Privacy Policy

Last updated: April 8, 2026

Introduction

At Dealyo ("we," "our," or "us"), operated by Howcan, Inc., we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered deal management platform ("the Service").

By using Dealyo, you consent to the data practices described in this policy. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

1. Information We Collect

Account Information

  • Email address and name (provided via Google or Microsoft OAuth sign-in)
  • Profile information you choose to provide
  • Authentication tokens for connected email accounts (securely encrypted via Supabase Vault using AES-256-GCM)

Email Data (Gmail and Microsoft Outlook)

  • Email messages and metadata (sender, recipients, date, subject, labels)
  • Email body content (text and HTML)
  • Email attachments and documents
  • Contact information extracted from your emails

Deal Information

  • Deal names, descriptions, types, and status
  • Participant information and engagement data
  • Tasks, deadlines, and date tracking
  • Documents, notes, and custom data you add to deals
  • AI-generated insights, summaries, and analysis

Usage Data

  • Features you use and actions you take
  • Error logs and performance data (PII is automatically redacted from all logs)
  • Device and browser information
  • IP address and general location (country/region)

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our deal management service
  • Read and analyze your emails to identify and organize deal-related communications
  • Send emails on your behalf through your connected email account — specifically for calendar event invitations and deal reminder notifications that you initiate
  • Generate AI-powered insights, summaries, task suggestions, and deal analysis
  • Organize documents, track deal participants, and manage deal timelines
  • Send you service-related notifications via our transactional email system (not your email account)
  • Respond to your support requests and inquiries
  • Improve our service and develop new features
  • Detect and prevent fraud, abuse, and security issues
  • Comply with legal obligations and enforce our terms

3. Email Access and Permissions

Google Gmail

We request the following Google OAuth scopes:

  • gmail.readonly — to read your email messages, metadata, and attachments for deal discovery and analysis
  • gmail.send — to send calendar event invitations and deal reminder notifications from your email address, only when you explicitly initiate these actions
  • userinfo.email — to identify your account

We will never delete or modify your existing emails. Sending is limited to calendar invitations and reminders that you explicitly trigger through the application. We do not send marketing emails, automated follow-ups, or any communication without your direct action.

Microsoft Outlook

We request the following Microsoft Graph API permissions:

  • Mail.Read — to read your email messages for deal discovery and analysis
  • Mail.Send — to send calendar invitations and deal reminders from your email address
  • Files.Read.All — to access documents shared via OneDrive/SharePoint in your deals
  • Calendars.ReadWrite — to manage deal-related calendar events
  • User.Read — to identify your account

You may revoke email access at any time through your account settings. When you disconnect your email account, we revoke the OAuth token with the provider and delete it from our encrypted vault.

Google API Limited Use Disclosure

Dealyo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. AI Processing and Third-Party Services

To provide our AI-powered features, we use third-party AI services. When you use our AI features:

  • Email content is anonymized (personally identifiable information replaced with reversible tokens) before being sent to AI providers
  • We only send the minimum necessary data for processing
  • Data sent to AI providers is not used to train their models
  • All AI processing follows strict data minimization principles
  • For certain features (such as extracting key deal terms from documents), content may be sent without anonymization when the content itself is the data being analyzed. This processing is covered under our data processing agreements with these providers

Sub-Processors

We use the following third-party service providers to deliver our Service:

  • Google Gmail API / Microsoft Graph API — email access (read and send) and calendar management
  • OpenAI / Anthropic — AI analysis, insights, and document processing (data anonymized before sending unless content extraction requires original text)
  • Supabase — database, authentication, and file storage (encrypted at rest, row-level security on all tables)
  • Pinecone — vector search for email-to-deal matching (embeddings and metadata)
  • PromptLayer — AI prompt management and observability (data sanitized before sending, no PII stored)
  • AgentMail — transactional email delivery for service notifications (document request invitations, team invitations)
  • Trigger.dev — background job processing (job metadata only, no email content)
  • Vercel — application hosting, serverless functions, and edge network
  • Stripe — payment processing (we never store your payment card details — Stripe handles all PCI compliance)
  • AWS Textract — document OCR and text extraction (document content only, transient processing)

We maintain data processing agreements (DPAs) with all sub-processors to ensure appropriate data protection standards.

5. Data Security

We implement comprehensive security measures to protect your information:

  • All data in transit is encrypted via TLS with HSTS preloading (2-year max-age)
  • All data at rest is encrypted (database, file storage, and backups)
  • OAuth tokens are encrypted using AES-256-GCM via Supabase Vault (pgsodium) and are never stored in plaintext
  • Row-Level Security (RLS) is enforced on all database tables, ensuring users can only access their own data
  • PII (emails, phone numbers, social security numbers, API keys) is automatically redacted from all application logs
  • Content Security Policy (CSP), X-Frame-Options, and other security headers are enforced on all responses
  • All server actions are authenticated via JWT claims — no unauthenticated mutations are possible
  • Automated security scanning via Semgrep, Dependabot, and Biome in our CI/CD pipeline
  • Regular security audits and vulnerability assessments

Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee the absolute security of your information.

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With your explicit consent
  • With deal room members you invite — they can see deal-related emails, documents, and insights for deals you share with them, based on visibility settings you control
  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (with prior notice)
  • With service providers listed as sub-processors above (under strict data processing agreements)

7. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy:

  • Active account data is retained while your account is active
  • Email data is retained as long as you maintain your email integration
  • Email content (body text and HTML) is retained to power ongoing deal suggestions, search, and re-processing capabilities
  • Deleted deals and associated data are removed from our systems within 30 days
  • Backup data is retained for up to 90 days
  • Some data may be retained longer to comply with legal obligations

8. Account Deletion and Data Removal

You can delete your account at any time through your account settings. When you delete your account, we perform a complete data removal:

  • All your deals, emails, documents, tasks, insights, and participants are deleted
  • All uploaded files are removed from storage
  • All vector embeddings are deleted from our search index (Pinecone)
  • Your OAuth tokens are revoked with the email provider and deleted from our encrypted vault
  • All active sessions are terminated
  • Your authentication record is permanently deleted

This deletion is cascading and permanent. Once your account is deleted, your data cannot be recovered. If you disconnect your email account (without deleting your account), we revoke and delete the OAuth tokens but retain your existing deal data.

9. Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: Request information about the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Delete your account and all associated data at any time through your account settings (self-service, immediate)
  • Restriction: Request that we limit processing of your information
  • Withdrawal: Revoke email access or delete your account at any time

To exercise these rights, you can use the self-service options in your account settings or contact us at support@dealyo.ai. We will respond to requests within 30 days.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.

We apply appropriate safeguards to ensure your information remains protected in accordance with this privacy policy, including maintaining data processing agreements with all sub-processors that include Standard Contractual Clauses where applicable.

11. GDPR Compliance (For EU Users)

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

  • The right to be informed about our data processing activities
  • The right to object to processing based on legitimate interests
  • The right not to be subject to automated decision-making
  • The right to lodge a complaint with your supervisory authority

Our legal basis for processing your personal data includes:

  • Contract: To provide the services you've requested
  • Consent: For optional features such as email sending on your behalf
  • Legitimate interests: To improve our services and ensure security
  • Legal obligations: To comply with applicable laws

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

For material changes, we will provide additional notice via email or through the Service. We encourage you to review this Privacy Policy periodically for any changes.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

  • Email: support@dealyo.ai
  • Company: Howcan, Inc.