
Privacy Policy

EFFECTIVE: MAY 1, 2026 · LAST UPDATED: JUNE 22, 2026

This Privacy Policy describes how Founders Arx Inc., a Delaware corporation ("Arx," "we," "our," "us") collects, uses, discloses, and protects information when you use our website, application, and related services (together, the "Service"). It applies to anyone who visits our pages or creates an account.

Arx is built for early-stage founders. The data you put into Arx — your cap table, your SAFEs, your investor pipeline, your financial model — is among the most sensitive information your company holds. We treat it that way.

Contents
  1. Information we collect
  2. How we use information
  3. When we share information
  4. AI features & your data
  5. MCP & external AI clients
  6. Third-party integrations
  7. File processing
  8. Cookies & analytics
  9. International transfers
  10. Data retention
  11. Security
  12. Your rights
  13. Children's privacy
  14. Changes to this policy
  15. Contact us

1. Information we collect

Information you provide

When you create an Arx account and use the Service, you provide:

  • Account information — your name, email address, password (hashed), role title, and timezone.
  • Company information — legal name, state of incorporation, stage, description, keywords, and competitor watchlist.
  • Cap table data — shareholders, options pool, signed SAFE agreements (including PDF documents and side letters), and pro-forma scenarios you save.
  • Data room contents — files (PDFs, spreadsheets, documents, links), folder structures, and the email addresses you share rooms with.
  • Pitch decks — uploaded PDF files and the public-link slugs you generate.
  • Investor records — names, firms, partner contacts, email addresses, statuses, notes, and check amounts.
  • Updates & communications — drafts, sent updates, embedded Loom URLs, and recipient lists.
  • Forecast assumptions — model inputs and scenario data.
  • Billing information — handled by Stripe; we do not store full card numbers. We retain your Stripe customer ID and subscription status.

Information collected automatically

When you use the Service, we collect:

  • Usage data — pages visited, features used, timestamps, and approximate IP-based location.
  • Device data — browser type, operating system, screen size, language.
  • Public-link analytics — when an investor opens a deck or data room you shared, we log their email address (if known), the time, duration of viewing, pages or files accessed, and approximate location. This is the analytics feature you, as a founder, use.

Information from third parties

If you sign in with Google, we receive your name, email address, and profile photo from Google. If you connect Gmail, we receive an access token scoped to send mail on your behalf and (optionally) read replies to your update threads. These tokens are encrypted at rest with AES-256-GCM using a key separate from your application data.

2. How we use information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Authenticate you and secure your account.
  • Send transactional email (sign-up confirmation, password resets, deck-view notifications, weekly digests, billing receipts).
  • Provide the AI assistant features, including generating responses, drafting updates, computing pro-forma scenarios, and answering questions about your data.
  • Detect and prevent abuse, fraud, and unauthorized access.
  • Improve the Service in aggregate (e.g., feature usage trends across all customers, never identifying any individual workspace).
  • Comply with legal obligations.

We do not use your information to train any AI model that is used by other customers. We do not sell or rent your personal information to anyone.

3. When we share information

Within your workspace

Workspace data (cap table, data rooms, decks, updates, forecasts) is visible to members of your company workspace based on their assigned role (Owner, Admin, Member).

With people you share with

When you share a data room or deck, recipients receive access via a link. We log their interactions and show those analytics back to you. Recipients can read their own access permissions but cannot read any other workspace data.

With our service providers

We rely on a small number of trusted third parties to operate the Service. Each is bound by a written data processing agreement and is selected for its security posture and minimum-access footprint. The current list — covering Supabase, Vercel, Railway, Stripe, Resend, Google, Google Analytics (when enabled), Anthropic, OpenAI, Perplexity, and optional integrations such as Zoom and Slack — is published at /subprocessors, with the data categories sent to each and the regions where they process it. We notify customers in advance of any material change to that list.

For legal reasons

We may disclose information if required by law, by valid legal process, or to protect the rights, property, or safety of Arx, our customers, or others.

Business transfers

If Arx is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

4. AI features & your data

Arx includes an AI assistant ("Ask Arx") that can read context from your workspace when you enable it. When you use it:

  • Tenant isolation. The assistant always operates inside the active workspace. It cannot read data from any other customer's workspace; the same authentication, company_id binding, and Row-Level Security policies that protect every other API call protect AI tool calls as well.
  • You control what is read. Eight category toggles in Settings → Account → AI access (cap table, investors, data room, pitch deck, updates, financial forecast, company information, integrations) gate which categories of workspace data the assistant can include in its requests. Toggles take effect immediately; with a toggle off, the assistant refuses dependent questions.
  • What is sent. Your message, the relevant conversation history stored in this workspace, and only the tool-call results allowed by your toggles (cap table summaries, pipeline rows, deck analytics, extracted text from data-room or pitch-deck files, etc.). We do not send unrelated workspace data "just in case."
  • Providers. Requests are sent to Anthropic (primary) and OpenAI (fallback and embeddings). Both providers are bound by our API agreements, which exclude customer content from being used to train foundation models. Provider-side retention for abuse monitoring is governed by the providers' current API policies.
  • Mutating actions require confirmation. When the assistant proposes an action that would change your data (add a SAFE, share a data room, send an update, etc.), it shows you the proposed change and only executes after you explicitly confirm.
  • Conversation history. Stored in your workspace and visible only to your team members. You can delete a thread at any time.

5. MCP & external AI clients

Arx hosts a Model Context Protocol (MCP) server that lets external AI clients you authorise — for example, Claude Desktop — call a subset of Arx tools on your workspace. When you use MCP:

  • External clients authenticate via OAuth 2.1. Tokens are bound to your workspace; we encrypt refresh tokens at rest with AES-256-GCM using a key stored outside the database.
  • The MCP server applies the same workspace binding, role, and AI-access toggles as the in-app assistant. A toggle that blocks the in-app assistant also blocks the MCP equivalent.
  • Mutating MCP tool calls (creating contacts, sharing rooms, etc.) require explicit confirmation inside the Arx app before they execute.
  • You can revoke any MCP token at any time in Settings → Integrations. Revocation is immediate.
  • The third-party AI client itself has its own privacy policy that governs how it sends prompts to its underlying model provider. Arx is not responsible for the client's handling of data outside of MCP tool calls to our API.

6. Third-party integrations

Optional integrations let Arx interact with services you connect (Gmail, Google Calendar, Zoom, Slack, Stripe, etc.). They are off by default and only engage once you complete the OAuth flow in Settings → Integrations.

  • Gmail. We request the minimum scopes needed to send investor updates from your address (gmail.send) and to read threads with partners already in your Investor DB (gmail.readonly). We do not crawl your full inbox. Workspace members see that an email exchange happened (who, when, which fund) — not subjects or bodies. Only you see full content for mail synced from your connected account.
  • Google Calendar. When you enable bookings, we request calendar.readonly and calendar.events so the booking page can show availability, create meeting events, and sync CRM-matched meetings to your investor pipeline. Meeting metadata is visible to workspace members; disconnecting removes cached activity we stored for your account.
  • Zoom. Used to create a Zoom meeting when a booking is scheduled. Scopes are limited to meeting creation and basic profile read.
  • Slack. Used for notifications and the Arx Slack app. Scopes are limited to the channels you authorise.
  • Stripe. Used for billing and (optionally) connecting your own Stripe account for founder-side revenue analytics.

All OAuth tokens are encrypted at rest with AES-256-GCM using a key separate from your application data. You can revoke any integration in Settings → Integrations or from the third party's own security console. Upon revocation we delete the tokens and stop sending the provider any further requests. The assistant's ability to read calendar or email data through these integrations also requires the Integrations toggle on the AI access settings to be on; it is off by default.

7. File processing

When you upload files to the data room or pitch deck, we extract text from PDFs server-side so that you can search, attribute viewer attention by page, and (if the relevant AI-access toggle is on) ask the assistant questions about content. File-text extraction has a per-request size limit. Files themselves are stored in Supabase Storage, scoped to your workspace, and served to viewers through signed URLs with short expirations. View-only PDFs shared via the data room display a session watermark with the viewer's email address; downloads from the viewer are disabled by default.

8. Cookies & analytics

We use strictly necessary cookies and browser storage to keep you signed in and remember your active workspace. On the marketing site, we load Google Analytics 4 only after you accept the cookie banner. Inside the authenticated app, we use first-party event collection (posted to our API) and, when configured, a separate Google Analytics 4 property to measure product usage in aggregate. We do not use third-party advertising or retargeting pixels. Full details — including storage keys and third-party contexts — are at /cookies.

9. International transfers

We process data primarily in the United States. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the transfer is covered by Standard Contractual Clauses or an equivalent transfer mechanism, including the UK International Data Transfer Addendum where applicable. Supabase offers EU-region projects on request for customers with EU data-residency requirements.

10. Data retention

We keep your information while your workspace is active and you have billing access (an active or trialing subscription, as applicable).

If your subscription is canceled or payment lapses and you have not deleted the workspace yourself, the workspace becomes read-only and we retain your data for 90 days from the date billing access lapsed, after which the workspace is permanently deleted from our active systems.

If you delete the workspace via Settings → Security → Delete account & all data, we mark it for deletion immediately. The workspace stays read-only for 30 days so you can export, then is permanently removed. Backups are purged per our infrastructure providers' schedules.

Usage analytics events (page views and sessions) are retained for up to 90 days, then deleted after aggregation into internal metrics. AI operation logs used for reliability may have detailed tool output trimmed after 90 days and be deleted after 12 months.

11. Security

We work hard to keep your data safe. Highlights:

  • Encryption in transit — TLS 1.2+ on every connection.
  • Encryption at rest — provided by our database and storage providers (AES-256).
  • OAuth tokens — encrypted with AES-256-GCM using a key separate from your application data.
  • Tenant isolation — every API request and database query is scoped by your company_id, with PostgreSQL Row-Level Security as a second-line defence and automated isolation tests on every pull request.
  • Authentication — strong password hashing, optional TOTP two-factor authentication, Google OAuth, and password-reset email links.
  • Backups — continuous point-in-time backups on the production database; storage objects versioned.
  • Audit log — material state-changing actions in the product are recorded in a workspace activity log.
  • Watermarks — view-only PDFs shared via the data room show a session overlay with the viewer's email.

Full details, including our Secure SDLC, vulnerability management, and incident response programs, are published on the Trust pages: Security overview, Secure SDLC, Incident response, Infrastructure & dependency management. If you discover a security vulnerability, please report it through /responsible-disclosure or email security@foundersarx.com before disclosing publicly.

12. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (we provide a one-click "Delete account" flow).
  • Object to or restrict certain processing.
  • Request a portable copy of your data.
  • Withdraw consent for any optional processing.

To exercise any of these rights, email privacy@foundersarx.com. We respond within 30 days.

13. Children's privacy

Arx is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with information, please contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to the account owner at least 14 days before they take effect, and the "Last Updated" date at the top of this page will be revised. Continued use of the Service after the effective date constitutes acceptance.

15. Contact us

If you have any questions about this Privacy Policy, please reach out:

  • Email — privacy@foundersarx.com
  • General — hi@foundersarx.com
  • Security — security@foundersarx.com
  • Mail — Founders Arx Inc. (dba Arx), 548 Market Street, PMB 47812, San Francisco, CA 94104, USA

This document is provided for transparency. It is not legal advice. Specific contractual terms may apply to enterprise customers.

© 2026 Arx, Inc. All rights reserved.