DeepFindsBook the install →

Legal

Privacy Policy

Effective May 8, 2026 · Last updated May 8, 2026

1. Who We Are

DeepFinds (“DeepFinds”, “we”, “us”, or “our”) operates the data infrastructure service available at deepfinds.ai. We are incorporated in Quebec, Canada.

Questions about this policy: contact@deepfinds.ai

2. The One Thing That Matters Most

We do not use your data for any purpose other than making it available to you through your own AI agent connection.

The data you connect to DeepFinds — your emails, files, contacts, deals, messages — is ingested, stored, and made queryable exclusively for your benefit, through the MCP key you control. We do not use it to train AI models. We do not sell it. We do not analyze it for our own business purposes. We do not share it with third parties for marketing, advertising, or any other purpose. Your data exists in our system for one reason: so your AI agent can answer your questions about your business.

3. What Data We Collect

3.1 Account Data

When we create your account, we store your email address, your organization name, and your account role. We do not collect billing addresses or payment card numbers directly — payments are processed by Stripe, a PCI-compliant third party.

3.2 Connected Source Data

When you authorize a connection (Gmail, Google Drive, HubSpot, Slack, Notion, Airtable, or other supported platforms), we receive an OAuth access token from that platform. We store this token in encrypted form. We use it to fetch content from that platform on your behalf. The fetched content — emails, documents, contacts, messages, records — is processed and stored in your private database partition.

3.3 Processed Data (Knowledge Graph)

We normalize, chunk, and embed the raw content from your sources. Embeddings are numerical vector representations of text — they enable semantic search. We also run an AI inference pass to extract relationships between entities in your data (see Section 5 on Third-Party Processors). All of this processed data is stored in your private partition and is never commingled with other clients’ data.

3.4 Usage Logs

We log MCP tool calls: which tool was called, the query text, the result count, and latency. These logs are stored in your partition and visible to you in the dashboard. We use aggregate, anonymized metrics (e.g., “total MCP calls today”) for rate limiting and service health monitoring only.

3.5 System Events

We log pipeline events (start, completion, failure) with CPU and memory measurements. These are used exclusively for infrastructure monitoring and debugging. They do not contain the content of your data.

4. How We Use Your Data

  • To ingest, normalize, and store your business data in your private knowledge graph.
  • To serve your AI agent queries through the MCP connection you authorized.
  • To keep your data synchronized when new content is added to your connected sources.
  • To enforce usage limits under your service plan.
  • To troubleshoot pipeline failures when you request support.

That’s it. We have no other use for your data.

5. Third-Party Processors

We use a small number of sub-processors to operate the service. Each is subject to a data processing agreement and handles your data only as instructed by us.

Supabase (via Amazon Web Services)

Purpose: Database storage — all your knowledge graph data lives here.

Location: United States (AWS us-east-1)

Your data is stored in a logically isolated partition with row-level security. Supabase cannot access your data for their own purposes.

Anthropic (Claude API)

Purpose: Relationship inference — we send text chunks to Claude to extract relationships between entities in your data.

Location: United States

Anthropic's API usage policy prohibits training on API-submitted data. We do not send more data than necessary for this step.

Stripe

Purpose: Payment processing.

Location: United States

Stripe handles all payment card data. We never see or store your card number.

We do not use OpenAI, Google, or any other embedding API. All text embeddings are generated locally on our servers using an open-source ONNX model (BGE-small-en-v1.5). Your raw text is not sent to any external service for embedding.

6. Data Isolation and Security

  • Every query to the database is scoped to your organization ID. It is architecturally impossible for your data to appear in another client's results.
  • MCP API keys are stored as SHA-256 hashes — we cannot recover the raw key.
  • OAuth tokens are stored encrypted at rest.
  • Access to production systems is restricted to authorized DeepFinds personnel and requires multi-factor authentication.
  • Database connections use TLS in transit.

7. Data Retention

Your data is retained for as long as your account is active. When you terminate your account or request deletion, we will delete your organization record, all ingested content, all embeddings, all relationship data, and all MCP logs within 30 days.

You can disconnect individual sources at any time from the dashboard. Disconnecting a source stops future ingestion from that source. To remove previously ingested data from a disconnected source, contact us at contact@deepfinds.ai.

8. Your Rights

Depending on your jurisdiction, you may have rights including: access to the data we hold about you, correction of inaccurate data, deletion of your data, and data portability.

To exercise any of these rights, email contact@deepfinds.ai. We will respond within 30 days.

Residents of Quebec are protected under Law 25 (Act respecting the protection of personal information in the private sector). Residents of the European Union or United Kingdom are protected under GDPR/UK GDPR. We extend these protections to all clients regardless of location.

9. Cookies

The dashboard uses session cookies issued by Supabase Auth to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics on any part of the dashboard.

The public landing page may include basic, anonymous analytics (page views only — no fingerprinting, no cross-site tracking). If you would like details, contact us.

10. Children

This service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have done so in error, contact us immediately for deletion.

11. Changes to This Policy

If we make material changes to this policy — particularly around how we use your data — we will notify you by email at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the updated policy.

12. Contact

DeepFinds
Montreal, Quebec, Canada
contact@deepfinds.ai