FundMap — Privacy Policy

Product: FundMap ("FundMap," the "Service") Controller / Provider: Signus Solutions Inc. ("Signus," "we," "us," "our") Effective Date: June 9, 2026 Last Updated: June 9, 2026 Version: 1.0

This Privacy Policy explains how Signus Solutions Inc. collects, uses, discloses, retains, and protects personal information in connection with FundMap, and the choices and rights available to you. It is incorporated into and forms part of the FundMap Terms of Use. Capitalized terms not defined here have the meanings given in the Terms of Use.

By using the Service, you acknowledge this Privacy Policy. If you do not agree, do not use the Service.

1. Scope

1.1. This Policy applies to personal information we process about: (a) Users who visit, register for, or use the Service (including founders and firm representatives); and (b) Listed Individuals — investors, partners, and personnel whose business contact and professional information appears in our investment-ecosystem directory.

1.2. This Policy does not apply to: (a) third-party websites, services, or platforms linked to or integrated with the Service (each governed by its own policy); or (b) information you choose to send directly to third parties using the Email Features (those messages are sent by you, from your own account — see Section 6).

2. Who We Are; Roles Under Data-Protection Law

2.1. Signus Solutions Inc. is the entity responsible for the Service.

2.2. Controller / "business." For most processing described here, Signus acts as a controller (GDPR/UK GDPR) and a business (CCPA/CPRA).

2.3. Processor / "service provider." With respect to certain content you upload and actions you direct — for example, the pitch decks you host and share, and the outreach messages you compose and send through your own connected email account — we act as a processor / service provider that processes that data on your instructions to perform the requested function. You are responsible, as controller/business, for your lawful basis to collect and use the recipient and contact information you provide or contact.

3. Information We Collect

We collect the following categories of personal information:

3.1. Information you provide

Account and profile data: name, email address, profile image, role, and authentication identifiers.
Company / founder profile: company name, website, company profile/description, funding stage, raise amount, founder names, and related details (which may be auto-extracted from materials you upload — see 3.3).
User Content: pitch decks and uploaded files, notes, firm submissions and corrections, outreach drafts and templates, and other content you submit.
Communications: information in your messages to us (support, requests, feedback).
Payment-related data: billing identifiers and subscription status. Full payment-card numbers are collected and processed directly by our payment processor (Stripe); we do not store full card numbers. We store a customer identifier and subscription status.

3.2. Connected-account data (Google / Gmail)

When you connect a Google account to use the Email Features, we collect and store, with your consent:

your Google account email address and basic profile/identity information returned by Google;
OAuth credentials, including an access token and a refresh token, and the granted scopes (currently including gmail.send to send messages on your behalf, plus openid/email);
metadata necessary to send messages you compose (e.g., recipients and message content you provide for transmission).

Google API data — Limited Use. Our access to, use of, and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Gmail-connection data solely to provide and improve the user-facing Email Features you request (composing and sending messages from your account). We do not use Gmail data for advertising, do not sell it, do not transfer it except as necessary to provide the feature, to comply with law, or as part of a merger/acquisition with notice, and do not allow humans to read it except with your consent, for security/abuse/legal reasons, where required by law, or in aggregated/de-identified form. We request the minimum scopes necessary. We do not request scopes to read, search, or download your mailbox; the gmail.send scope permits sending only.

3.3. Information generated by the Service

AI-derived data: content our AI features extract, summarize, rank, generate, or rewrite from your inputs (e.g., extracted company profile from a deck, deck reviews, drafted outreach text).
Deck-sharing and analytics data: when a deck or review is viewed via a share link, we log viewer IP address, user-agent/device information, view timestamps, and view duration, and whether access succeeded; we use this to provide founder-facing analytics and notifications.
Usage and view tracking: firm-profile views (including for free-tier limits), pages/paths visited, referrer, and an inferred country, associated with your account or with an anonymous identifier.

3.4. Information collected automatically

Device and log data: IP address, browser type, operating system, device identifiers, access times, pages viewed, and referring URLs.
Cookies and similar technologies: including a first-party cookie used to count free-tier views by anonymous visitors, authentication/session cookies, and analytics/tag-management technologies. See Section 9.

3.5. Information about Listed Individuals

For our directory, we collect business and professional information about investors and firm personnel — such as name, title, firm affiliation, business email, business phone, website, LinkedIn/Twitter and similar professional profiles, photo, focus areas, and investment criteria — from publicly available sources, third-party data providers, automated web crawling/scraping, AI-based extraction, and user submissions. This information is collected and presented in a professional, business-directory context.

3.6. Sensitive information

We do not intentionally collect special-category/sensitive personal information (such as government IDs, health, biometric, or financial-account data beyond what the payment processor handles). Please do not submit such information through User Content.

4. How We Use Personal Information

We use personal information to:

(a) provide, operate, maintain, and secure the Service and its features (directory access, deck hosting/sharing, analytics, AI features, and the Email Features);

(b) create and manage accounts and authenticate users;

(d) send messages you compose, from your connected email account, when you direct us to (Email Features);

(e) generate AI-assisted output you request (deck reviews, extractions, drafts, research);

(f) build, maintain, enrich, and improve the investment-ecosystem directory;

(g) provide founder-facing deck analytics and notifications;

(h) communicate with you, including service, transactional, security, and (where permitted) marketing messages;

(i) personalize and improve the Service, develop new features, and perform analytics;

(j) detect, investigate, and prevent fraud, abuse, spam, security incidents, and violations of our Terms;

(k) comply with legal obligations, enforce our Terms, and establish, exercise, or defend legal claims; and

(l) for other purposes disclosed to you or with your consent.

We do not use connected Gmail data for any purpose other than providing and improving the Email Features, as described in Section 3.2.

5. Legal Bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Performance of a contract — to provide the Service and features you request.
Consent — for connecting your Google account and Gmail-send authorization, certain cookies/analytics, and optional marketing; you may withdraw consent at any time.
Legitimate interests — to operate, secure, and improve the Service, maintain the professional directory, prevent abuse, and pursue our business interests, balanced against your rights. With respect to Listed Individuals, our legitimate interest is providing a professional business-information directory.
Legal obligation — to comply with applicable law.

6. The Email Features and Your Responsibilities

6.1. When you use the Email Features, you are the sender and controller of those messages. We process the recipient data and message content you provide solely to transmit the message from your connected account, acting as your processor/service provider.

6.2. You are solely responsible for having a lawful basis to contact each recipient, for the accuracy of recipient data, for the content of each message, and for compliance with all applicable laws (including anti-spam laws such as CAN-SPAM, CASL, and GDPR/ePrivacy marketing rules). See Section 9 of the Terms of Use. We are not responsible for your compliance or for any message you send.

7. How We Disclose Personal Information

We do not sell personal information for money. We disclose personal information as follows:

7.1. Service providers / processors who perform functions on our behalf under contractual confidentiality and data-protection obligations, including:

Cloud hosting and storage (e.g., AWS and associated CDN);
Payment processing (Stripe);
Transactional email delivery for our own service notifications (e.g., Resend);
AI/model providers that process inputs to generate output you request;
Content-extraction / crawling providers used to build the directory;
Analytics and tag management (e.g., Google Tag Manager and analytics tools loaded through it);
Logo/data enrichment providers;
optional queue/cache infrastructure.

7.2. At your direction — e.g., transmitting your outreach messages from your connected email account to the recipients you select, and making a shared deck accessible to anyone with the link (and password, if set).

7.3. Legal and protection — to comply with law, regulation, legal process, or governmental request; to enforce our Terms; and to protect the rights, property, safety, and security of Signus, our users, and the public, and to detect and prevent fraud or abuse.

7.4. Business transfers — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case personal information may be transferred subject to this Policy or with notice.

7.5. With consent or as otherwise disclosed at the time of collection.

"Sale" / "sharing" under U.S. state laws. We do not sell personal information for monetary consideration. Some U.S. state privacy laws define "sale" or "sharing" broadly to include the use of certain analytics or advertising cookies. To the extent any such activity qualifies, you may exercise the opt-out rights in Section 11. We do not sell or share Gmail/Google user data.

8. International Data Transfers

8.1. We are based in the United States and process data in the U.S. and in other countries where we or our service providers operate. These countries may have data-protection laws different from those in your jurisdiction.

8.2. Where we transfer personal information from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures as needed. You may request a copy of the relevant safeguards by contacting us.

9. Cookies and Tracking Technologies

9.1. We and our providers use cookies, pixels, local storage, and similar technologies to: keep you signed in; remember preferences; enforce free-tier view limits via an anonymous identifier; measure and analyze usage; and secure the Service.

9.2. We use Google Tag Manager to manage tags, which may load analytics (and, if configured, other) technologies. Depending on configuration and your jurisdiction, some of these may be subject to consent requirements.

9.3. Your choices. You can control cookies through your browser settings and, where presented, through our cookie/consent banner. Disabling some cookies may impair functionality. Where required, we obtain consent before placing non-essential cookies and honor recognized opt-out preference signals (such as Global Privacy Control) as required by law.

10. Data Retention

10.1. We retain personal information for as long as necessary to provide the Service, fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

10.2. Specific examples:

Account data — for the life of your account and a reasonable period thereafter.
Gmail OAuth tokens (including refresh tokens) — retained while your connection remains active to enable the Email Features; deleted or invalidated when you disconnect/revoke access, when you delete your account, or after a prolonged period of inactivity.
Uploaded decks and User Content — until you delete them or close your account, subject to backup cycles.
Deck-view analytics logs (including IP/user-agent) — for the period needed to provide analytics, then deleted or aggregated.
Billing records — as required by tax, accounting, and legal obligations.

10.3. Residual copies may persist in backups for a commercially reasonable period and are deleted in the ordinary course. We may retain de-identified or aggregated data indefinitely.

11. Your Privacy Rights

Subject to applicable law and verification of your identity, you may have the following rights.

11.1. EEA/UK and similar jurisdictions (GDPR / UK GDPR)

access to your personal information;
rectification of inaccurate or incomplete data;
erasure ("right to be forgotten");
restriction of processing;
data portability;
objection to processing based on legitimate interests, including direct marketing;
withdrawal of consent at any time (without affecting prior processing); and
the right to lodge a complaint with your supervisory authority.

11.2. United States (California/CPRA and other state laws)

Right to know / access the categories and specific pieces of personal information we collected, the sources, purposes, and recipients;
Right to delete personal information, subject to exceptions;
Right to correct inaccurate personal information;
Right to opt out of any "sale" or "sharing" of personal information and of targeted advertising;
Right to limit use of sensitive personal information (we do not use sensitive personal information for purposes requiring such a limit);
Right to non-discrimination for exercising your rights.

California's "Shine the Light" law: we do not disclose personal information to third parties for their own direct-marketing purposes.

11.3. How to exercise rights

Submit a request to support@signus.ai or via any in-product mechanism we provide. We will verify your request and respond within the time required by applicable law. You may use an authorized agent where permitted. We will not discriminate against you for exercising your rights. If we deny a request, you may appeal as provided by applicable law by contacting support@signus.ai.

11.4. Listed Individuals

If you are an investor or firm representative listed in our directory, you may request access, correction, or removal of your information as described above and in Section 13 of the Terms of Use. Contact support@signus.ai.

12. Your Choices

Account information — update via account settings.
Disconnect Google/Gmail — revoke access in your Google Account security settings or, where available, within the Service. This stops future sending but does not affect already-sent messages.
Marketing — opt out via the unsubscribe link in marketing emails; we will still send necessary transactional/service messages.
Cookies — manage via your browser and our consent controls (Section 9).
Delete account — request deletion as described in Section 11.

13. Security

13.1. We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, server-side storage of sensitive credentials (such as OAuth tokens, which are not exposed to client-side code), and encryption of certain stored secrets (such as deck passwords).

13.2. No method of transmission or storage is completely secure. We cannot guarantee absolute security, and you provide information at your own risk. You are responsible for safeguarding your credentials. In the event of a breach affecting your personal information, we will notify you and authorities as required by applicable law.

14. Children's Privacy

The Service is not directed to and may not be used by anyone under the age of eighteen (18) (or the age of majority where higher). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact support@signus.ai and we will delete it.

15. Automated Processing

We use automated and AI-based processing to extract, enrich, summarize, rank, and generate content, and to enforce usage limits. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without a lawful basis. AI output may be inaccurate; see the Terms of Use.

16. Third-Party Links and Services

The Service links to and integrates with third-party services with their own privacy practices. We are not responsible for those practices. Review their policies before providing information.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last Updated" date and, for material changes, provide additional notice where required. Your continued use after the effective date constitutes acceptance.

18. Contact Us; Data Protection Contact

Signus Solutions Inc. Attn: Privacy Email: support@signus.ai Website: https://fundmap.ai · https://signus.ai

We have not appointed a Data Protection Officer, as one is not required under applicable law; for all privacy and data-protection matters, please contact support@signus.ai. If and when we are required to designate an EU/UK Representative under Article 27 of the GDPR/UK GDPR, that designation and contact details will be published here.