Privacy Policy

Last updated: 10 February 2026

1. Introduction

DealStudio Limited (“DealStudio”, “we”, “our”, or “us”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our M&A platform and related services.

We are registered in England and Wales and act as the data controller for the personal data we process. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when using our services, including:

  • Account Information: Name, email address, phone number, job title, and professional credentials
  • Organisation Information: Company name, address, business type, and team member details
  • Payment Information: Billing address and payment card details (processed securely by Stripe)
  • Deal Information: Business details, financial data, and transaction information you enter into the platform
  • Communications: Content of emails, messages, and support requests

2.2 Information We Collect Automatically

When you access our platform, we automatically collect:

  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent on pages, navigation paths
  • Log Data: Access times, error logs, and system activity
  • Location Data: Approximate location based on IP address (country/region level)

2.3 Information from Third Parties

We may receive information from third-party services you connect to your account, such as Google Calendar for meeting scheduling, or from public business registries like Companies House for business verification purposes.

3. How We Use Your Information

We use the collected information for the following purposes and legal bases:

3.1 Contract Performance

  • Providing and maintaining the DealStudio platform and services
  • Processing transactions and managing your subscription
  • Authenticating your identity and managing your account
  • Providing customer support and responding to enquiries

3.2 Legitimate Interests

  • Improving and optimising our platform and developing new features
  • Analysing usage patterns to enhance user experience
  • Detecting and preventing fraud, security incidents, and abuse
  • Sending service-related communications (e.g., security alerts, feature updates)

3.3 With Your Consent

  • Sending marketing communications about our products and services
  • Using your data for AI model training (opt-out available)
  • Sharing your information with third-party integrations you authorise

3.4 Legal Obligations

  • Complying with applicable laws, regulations, and legal processes
  • Responding to lawful requests from public authorities
  • Maintaining records as required by financial regulations

4. AI and Automated Processing

4.1 AI-Powered Features

DealStudio uses artificial intelligence to provide features such as:

  • Buyer-Deal Matching: Analysing buyer preferences and deal characteristics to suggest potential matches
  • Document Analysis: Extracting key information from uploaded documents
  • Email Assistance: Generating suggested email content and responses

4.2 AI Training Data

We may use anonymised, aggregated data to improve our AI models. This data is stripped of any personally identifiable information and confidential deal specifics. You may opt out of AI training data usage by contacting privacy@dealstudio.co.uk.

4.3 Third-Party AI Services

Some AI features may utilise third-party services (such as OpenAI). When using these features, relevant data may be processed by these providers in accordance with their privacy policies. We ensure appropriate data processing agreements are in place with all AI service providers.

5. Data Sharing and Disclosure

We may share your information in the following circumstances:

5.1 Service Providers

We work with trusted third-party service providers who assist in operating our platform:

  • Supabase: Database hosting and authentication (EU/UK data centres)
  • Stripe: Payment processing (PCI DSS compliant)
  • Resend: Email delivery services
  • Vercel: Application hosting and deployment
  • PostHog: Analytics and product insights (with data anonymisation options)
  • Google Analytics: Website usage analytics (GA4, with consent-mode integration)

5.2 Within Your Organisation

Information you enter into the platform may be visible to other members of your organisation based on their role and permissions.

5.3 With External Parties You Authorise

When you share deals or documents with external parties (buyers, sellers, advisors), relevant information is shared according to the access level you grant.

5.4 Legal Requirements

We may disclose your information when required by law, court order, or to protect our legal rights, safety, or property.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your data.

6. Data Security

We implement comprehensive technical and organisational measures to protect your personal information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls, multi-factor authentication support
  • Infrastructure: SOC 2 Type II compliant cloud infrastructure
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Auditing: Regular security audits and penetration testing
  • Employee Training: All staff receive regular data protection training

While we implement industry-leading security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you of any breaches affecting your data as required by law.

7. Data Retention

We retain your personal information according to the following schedule:

Data Type | Retention Period | Basis
Account data | Duration of account + 30 days | Contract performance
Deal & transaction data | 7 years after deal closure | Legal/regulatory requirements
Documents & files | Duration of account + 30 days | Contract performance
Email communications | 3 years | Legitimate interest
Payment records | 7 years | Tax/accounting requirements
Usage analytics | 2 years (then anonymised) | Legitimate interest
Audit logs | 3 years | Security & compliance
Deleted account data | 30 days (then permanently deleted) | Recovery period

When data is no longer needed, we securely delete or anonymise it. You may request earlier deletion of your data, subject to our legal and regulatory obligations.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal information:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (“right to be forgotten”)
  • Right to Restriction: Request that we limit how we use your data
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for marketing
  • Rights Related to Automated Decisions: Request human review of automated decisions
  • Right to Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, contact us at privacy@dealstudio.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

  • Essential Cookies: Required for the platform to function (authentication, security)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the platform. We use PostHog (EU-hosted, Frankfurt, Germany) and Google Analytics 4 (GA4) for usage analytics. PostHog data remains within the EU via PostHog Cloud EU. GA4 data is processed by Google under their Data Processing Terms. We do not use analytics cookies until you have given explicit consent.
  • Marketing Cookies: Used to deliver relevant advertisements (only with consent)

9.2 Managing Cookies

When you first visit our website, analytics runs in memory-only mode — no cookies are set and no data is persisted on your device. A cookie consent banner will appear at the bottom of the page, giving you two choices:

  • Accept: Enables analytics cookies (PostHog and Google Analytics) so we can understand how you use the site and improve your experience. Your preference is saved to localStorage.
  • Reject: Analytics remain fully disabled. No tracking cookies are set and no usage data is collected.

You can change your preference at any time by clicking the “Cookie Settings” link in the footer of any page. This will re-display the consent banner so you can update your choice. You can also manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the platform.

9.3 Analytics Data Hosting

PostHog: Processes and stores all data within the European Union (Frankfurt, Germany) under PostHog Cloud EU. No PostHog analytics data is transferred outside the EU/UK. PostHog acts as a data processor under our Data Processing Agreement (DPA), in accordance with GDPR Article 28.

Google Analytics 4: Data is processed by Google LLC under their Data Processing Terms. Google Analytics uses the gtag.js consent mode — no cookies are set until you explicitly grant consent via our cookie banner. You can learn more about Google's data practices at policies.google.com/privacy.

10. International Data Transfers

Your information is primarily stored and processed within the UK and European Economic Area (EEA). Where transfers to countries outside the UK/EEA are necessary (e.g., for certain service providers), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions where applicable
  • Binding Corporate Rules for transfers within corporate groups

11. Children's Privacy

DealStudio is a business-to-business platform not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete such information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the “Last updated” date, and where appropriate, notifying you via email. Your continued use of our services after any changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:

DealStudio Limited

Data Protection Officer

Email: privacy@dealstudio.co.uk

General enquiries: info@dealstudio.co.uk

Registered in England & Wales