Last Updated January 10, 2025

1. Introduction

Finpilot ("we," "us," or "our") provides artificial intelligence-powered analytics and document processing services specifically designed for institutional allocators, limited partners, and investment professionals ("Services"). This Privacy Policy describes how we collect, use, protect, and handle information in connection with our platform and services.

We are committed to protecting the privacy and confidentiality of our enterprise clients' data and maintaining the highest standards of data security and compliance.

2. Scope and Application

This Privacy Policy applies to:

• Our AI platform and related services

• All client interactions with our platform

• Our corporate website and client portals

This policy applies exclusively to enterprise clients and does not cover consumer services.

3. Information We Process

3.1 Client-Uploaded Content

We process data, information, and content that our enterprise clients provide to, input into, upload to, or generate through our platform ("Client Data"). This includes any and all data, content, materials, or information of any type that clients make available to us or that is created through their use of our services.

3.2 Platform Usage Information

We collect technical information necessary to provide our services, including:

• System logs and performance metrics

• Authentication and access logs

• Technical metadata about uploaded documents

3.3 Account and Administrative Information

We collect business contact information necessary to manage client accounts:

• Organization name and business contact details

• Authorized user credentials and access permissions

• Billing and subscription information

• Support and communication records

4. How We Use Information

4.1 Service Delivery

We use Client Data exclusively to provide our contracted services and platform functionality to clients.

4.2 What We Do NOT Do

We explicitly do NOT:

• Use Client Data to train our AI models

• Share Client Data with other clients or third parties

• Use Client Data for marketing or promotional purposes

• Collect or process personal information of individuals

• Retain Client Data beyond the agreed service period

5. Data Security and Protection

5.1 Security Measures

We implement enterprise-grade security controls including:

• Multi-factor authentication and access controls

• Regular security monitoring and threat detection

• Secure cloud infrastructure with industry-standard certifications

• Regular security audits and penetration testing

5.2 Access Controls

• Strict role-based access controls limit data access to authorized personnel only

• All access is logged and monitored

• Administrative access requires multi-level approval

5.3 Compliance Framework

Our security practices align with:

• SOC 2 Type II standards

• Industry best practices for financial services data protection

6. Data Retention and Deletion

6.1 Retention Period

• Client Data is retained only as long as necessary to provide contracted services

• Upon contract termination, Client Data is deleted within 30 days unless otherwise specified

• System logs and technical metadata are retained for operational purposes only

6.2 Data Deletion

• Clients may request immediate deletion of specific data or entire datasets

• We provide secure data destruction with verification upon request

• Deletion processes ensure data cannot be recovered or reconstructed

7. Data Location and Transfers

• Client Data is processed and stored within United States.

• We do not transfer Client Data outside of approved geographic regions without explicit client consent

• All data transfers comply with applicable cross-border data protection requirements

8. Third-Party Services

8.1 Service Providers

We may engage carefully vetted third-party service providers for:

• Cloud infrastructure and hosting services

• Security monitoring and threat detection

• Technical support and maintenance

8.2 Third-Party Obligations

• All third parties are bound by strict confidentiality and data protection agreements

• Third parties may only access Client Data as necessary to provide contracted services

• We maintain oversight and audit rights over all third-party data handling

9. Client Rights and Controls

9.1 Data Access and Control

Clients maintain full ownership and control of their data, including:

• Right to access all uploaded data and generated insights

• Right to modify, update, or delete data at any time

• Right to export data in standard formats

• Right to restrict or limit data processing activities

9.2 Transparency

• Clients receive detailed information about data processing activities

• Audit logs are available upon request

10. Privacy by Design

Our platform is built with privacy-first principles:

• Data minimization - we collect only data necessary for service delivery

• Purpose limitation - data is used only for specified, contracted purposes

• Storage limitation - data is retained only as long as necessary

• Accountability - we maintain detailed records of all data processing activities

11. Incident Response

In the unlikely event of a security incident:

• Clients are notified within 24 hours of discovery

• We provide detailed incident reports and remediation plans

• We coordinate with client security teams as needed

• We implement additional safeguards to prevent similar incidents

12. Legal Compliance

12.1 Regulatory Compliance

We comply with applicable data protection and financial services regulations, including:

• General Data Protection Regulation (GDPR) where applicable

• California Consumer Privacy Act (CCPA) where applicable

• Financial industry data protection requirements

• Securities and investment regulatory requirements

12.2 Legal Requests

• We will notify clients of any legal requests for their data unless prohibited by law

• We challenge overbroad or inappropriate data requests

• We provide only the minimum data required by valid legal process

13. Updates to This Policy

• We will notify enterprise clients of any material changes to this Privacy Policy

• Changes become effective 30 days after notification unless clients object

• Clients may terminate services if they do not agree with policy changes

14. Contact Information

For privacy-related questions, requests, or concerns:

Finpilot Inc
Email: privacy@finpilot.ai
Address: 1836 Westlake Ave N, Suite 105, Seattle, 98105

15. Enterprise Support

For enterprise clients requiring additional privacy documentation, certifications, or custom data processing agreements, please contact your account manager or our enterprise support team.

Certification Statement: This Privacy Policy reflects our current data handling practices and is supported by our SOC 2 Type II certification and ongoing compliance audits. We stand behind our commitment to protecting client data privacy and security.

This Privacy Policy is effective as of the date listed above and supersedes all previous versions.