Privacy Policy

Effective Date: April 1, 2026

CandaceAI ("we," "us," or "our") operates the CandaceAI platform at candaceai.com. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our services.

1. Information We Collect

Account Information

When you create an account, we collect your name and email address. If you sign up or sign in using a third-party provider (Google or LinkedIn), we receive your name, email address, and profile picture from that provider.

Deal and Document Data

As a business brokerage platform, we store information you provide about deals, including financial data, business descriptions, and documents you upload to data rooms. This data is accessible only to authorized parties as configured by deal advisors.

Usage Data

We collect analytics data about how you interact with the platform, including pages visited, features used, and session information. This data is collected through Amplitude and is used to improve the platform experience.

Cookies and Session Data

We use session cookies to keep you signed in. These cookies contain a session token and are essential for the platform to function. We do not use advertising or third-party tracking cookies.

2. How We Use Your Information

• To provide, maintain, and improve the CandaceAI platform
• To authenticate your identity and manage your account
• To facilitate deal management, document sharing, and NDA workflows
• To send transactional emails (password resets, NDA notifications, deal updates)
• To analyze usage patterns and improve platform features
• To provide AI-powered features such as deal summaries and document analysis

3. AI-Powered Features

CandaceAI uses artificial intelligence to assist with deal analysis, document processing, and other features. When AI processes your data, personally identifiable information is redacted before being sent to AI providers. We never send raw personal data (names, emails, Social Security numbers, etc.) to AI services. AI processing is logged for audit purposes, but prompt and response content is never stored in logs.

4. Third-Party Services

Authentication Providers

If you choose to sign in with Google or LinkedIn, those providers share your basic profile information (name, email, profile picture) with us according to the permissions you grant during the sign-in process. We do not access your contacts, messages, or other data from these providers.

Service Providers

We use third-party services to operate the platform, including cloud hosting (Vercel, Neon), email delivery (Resend), analytics (Amplitude), and background job processing (Inngest). These providers process data on our behalf under contractual obligations to protect your information.

5. Data Sharing

We do not sell your personal information. We share data only in these circumstances:

• Within deals: Information you add to a deal is visible to other authorized parties (advisors, buyers, sellers) as configured by deal permissions.
• Service providers: As described above, to operate the platform.
• Legal requirements: When required by law, subpoena, or court order.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

6. Data Security

We implement industry-standard security measures to protect your data, including encrypted connections (TLS), secure password hashing (bcrypt), row-level database security policies, and role-based access controls. Document access is verified through data room permissions, not URL parameters alone.

7. Data Retention

We retain your account data for as long as your account is active. Deal data is retained according to brokerage requirements. When data is removed, it is soft-deleted (archived) and may be retained in backups for a limited period. You may request full deletion of your account and associated data at any time.

8. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and personal data
• Export your data in a portable format
• Withdraw consent for optional data processing

To exercise any of these rights, contact us at the address below.

9. Children's Privacy

CandaceAI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your personal data, please contact us at:

Email: privacy@candaceai.com