ValueAlpha

Value Alpha Privacy Policy

Effective as of April 1, 2026

1. Who We Are

This Privacy Policy is issued by Felpel Ventures LLC, doing business as Value Alpha (“Value Alpha,” “the Company,” “we,” “us,” or “our”), a limited liability company organized in the State of New York, United States. We are the “controller” (for GDPR/UK GDPR purposes) and the “business” (for California Consumer Privacy Act purposes) of the Personal Information described below.

This Policy describes how we collect, use, share, retain, and protect Personal Information when you use our website at valuealpha.ai, our application at app.valuealpha.ai, and any related services (collectively, the “Service”). It also explains the privacy rights you have and how to exercise them.

This Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

2. Scope

This Policy applies to Personal Information we collect through the Service, through our marketing communications, and through any in-person or written interactions you have with us. It does not apply to third-party websites or services linked from the Service, even where we name those third parties below.

3. Age Restriction & Children’s Privacy

The Service is intended only for individuals at least 18 years of age. We do not knowingly collect Personal Information from anyone under 18. Consistent with the U.S. Children’s Online Privacy Protection Act (COPPA) we do not knowingly collect Personal Information from anyone under 13. Consistent with the CCPA/CPRA we do not knowingly sell or share Personal Information of anyone under 16. If you believe a minor has provided us Personal Information, contact us at privacy@valuealpha.ai and we will delete it.

4. Information We Collect

We collect the following categories of Personal Information. We have used these categories for the past twelve months and intend to continue using them.

4.1 Information you provide directly

  • Identifiers & contact data — name, email address, password (stored hashed), organization name, role, country, and (if you sign in via a third-party identity provider) the identifier that provider gives us.
  • Commercial information — purchase history, subscription tier, billing address.
  • Payment information — payment method tokens issued by our payment processor; we do not store full card numbers.
  • Customer-submitted business & financial information — company descriptions, financial statements (PDF/Excel/CSV/image), assumptions, drug or product pipelines, and any other content you upload or type into the Service. We treat this as confidential and as “sensitive personal information” under California law where it identifies you.
  • Communications — support tickets, emails to or from us, replies to our inbound-email valuation flow, and feedback you submit through in-app surveys.

4.2 Information collected automatically

  • Device & technical data — IP address, browser type, device type, operating system, language, time zone, and approximate location (derived from IP).
  • Usage data — pages viewed, features used, buttons clicked, valuations generated, time on page, referring URL, UTM parameters.
  • Cookie identifiers & similar technologies — see Section 14.
  • Inferences — derived signals such as plan tier, likely industry, or product fit drawn from your submitted information and usage.

4.3 Information we receive from third parties

  • Payment confirmation and limited transaction metadata from Stripe.
  • Authentication metadata from any single-sign-on identity provider you elect to use.
  • Aggregated marketing attribution data from advertising networks (e.g., LinkedIn, Google).

4.4 Sensitive information

We do not intentionally collect race, ethnicity, religion, philosophical beliefs, political opinions, trade-union membership, biometric data, health data, sexual orientation, government identifiers (e.g., SSN), or precise geolocation. We treat customer financial information you upload (your company’s financials) as confidential and we recommend you do not upload the personal financial information of natural persons unless necessary.

5. How We Use Your Information & Legal Bases

We use Personal Information only for the purposes listed below. For users in the European Economic Area, United Kingdom, or Switzerland, we identify the GDPR/UK GDPR legal basis we rely on.

  • To deliver the Service — running the valuation pipeline, storing results, providing AI chat, dashboards, and shareable reports. Legal basis: performance of a contract (Art. 6(1)(b)).
  • To process payments & manage billing — through Stripe. Legal basis: contract performance and compliance with legal obligation (Art. 6(1)(b), (c)).
  • To provide customer support. Legal basis: contract performance and our legitimate interest in supporting users (Art. 6(1)(b), (f)).
  • To secure the Service and prevent fraud or abuse — including detection of competitor scraping and rate-limit enforcement. Legal basis: legitimate interest in operating a safe Service (Art. 6(1)(f)).
  • To improve the Service — through aggregated analytics, error monitoring, and product research. We do not train AI models on your customer-submitted content (see Section 6). Legal basis: legitimate interest (Art. 6(1)(f)).
  • To send transactional communications — receipts, report delivery, account notices, security alerts. Legal basis: contract performance (Art. 6(1)(b)).
  • To send marketing communications (including our newsletter, “The Brief”). Legal basis in the EU/UK: your consent (Art. 6(1)(a)); in the US: legitimate interest plus an opt-out mechanism, consistent with the CAN-SPAM Act.
  • To comply with law — tax, accounting, audit, regulator requests, court orders. Legal basis: legal obligation (Art. 6(1)(c)).
  • To establish, exercise, or defend legal claims. Legal basis: legitimate interest (Art. 6(1)(f)).

6. AI & Automated Processing

The Service uses large-language-model and machine-learning processing to generate valuation Reports, comparable-company matches, AI chat responses, and similar outputs. The following commitments apply to that processing:

  • We do not train our models on your customer-submitted financial or business content. Your uploaded data is used only to generate your own Reports and to operate the Service for you.
  • Our AI vendors are on enterprise / API tiers that do not train on customer data. Specifically, we use OpenAI and Google (Gemini) under API terms that prohibit those providers from training their foundation models on our customers’ inputs and outputs.
  • We may use aggregated, de-identified usage data (e.g., counts of valuations by industry) for internal product analysis. We do not re-identify de-identified data.
  • No solely automated decision producing legal effects. Reports are informational only and are not a basis for legal, financial, investment, or tax decisions (see Terms of Service §9.2). Because no Report produces legal effects or similarly significant effects on you, GDPR Article 22 does not restrict our processing. You may always contact us at privacy@valuealpha.ai for human review of any output.

7. How We Share Personal Information

We do not sell your Personal Information for money, and we do not “share” it for cross-context behavioral advertising as those terms are defined under California law. We disclose Personal Information only to the categories of recipients below.

7.1 Service providers (sub-processors)

We use the following sub-processors. Each is bound by a written data-processing agreement and processes Personal Information only on our documented instructions.

  • Stripe, Inc. (USA) — payment processing, billing, fraud prevention.
  • Supabase, Inc. (USA) — authentication, application database, file storage.
  • Cloudflare, Inc. (USA) — hosting, CDN, DDoS mitigation, bot management.
  • Resend, Inc. (USA) — transactional and inbound email delivery.
  • OpenAI, L.L.C. (USA) — text embeddings used for matching comparable companies (API tier, no training on customer data).
  • Google LLC (Google Cloud / Gemini API) (USA) — large-language-model processing (API tier, no training on customer data).
  • Firecrawl (USA) — public-web data ingestion for benchmark datasets; does not receive customer-submitted content.
  • PostHog, Inc. (USA / EU region available) — product analytics and error monitoring.
  • Google LLC (Google Ads) & LinkedIn Corporation (USA) — marketing-attribution pixels on our marketing pages only; loaded subject to your cookie consent in the EU/UK.

We may update this list from time to time. The current list will always be available in this Policy or by request to privacy@valuealpha.ai.

7.2 Other recipients

  • Within your organization — if you use the Team / organization product, members of your organization with appropriate roles can see valuations and Personal Information you submit to the shared workspace.
  • People you share with — if you generate a share link or claim a shared valuation, the recipient receives the content you choose to share.
  • Professional advisors — auditors, accountants, lawyers, and insurers under confidentiality obligations.
  • Government, regulators, or law enforcement — where compelled by law, subpoena, court order, or to protect rights, property, safety, or to investigate fraud or abuse.
  • Successors — in connection with a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred subject to confidentiality protections substantially similar to this Policy.

7A. Polish Company Data (KRS / rejestr.io)

When you value a Polish company on the Service, we retrieve publicly available data from the Polish National Court Register (Krajowy Rejestr Sądowy, “KRS”) via our data provider rejestr.io. This includes the company’s name, identifiers (KRS, NIP, REGON), PKD industry classification codes, registered address, legal form, and financial information disclosed in publicly filed annual financial statements. Under Polish law, KRS data is public.

Controller status. With respect to Personal Data obtained from KRS records (including names of board members, ultimate beneficial owners, and other natural persons named in the register), Felpel Ventures LLC d/b/a Value Alpha is an independent data controller — distinct from rejestr.io and from the Polish Ministry of Justice (which operates KRS). Our legal basis is Article 6(1)(f) GDPR — legitimate interest in providing business valuation analysis services to our customers.

Source attribution. Polish company data sourced from rejestr.io is displayed on the Service with the attribution “Source: rejestr.io” (or in Polish, “Źródło: rejestr.io”), in accordance with rejestr.io API Terms.

Rights for data subjects in KRS records. If you are a natural person named in KRS data (e.g., as a board member) and wish to exercise GDPR rights (access, rectification, erasure, objection) with respect to our processing, contact us at privacy@valuealpha.ai. Please note that we do not have authority to modify source records held by the Polish Ministry of Justice — for corrections to the underlying KRS register itself, we will refer you to the registering court.

Retention. KRS-derived data is cached on the Service for up to fourteen (14) months from the filing date, after which it is refreshed from the source. Cached records are subject to the same retention and deletion rights as other Personal Data described in this Policy.

8. International Data Transfers

We are based in the United States and most of our sub-processors are based in the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction outside the United States, your Personal Information will be transferred to, processed in, and stored in the United States.

For transfers of EU/EEA, UK, and Swiss personal data to the United States we rely on the European Commission’s Standard Contractual Clauses (2021/914), together with the UK International Data Transfer Addendum and the Swiss equivalent, with each sub-processor. A copy of the safeguards used for a specific transfer is available on request at privacy@valuealpha.ai.

9. How Long We Keep Information

We keep Personal Information only as long as necessary for the purposes set out in this Policy, unless a longer period is required or permitted by law. The default retention periods are:

  • Account & profile data — for the life of your account, plus up to 24 months after your last login or your account closure (whichever is earlier), unless you ask us to delete it sooner.
  • Customer-submitted financial & business content (valuations, uploads) — for the life of your account, deleted on account closure (subject to legal-hold and tax-records exceptions below).
  • Transaction & tax records — up to seven (7) years after the transaction, as required by US tax recordkeeping rules.
  • Support communications — up to 3 years after the last interaction.
  • Marketing data & consent records — until you withdraw consent or unsubscribe, plus 30 days for suppression-list purposes.
  • Identifiable analytics data — up to 14 months; aggregated/de-identified analytics retained indefinitely.
  • Server & security logs — up to 90 days, longer where needed to investigate an incident.
  • Backups — encrypted backups may persist for up to 35 days after the corresponding production record is deleted.

When the applicable retention period expires we delete or irreversibly anonymize the data.

10. Data Security

We use technical and organizational measures designed to protect Personal Information, including: encryption in transit (TLS), encryption at rest for application data and file storage, role-based access controls and database row-level security, principle-of-least- privilege staff access, audit logging, anti-debugging protections on the production app, rate limiting, and periodic credential rotation. Payment information is processed end-to-end by Stripe under PCI-DSS Level 1 standards; we do not see or store full payment card numbers.

No security measure is perfect and we cannot guarantee absolute security. If we become aware of a Personal Data breach we will notify affected users and applicable supervisory authorities without undue delay and, where required, within the timeframes set by applicable law (including 72 hours to relevant EU supervisory authorities under GDPR Article 33).

11. Your Privacy Rights — Overview

Depending on where you live you may have the rights listed below. We honor these rights regardless of jurisdiction where we can do so without violating other legal obligations.

  • Access — request a copy of the Personal Information we hold about you.
  • Correction / rectification — ask us to correct inaccurate or incomplete information.
  • Deletion / erasure — ask us to delete your Personal Information.
  • Portability — request your Personal Information in a portable, machine-readable format.
  • Restriction / objection — restrict or object to certain processing based on our legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior processing).
  • Opt out of targeted advertising, sale, or share — see Sections 13 and 14.
  • Non-discrimination — we will not deny service, charge different prices, or provide a lesser quality of service because you exercised a privacy right.
  • Appeal — if we deny a request, you may appeal as described in Section 13.3.

To exercise any of these rights, email us at privacy@valuealpha.ai (with legal@valuealpha.ai on copy if you prefer). We will verify your identity using information already associated with your account before fulfilling a request. You may designate an authorized agent to submit a request on your behalf; we will require proof of authorization.

12. EU, EEA, UK & Swiss Residents — GDPR / UK GDPR Rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 11 under Articles 15–22 of the GDPR (and the UK GDPR and Swiss FADP equivalents). We will respond to verified requests without undue delay and within one month, which we may extend by two further months for complex requests (we will tell you if we do).

You also have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may complain to the Information Commissioner’s Office at ico.org.uk/make-a-complaint/.

We are not currently required to appoint an EU/UK representative under Article 27. We will appoint one and publish their contact details here if and when that obligation applies to us.

13. California Residents — CCPA / CPRA Rights

13.1 Categories of Personal Information collected, used, disclosed, and sold/shared

In the past 12 months we have collected the following categories of Personal Information (as defined in Cal. Civ. Code § 1798.140): identifiers; customer records; commercial information; internet or other electronic network activity information; geolocation (approximate, derived from IP); professional or employment-related information; inferences; and we treat account log-in credentials and customer-submitted financial information as sensitive personal information.

We have disclosed each of those categories to the sub-processor categories listed in Section 7 for the business purposes listed in Section 5. We have not sold and we have not “shared” (for cross-context behavioral advertising) any category of Personal Information in the past 12 months. We have not used or disclosed sensitive personal information for purposes other than those permitted by Cal. Code Regs. tit. 11, § 7027(m).

13.2 Your California rights

  • Right to know the categories and specific pieces of Personal Information we have collected about you, the sources, the business purposes, and the categories of recipients.
  • Right to delete Personal Information we have collected from you, subject to statutory exceptions.
  • Right to correct inaccurate Personal Information.
  • Right to opt out of sale or sharing — we do not sell or share, so there is nothing to opt out of, but if our practices change we will provide a “Do Not Sell or Share My Personal Information” link.
  • Right to limit use of sensitive personal information — because we use sensitive personal information only for purposes permitted under the CPRA without need for a limitation right (e.g., providing the service you requested), no separate limitation link is required, but you may still email us to request additional restrictions.
  • Right to non-discrimination for exercising any CCPA/CPRA right.

13.3 How to submit a California request & appeal

Email privacy@valuealpha.ai with subject “California Privacy Request” and tell us which right you want to exercise. We will respond within 45 days (extendable once by another 45 days with notice). If we deny your request you may appeal by emailing legal@valuealpha.ai with subject “Privacy Request Appeal” within 60 days of our denial. We will respond to the appeal within 60 days.

13.4 Notice of financial incentives

We do not currently offer any financial incentive or price/service difference in exchange for the collection, sale, or retention of Personal Information.

14. Residents of Other US States

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Montana, Iowa, Tennessee, New Jersey, Indiana, New Hampshire, Minnesota, Maryland, Rhode Island, or any other US state that has enacted a comprehensive consumer privacy law, you have rights substantially similar to those described in Section 13.2, including rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling that produces legal effects. To exercise these rights email privacy@valuealpha.ai with the name of your state and “Privacy Request” in the subject line. We will respond within the timeframe required by your state’s law (typically 45 days).

Where your state law provides an appeal right, you may appeal a denial by emailing legal@valuealpha.ai within the time provided under your state’s law.

15. Cookies & Similar Technologies

A “cookie” is a small text file stored on your device. We and our service providers use the following categories:

  • Strictly necessary — authentication, session security, load balancing, CSRF protection. Cannot be turned off.
  • Functional — language, theme, and other preferences.
  • Analytics — PostHog product analytics and error monitoring.
  • Marketing — Google Ads and LinkedIn Insight pixels on our marketing pages only; not loaded on app.valuealpha.ai.

In the EU/UK we load Analytics and Marketing cookies only after you give consent through our cookie banner; you can withdraw consent at any time through the “Cookie settings” control in the website footer. In the US you can opt out of Analytics and Marketing cookies through the same control or your browser settings.

We honor the Global Privacy Control (GPC) browser signal as a valid opt- out of sale and sharing under the CCPA/CPRA, and as a withdrawal of consent for non-essential cookies where required by EU/UK law. Most browsers do not yet send a standardized “Do Not Track” signal in a way we can act on uniformly, so we do not separately respond to DNT.

16. Marketing Emails & Newsletter (“The Brief”)

We send transactional emails (receipts, report delivery, account notices, security alerts) and, with your permission where required, marketing emails such as product updates and our newsletter The Brief. You can unsubscribe from marketing emails at any time via the unsubscribe link in any marketing email or by emailing privacy@valuealpha.ai. Unsubscribing does not affect transactional emails necessary to deliver the Service.

We comply with the US CAN-SPAM Act, Canada’s CASL, and applicable EU/UK marketing rules under the ePrivacy Directive / PECR.

17. Third-Party Links & Integrations

The Service may contain links to or integrations with third-party websites or services (for example, broker listings or news sources referenced in your reports). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices.

18. Changes to This Policy

We may update this Policy from time to time. When we make a material change we will update the “Effective” date at the top and, where required by law, provide additional notice (such as an in-app banner or email). Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes.

19. Contact Us

Felpel Ventures LLC DBA Value Alpha
State of New York, United States
Privacy requests: privacy@valuealpha.ai
Legal / appeals: legal@valuealpha.ai

We aim to respond to privacy inquiries within seven (7) business days.