Privacy Policy

1. Introduction

DealFlow Ltd ("Company", "we", "us") is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy describes how we collect, hold, use, and disclose personal information in connection with our platform.

2. Information We Collect

We collect the following categories of personal information:

• Account information: name, email address, organisation name, and role.
• Authentication data: login credentials, multi-factor authentication tokens, and session identifiers.
• Usage data: pages visited, features used, timestamps, IP addresses, browser type, and device information.
• Documents and content: files uploaded to data rooms, notes, deal information, and buyer data you enter into the platform.
• Communication data: support enquiries and in-platform notifications.

We do not collect sensitive information (as defined in the Privacy Act) unless it is reasonably necessary and you have consented.

3. How We Use Your Information

We use your personal information for the primary purpose for which it was collected, including to:

• Provide, maintain, and improve the Service.
• Authenticate your identity and secure your account.
• Process transactions and manage your subscription.
• Send transactional communications such as data room invitations, NDA requests, and activity notifications.
• Monitor platform usage for security, fraud prevention, and performance optimisation.
• Comply with our legal obligations under Australian law.

We will not use or disclose your personal information for a secondary purpose unless you would reasonably expect us to, you have consented, or we are required or authorised by law to do so.

4. Disclosure of Personal Information

We do not sell your personal information. We may disclose personal information to the following categories of recipients:

• Infrastructure providers: cloud hosting, database, and authentication services (e.g., Supabase, Vercel).
• Email services: transactional email delivery providers (e.g., Resend).
• Microsoft 365: when you connect SharePoint or Outlook integrations.
• Legal and regulatory: when required by law, court order, or governmental authority.

We take reasonable steps to ensure that any third party to whom we disclose personal information handles it in accordance with the APPs.

5. Cross-Border Disclosure

Some of our service providers are located outside Australia (including in the United States and the European Union). Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information, as required by APP 8.

6. Data Room & Document Security

Documents uploaded to data rooms are stored with encryption at rest and in transit. Access is controlled through granular folder-level permissions, and all access events (including views, downloads, and session activity) are logged in a tamper-evident audit trail.

External data room participants are subject to the same access controls. Their activity is tracked and visible to the data room administrator.

7. Data Quality & Security

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant (APP 10). We implement industry-standard security measures including:

• Encryption of data in transit (TLS) and at rest.
• Multi-factor authentication (MFA) support for user accounts.
• Role-based access control and granular permission profiles.
• Regular security reviews and monitoring of access patterns.
• Row-level security (RLS) policies ensuring data isolation between organisations.

While we take reasonable steps to protect your information, no method of electronic storage or transmission is completely secure. You are responsible for keeping your account credentials confidential.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account or request data deletion, we will destroy or de-identify your personal information within 30 days, except where retention is required or authorised by Australian law (e.g., audit logs, tax records, legal compliance).

De-identified, aggregated data that can no longer identify you may be retained indefinitely for analytics and service improvement.

9. Access & Correction

Under APPs 12 and 13, you have the right to:

• Access: request access to the personal information we hold about you.
• Correction: request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

To make a request, contact us at support@dealflow.ltd. We will respond within 30 days. We may refuse access or correction in certain circumstances permitted by the Privacy Act, and if so, we will provide written reasons.

10. Cookies & Tracking

We use essential cookies to authenticate your session and maintain your preferences. We do not use advertising or third-party tracking cookies.

Session cookies are deleted when you close your browser. Persistent cookies (e.g., theme preference, authentication tokens) are retained until they expire or you clear them.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to destroy or de-identify it promptly.

12. Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with us at support@dealflow.ltd. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a revised effective date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at support@dealflow.ltd.

DealFlow Ltd
Australia