Privacy Policy
Last updated: April 30, 2026
1. Introduction
EnrichQL ("we," "our," or "us") operates an AI-powered investor discovery platform that helps startup founders find and contact venture capital firms and angel investors. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Information We Collect
We collect information you provide directly and information generated through your use of our platform:
- Account Data: Name, email address, and encrypted passwords, stored securely via Supabase Auth.
- Startup Profile Data: Company name, industry, funding stage, target investor criteria, and value proposition you enter into our Investor Finder tool. This data is used exclusively to power your searches.
- Payment Data: All payments are processed by Creem.io (our Merchant of Record). We do not store or have access to your complete credit card details. Creem.io handles all sensitive financial data in compliance with PCI-DSS standards.
- Usage & Search Data: Your search history, results viewed, and credits consumed, associated with your account for billing, support, and product improvement.
- Device & Technical Data: IP address, browser type, and device information, collected automatically for security, rate limiting, and fraud prevention purposes.
3. How We Process Investor Data
EnrichQL functions as a search and aggregation engine for publicly available investor information. When you run a search, our pipeline performs the following operations:
- Multi-Source Database Discovery: We use Apify (a third-party web automation platform) to retrieve publicly accessible investor profiles from various open databases based on your search criteria.
- LinkedIn Verification: We use Apify to cross-reference investor data with public LinkedIn profiles to verify current roles and firm affiliation.
- AI Enrichment: Retrieved data is processed by Google Gemma 4 (via OpenRouter's AI API gateway) to generate match scores, alignment analyses, and personalized outreach email drafts. Data is not used to train AI models.
All investor data we retrieve is publicly accessible information. We act as a data processor on behalf of our users. We do not sell, license, or share this data with third parties beyond what is necessary to operate the pipeline.
4. Third-Party Services
Your inputs and processed data may be sent to the following sub-processors:
- Apify: For automated retrieval of publicly accessible investor data and LinkedIn profiles. Apify processes data under their own privacy policy and DPA.
- OpenRouter: For AI-powered analysis via the Google Gemma 4 model. Data is processed through OpenRouter's API infrastructure and is not used to train AI models.
- Supabase: For secure database storage, authentication, and row-level security (RLS) hosted on AWS infrastructure (EU/US regions).
- Creem.io: For payment processing, subscription management, and invoicing as our Merchant of Record.
- Vercel: For serverless hosting and edge delivery of our Next.js application.
We do not train proprietary AI models on your private queries or personal data.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the investor discovery service you have subscribed to.
- Legitimate Interest: Security monitoring, fraud prevention, rate limiting, and platform stability.
- Legal Obligation: Retention of billing and financial records as required by law.
- Consent: Where explicitly requested (e.g., marketing communications).
6. Data Retention
We retain your account data for as long as your account is active. Search history and investor results are retained for 90 days, after which they are automatically purged from our databases. You may request immediate deletion at any time. Payment and billing records are retained for as long as required by applicable financial regulations (typically 7 years).
7. Cookies
We use essential cookies only — specifically for authentication and session management via Supabase Auth. These cookies are strictly necessary for the service to function and cannot be disabled. We do not use third-party tracking cookies, advertising cookies, or cross-site analytics cookies.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure (“Right to be Forgotten”): Request deletion of your account and all associated data.
- Portability: Request your data in a machine-readable format.
- Objection / Restriction: Object to or restrict certain processing activities.
- CCPA Opt-Out: California residents may request that we not sell their personal information. We do not sell personal data.
To exercise any of these rights, contact us at support@enrichql.com.
9. Investor Data Opt-Out
If you are an investor or investment professional whose publicly available profile may be retrieved by our users through open databases or LinkedIn searches, you have the right to request that we flag your data for exclusion from future enrichment results. Contact us at support@enrichql.com with the subject line “Data Opt-Out” and include your name, firm, and the URL of the public profile in question.
10. Children's Privacy
Our services are intended exclusively for business use by individuals aged 18 or older. We do not knowingly collect personal information from children. If we become aware that a minor has provided us with personal data, we will take immediate steps to delete it.
11. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest via Supabase, row-level security (RLS) policies ensuring users can only access their own data, HMAC-SHA256 webhook signature verification, IP-based rate limiting on registration and search endpoints, and CSV injection prevention on data exports. No electronic system is 100% secure, but we take all reasonable steps to protect your data.
12. International Transfers
Your data may be processed in the United States and the European Union by our sub-processors (Supabase on AWS, Google Cloud, Vercel). We ensure all international transfers are protected through appropriate safeguards including Standard Contractual Clauses (SCCs) where required by GDPR.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered users via email of any material changes at least 14 days before they take effect. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact & Data Protection
For privacy-related inquiries, data deletion requests, GDPR/CCPA requests, or questions about this policy, contact us at support@enrichql.com. We aim to respond to all privacy requests within 30 days.