This Privacy Policy explains how PEVCOS, Inc. ("PEVCOS", "we", "us") collects, uses, shares, and protects information when you use the PEVCOS application at https://www.pevcos.com (the "Service"). We've written it in plain language. If anything is unclear, email us at privacy@pevcos.com.
PEVCOS is a software platform for private equity and venture capital fund managers. It helps users track deal flow, manage CRM relationships with founders and limited partners, score investment conviction, generate investment memos, and report to LPs. The Service is operated by PEVCOS, Inc.
When you create an account we collect your email address, name, password (stored as a hash by our authentication provider), and any role/firm details you provide during onboarding (firm name, fund vintage, role, etc.).
Anything you create or upload — companies, contacts, notes, interactions, documents, IC memos, LP records, tasks, fund/portfolio data — is stored to provide the Service to you. We treat this content as confidential. It is not used to train any AI models.
If you connect a Gmail account, PEVCOS accesses messages in your inbox and sent folder to help you organize and act on deal flow. The specific scopes we request and how we use them are listed in Section 4 below.
Subscription billing is handled by Stripe. We never see your full card number. Stripe shares a customer ID, last 4 digits, expiration date, and billing country with us for receipts and subscription management.
If you connect a DocuSign account, PEVCOS uses DocuSign's API on your behalf to send subscription documents, side letters, and other agreements to your LPs. We store the OAuth tokens needed to send envelopes, the envelope IDs we create, and the sent/delivered/completed status returned by DocuSign's webhooks so the platform can show you what's outstanding. We never receive the signed PDF bytes — those are stored in DocuSign and accessed directly through their UI. You can disconnect DocuSign at any time from Settings, which revokes our tokens.
We log basic technical information (IP address, browser type, timestamps, pages visited) for security, debugging, and fraud prevention. We do not use third-party advertising trackers.
We do not sell your personal information. We do not share your data with advertisers. We do not use your content (including Google user data) to train AI models.
PEVCOS' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Gmail message contents are stored in your private workspace inside our database (Supabase, us-east-1) so that PEVCOS can show recent activity, categorize messages (deal flow / LP communication / portfolio update / CRM), and link them to the appropriate person or company record. AI features (such as auto-categorization) run on a per-user basis against your own data only; they never aggregate or share data across accounts.
Tokens are stored encrypted at rest. Message contents are protected by row-level security in our database — only the user who connected the Gmail account can read them. Our infrastructure providers (Supabase, Vercel) are SOC 2 compliant.
We do not share Google user data with any third parties except our subprocessors listed in Section 6, which is strictly limited to what's necessary to provide the Service. We do not use Google user data for advertising. We do not sell Google user data. We do not transfer Google user data to AI/ML models for training; AI features that operate over your messages run with your data scoped to your workspace and the prompts are not used by any provider to improve their models.
You can disconnect Gmail at any time from the Settings page in PEVCOS. Doing so revokes our access token and deletes the stored refresh token. You can also revoke access directly from your Google Account permissions page. To request deletion of synced message content, email privacy@pevcos.com from the address associated with your PEVCOS account and we will remove it within 30 days.
PEVCOS uses Anthropic's Claude models to power features like AI Score, AI Enrich, IC Memo drafting, LP letter generation, and email categorization. When you trigger one of these features, the relevant subset of your workspace data is sent to Anthropic's API to generate the requested output. Anthropic does not train its models on data sent via its API (see Anthropic's commercial terms). Generated outputs are stored alongside the entity they relate to in your workspace.
We use the following third-party services to operate PEVCOS:
We retain your workspace data for as long as your account is active. When you cancel and request deletion, we delete your workspace within 30 days, except for billing records we're required to keep for tax and accounting purposes (typically 7 years). Logs are retained for 90 days for security purposes and then deleted.
You can access, export, correct, or delete your data at any time. Email privacy@pevcos.com with requests. Residents of the EEA, UK, and California have additional rights under GDPR/CCPA which we honor (right to access, rectification, erasure, restriction, portability, objection).
We use industry-standard security practices: TLS everywhere, encrypted at-rest storage, row-level security for tenant isolation, hashed passwords, and regular dependency updates. No system is perfectly secure — if you discover a vulnerability please report it to privacy@pevcos.com.
PEVCOS infrastructure is located in the United States. By using the Service you consent to your data being transferred to and processed in the U.S., subject to the protections described in this policy.
PEVCOS is not directed at children under 16. We do not knowingly collect data from minors.
If we make material changes we'll notify you in-app or by email at least 14 days before they take effect. Continued use of the Service after the changes take effect constitutes acceptance.
Questions, data requests, or vulnerability reports: privacy@pevcos.com.