Privacy Policy

Last updated: April 16, 2026

CapitalScout (“we”, “us”) is operated from Newfoundland and Labrador, Canada. This policy explains what personal information we collect, why, and what your rights are.

1. What we collect

• Account information: your email address, the timestamp of sign-up, and the tier you’re on.
• Funding profile: the answers you provide during onboarding (entity type, sector, stage, funding interests, etc.) so we can match you against programs. You can edit or delete this at any time.
• Billing information: if you subscribe to a paid tier, we store your Stripe customer ID and subscription status. We do not see or store your credit-card number — Stripe handles that directly.
• Usage data: aggregated, anonymous page-view and performance metrics via Vercel Analytics and Speed Insights. No personally identifying cross-site tracking.
• Server logs: standard request logs (IP address, user-agent, timestamp) retained for up to 30 days for security and debugging.

2. How we use it

• To run the matching engine and surface relevant programs.
• To send sign-in magic links (via Resend) and, if you opt in, periodic alerts when new programs match your profile.
• To process subscriptions and bill paid tiers (via Stripe).
• To detect and prevent abuse, spam, and fraud.
• To improve the Service — e.g. spotting which match factors users disagree with.

We do not sell your personal information. We do not share it with advertisers. We do not train AI models on the contents of your funding profile.

3. Sub-processors

The Service relies on the following third parties to operate:

• Supabase — database and authentication (data hosted in Canada when possible; check Supabase’s status page for current region).
• Vercel — application hosting and analytics.
• Stripe — payment processing and subscription management.
• Resend — transactional email delivery.
• Anthropic — AI-generated match explanations. The inputs are your funding profile and the program details; we do not send your email or billing data.
• Sentry — error tracking. Stack traces and request context are sent on errors; we scrub email/user-id where practical.

4. Cookies

We use session cookies (set by Supabase) to keep you signed in, and first-party analytics cookies set by Vercel for aggregate page-view counts. We do not set advertising cookies. See our cookie policy for details.

5. Your rights

Under PIPEDA and equivalent laws, you have the right to:

• access the personal information we hold about you;
• request correction of inaccurate information;
• withdraw consent and request deletion;
• complain to the Office of the Privacy Commissioner of Canada.

To exercise any of these, email hello@capitalscout.ca. You can also delete your account directly from your account page.

6. Data retention

We retain your account and funding profile for as long as the account is active. After deletion, profile and match data are removed within 30 days; billing records are retained for 7 years to comply with Canadian tax law.

7. Security

Data in transit is protected with TLS. Data at rest is encrypted by Supabase. We follow the principle of least privilege for staff access. No system is bullet-proof; we’ll notify affected users promptly in the event of a breach involving personal information.

8. Children

The Service is not directed at children under 13 and we do not knowingly collect personal information from them.

9. Changes to this policy

We’ll post material changes here and notify account holders by email at least 30 days before they take effect.

10. Contact

Privacy questions: hello@capitalscout.ca.