Privacy Policy
Draft v2 — Subject to counsel review. This document is a baseline draft rewritten for the multi-user shared-baseline model. Legal counsel should review and approve it before broad availability.
Effective Date: July 9, 2026
Last Updated: July 9, 2026
1. Introduction and Controller
This Privacy Policy describes how [Operating Entity — fill in legal name] ("we," "us," or "our") collects, uses, discloses, and protects information when you use SoloSearcher ("Service").
Data Controller: [Operating Entity], [Address Placeholder], Delaware, United States.
For privacy inquiries, contact: privacy@solosearcher.com
2. The Two Zones: Shared Baseline and Your Private Workspace
SoloSearcher is built on a deliberate two-zone data model. Understanding it explains almost everything else in this policy.
2.1 The shared baseline
Every user sees the same shared baseline: a database of small businesses assembled from lawfully redistributable public records — principally U.S. Small Business Administration PPP loan data released under the Freedom of Information Act, U.S. Census Bureau statistics, and business-registry records — plus deterministic estimates we derive from those records (such as estimated financials and fit scores; see Section 7). Shared-baseline records describe businesses, not Service users. Where a public record includes an individual's name in a business capacity (for example, a business owner named in a public loan record), we handle it as described in Section 8.
You cannot edit the shared baseline directly. If you believe a shared fact is wrong, the Service provides a report-a-correction path; corrections are reviewed and applied by the operator, and every applied correction is recorded in an audit log.
2.2 Your private workspace
Everything you add is private to you. Your notes, ratings, statuses, contacts, uploaded documents, extracted financials, saved views, search preferences, AI session history, and every other record you create are visible only to your account. Other users never see them, and they are never merged into the shared baseline.
3. Information We Collect
3.1 Account data (via Clerk)
Authentication is handled by Clerk, Inc. When you sign in, Clerk collects and provides us with your email address, display name (if set), session tokens and device identifiers, and login timestamps and IP addresses.
3.2 Private workspace data (user-provided)
Data you enter or upload into your private workspace, including company notes and ratings, pipeline statuses, contact records, uploaded documents (CIMs, tax returns, financial statements), and financial figures you record.
3.3 Waitlist and payment verification (via Stripe)
If you join the waitlist and complete card verification for a founding reservation, payment card details are collected directly by Stripe, Inc. — card numbers never touch our servers. We store only Stripe's customer and verification identifiers alongside your waitlist entry.
3.4 AI interaction data
When you run AI analysis inside the Service, the relevant company data and prompts are transmitted to Anthropic's Claude API. Every AI invocation is logged with timestamp, model, token counts, and cost — for cost tracking and auditability, not marketing or profiling.
If you connect your own AI agent to the Service (Section 6), we log each tool invocation your agent makes. That log records which tool was called, when, whether it succeeded, and a restricted set of request parameters — never the content of your notes, documents, or financial values (numeric financial parameters are recorded only as coarse bands). The one exception is the report_gap tool, whose free-text summary is, by its stated purpose, shared with the operator.
3.5 Usage, diagnostics, and security data
- Vercel (hosting) logs request metadata (URL, status code, IP, user agent) as part of normal operations.
- Sentry (error monitoring) receives error reports; our Sentry integration is configured to redact private content from error payloads before transmission.
- Upstash (rate limiting) stores request counters keyed by account or network identifiers — counters only, no content.
- We maintain an append-only audit log of security-relevant actions (logins, key lifecycle events, deletions, corrections, agent tool calls). Audit metadata passes through an allowlist-based redaction layer so that free-text and financial values are excluded by construction.
4. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Contract performance |
| AI analysis you initiate | Contract performance |
| Cost tracking (AI/tool invocation logging) | Legitimate interest |
| Security monitoring, rate limiting, abuse prevention | Legitimate interest |
| Waitlist management and card verification | Contract performance |
| Compliance with legal obligations | Legal obligation |
We do not use your private workspace data for training AI models, marketing to third parties, or sale to data brokers. We do not build the shared baseline from any user's private data.
5. How Your Data Is Protected — Stated Truthfully
We describe our security model in terms of what is actually implemented and verified, not aspiration:
- Layered isolation. Access to your private data is enforced by application-level access control and, beneath it, database row-level security: the database role the application reads and writes with can only see and modify rows belonging to the requesting account. These layers are verified by automated isolation tests that run on every change to the codebase.
- Per-user encryption at rest. Sensitive private content (documents and extracted financial data) is encrypted with a per-user data encryption key (DEK). When your account is deleted, your DEK is destroyed ("crypto-shred"), rendering the encrypted content unrecoverable, in addition to row deletion and file purging.
- Encryption in transit. All connections use TLS.
- What we do not claim. This is not end-to-end encryption and not a zero-knowledge system. The Service must process your data to operate (for example, to run extractions and searches you request), and the operator retains the technical ability to access data for service operation. Our operating stance on that access is described in Section 9.
6. Your AI Agent's Access
SoloSearcher is designed to be used by AI agents you connect (via API keys or OAuth you authorize):
- Your agent acts as you: it can see only your private workspace plus the shared baseline — the same boundary you have.
- Keys carry explicit capability grants (read, or read + write) and expire by default; you can revoke them at any time.
- Agent tool invocations are logged as described in Section 3.4 for cost control and security auditing.
- Your agent's conversations with you happen inside your AI provider and are not visible to us; we see only the tool calls that reach our API.
7. Estimated Financials — Disclaimer
The shared baseline includes modeled estimates (for example, estimated revenue, payroll, and seller discretionary earnings) derived deterministically from public records and industry statistics. These are:
- Labeled as estimates wherever they appear, with a stated confidence level;
- Accompanied by a methodology explainer describing how they are derived;
- Not financial statements, appraisals, valuations, or investment advice; and
- Provided without warranty of accuracy. Verify independently before relying on any figure in a transaction.
8. Third-Party Business Information and Corrections
Shared-baseline records derive from public records and describe businesses. If a record includes information about you or your business that you believe is inaccurate, or personal information you wish to have reviewed, contact privacy@solosearcher.com or use the in-product correction path. We review such requests against the public-record source and applicable law, and applied changes are audited.
9. Operator Access Stance
Day-to-day operator monitoring is metadata-only: aggregate usage, cost roll-ups, error rates, audit events, and the redacted invocation logs described above. The operator does not browse users' private content. The only operator actions that touch private content are the ones you request — a data export or an account deletion — and both are recorded in the audit log.
10. Subprocessors
A full list with data-flow details is maintained at /legal/subprocessors.
| Subprocessor | Purpose | Location |
|---|---|---|
| Clerk, Inc. | Authentication and session management | United States |
| Neon, Inc. | PostgreSQL database (data at rest) | United States |
| Vercel, Inc. | Application hosting and request logs | United States / Global CDN |
| Cloudflare, Inc. (R2) | Encrypted document storage | United States |
| Anthropic, PBC | AI analysis (Claude API) | United States |
| Stripe, Inc. | Waitlist card verification and (future) billing | United States |
| Upstash, Inc. | Rate-limit counters (no content) | United States |
| Functional Software, Inc. (Sentry) | Error monitoring (redacted payloads) | United States |
| U.S. Census Bureau geocoder / OpenStreetMap Nominatim | Geocoding of business addresses from the shared baseline only | United States / EU |
11. Your Rights
| Right | Status |
|---|---|
| Access — obtain a copy of your data | Available on request |
| Correction — fix inaccurate data | Private data: self-serve in the dashboard. Shared-baseline facts: correction-report path (Section 8) |
| Deletion — delete your account | Self-serve in Settings; 7-day grace period, then rows purged, files deleted, and your encryption key destroyed |
| Portability — machine-readable export | Available on request (privacy@solosearcher.com) |
| Restriction / Objection | Contact privacy@solosearcher.com |
CCPA (California): we do not sell personal information. GDPR (EEA/UK): the rights above apply, plus the right to lodge a complaint with your supervisory authority. We respond to rights requests within 30 days.
12. Data Retention
| Data Category | Retention |
|---|---|
| Active account data | While the account is active |
| Account data after deletion | 7-day grace window (cancellable), then hard-deleted: rows purged, stored files deleted, per-user encryption key destroyed |
| AI/tool invocation logs | Up to 1 year |
| Security audit log | Up to 2 years (partitioned and rotated) |
| Waitlist entries | Until you request removal or the waitlist program ends |
| Hosting request logs | Per Vercel's standard retention |
13. Cookies
The Service sets Clerk's authentication cookies (required to sign in) and no advertising or third-party tracking cookies.
14. Children's Privacy
The Service is not directed to children under 16, and we do not knowingly collect their personal information.
15. International Transfers
Our servers and subprocessors are primarily located in the United States. If you access the Service from the EEA, UK, or another jurisdiction with transfer restrictions, your data may be processed in the United States. We rely on Standard Contractual Clauses or equivalent mechanisms where required.
16. Governing Law
This policy is governed by the laws of the State of Delaware, United States. GDPR and CCPA obligations apply to the extent those laws require.
17. Changes to This Policy
We will notify you of material changes by updating the "Last Updated" date and, where required, by email or in-app notice.
18. Contact
Privacy inquiries: privacy@solosearcher.com
Mailing address: [Operating Entity], [Address Placeholder], Delaware, United States
Version: v2 · Draft: 2026-07-09