar metadata (we are processor, optional integration)
If a customer enables the optional Outlook integration, we store, for each linked message, a pointer row of metadata only: sender name and address, subject, received-at timestamp, conversation identifier, a deep link back to the message in the firm's own Microsoft 365 tenant, and an optional preview snippet capped at 255 characters. For linked calendar items we store the event subject, start, end, and the mapping to a deal milestone or obligation. We never store email bodies or attachments. When a lawyer opens a linked email in DealTracker, the body is fetched live from the firm's tenant and held in memory for that request only; it is never written to our stores.
4.6 Cookies and analytics data (we are controller)
On the marketing website we use privacy-preserving, cookieless analytics that do not set cookies, do not fingerprint, and do not profile visitors. In the application we use a single session cookie for authentication. See Section 16 for detail.
4.7 Marketing and prospect data (we are controller)
For prospects and business contacts, we handle the name, business email, organization, role, and the content of communications you send us, together with limited information about your interest in DealTracker. We may also receive business-contact information from publicly available sources or business-information providers to support our sales and outreach.
We do not intentionally collect special-category personal data (GDPR Article 9) or criminal-offence data (Article 10) for our own controller purposes, and we do not ask for it.
5. How we collect personal data
We collect personal data in the following ways:
- Directly from you. When you create or use an account, contact us, request a demo, complete a form, subscribe to updates, or correspond with our sales, support, or security teams.
- Automatically. Through the operation of the service and website: sign-in and usage metadata, IP address, device and browser information, security and audit events, and cookieless website analytics.
- From your organization. A workspace administrator may create accounts for, or invite, other authorized users, providing their name and business email.
- From third parties. From our identity provider when a user authenticates, from business-information providers and publicly available sources for sales and marketing, and from sub-processors that operate parts of the service on our behalf.
- On the controller's instruction. Matter content reaches us when a customer's authorized users upload or create it in their workspace. We act as processor on those instructions.
6. How we use personal data
As a controller, we use personal data for the purposes below. Each purpose is mapped to a GDPR / UK GDPR legal basis in Section 7.
- Provide and operate the service. Create and authenticate accounts, deliver workspace functionality, and make the application available to authorized users.
- Support. Respond to questions, troubleshoot issues, and communicate about the service, including service and security notices.
- Billing and administration. Invoice, collect payment, and administer the customer relationship under the order form.
- Security, integrity, and fraud prevention. Monitor for, detect, investigate, and respond to security incidents, abuse, and unauthorized access; maintain audit trails.
- Improve and develop the service. Understand how the service is used, in aggregate and non-identifying form, to maintain, debug, and improve it. We do not use customer matter content to train or fine-tune AI models.
- Marketing and outreach. Communicate about DealTracker with prospects and business contacts, where permitted, and let you opt out at any time.
- Legal and compliance. Comply with our legal obligations, enforce our agreements, establish, exercise, or defend legal claims, and respond to lawful requests.
We process matter content (as processor) only to provide the service on the controlling firm's documented instructions, and never for the controller-side purposes above.
7. Legal bases for processing (GDPR / UK GDPR)
For individuals in the EEA, the United Kingdom, and Switzerland, we rely on the Article 6 lawful bases set out below for our controller-side processing. Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms.
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Provide and operate the service to account holders and authorized users | Performance of a contract, Art. 6(1)(b) (or our legitimate interest in serving our customer where the individual is not the contracting party, Art. 6(1)(f)) |
| Provide support and send service and security notices | Performance of a contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f) (operating and supporting the service) |
| Billing, invoicing, and account administration | Performance of a contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) (tax and accounting records) |
| Security, fraud prevention, audit, and incident response | Legitimate interests, Art. 6(1)(f) (keeping the service and its data secure); legal obligation, Art. 6(1)(c) where applicable |
| Maintain, debug, and improve the service using aggregate, non-identifying data | Legitimate interests, Art. 6(1)(f) (improving and securing our product) |
| Marketing and outreach to prospects and business contacts | Consent, Art. 6(1)(a) where required; otherwise legitimate interests, Art. 6(1)(f) (promoting our business to relevant professional contacts), subject to your right to object |
| Cookieless website analytics | Legitimate interests, Art. 6(1)(f) (understanding website performance without tracking or profiling individuals) |
| Legal compliance and defense of legal claims | Legal obligation, Art. 6(1)(c); legitimate interests, Art. 6(1)(f) (establishing, exercising, or defending claims) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you may object as described in Section 14. For matter content, the lawful basis is determined by the controlling firm, not by DealTracker.
8. AI and model processing
DealTracker includes AI features that draft, summarize, extract, and answer questions over deal content. Because our customers handle privileged client material, our AI data handling is deliberate and constrained. The commitments below are the canonical statements for our website; the full treatment is in our AI governance documentation, available on request.
8.1 Where the models run
AI inference runs on two foundation-model families served inside Microsoft Azure in the customer's pinned data-residency region: OpenAI GPT via the Azure OpenAI Service, and Anthropic Claude via Azure AI Foundry. Microsoft Azure is the processor for all inference. In production, DealTracker makes no direct API calls to OpenAI or Anthropic; both are reached only as model providers hosted inside Azure, and inference does not leave the residency region. DealTracker selects the best model per task, configured per service and verified at publish; the model bound to a given feature is documented and declared. There is no silent fallback: a feature runs on its declared model and errors rather than rerouting, so a request is never quietly sent to a different model or provider, and if a bound model is unavailable the call returns an error. A customer may opt out of a specific provider.
8.2 No training on your data
Your documents and deal data are never used to train, fine-tune, or improve any model, whether by DealTracker, Microsoft, OpenAI, or Anthropic. This is contractual, resting on Microsoft's enterprise Azure AI service terms, not a setting we toggle. Matter document content may be processed on either model path (OpenAI via Azure OpenAI or Anthropic via Azure AI Foundry) under each provider's no-training Covered Models terms, used only to perform that request, not retained beyond it, and never used to train a model. If we ever offer bespoke model customization, it would require written opt-in, would produce a model used only for the requesting firm, and would not be shared.
8.3 Retention of AI inputs and outputs
Within our own stores, the raw model request and response are held in memory only for the duration of the call and are not persisted to any durable store. Agent conversation context lives in a short-lived cache under a 24-hour time-to-live and is purged automatically; it is never written to the database. Outside our stores, Azure OpenAI may, under its standard terms, retain prompts and completions for up to 30 days for abuse monitoring and policy enforcement, within the customer's region, access-restricted, not subject to routine human review, and not used to train any model. We are pursuing contractual Zero Data Retention with Microsoft to remove that window; it is not yet in force, so you should plan against the 30-day window today.
8.4 Human review and not legal advice
The agent can retrieve, summarize, and propose an action, but it cannot commit one. No deal record, obligation, contact, or other matter data changes until an authenticated, authorized user confirms the specific change, and that confirmation gate is enforced server-side. AI output is informational and is not legal advice. It may contain errors or omissions and must be reviewed by a qualified person before reliance. A lawyer remains responsible for the work product.
Output that is statistically similar across customers is a property of the underlying foundation models and does not represent any customer's specific content.
No solely automated decisions (GDPR Article 22). DealTracker does not carry out solely-automated decisions producing legal or similarly significant effects. Every consequential change requires human confirmation through the server-side confirmation gate described above, so a person, not the agent, makes the decision.
9. Disclosure of personal data
We do not sell personal data, and we do not share it for cross-context behavioral advertising. We disclose personal data only as described below:
- Sub-processors and service providers. To the third parties that help us operate the service (hosting, AI inference, identity, and transactional email), each bound by a data-protection agreement and limited to using the data only to provide its service to us. See Section 10.
- AI infrastructure providers. To Microsoft Azure, and through it to the OpenAI and Anthropic model layers, for the inference described in Section 8, inside the customer's residency region and under the no-training commitment.
- Professional advisors. To our auditors, lawyers, accountants, and insurers where reasonably necessary and under confidentiality.
- Legal, regulatory, and safety. Where required by law, legal process, or a lawful request, or to protect the rights, property, or safety of DealTracker, our customers, or others. As a processor, we direct law-enforcement and regulatory requests for matter content to the controlling firm where lawful.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this policy and applicable law; we will notify affected customers as required.
- With your direction or consent. Where you ask us to share data, or otherwise consent.
10. Sub-processors
We engage a small set of sub-processors to provide the service. Each is engaged under a written agreement with data-protection terms, bound to confidentiality, and limited to using customer data only to provide its service to us. Our current sub-processors are:
| Sub-processor | Function | Data it processes | Region |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Application compute, primary database, document storage, backups, secrets, and GPT inference via Azure OpenAI | All customer data, plus the prompt and response for AI-assisted features | Customer's pinned region; Azure OpenAI inference stays in region |
| Anthropic, PBC | Claude inference, reached through Azure AI Foundry (Microsoft is the processor; Anthropic is the model provider behind it) | The prompt and response for a Claude request, which may include matter document content under Anthropic's no-training Covered Models terms, used only to perform the request and not retained beyond it | Customer's pinned region, inside Azure AI Foundry |
| Okta, Inc. (Okta Customer Identity Cloud, formerly Auth0) | Sign-in, OIDC token issuance, and MFA | Identity data only: email, name, user and tenant identifiers, authentication and MFA events; no deal, document, or matter content | Identity tenant follows the data region |
| Azure Communication Services (Microsoft Corporation) | Transactional email: invitations, password and MFA notices, system alerts | Recipient address and the text of the system message; no deal, document, or matter content | Customer's pinned region |
We maintain this list and give at least 30 days' advance notice before adding a sub-processor that will process customer data, or materially changing how an existing one does, during which an eligible customer may object as set out in the agreement. An emergency replacement needed to keep the service secure or available may take effect on shorter notice, with notice as soon as practicable. To subscribe to change notices, email security@getdealtracker.com. The same register, with the effective date of each entry, is reproduced in the Article 28 DPA, which is the binding version.
11. International data transfers
DealTracker Technologies, Inc. is incorporated in the United States and serves customers in the EU, the United Kingdom, and elsewhere. Data-residency options are central to our posture.
EU and US Azure regions are available. Each customer selects its data region during onboarding, and that choice is pinned in the customer agreement. For the selected region, the application database, document storage, caches, backups, and AI inference all sit inside that Azure region, and the identity tenant follows the data region. When data stays inside the selected region, no cross-border transfer mechanism is engaged for that processing. Matter data, backups, and AI inference are never moved silently across regions. Multi-region high availability and disaster recovery remain on the roadmap.
Where personal data is transferred across a border, including some controller-side operations and any cross-border element in the inference or transactional-email paths, we rely on appropriate safeguards:
- The EU Standard Contractual Clauses (2021 modules), as our primary transfer mechanism, with the modules selected to match the relationship.
- The UK International Data Transfer Addendum (IDTA) to the EU SCCs, where the UK GDPR applies.
- The EU-U.S. Data Privacy Framework (DPF), and its UK extension where applicable, where a recipient is certified under it and the DPF is the appropriate basis for a given transfer.
- Adequacy decisions, where the destination benefits from one.
We apply supplementary technical and organizational measures, such as encryption in transit and at rest, as appropriate. These instruments are available for execution as part of the DPA. To review the SCC modules or the IDTA before signing, contact privacy@getdealtracker.com.
12. Data retention
We keep personal data only for as long as we need it for the purpose we collected it, plus any period required to meet legal, accounting, or reporting obligations or to establish, exercise, or defend legal claims.
- Account and authorized-user data is kept for the life of the workspace plus a defined post-termination window, then deleted or anonymized.
- Billing records are kept for the period required by applicable tax and accounting law.
- Usage, security, and audit metadata is kept for the period needed to operate and secure the service and to meet our obligations, then aged out.
- Marketing and prospect data is kept until you opt out or the contact is no longer relevant, after which it is removed or suppressed.
- Matter content (as processor) is retained for the life of the engagement on the controlling firm's instruction, and its retention and deletion are governed by the customer agreement and the DPA.
- AI agent conversation context is held under a 24-hour cache time-to-live and purged automatically; it is never written to durable storage.
12.1 Erasure, backups, and certificate of destruction
On a verified deletion request, personal data is removed from our live structured stores within 30 days, subject to any legal hold. Removed records then age out of our encrypted backups automatically as the backup window rolls forward; our database point-in-time-restore window is 35 days, and document storage carries a 30-day soft-delete recovery window before permanent destruction. We do not restore from backup to reintroduce data a customer asked us to delete, and any operational restore re-applies pending erasure instructions before data returns to service. True time to full destruction everywhere is the live-store window plus the backup roll-off, and we state both rather than collapse them. On request, we issue a written, signed certificate of destruction confirming deletion across all stores, naming the date, the stores covered, the live-store completion date, and the backup roll-off date. It is available to every customer.
13. Data security
We maintain technical and organizational measures appropriate to the risk, including:
- Encryption. AES-256 at rest on every store under Microsoft-managed keys, and TLS 1.2 or higher in transit on every connection. Integration tokens are encrypted at rest by the Azure platform; an additional application-layer column encryption with a separate Key Vault key is committed and not yet live.
- Tenant isolation. Each customer organization is a workspace, and every read and write is scoped to the caller's workspace on the server, at the data-access layer, before the query reaches the database.
- Access control. Server-side role-based access control resolved from the authenticated session; least-privilege, approval-gated, logged employee access to production, with no standing access to matter content for routine support.
- Identity. Authentication delegated to Auth0 (Okta), with the browser holding only a session cookie and tokens validated server-side on every request. MFA is enforced for enterprise sign-in by identity-provider policy.
- Resilience. Managed database with point-in-time restore, and document soft-delete with versioning.
Where DealTracker acts as processor, we notify personal-data breaches without undue delay and within 72 hours of confirmation, in line with the Article 28 DPA.
We maintain controls aligned to the AICPA SOC 2 Trust Services Criteria; our Type 2 audit is in progress, with the report expected after the observation period, and the auditor letter is available on request. Our Azure and Okta attestations apply today. No method of transmission or storage is perfectly secure, so while we work to protect personal data we cannot guarantee absolute security. Fuller detail is on our Security page and in our trust center at trust.getdealtracker.com.
14. Your data protection rights (GDPR / UK GDPR)
If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights over the personal data for which DealTracker is the controller, subject to the conditions and exemptions in applicable law:
- Access to the personal data we hold about you, and information about how we process it.
- Rectification of inaccurate or incomplete personal data.
- Erasure of your personal data in certain circumstances.
- Restriction of processing in certain circumstances.
- Portability of personal data you provided to us, in a structured, commonly used, machine-readable format.
- Objection to processing based on legitimate interests, and to direct marketing at any time.
- Withdrawal of consent at any time, where we rely on consent, without affecting prior processing.
- Not to be subject to a solely automated decision producing legal or similarly significant effects. DealTracker does not make such decisions; every consequential change requires human confirmation through the server-side confirmation gate described in Section 8.
- Complaint to a supervisory authority. In the EU you may lodge a complaint with your local data protection authority; in the United Kingdom, with the Information Commissioner's Office (ICO).
To exercise these rights for controller-side data, contact privacy@getdealtracker.com. We will verify your identity and respond within the timeframes required by law (generally one month under the GDPR, extendable for complex requests). We do not charge a fee for a reasonable request.
If your data is in a law firm's matter content, DealTracker is the processor and the firm is the controller. We do not respond to data subjects directly for that content; we assist the controlling firm in meeting its obligations on its verified instruction. If you contact us directly about matter content, we will route you back to the controlling firm. Please direct access, rectification, erasure, restriction, portability, and objection requests for matter content to that firm.
15. U.S. state privacy rights (CCPA/CPRA and other states)
This section applies to residents of California and, where indicated, other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others). Capitalized terms have the meanings given in the applicable statute.
15.1 Our status
For matter content that a customer puts into its workspace, DealTracker acts as a service provider (California) or processor (other states) and processes that information only on the business's behalf and instructions under our agreement. For account, billing, usage, website, and marketing data, DealTracker acts as a business (controller).
15.2 Categories of personal information, sources, purposes, and disclosures
In the preceding 12 months, in our role as a business, we have collected the following categories of personal information:
| Category (CCPA) | Collected | Sources | Business purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers (name, business email, account and device identifiers, IP address) | Yes | You, your organization, automatic collection, third-party providers | Provide and secure the service, support, billing, marketing | Sub-processors (Section 10) |
| Commercial information (subscription and billing records) | Yes | You, your organization | Billing and account administration | Sub-processors, professional advisors |
| Internet or network activity (usage and audit metadata) | Yes | Automatic collection | Operate, secure, debug, and improve the service | Sub-processors |
| Professional information (organization, role) | Yes | You, your organization, business-information providers | Provide the service, sales and outreach | Sub-processors |
| Electronic communications content (messages you send us) | Yes | You | Support and relationship management | Sub-processors |
We do not collect Social Security numbers, driver's license numbers, financial-account login credentials, precise geolocation, or biometric information as a business, and we do not seek to collect sensitive personal information for our own purposes.
15.3 No sale and no sharing
DealTracker does not sell personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and equivalent state laws. We have not sold or shared personal information in the preceding 12 months. Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" action required, and we honor opt-out preference signals such as Global Privacy Control consistent with our no-sale, no-share posture.
15.4 Sensitive personal information
We do not use or disclose sensitive personal information for purposes that would trigger a right to limit its use under the CPRA. We do not collect sensitive personal information for our own controller purposes.
15.5 Your consumer rights
Subject to verification and the exceptions in the applicable law, you have the right to:
- Know and access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
- Delete personal information we have collected, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing (not applicable, as we do not sell or share).
- Limit the use of sensitive personal information (not applicable, as we do not use it for purposes that trigger this right).
- Non-discrimination for exercising your rights; we will not deny service, charge a different price, or provide a different level of service because you exercised a right.
15.6 How to submit a request, and authorized agents
To submit a consumer request, email privacy@getdealtracker.com. We will verify your identity using the information we hold before responding, and we will respond within the timeframes required by law. You may use an authorized agent to submit a request on your behalf; we will require proof of the agent's authorization and may require you to verify your own identity directly. California residents may also have rights under California's "Shine the Light" law regarding disclosures for third-party direct marketing; we do not disclose personal information to third parties for their own direct marketing.
15.7 Matter content
If your personal information appears in a law firm's matter content on DealTracker, the firm is the business and DealTracker is its service provider. Please direct your consumer rights requests for that information to the firm; we will assist the firm as required.
16. Cookies and tracking technologies
We keep tracking to a minimum and use no third-party tracking cookies.
- One session cookie. The application uses a single HttpOnly, Secure, domain-scoped session cookie (__dt_session) for authentication. It is strictly necessary to keep you signed in.
- Cookieless analytics. The marketing website uses Umami, a privacy-preserving analytics tool that sets no cookies, does not fingerprint, and does not profile visitors. It produces aggregate, non-identifying metrics only.
- No session-replay, heatmaps, or advertising trackers. We do not use session-replay or heatmap tools, and we do not run advertising or cross-site tracking technologies.
Because we do not use advertising cookies, cross-site tracking, or profiling, there is no advertising consent banner to manage, and there is nothing to opt out of for sale or sharing. We honor browser-level signals such as Global Privacy Control and Do Not Track consistent with our no-tracking posture.
17. Children's data
DealTracker is a business-to-business service for law firms and in-house legal teams and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16 (or under the applicable age of consent for data processing in their jurisdiction), and the service is not intended for individuals under 18. If we learn that we have collected personal data from a child without appropriate consent, we will delete it. If you believe a child has provided us personal data, contact privacy@getdealtracker.com. This commitment is consistent with the U.S. Children's Online Privacy Protection Act (COPPA) and the parental-consent requirements of the GDPR.
18. Third-party websites and links
Our website and the service may link to or integrate with third-party websites and services that we do not control, including a customer's own Microsoft 365 tenant for the optional Outlook integration. This policy does not cover those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third-party site or service you use.
19. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make a material change, we will update the "Last updated" date above and email workspace administrators at least 30 days before the change takes effect. We keep prior versions of this policy and can provide an archived version on request. Your continued use of the service after a change takes effect constitutes acceptance of the updated policy.
20. Contact us and representatives
For questions about this policy, your personal data, the DPA, or to exercise a right, contact us:
- Privacy, DPA, and data-subject requests: privacy@getdealtracker.com
- Legal and contractual matters: legal@getdealtracker.com
- Security and vulnerability reports: security@getdealtracker.com
Postal contact: DealTracker Technologies, Inc., a Delaware corporation, United States.
Registered office: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States.
Principal place of business: 172 Floyer Road, Small Heath, Birmingham, B10 9NA, United Kingdom.
You may lodge a complaint with a supervisory authority. In the European Union this is your local data protection authority; in the United Kingdom it is the Information Commissioner's Office (ICO).
An EU representative under Article 27 of the GDPR is being designated under our privacy program; once appointed, its contact details will be published here. Until then, you may direct any matter that would otherwise go to the representative to privacy@getdealtracker.com.