Cashpian Privacy Policy
Effective Date: [●], 2026
Last Updated: July 2, 2026
This Privacy Policy explains how [Cashpian, Inc.], a [Delaware] corporation (“Cashpian,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with the Cashpian document vault and data room platform, including our website, web application, and related services (collectively, the “Service”).
Please read this Policy carefully. It applies to three groups of people, treated differently and each defined below: Account Holders, Room Visitors, and individuals whose personal data is referenced within uploaded content. If you do not agree with this Policy, please do not use the Service.
1. Scope and Roles: Controller vs. Processor
This section is unusual for a policy like this — but Cashpian handles two structurally different kinds of information, and conflating them is where data-room privacy policies most often go wrong.
1.1 Cashpian as Controller
For information we collect to operate accounts, run the Service, market to prospective customers, and analyze usage — such as Account & Registration Data, Payment Data, and most Automatically Collected Data described in Section 2 — Cashpian is the data controller (or, under U.S. state law, the “business”). This Policy governs that processing directly.
1.2 Cashpian as Processor / Service Provider
Our customers — the founders, companies, and organizations that create a Cashpian account (each, a “Customer”) — upload documents, cap tables, contracts, employment records, and other files into their vault (“Room Content”). Room Content frequently contains personal data about people who are not Cashpian's customer — for example, a Customer's employees, contractors, investors, counterparties, or, in regulated verticals, clinical trial subjects or patients. With respect to that personal data, the Customer is the controller and Cashpian acts only as a processor (or “service provider”/“processor” under CCPA/CPRA and GDPR terminology), processing Room Content solely on the Customer's instructions and for the purpose of providing the Service. Our processing of Room Content is governed by our Terms of Service and, where applicable, a Data Processing Agreement (“DPA”) with the Customer — not by this Policy. If you are an individual whose personal data appears in Room Content and you have a question about it, please contact the Cashpian Customer who submitted that content; we will support that Customer's response as required by applicable law, but we are generally not able to act on your request directly.
1.3 Room Visitors
When a Customer converts a vault into a data room and shares it with a third party — an investor, banker, acquirer, or their counsel (a “Room Visitor”) — Cashpian collects certain data about that Room Visitor's access directly (see Sections 2.4 and 6). We are an independent controller of that visitor-access data for our own security, fraud-prevention, and product-analytics purposes, while the underlying Room Content remains governed by Section 1.2.
2. Information We Collect
2.1 Account & Registration Data
When you create a Cashpian account, we collect your name, work email address, and — because we authenticate accounts through Google Sign-In — the basic Google profile information Google shares with us (name, email address, profile photo, Google account ID). We do not receive or store your Google password. During our current early-access phase, access is allowlisted; we retain records of allowlist status and invitation history.
2.2 Google Drive Connection Data
If you connect Google Drive, you grant Cashpian a separate, revocable OAuth permission scoped to the files and folders you select. We use this connection to pull copies of selected documents into your vault and to detect re-imports so we do not create duplicates, via content-hash comparison rather than by reading unrelated file content. Your Drive OAuth refresh token is encrypted at rest and used solely to maintain the connection; you may disconnect Drive access at any time in your account settings and directly within your Google Account.
2.3 Room Content
Documents, folders, metadata, tags, and any information you or your team upload or generate within the vault — including corporate, financial, employment, IP, and commercial records. As described in Section 1.2, Cashpian processes Room Content as a processor on the Customer's behalf.
2.4 Data Room Access & Analytics Data
When a data room is shared, we collect information about how it is accessed: the Room Visitor's name and email (typically provided by the Customer when inviting the visitor, or by the visitor when accepting an NDA gate), IP address, device/browser information, which documents and pages were viewed, time spent per page, download or print attempts (including blocked ones), and timestamps. See Section 6 for detail, including how this data is embedded in watermarks.
2.5 Payment & Billing Data
If you subscribe to a paid plan, billing is handled by a third-party payment processor [name TBD — see Appendix]. We do not store full payment card numbers; we retain limited billing metadata (plan tier, billing contact, transaction history, invoice records) needed for account administration and tax/accounting compliance.
2.6 Communications
Records of support requests, onboarding calls, and correspondence with us, including content you choose to share for troubleshooting.
2.7 Automatically Collected Technical Data
Standard web/application logs: IP address, browser and device type, operating system, pages visited, referring URLs, and timestamps, collected via server logs and product-analytics tooling (currently PostHog) for the app and marketing site.
2.8 Cookies and Similar Technologies
We use strictly necessary cookies (session, authentication, security) and product-analytics cookies/local identifiers (PostHog). We do not currently use third-party advertising cookies. See Section 12.
3. How We Use Information
Provide, maintain, and secure the Service, including authentication, vault storage, and data room hosting.
Operate the diligence-readiness engine — matching uploaded documents against checklists, flagging gaps, and, in constrained beta, drafting disclosure-schedule exhibits for counsel review.
Generate view analytics for Customers about their own data rooms.
Detect, investigate, and prevent fraud, unauthorized access, abuse, and security incidents.
Process payments, send billing communications, and maintain business records.
Communicate with you about your account, respond to support requests, and — with consent where required — send product updates.
Improve and develop the Service, including through aggregated or de-identified usage analysis.
Comply with legal obligations and enforce our Terms of Service.
We do not sell personal information, and we do not use Room Content, or any personal data within it, to train, fine-tune, or improve any artificial intelligence or machine learning model — ours or any third party's. See Section 4.
4. How We Use Artificial Intelligence
Certain features — automatic document classification, checklist gap-detection, and, in constrained beta, disclosure-schedule drafting — use a large language model (currently Anthropic's Claude, accessed via Amazon Bedrock) to read and analyze document content.
Processing occurs inside our private AWS Virtual Private Cloud (VPC); document content is not sent over the public internet to reach the model.
We operate under Amazon Bedrock's Zero Data Retention (ZDR) configuration for model invocation — prompt and completion text is not retained by AWS or Anthropic after the request completes, and is not used to train any model.
We maintain a signed Business Associate Agreement (BAA) covering this processing, supporting use by Customers who are themselves subject to HIPAA (e.g., life-sciences Customers uploading clinical or regulatory documents). Maintaining a BAA does not, by itself, make Cashpian a HIPAA-covered entity, and Customers remain responsible for their own HIPAA obligations.
AI-generated output is clearly labeled as a draft or suggestion. It is not legal advice, and disclosure-schedule drafts are intended for review and finalization by the Customer's own counsel before use.
5. How We Share Information
We share information only as described below. We do not sell personal information and do not share personal information with third parties for their own cross-context behavioral advertising.
5.1 Service Providers (Subprocessors)
We use vendors who process data on our behalf, under contractual confidentiality and security obligations, to operate the Service:
| Vendor | Purpose | Data Involved |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage (S3), database (RDS/Postgres), queueing, key management (KMS), and AI model access (Bedrock) | Room Content, Account Data, Analytics Data |
| Google (OAuth / Drive API) | Account sign-in and optional Drive import | Account Data, Drive Connection Data, Room Content (if imported) |
| Vercel | Hosting for the web application and backend-for-frontend | Account Data, session tokens |
| PostHog | Product analytics | Automatically Collected Technical Data |
| [Payment processor — TBD] | Billing and payment processing | Payment & Billing Data |
A current, more detailed subprocessor list is available on request at hello@cashpian.com.
5.2 Within a Room, at the Customer's Direction
Room Content is shared with Room Visitors the Customer invites, exactly as instructed by the Customer, including the access controls, staging, and expiration the Customer configures.
5.3 Professional Advisors
We may share information with our own auditors, insurers, and legal and financial advisors, under confidentiality obligations.
5.4 Legal Compliance and Safety
We may disclose information if required by law, subpoena, or legal process, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cashpian, our Customers, or others, or to detect, prevent, or address fraud, security, or technical issues.
5.5 Business Transfers
If Cashpian is involved in a merger, acquisition, financing due diligence, or sale of assets, information may be disclosed or transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Policy (or a materially equivalent policy) to previously collected data.
6. Data Rooms, Watermarking, and Notice to Room Visitors
Because data rooms routinely include people who never create a Cashpian account, we want to be explicit about what happens when you view one.
6.1 What We Collect About You as a Room Visitor
Your name and email (as provided by the Customer or by you when accepting an access gate/NDA), IP address, approximate location derived from IP, device and browser type, and a detailed page-level access log: which documents you opened, in what order, how long you spent on each page, and any attempted downloads or prints (including ones we block).
6.2 Watermarking
Where enabled by the Customer, documents you view are dynamically watermarked with identifying information — typically your name and/or email, IP address, and a timestamp — visible on the document itself. The purpose is deterrence and traceability of leaks; it is visible to you while viewing and may remain visible if the document is later disclosed without authorization.
6.3 Why We Collect This
This data gives the Customer (the room owner) visibility into engagement with their own disclosure — a core, disclosed feature of the Service (see Section 3) — and secures the room against unauthorized access.
6.4 Who Sees It
Access and analytics data for a given room is visible to the Customer that owns the room and to Cashpian personnel/systems operating the Service. It is not shared with other Room Visitors or with unrelated Customers.
6.5 Your Choices
If you are asked to accept an NDA or enter identifying information to view a room, that gate is configured by the Customer, not Cashpian; declining it will generally prevent access to the room. If you have concerns about a specific room, contact the Customer who invited you; you may also reach us at hello@cashpian.com.
7. International Data Transfers
Cashpian is based in the United States, and our infrastructure (AWS) is currently hosted in [AWS region — TBD]. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for such transfers; details are available on request.
8. Data Retention
Account Data and Room Content are retained for as long as the Customer's account is active, and for a reasonable period afterward to allow account recovery, comply with legal or contractual obligations, resolve disputes, and enforce agreements.
Room Visitor access-log and analytics data is retained for the same period as the underlying room, plus a limited period thereafter for security and audit purposes, unless the Customer requests earlier deletion and no legal obligation requires retention.
Upon account closure, we delete or de-identify personal data within [90] days, except where retention is required by law (e.g., financial/tax records) or necessary to resolve disputes and enforce our agreements. Backups are purged on a rolling cycle and are not used for active processing.
Customers can request deletion of specific Room Content at any time through the Service; deletion propagates to primary storage and is purged from backups on our standard backup-rotation cycle.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect information, including:
Encryption at rest using AWS Key Management Service (KMS) for all stored documents and database records.
Encryption in transit using TLS 1.2 or higher for all data in motion.
No publicly accessible storage buckets; all document storage sits behind authenticated, access-controlled paths.
Network isolation: AI model inference and core application logic run inside a private AWS VPC.
Granular, folder- and room-level access controls, expiring share links, and full audit logging of access to Room Content.
Zero Data Retention configuration and a signed BAA for AI model processing (Section 4).
No system is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal data, we will notify affected parties and relevant authorities as required by applicable law.
10. Your Privacy Rights
10.1 General
Subject to applicable law and the controller/processor distinctions in Section 1, you may have the right to access the personal data we hold about you, correct inaccurate data, request deletion, object to or restrict certain processing, and receive a portable copy of your data. To exercise these rights, contact us at hello@cashpian.com. If your data was submitted to us by a Cashpian Customer as Room Content, we will typically direct your request to that Customer, consistent with Section 1.2.
10.2 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
Where we act as controller (Section 1.1), our legal bases for processing include performance of a contract with you, our legitimate interests (securing the Service, preventing fraud, improving the product), consent (for optional communications), and compliance with legal obligations. You have the right to lodge a complaint with your local data protection authority.
10.3 California (CCPA/CPRA)
California residents have the right to know what personal information we collect, use, and disclose; to request deletion; to correct inaccurate information; and to opt out of the “sale” or “sharing” of personal information. Cashpian does not sell personal information and does not “share” it for cross-context behavioral advertising, as those terms are defined under the CCPA. We will not discriminate against you for exercising these rights.
10.4 Other U.S. States
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have similar rights (access, correction, deletion, portability, and opt-out of targeted advertising or profiling, where applicable). We do not engage in targeted advertising or the sale of personal information.
10.5 Verification
We may need to verify your identity before acting on a rights request, consistent with applicable law.
11. Children's Privacy
The Service is a business tool intended for use by companies, founders, investors, and their professional advisors. It is not directed to, and we do not knowingly collect personal information from, individuals under 18. If we learn we have collected such information, we will delete it.
12. Cookies and Do-Not-Track
We use strictly necessary cookies to operate authentication and session security, and analytics cookies/identifiers (PostHog) to understand product usage. We do not currently respond to browser “Do Not Track” signals, as no common industry standard for such signals has been adopted.
13. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice — such as by email to Account Holders or a prominent notice on the Service — before the changes take effect. The “Last Updated” date above reflects the most recent revision.
14. Contact Us
Questions, requests, or complaints about this Policy or our privacy practices can be directed to:
[Cashpian, Inc.]
[Registered address — TBD]
hello@cashpian.com
If you are a Room Visitor with a concern about a specific data room, please also contact the Cashpian Customer who invited you, as they control that content.