This Privacy Policy describes how Founders Arx Inc., a Delaware corporation ("Arx," "we," "our," "us") collects, uses, discloses, and protects information when you use our website, application, and related services (together, the "Service"). It applies to anyone who visits our pages or creates an account.
Arx is built for early-stage founders. The data you put into Arx — your cap table, your SAFEs, your investor pipeline, your financial model — is among the most sensitive information your company holds. We treat it that way.
When you create an Arx account and use the Service, you provide:
When you use the Service, we collect:
If you sign in with Google, we receive your name, email address, and profile photo from Google. If you connect Gmail, we receive an access token scoped to send mail on your behalf and (optionally) read replies to your update threads. These tokens are encrypted at rest with AES-256-GCM using a key separate from your application data.
We use the information we collect to:
We do not use your information to train any AI model that is used by other customers. We do not sell or rent your personal information to anyone.
Workspace data (cap table, data rooms, decks, updates, forecasts) is visible to members of your company workspace based on their assigned role (Owner, Admin, Member).
When you share a data room or deck, recipients receive access via a link. We log their interactions and show those analytics back to you. Recipients can read their own access permissions but cannot read any other workspace data.
We rely on a small number of trusted third parties to operate the Service. Each is bound by a written data processing agreement and is selected for its security posture and minimum-access footprint. The current list — covering Supabase, Vercel, Railway, Stripe, Resend, Google, Google Analytics (when enabled), Anthropic, OpenAI, Perplexity, and optional integrations such as Zoom and Slack — is published at /subprocessors, with the data categories sent to each and the regions where they process it. We notify customers in advance of any material change to that list.
We may disclose information if required by law, by valid legal process, or to protect the rights, property, or safety of Arx, our customers, or others.
If Arx is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.
Arx includes an AI assistant ("Ask Arx") that can read context from your workspace when you enable it. When you use it:
company_id binding, and Row-Level Security policies that protect every other API call protect AI tool calls as well.
Arx hosts a Model Context Protocol (MCP) server that lets external AI clients you authorise — for example, Claude Desktop — call a subset of Arx tools on your workspace. When you use MCP:
Optional integrations let Arx interact with services you connect (Gmail, Google Calendar, Zoom, Slack, Stripe, etc.). They are off by default and only engage once you complete the OAuth flow in Settings → Integrations.
gmail.send) and to read threads with partners already in your Investor DB (gmail.readonly). We do not crawl your full inbox. Workspace members see that an email exchange happened (who, when, which fund) — not subjects or bodies. Only you see full content for mail synced from your connected account.
calendar.readonly and calendar.events so the booking page can show availability, create meeting events, and sync CRM-matched meetings to your investor pipeline. Meeting metadata is visible to workspace members; disconnecting removes cached activity we stored for your account.
All OAuth tokens are encrypted at rest with AES-256-GCM using a key separate from your application data. You can revoke any integration in Settings → Integrations or from the third party's own security console. Upon revocation we delete the tokens and stop sending the provider any further requests. The assistant's ability to read calendar or email data through these integrations also requires the Integrations toggle on the AI access settings to be on; it is off by default.
When you upload files to the data room or pitch deck, we extract text from PDFs server-side so that you can search, attribute viewer attention by page, and (if the relevant AI-access toggle is on) ask the assistant questions about content. File-text extraction has a per-request size limit. Files themselves are stored in Supabase Storage, scoped to your workspace, and served to viewers through signed URLs with short expirations. View-only PDFs shared via the data room display a session watermark with the viewer's email address; downloads from the viewer are disabled by default.
We use strictly necessary cookies and browser storage to keep you signed in and remember your active workspace. On the marketing site, we load Google Analytics 4 only after you accept the cookie banner. Inside the authenticated app, we use first-party event collection (posted to our API) and, when configured, a separate Google Analytics 4 property to measure product usage in aggregate. We do not use third-party advertising or retargeting pixels. Full details — including storage keys and third-party contexts — are at /cookies.
We process data primarily in the United States. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the transfer is covered by Standard Contractual Clauses or an equivalent transfer mechanism, including the UK International Data Transfer Addendum where applicable. Supabase offers EU-region projects on request for customers with EU data-residency requirements.
We keep your information while your workspace is active and you have billing access (an active or trialing subscription, as applicable).
If your subscription is canceled or payment lapses and you have not deleted the workspace yourself, the workspace becomes read-only and we retain your data for 90 days from the date billing access lapsed, after which the workspace is permanently deleted from our active systems.
If you delete the workspace via Settings → Security → Delete account & all data, we mark it for deletion immediately. The workspace stays read-only for 30 days so you can export, then is permanently removed. Backups are purged per our infrastructure providers' schedules.
Usage analytics events (page views and sessions) are retained for up to 90 days, then deleted after aggregation into internal metrics. AI operation logs used for reliability may have detailed tool output trimmed after 90 days and be deleted after 12 months.
We work hard to keep your data safe. Highlights:
company_id, with PostgreSQL Row-Level Security as a second-line defence and automated isolation tests on every pull request.
Full details, including our Secure SDLC, vulnerability management, and incident response programs, are published on the Trust pages: Security overview, Secure SDLC, Incident response, Infrastructure & dependency management. If you discover a security vulnerability, please report it through /responsible-disclosure or email security@foundersarx.com before disclosing publicly.
Depending on where you live, you may have the right to:
To exercise any of these rights, email privacy@foundersarx.com. We respond within 30 days.
Arx is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with information, please contact us and we will delete it.
We may update this policy from time to time. Material changes will be communicated by email to the account owner at least 14 days before they take effect, and the "Last Updated" date at the top of this page will be revised. Continued use of the Service after the effective date constitutes acceptance.
If you have any questions about this Privacy Policy, please reach out:
This document is provided for transparency. It is not legal advice. Specific contractual terms may apply to enterprise customers.