Privacy Policy

This Privacy Policy explains what data Kloup LLC ("Kloup", "we", "our", "us") collects, why we collect it, how long we keep it, and the choices you have. It applies to the Kloup websites, web app, mobile surfaces, APIs, and integrations (the "Service"). Use of the Service is also governed by our Terms of Service; for customers processing personal data subject to GDPR, UK GDPR, LGPD, or similar laws, our Data Processing Agreement applies.

Our position in one sentence: founders own their fundraising data. We treat your workspace as yours, not a training corpus, not a benchmark, and not a product to syndicate.

1. Data we collect

1.1 Account data

When you sign in with Google we receive your email address, name, and profile photo. We never see or store your Google password. Google OAuth tokens (access + refresh) are encrypted at the application layer before being stored and are used only to call the APIs you have explicitly connected.

1.2 Customer Data

Anything you put into your workspace, including:

• Investor pipeline entries, contacts, organisations, rounds, soft commits, term sheet states, and cap table records;
• Investor updates, notes, tasks, reports;
• Files uploaded to the data room and any metadata about views and downloads;
• Calendar events, meeting attendees, and email metadata pulled in via the Google integration;
• Any personal data of contacts you choose to add (which makes you the controller and us the processor of that data).

1.3 Operational telemetry

Standard server logs (request method, path, status code, IP address, user agent, request id) for debugging, abuse prevention, and capacity planning. Retained for 30 days then deleted. We do not run third-party web analytics on signed-in workspace pages, and we do not load advertising pixels or trackers anywhere on the Service.

1.4 Marketing site

The marketing site (kloup.com) uses no third-party analytics, no advertising cookies, and no cross-site tracking. We rely on aggregated request logs from our hosting provider for traffic figures.

2. How we use data

• To provide, secure, maintain, and improve the Service;
• To deliver investor emails you draft (via SendGrid) at your direction;
• To enrich contacts (via Apollo) when you trigger enrichment;
• To generate AI drafts (via Anthropic / OpenAI) when you trigger an AI feature;
• To detect, investigate, and prevent fraud, abuse, and security incidents;
• To communicate with you about the Service, your account, or material changes;
• To comply with legal obligations and to enforce our Terms.

We do not:

• Sell Customer Data, ever.
• Share Customer Data with advertisers, data brokers, or syndication networks.
• Use Customer Data to train shared or third-party AI models.
• Aggregate or anonymise Customer Data to build investor benchmarks, market reports, league tables, or any data product offered to anyone other than the workspace that owns the data.
• Read or browse Customer Data outside of narrow operational paths (incident response, customer-initiated support requests, abuse investigations) — and every such access is logged and reviewable.

3. Legal bases (GDPR / UK GDPR / LGPD)

Depending on the activity, we rely on:

• Contract — to provide the Service you have requested;
• Legitimate interests — to secure the Service, prevent fraud, and improve our product, balanced against your rights;
• Consent — for optional features that require it (e.g. enabling marketing communications);
• Legal obligation — to respond to lawful requests and meet retention duties.

4. Sub-processors and sharing

We share data only with the sub-processors required to run the Service. Each is contractually bound to confidentiality, purpose limitation, and security standards at least equal to ours.

• Cloudflare — hosting and infrastructure (Workers, Pages, D1, R2, KV, Queues, Logpush);
• Google — OAuth, Calendar, Gmail, and Drive APIs at your direction;
• SendGrid — transactional and bulk email delivery;
• Apollo.io — contact enrichment when triggered by you;
• Anthropic and OpenAI — AI drafts and summaries, called under zero-retention / no-training settings where available;
• Stripe — payments processing (we do not store full card numbers).

A current list of sub-processors with addresses, locations, and roles is available to customers under NDA. We notify workspace admins at least 30 days before adding a new sub-processor that processes Customer Data, and you may object on reasonable grounds; if we can't accommodate, you may terminate the affected portion of your subscription with a pro-rated refund.

We may also disclose data when required by law, to protect the rights, safety, or property of Kloup or others, or in connection with a corporate transaction (merger, acquisition, or asset sale) — in which case we will provide reasonable notice and require any successor to honour the commitments in this Policy.

5. Data location and international transfers

Kloup hosts and processes Customer Data primarily in the United States. Production databases (Cloudflare D1), object storage (Cloudflare R2), and the application workers that read and write your data are hosted on Cloudflare's network with primary storage in the eastern United States. Cloudflare's anycast edge serves cached and static assets globally, so a request from Berlin or São Paulo may be answered by a nearby edge node — but the canonical Customer Data record lives in the United States.

Some sub-processors also operate in the United States, the European Union, the United Kingdom, and other regions where they offer their services. Specifically:

• Cloudflare — United States (primary), with global edge presence;
• Google — United States and EU (depending on Customer's Google Workspace configuration);
• SendGrid — United States;
• Apollo.io — United States;
• Anthropic, OpenAI — United States;
• Stripe — United States and Ireland.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or any other country without an adequacy decision, Kloup relies on the European Commission's Standard Contractual Clauses (Module Two, Implementing Decision (EU) 2021/914) plus the UK International Data Transfer Addendum where applicable. Where the EU-US Data Privacy Framework (and its UK / Swiss extensions) is in force and the relevant sub-processor is certified, we additionally rely on that framework. Brazilian (LGPD) transfers rely on the international-transfer mechanisms permitted under Article 33, typically standard contractual clauses approved by ANPD.

Kloup performs Transfer Impact Assessments (Schrems II) for each destination country, applies supplementary technical measures (encryption in transit and at rest, application-layer encryption of sensitive tokens, minimal-context AI calls), and will challenge disproportionate access requests where lawful. A summary TIA is available to customers under NDA.

6. Retention

• Customer Data is retained for as long as your workspace is active.
• When you delete a workspace, Customer Data is removed from live systems immediately (cascade delete across all tables) and from encrypted backups within 35 days.
• Operational logs: 30 days.
• Authentication and admin-action audit logs: 12 months.
• Billing records: as required by tax and accounting law (typically 7 years).
• You can also delete individual records (contacts, rounds, files, updates) anytime through the app, and request hard-deletion of identifiable backups by emailing privacy@kloup.com.

7. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you;
• Correct or update inaccurate data;
• Export your data in a portable format;
• Delete your data (subject to limited exceptions);
• Object to or restrict certain processing;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with your data-protection authority.

Most rights are self-serve through Settings → Profile and Settings → Data Export. For anything else, email privacy@kloup.com and we will respond within the timelines required by applicable law (typically within 30 days).

8. AI and Customer Data

AI features are opt-in and called only when you trigger them. When you do, we send the minimum context needed to fulfil the request to the chosen model provider. We do not consent to model training on Customer Data and we use zero-retention or no-training settings where the provider offers them. Model output is stored in your workspace as your Customer Data.

9. Cookies and similar technologies

The Service uses a single first-party authentication mechanism (an HTTP-only cookie on the API, plus localStorage on the SPA for token caching). No third-party cookies, no advertising trackers, no fingerprinting, no cross-site tracking. The marketing site uses no analytics cookies.

10. Children

Kloup is a B2B product and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@kloup.com and we will delete it promptly.

11. Security

See our dedicated Security page for encryption, access controls, monitoring, incident response, and how to report a vulnerability.

12. Changes to this Policy

We will notify you of material changes at least 14 days in advance via email and an in-app banner. The "Last updated" date at the top of this page reflects the current version.

13. Contact

Privacy questions or rights requests: privacy@kloup.com.
Data Protection Officer: dpo@kloup.com.
EU / UK representative on request.