Privacy Policy

Effective: 1 May 2026. This notice explains what personal data valicon.ai processes and on what legal basis, for both founder accounts and investors who visit a data room. Questions? Email hello@valicon.ai.

1. Controller

Spectup, sole proprietorship, Niclas Schlopsna, Geitauer Straße 14, 81379 München, Germany. Email hello@valicon.ai. See our Imprint for full operator information.

Spectup operates valicon.ai as the sole controller within the meaning of GDPR Art. 4(7). For founders who use valicon.ai to host investor data on their own behalf, Spectup acts as a processor for that hosted content under GDPR Art. 28; the founder is the controller in that relationship and we sign a data-processing addendum (DPA) on request.

2. Data we process

Founder accounts (you signed up directly):

  • Account fields: full name, work email, company name, password (hashed with bcrypt).
  • Deal profile: purpose (startup / growth / fund), industry, stage, HQ country, target raise, headline metric (revenue or AUM band), traction signals.
  • Files you upload to your data room (decks, financials, legal documents, etc.).
  • Billing data when you upgrade to Pro: handled directly by Stripe; we store only the Stripe customer ID and subscription metadata, never your card.
  • Referral data: a unique referral code we assign to your workspace, plus an optional link to the workspace that referred you (if you signed up via someone else’s link). Used to credit one-month rewards to the referrer when you upgrade to a paid plan.
  • Email preferences: the on/off state of three optional notification categories (first-view alerts, weekly digest, product updates). Always-on transactional emails are listed above.
  • Server logs: IP, user agent, timestamps of API calls. Kept 30 days for security forensics.
  • Audit log: per-action records of writes you perform inside the workspace (file upload/delete, invite send, NDA template edit, etc.) so you can reconstruct who did what.

Investors visiting a data room:

  • Email address provided by the founder when they invited you.
  • NDA signature: typed name, timestamp, IP address (kept as legal evidence).
  • Activity inside the data room: pages viewed, slides viewed, dwell time per slide, downloads. Shown to the inviting founder only.
  • Approximate country derived from IP (city-level, not precise location).
  • Browser + device fingerprint to detect forwarded access (per the NDA you sign).

We do not use third-party advertising trackers, social-media pixels, or cross-site analytics. There is no tracking on the public marketing site beyond essential server logs.

3. Legal basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) - for everything needed to operate your account: login, hosting your files, sending invites, billing.
  • Legitimate interest (Art. 6(1)(f)) - for security logs, abuse detection, and the activity tracking we expose to founders inside their own data rooms (the founder’s legitimate interest in protecting confidential deal materials).
  • Consent (Art. 6(1)(a)) - investors actively sign an NDA before entering a data room; that signature acts as the legal basis for the per-investor activity tracking we perform on the founder’s behalf.
  • Legal obligation (Art. 6(1)(c)) - invoices and tax records under §147 AO are kept for 10 years.

4. Cookies and similar technologies

valicon.ai sets only strictly necessary, first-party cookies that are required to operate the service. Per §25(2) TTDSG and the ePrivacy Directive, these do not require a consent banner.

  • dr_session - founder login (HTTP-only, SameSite=Lax, 30-day expiry).
  • dr_investor - investor login inside a data room (HTTP-only, SameSite=Lax, 30-day expiry).
  • dr_invite - short-lived invite-token state during the NDA flow.

Founder-facing activity analytics inside a data room are collected server-side and tied to the investor’s authenticated session - no client-side fingerprinting beyond what the NDA discloses.

4a. Google Analytics (only with your consent)

On the public marketing site (valicon.ai) we use Google Analytics 4, property ID G-C8W8MJGMVF, to understand which pages help founders the most. GA4 only loads after you click “Accept” on the cookie banner. If you click “Reject” or dismiss the banner, no Google script is loaded and no GA cookie is set.

When loaded, GA4 may set the following cookies in your browser:

  • _ga - distinguishes unique visitors, lifetime up to 2 years.
  • _ga_C8W8MJGMVF - session state for our specific property, lifetime up to 2 years.
  • _gid - short-term visitor distinction, lifetime 24 hours.

Pseudonymous events (page views, clicks, scroll depth) are sent to Google LLC (US) for processing. We enable IP anonymisation (anonymize_ip: true) so the last octet of your IP is truncated before storage. The legal basis is your consent under GDPR Art. 6(1)(a). You can withdraw consent at any time using the “Cookie settings” link in our footer; this clears the valicon_consent entry in your browser’s site data, removes any GA cookies, and re-shows the banner. Google’s own privacy notice: policies.google.com/privacy.

Google Analytics is loaded only on the public marketing site. It is never loaded inside the authenticated app, on data-room pages, or in invitation flows. The privacy policy is enforced in code via a path-based blocklist; even with consent, GA does not run on those surfaces.

4b. In-app announcements & product-update emails (founders only)

We use two channels to communicate platform-level updates to founders who have signed up: an in-app notification bell on the dashboard, and transactional product-update emails when an update is time-sensitive (a new feature shipped, a roadshow we’re running, an upcoming change to your plan). Investors visiting a data room never receive either of these; they only see content their inviting founder has placed in the room.

Announcements can be filtered by your workspace profile (industry, stage, purpose, country, raise band). The filter applies to which announcements you see; we never send the announcement about you to third parties. Filter dimensions are derived from data you yourself entered during the welcome wizard or in Settings.

Opt-out: the email half of this channel respects the Product updates toggle in Settings → Notifications. Turning it off stops product-update emails immediately; the in-app bell still surfaces relevant announcements unless you archive them. Always-on transactional emails (verification codes, password resets, the invite emails you send to investors, billing receipts) are required for the service to function and are not controllable here.

5. Processors and subprocessors

We use the following service providers under written data-processing agreements (Auftragsverarbeitungsverträge per Art. 28 GDPR):

  • Hosting & database - Railway Corp. (US, EU regions used). Application servers + SQLite storage.
  • Transactional email - Resend (Delaware, US, EU sub-processors). Invites, password resets, billing receipts.
  • AI inference - Anthropic PBC (US). Block-builder, reply-template suggestions, Ask-AI tab. Prompts are not used by Anthropic to train models per their commercial terms.
  • Payments - Stripe Payments Europe Ltd. (Ireland) for billing, Stripe Inc. (US) as the parent. Card data never touches our servers.

All US providers process data under EU Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

6. Your rights

Under GDPR Art. 15-22 you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Have your data erased (Art. 17).
  • Restrict processing (Art. 18).
  • Receive your data in a portable format (Art. 20).
  • Object to processing on legitimate-interest grounds (Art. 21).
  • Withdraw consent at any time without affecting prior lawful processing.

To exercise any of these rights, email hello@valicon.ai. You can also delete your account from Settings, which deletes your account record and triggers a 90-day backup-purge cycle. You may lodge a complaint with the Bavarian data-protection authority (BayLDA, lda.bayern.de) or any other competent supervisory authority.

7. Retention

  • Active account data: kept while the account is active.
  • After deletion: 90-day backup retention before permanent purge.
  • Server logs (IP, request metadata): 30 days.
  • Invoices and billing records: 10 years (§147 AO).
  • NDA signatures: kept for the duration of the data room plus 6 years (statute of limitations on contract claims).

8. International transfers

Some of our processors are based outside the EU/EEA (see Section 5). We rely on EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework as adequacy bases. We assess each transfer under Schrems II principles before engaging the vendor.

9. Children

valicon.ai is a B2B product not intended for children under 16. We do not knowingly process data from children.

10. Changes to this policy

We update this notice when our processing changes. The current version is always posted at /privacy. Material changes are emailed to active account holders at least 14 days before they take effect.

Questions or want to exercise a right? Email hello@valicon.ai and we will respond within 30 days.
