Privacy Policy

1. Introduction

C12, LLC, operating as VentureScope ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered due diligence platform, including our website, applications, and related services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access the Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, and organization details when you create an account.
• Payment Information: Billing details processed securely through Stripe. We do not store your full credit card number.
• Uploaded Documents: Pitch decks, financial documents, cap tables, and other files you upload for analysis.
• Communications: Messages you send through the platform, including AI chat interactions and assessment comments.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, assessment generation frequency, and interaction patterns.
• Device Information: Browser type, operating system, device identifiers, and IP address.
• Cookies: Session cookies for authentication and preferences. See Section 8 for details.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service, including generating AI-powered investment memos and analyses.
• Process transactions and send related information, including purchase confirmations and invoices.
• Send administrative information, such as updates, security alerts, and support messages.
• Respond to your comments, questions, and customer service requests.
• Monitor and analyze usage trends to improve user experience.
• Detect, prevent, and address technical issues and security threats.

4. AI Processing & Your Data

VentureScope uses third-party AI APIs to analyze your uploaded documents and generate investment assessments. The following describes how this processing works and what protections apply.

4.1 What is sent to AI providers

When you run an assessment, the text extracted from your uploaded documents is sent to an AI provider via their API. By default, this is Anthropic's Claude. If you use Bring Your Own Key (BYOK), content is sent to your chosen provider (Anthropic, OpenAI, Google, or xAI) instead.

For image-heavy documents, image content may also be sent to the AI provider for optical character recognition (OCR).

4.2 Model training

If you use a different AI provider via BYOK, that provider's API privacy terms govern how they handle your data. We recommend reviewing your chosen provider's API privacy policy.

4.3 Security in transit

All API calls to AI providers are made over TLS-encrypted connections. Generated assessments, memos, and scores are stored in your account and accessible only to you and your authorized team members.

5. Subprocessors

We do not sell your personal information. The following third-party vendors process or may access customer data on our behalf. We conduct due diligence on each vendor's security posture before use.

We may also share your information in the following situations:

• Team Members: Within your organization, as configured by your team settings and sharing preferences.
• Legal Requirements: When required by law, regulation, legal process, or governmental request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
• With Your Consent: When you explicitly authorize sharing, such as sharing assessments via a public report link.

6. Data Security

We implement technical and organizational measures to protect your information, including:

• Encryption in transit: TLS 1.2+ enforced on all connections, with HSTS (2-year duration, preload).
• Encryption at rest: Database and file storage encrypted with AES-256 at the infrastructure level (Supabase).
• BYOK key encryption: Bring-your-own API keys are encrypted at the application layer using AES-256-GCM before database storage.
• Row Level Security: Database-level policies isolate your organization's data from all other organizations.
• Authentication: OAuth only (Google, GitHub, magic link) — no passwords stored by VentureScope.
• Access controls: Role-based permissions (owner, admin, member) on all data operations.

Our infrastructure providers (Vercel, Supabase, Stripe) maintain SOC 2 Type II and/or PCI DSS certifications. No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. For more detail, see our Security page.

7. Document & Data Flows

When you upload a document to VentureScope:

1. The file is stored in a private storage bucket scoped to your organization (Supabase Storage, US).
2. Text is extracted server-side and stored in your document record in the database.
3. When you run an assessment, extracted text is sent to an AI API (Anthropic by default) over TLS.
4. The AI-generated assessment is stored in your account, accessible only to your organization and anyone you explicitly share it with.
5. The original file remains in your private storage bucket until you delete it or close your account.

8. Cookies & Tracking

We use essential cookies required for authentication and platform functionality. We also use PostHog for product analytics — this may set analytics cookies. We do not use third-party advertising cookies or cross-site tracking technologies. You can configure your browser to refuse cookies, but some features of the Service may not function properly.

9. Data Retention

We retain your information according to the following schedule:

• Uploaded documents and extracted text: Retained for the life of the document record. Deleted when you delete the document, delete your company, or close your account.
• AI assessments and analyses: Retained until you delete them or close your account.
• Account data: Retained while your account is active. Upon account deletion, a 30-day recovery window applies; after that, all personal data is permanently deleted from our systems.
• Payment records: Retained as required by applicable law (typically 7 years for tax and accounting purposes).

You may request deletion of your data at any time from your account settings or by contacting us. We will delete or anonymize your information within 30 days of a verified deletion request, unless retention is required by law.

10. Your Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion of your personal information.
• Object to or restrict processing of your information.
• Data portability — receive your data in a structured, machine-readable format (available via Settings → Export Data).
• Withdraw consent where processing is based on consent.

To exercise these rights, contact us at privacy@venturescope.ai or use the self-service tools in your account settings.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete such information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, where appropriate, by email notification.

13. Contact Us

VentureScope is a product of C12, LLC.

• Privacy questions: privacy@venturescope.ai
• Security concerns: security@venturescope.ai
• Legal / DPA requests: legal@venturescope.ai