Privacy Policy

Introduction

Tadda ("we," "our," or "us") operates the Tadda platform (the "Service"), which helps companies organize and manage their due diligence documentation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using Tadda, you agree to the collection and use of information in accordance with this Privacy Policy.

Information We Collect

1. Information You Provide Directly

Account Information:

• Name and email address
• Company name and details
• Contact information
• Account credentials

Beta Request Information:

• Company revenue range
• Transaction timeline and type
• Due diligence concerns
• How you found us

Communication Information:

• Messages you send us
• Feedback and support requests
• Survey responses

2. Information We Collect Automatically

Usage Information:

• Pages visited and features used
• Time spent on the Service
• Click patterns and navigation paths
• Device and browser information
• IP address and general location (city/country level)

Technical Information:

• Browser type and version
• Operating system
• Screen resolution
• Referring website
• Date and time of access

3. Information from Third-Party Services

Google Drive Integration:

When you connect your Google Drive account to Tadda:

What we access:

• File metadata (file names, types, sizes, modification dates, folder structure)
• Document content for analysis and categorization
• Folder organization and hierarchy

What we DO NOT access:

• We use read-only OAuth scopes — we never modify, move, or delete your files
• We do not access files outside folders you explicitly grant access to
• We do not access your Gmail, Google Calendar, or other Google services
• We do not share your Google Drive content with third parties

What we store:

• Document metadata (names, types, categories)
• Analysis results (gap reports, compliance findings)
• Document structure and organization
• We do NOT store full document content unless necessary for buyer Q&A functionality

Revoking access:

• You can disconnect Google Drive at any time from your account settings
• Upon disconnection, we delete all associated document metadata within 30 days

How We Use Your Information

We use collected information for the following purposes:

Service Delivery

• Provide, operate, and maintain the Tadda platform
• Scan and organize your due diligence documents
• Generate gap reports and compliance analysis
• Enable secure buyer access to data rooms
• Provide RAG-powered Q&A functionality
• Track document access and create audit logs

Communication

• Send you account-related notifications
• Respond to your inquiries and support requests
• Send product updates and feature announcements
• Request feedback (only if you're a beta user)

Improvement and Analytics

• Analyze usage patterns to improve the Service
• Develop new features and functionality
• Monitor and analyze trends and usage
• Detect and prevent technical issues

Legal and Security

• Comply with legal obligations
• Enforce our Terms of Service
• Protect against fraud and abuse
• Secure our systems and user data

Marketing (with your consent)

• Send promotional communications about new features
• Share relevant industry insights and resources
• Notify you about beta program updates

You can opt out of marketing communications at any time.

How We Share Your Information

We do NOT sell, rent, or trade your personal information. We may share information only in the following circumstances:

With Your Explicit Consent

Buyer Access to Data Rooms:

• When you grant investors/acquirers access to your data room, they can view the documents and information you've chosen to share
• All buyer access is logged and you maintain full control over permissions
• You can revoke buyer access at any time

Service Providers

We may share information with trusted third-party service providers who assist us in operating the Service:

Infrastructure Providers:

• Cloud hosting (AWS, Google Cloud Platform)
• Database services
• Content delivery networks

Analytics and Monitoring:

• Usage analytics platforms
• Error tracking and monitoring
• Performance measurement

Communication Services:

• Email delivery services
• Customer support platforms

All service providers are contractually obligated to:

• Use data only for services they provide to us
• Maintain appropriate security measures
• Delete or return data when services end

Legal Requirements

We may disclose information if required to do so by law or in response to:

• Valid legal requests (court orders, subpoenas)
• Government or regulatory inquiries
• Requests to protect rights, property, or safety
• Enforcement of our Terms of Service
• Investigation of fraud or security issues

Business Transfers

If Tadda is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service of any change in ownership or use of your personal information.

Data Security

Security Measures

We implement industry-standard security measures to protect your information:

Encryption:

• All data encrypted in transit using TLS 1.3
• All data encrypted at rest using AES-256
• Encrypted backups with separate encryption keys

Access Controls:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) available
• Principle of least privilege for all systems
• Regular access reviews and audits

Infrastructure Security:

• Secure cloud hosting with reputable providers
• Regular security patches and updates
• Network segmentation and firewalls
• Intrusion detection and monitoring

Application Security:

• Regular security audits and penetration testing
• Secure software development lifecycle
• Input validation and sanitization
• Protection against common vulnerabilities (OWASP Top 10)

Compliance:

• SOC 2 Type II certification in progress
• GDPR compliance for European users
• Regular third-party security assessments

Limitations

No system is 100% secure. While we implement strong security measures, we cannot guarantee absolute security. You are responsible for:

• Maintaining the confidentiality of your account credentials
• Notifying us immediately of any unauthorized access
• Using strong, unique passwords
• Enabling multi-factor authentication when available

Your Data Rights

Access and Portability

You have the right to:

• Access your personal information we hold
• Request a copy of your data in machine-readable format
• Review document metadata and analysis results

How to exercise: Contact us at privacy@tadda.ai

Correction and Update

You have the right to:

• Correct inaccurate personal information
• Update your account details
• Modify your communication preferences

How to exercise: Update directly in account settings or contact privacy@tadda.ai

Deletion

You have the right to request deletion of your personal information, subject to legal retention requirements.

What happens when you delete your account:

• Personal information deleted within 30 days
• Document metadata deleted within 30 days
• Audit logs retained for 90 days for security purposes
• Aggregated, anonymized analytics may be retained

How to exercise: Account settings > Delete Account, or contact privacy@tadda.ai

Note: We may retain certain information where required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance).

Objection and Restriction

You have the right to:

• Object to certain processing of your information
• Request restriction of processing in certain circumstances
• Opt out of marketing communications

How to exercise: Contact privacy@tadda.ai or use unsubscribe links in emails

Withdraw Consent

Where we rely on consent for processing, you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

Examples:

• Disconnect Google Drive integration
• Opt out of marketing communications
• Revoke third-party access permissions

Data Retention

We retain different types of information for different periods:

Account Information:

• Retained while your account is active
• Deleted within 30 days of account closure

Document Metadata:

• Retained while your account is active
• Deleted within 30 days of Google Drive disconnection or account closure

Usage and Analytics Data:

• Retained for up to 2 years for product improvement
• May be anonymized and retained indefinitely for statistical analysis

Audit Logs:

• Retained for 90 days for security purposes
• Extended retention up to 7 years if required by law

Communication Records:

• Support inquiries retained for 3 years
• Marketing communications retained until you opt out

Legal Hold:

• Information subject to legal hold retained as required by law
• You will be notified if your data is subject to legal hold

International Data Transfers

Tadda operates globally. Your information may be transferred to and processed in countries other than your country of residence.

For users in the European Economic Area (EEA):

• We comply with GDPR requirements for international transfers
• We use Standard Contractual Clauses (SCCs) where applicable
• European data can be stored in EU data centers upon request
• We ensure adequate protections are in place for all transfers

For users in other regions:

• We implement appropriate safeguards for cross-border transfers
• We comply with applicable data protection laws
• We maintain security standards regardless of data location

Children's Privacy

Tadda is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

If you become aware that a child has provided us with personal information, please contact us at privacy@tadda.ai. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.

Cookies and Tracking Technologies

Types of Cookies We Use

Essential Cookies (Required):

• Session management and authentication
• Security and fraud prevention
• Load balancing and performance
• Cannot be disabled as they're essential for Service operation

Analytics Cookies (Optional):

• Usage statistics and feature analytics
• Performance monitoring
• Error tracking and debugging
• Can be disabled through cookie preferences

Preference Cookies (Optional):

• Remember your settings and preferences
• Personalize your experience
• Can be disabled through cookie preferences

Managing Cookies

You can control cookies through:

• Our cookie preferences center (when you first visit)
• Browser settings (see your browser's help documentation)
• Do Not Track signals (we honor DNT browser settings)

Note: Disabling essential cookies may limit your ability to use certain features of the Service.

Third-Party Tracking

We may use third-party analytics services (e.g., Google Analytics, Mixpanel) to understand how users interact with our Service.

These services may:

• Set their own cookies
• Collect usage information
• Aggregate data across multiple websites

We ensure third-party services:

• Have strong privacy policies
• Provide opt-out mechanisms
• Comply with applicable privacy laws

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know

• Categories of personal information collected
• Sources of personal information
• Business purposes for collection
• Categories of third parties with whom we share information

Right to Delete

• Request deletion of your personal information
• Subject to certain exceptions (legal obligations, fraud prevention, etc.)

Right to Opt-Out

• Opt out of the "sale" of personal information
• Note: We do not sell personal information

Right to Non-Discrimination

• We will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights: Contact privacy@tadda.ai

Verification: We may request information to verify your identity before fulfilling requests.

Authorized Agents: You may designate an authorized agent to make requests on your behalf by providing written authorization.

European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

We process your personal information based on the following legal grounds:

Contract Performance:

• Providing the Service you've requested
• Managing your account
• Delivering features and functionality

Legitimate Interests:

• Improving our Service
• Ensuring security and preventing fraud
• Analyzing usage patterns
• Internal business operations

Legal Obligations:

• Complying with applicable laws
• Responding to legal requests
• Maintaining records as required by law

Consent:

• Marketing communications (where consent is required)
• Optional features and analytics
• Third-party integrations beyond core functionality

Your GDPR Rights

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing in certain circumstances
• Right to data portability in machine-readable format
• Right to object to processing based on legitimate interests
• Right to withdraw consent where processing is based on consent
• Right to lodge a complaint with your local data protection authority

To exercise your GDPR rights: Contact privacy@tadda.ai

Data Protection Officer: For GDPR-related inquiries, contact dpo@tadda.ai

Data Transfers

For EEA users, we ensure adequate protection when transferring data outside the EEA:

• Standard Contractual Clauses (SCCs) with service providers
• EU data residency options available upon request
• Annual review of transfer mechanisms

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via:
  • Email to your registered email address (at least 30 days before effective date)
  • Prominent notice on our website
  • In-app notification when you next log in

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Email: privacy@tadda.ai

Data Protection Officer: dpo@tadda.ai

Response Time: We aim to respond to all inquiries within 10 business days.

For security-related concerns, please email: security@tadda.ai

Definitions

• Service: The Tadda platform, including website, web application, and all related services.
• Personal Information: Information that identifies, relates to, or could reasonably be linked to you.
• Account: Your registered user account on the Tadda platform.
• Data Room: A secure, organized collection of documents shared with buyers/investors.
• Buyer: An investor, acquirer, or other party you grant access to your data room.
• Google Drive Integration: The connection between Tadda and your Google Drive account via OAuth.