invested.io
Login

Privacy Policy

Effective Date: May 8, 2026

1. Introduction

invested.io LLC (“invested.io,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website at invested.io, use our software-as-a-service platform (the “Service”), or otherwise interact with us.

This Privacy Policy applies to all users of our Website and Service, including Operator Users (e.g., startup founders and company administrators who connect data sources and manage company metrics), Investor Users (e.g., angel investors, venture capitalists, and fund managers who view portfolio company data), and visitors to our Website.

By using the Website or Service, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. This Privacy Policy should be read together with our Terms and Conditions.

2. Information We Collect

2.1 Information You Provide to Us

  • Account Information: When you register for an account, we collect your name, email address, company name, role or title, phone number (optional), and account credentials.
  • Company and Financial Data (Operators): Operator Users may input or connect company financial and operational data and other business metrics.
  • Payment Information: If you subscribe to a paid plan, we collect billing information such as your name, billing address, and payment method. Payment processing is handled by third-party processors (e.g., Stripe), and we do not store full credit card numbers on our systems.
  • Communications: When you contact us for support or otherwise communicate with us, we collect the content of those communications.

2.2 Information Collected Through Third-Party Integrations

When you connect Third-Party Integrations to the Service, we collect data from those sources on your behalf. The types of data collected depend on the integration and may include:

  • Accounting Software (e.g., QuickBooks, Xero): Chart of accounts, transactions, journal entries, invoices, bills, revenue data, and expense categories.
  • Banking and Financial Services (via Plaid): Account identifiers, account balances, and transaction history. We access this data through Plaid’s secure API. You can review Plaid’s privacy policy at plaid.com/legal and manage your connections through Plaid Portal.
  • CRM Systems (e.g., HubSpot, Salesforce): Customer and deal data, pipeline information, contract values, and sales metrics.
  • HRIS Platforms: Employee headcount, departmental structure, and related workforce data.
  • Billing Software (e.g., Stripe): Subscription data, recurring revenue information, churn data, and billing metrics.
  • Cap Table Tools (e.g., Carta, Pulley): Equity ownership structure, share classes, dilution data, and related capitalization information.

2.3 Information Collected Automatically

  • Usage Data: We collect information about how you interact with the Service, including pages viewed, features used, actions taken, time spent, and navigation paths.
  • Device and Technical Data: We collect information about the device and browser you use to access the Service, including IP address, device type, operating system, browser type, and screen resolution.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect usage information and improve the Service. You can manage cookie preferences through your browser settings. We honor the Global Privacy Control (GPC) signal as an opt-out of any data sales or sharing for targeted advertising.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate the Service, compute metrics and dashboards, provide AI-generated analysis and insights, facilitate data sharing between Operators and authorized Investors, and process payments.
  • AI and Automated Processing: To analyze your data using artificial intelligence and large language models to generate insights, metrics computations, summaries, and recommendations. See Section 5 for additional details on AI processing.
  • Improving the Service: To understand how users interact with the Service, identify areas for improvement, develop new features, and generate Benchmark Data (aggregated and de-identified).
  • Communications: To send you service-related communications, respond to your inquiries, and (with your consent where required) send marketing or promotional communications. You may opt out of marketing communications at any time.
  • Security and Compliance: To protect the security and integrity of the Service, detect and prevent fraud, and comply with applicable legal obligations.
  • Legal Obligations: To comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Between User Types: When an Operator grants an Investor access to their data through the Service, we facilitate the sharing of the Operator’s company metrics and data to the authorized Investor. Operators control which Investors may access their data.
  • Third-Party Service Providers: We share information with third-party companies that provide services on our behalf, including cloud hosting and infrastructure providers, payment processors (e.g., Stripe), banking data connectivity (e.g., Plaid), AI and machine learning providers (e.g., Anthropic, OpenAI), analytics and monitoring services, and customer support tools. These providers are contractually obligated to use your information only as necessary to provide services to us and in accordance with this Privacy Policy.
  • Legal Requirements: We may disclose your information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.
  • With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
  • Benchmark Data: We may share aggregated, de-identified Benchmark Data that does not identify any individual user or company. Benchmark Data is not personal information.

5. Artificial Intelligence and Automated Processing

The Service uses artificial intelligence, machine learning, and large language models (“AI Technologies”) to process your data and generate insights. This section describes how AI Technologies are used and your rights with respect to that processing.

5.1 How AI Processes Your Data

AI Technologies may be used to analyze financial and operational data you provide or connect to the Service in order to compute business metrics across categories such as revenue, expenses, balance sheet, customers, sales, team, fundraising, and compliance. AI is also used to generate narrative summaries, insights, and recommendations based on your data, identify trends, anomalies, and patterns, and produce benchmarking comparisons using aggregated, de-identified data.

5.2 Third-Party AI Providers

We may transmit certain data to third-party AI providers for processing. When we do so, we require these providers, by contract, to process your data only as instructed by us and in accordance with our data protection requirements. Specifically, third-party AI providers are prohibited from using your Customer Data to train, improve, or develop their general-purpose models.

5.3 No Use of Customer Data for Model Training

invested.io does not use your Customer Data to train general-purpose AI or machine learning models. Your data is processed by AI Technologies solely to provide the Service to you.

5.4 Limitations of AI

AI-generated outputs may contain errors, inaccuracies, or omissions. You should independently verify all AI-generated content before relying on it. For more information, see Section 10 of our Terms and Conditions.

5.5 Automated Decision-Making

The Service uses automated processing to compute metrics and generate analysis. However, the Service does not make automated decisions that produce legal or similarly significant effects on you. All outputs are informational and intended to support — not replace — human decision-making. To the extent applicable law provides you with rights regarding automated processing or profiling, you may exercise those rights by contacting us at privacy@invested.io.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. The following table provides general retention guidelines:

Data Category Retention Period
Account and profile data Duration of account + 30 days
Financial metrics and dashboards Duration of account + 90 days
Bank connection data (Plaid) Until disconnected + 30 days
Cap table data Duration of account + 7 years
Payment and billing data 7 years (tax/financial compliance)
Usage logs and analytics 24 months (rolling)
AI processing inputs/outputs 90 days
Security and audit logs 12 months
Marketing consent records Duration of consent + 3 years

When data is no longer needed, it is securely deleted or de-identified in accordance with industry-standard practices.

7. Data Security

We take the security of your information seriously and implement commercially reasonable administrative, technical, and physical safeguards to protect your data against unauthorized access, use, alteration, and destruction. These measures include encryption of data in transit (TLS) and at rest (AES-256), access controls and authentication requirements, regular security monitoring and logging, and contractual security obligations imposed on third-party service providers.

While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, and you provide information at your own risk.

8. Your Rights and Choices

8.1 Your Rights

Depending on your location and applicable law, you may have some or all of the following rights with respect to your personal information:

  • Right to Know and Access: You may request information about the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Correction: You may request that we correct inaccurate personal information.
  • Right to Deletion: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Data Portability: You may request a copy of your personal information in a portable, machine-readable format.
  • Right to Opt Out: You may opt out of the sale or sharing of your personal information for targeted advertising. Note: invested.io does not currently sell personal information or share it for targeted advertising.
  • Right to Restrict Processing: In certain circumstances, you may request that we restrict the processing of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

8.2 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@invested.io with the subject line “Privacy Request” and a description of the right you wish to exercise. We will respond to your request within the timeframe required by applicable law (generally 45 days from receipt, with the possibility of a 45-day extension for complex requests, in which case we will notify you of the extension and the reason for it). For requests submitted under the EU General Data Protection Regulation, we will respond within 30 days.

8.3 Identity Verification

To protect your information from unauthorized access, we will verify your identity before processing your request. Verification typically involves confirming information that matches your account, including the email address on file. For sensitive requests such as deletion or data portability, we may require additional verification, including responding to a confirmation email sent to your registered address or providing information that only the account holder would reasonably know.

We will not use information collected for identity verification for any other purpose, and we will retain it only as long as necessary to verify your request and document our compliance with applicable law.

8.4 Fees

We do not charge a fee for the first request you submit in any 12-month period. For requests that are repeated, manifestly unfounded, or excessive in light of a response we have already provided, we may charge a reasonable fee that reflects the administrative cost of responding, or we may decline to act on the request. If we charge a fee or decline a request on this basis, we will explain our reasoning to you in writing.

8.5 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide written authorization signed by you and may contact you directly to verify the request. California consumers may designate an authorized agent in accordance with the California Consumer Privacy Act.

8.6 Appeals

If we decline your request in whole or in part, we will explain our reasoning in writing. You may appeal our decision by emailing privacy@invested.io with the subject line “Privacy Appeal” within 60 days of our response. We will respond to appeals within 45 days of receipt, with a possible 60-day extension for complex appeals, in which case we will notify you of the extension and the reason for it.

Our appeal response will inform you of the action taken or not taken in response to the appeal and the reasons for our decision. If we deny your appeal, we will provide information about how to file a complaint with the Oregon Attorney General’s office or the applicable data protection authority in your jurisdiction.

8.7 Right to Lodge a Complaint

In addition to your right to appeal, you may at any time lodge a complaint with the Oregon Attorney General’s office (https://justice.oregon.gov/consumer/) or the applicable data protection authority in your jurisdiction.

9. State-Specific Privacy Rights

9.1 Oregon (Oregon Consumer Privacy Act)

If you are an Oregon resident, you have the rights described in Section 8, including the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising, profiling in furtherance of decisions that produce legal or similarly significant effects, and the sale of personal data. You also have the right to obtain a list of the specific third parties to whom we have disclosed your personal data.

If we deny your request in whole or in part, you have the right to appeal our decision in accordance with Section 8.6. We will respond to your appeal within 45 days, with a possible 60-day extension for complex appeals. If we deny your appeal, you may file a complaint with the Oregon Attorney General’s consumer protection division at https://justice.oregon.gov/consumer/.

To exercise your rights, contact us at privacy@invested.io.

9.2 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information is collected, used, shared, and sold; the right to delete personal information; the right to opt out of the sale or sharing of personal information; the right to correct inaccurate personal information; the right to limit the use and disclosure of sensitive personal information; and the right to non-discrimination for exercising your rights. Financial data may constitute Sensitive Personal Information under California law. We honor the Global Privacy Control (GPC) signal.

California consumers may designate an authorized agent to submit requests on their behalf in accordance with Section 8.5. To exercise your rights, contact us at privacy@invested.io or submit a request through our Website.

9.3 Other U.S. States

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, and other states with comprehensive privacy laws may have similar rights. We are committed to honoring the privacy rights of all users in accordance with applicable law. If you are a resident of any of these states and wish to exercise your privacy rights, please contact us at privacy@invested.io.

10. For European Users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:

Legal Basis for Processing

We process your personal data on the following legal bases: performance of a contract (to provide the Service); legitimate interests (to improve the Service, ensure security, and conduct analytics, where our interests do not override your rights); consent (where you have given explicit consent, such as for marketing communications); and legal obligation (to comply with applicable laws).

Additional Rights

In addition to the rights described in Section 8, you have the right to object to processing based on legitimate interests, the right to restrict processing, the right to withdraw consent at any time (without affecting the lawfulness of prior processing), and the right to lodge a complaint with your local data protection authority.

International Data Transfers

Your personal data may be transferred to and processed in the United States, where our servers are located. We rely on applicable data transfer mechanisms, including the EU-U.S. Data Privacy Framework and Standard Contractual Clauses approved by the European Commission, to ensure adequate protection of your data.

Data Protection Agreements

Enterprise customers may request a Data Processing Agreement (DPA) by contacting privacy@invested.io.

Response Timeline

We will respond to privacy requests submitted under the GDPR within 30 days, with a possible 60-day extension for complex requests.

11. Third-Party Integrations and Links

The Service integrates with third-party platforms and may contain links to third-party websites. When you connect a Third-Party Integration, you are authorizing both invested.io and the third-party provider to exchange data as described in this Privacy Policy and the third party’s own privacy policy. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you connect to the Service.

12. Children’s Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate the Service, remember your preferences, understand usage patterns, and improve the user experience. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

We respect your choices regarding tracking. We honor the Global Privacy Control (GPC) signal and Do Not Track (DNT) signals where supported by applicable law.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. For material changes, we will provide notice by email to the address associated with your account and by posting a prominent notice within the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

15. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law, including within 72 hours where required by GDPR and within the timeframes required by applicable U.S. state breach notification laws.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

invested.io LLC
Email: privacy@invested.io
Website: invested.io

For general legal inquiries: legal@invested.io

Last updated: May 8, 2026