Privacy Policy
Effective 2026-05-08 · Plain English first, precise terms below.
The short version
- We rank public companies, not people. Inputs are the public GitHub events API, Wikidata, and SSRN — not individual user activity.
- Free subscribers give us only an email address; we use it to send the weekly digest and the optional drip sequence.
- Paid subscribers add a Stripe customer ID; Stripe handles payment data — we never see card numbers.
- Pseudonymous analytics via PostHog EU. We do not set persistent identifiers across sites and we honor DNT: 1.
- No selling, no behavioural advertising, ever. CCPA "do-not-sell" is moot — there's nothing to sell.
- Email signal@gitdealflow.com for access, deletion, or DPA execution.
1 · Who we are
VC Deal Flow Signal (also "GitDealFlow", "we") operates the website at signals.gitdealflow.com, the dashboard, the MCP server @gitdealflow/mcp-signal, the Chrome extension, and the weekly email digest. Contact: signal@gitdealflow.com. Founder identity and contact details: /about.
2 · What we collect
Three categories, each with a different basis under GDPR Art. 6:
- Subscriber data — email address (free + paid), Stripe customer ID (paid), share-token records (when you create a "share my receipts" link). Legal basis: contract (Art. 6(1)(b)) for paid; consent (Art. 6(1)(a)) for free email opt-in.
- Server logs — request URL, IP, user-agent. Stored 30 days at Vercel (the hosting provider). Legal basis: legitimate interest (Art. 6(1)(f)) in operating the service.
- Pseudonymous analytics — page-view counters, sector popularity. PostHog EU; person profiles are identified-only (anonymous visitors never get a profile). Legal basis: legitimate interest.
3 · What we do NOT collect
- No payment card numbers (Stripe handles them; PCI-DSS Level 1).
- No password fields — we authenticate paid features via API keys and Stripe magic links, not user passwords.
- No sensitive categories (health, biometric, ethnic, political, etc.).
- No children's data — the service is not directed at users under 16.
- No cross-site tracking pixels.
4 · Subprocessors
We use a small set of third-party processors. Full list with roles, regions, certifications and DPAs: /subprocessors (machine-readable: /.well-known/subprocessors.json). Headline: Stripe (payments), Vercel (hosting EU primary), Resend (email), PocketBase on Hetzner Helsinki (subscriber DB), PostHog EU (analytics), Cloudflare (apex DNS).
5 · International transfers
Primary processing region is the EU (Vercel fra1, Hetzner Helsinki, PostHog Frankfurt). Failover and US-only subprocessors (Stripe, Resend, GitHub, Coinbase, Anthropic) operate under Standard Contractual Clauses Module Two. Details in /.well-known/dpa.json.
6 · Retention
- Subscriber email — until unsubscribe + 12 months (then deletion).
- Stripe customer record — lifetime of subscription + 7 years (tax law).
- Server logs — 30 days (Vercel default).
- Analytics events — 30 days, no PII.
7 · Your rights
Under GDPR / UK-GDPR / CCPA you can ask us to access, correct, port, restrict, or delete your data. Email signal@gitdealflow.com with the address you signed up under; we'll respond within 30 days (typically 5 business days). Free unsubscribe is one click in any email footer.
8 · Security
HSTS preload, CSP, strict TLS, MFA on every admin tool. Vulnerability disclosure program at /disclosure; security contact in /.well-known/security.txt. Breach notification SLA is 72 hours per GDPR Art. 33.
9 · Changes to this policy
We will email all subscribers at least 30 days before any change that materially expands what we collect or who processes it. Version history is published at /changelog.
10 · Supervisory authority
If you believe we have mishandled your data, you may complain to your local data protection authority. Our default supervisory authority is the Hellenic Data Protection Authority (HDPA), since the operator is based in Greece.