Privacy Policy

PeakPaver ("PeakPaver", "we", "us", "our") provides a B2B sales-intelligence service that turns a company name into a sourced sales insight and an opening line. For personal data about our users and customers, PeakPaver is the data controller (the "data fiduciary" under the DPDP Act). This policy applies to our website, our application, and the related services we offer (together, the "Service"). It should be read together with our Terms of Service and our Security overview. If you do not agree with this policy, please do not use the Service.

Because PeakPaver is a B2B tool, it is important to distinguish two kinds of information:

• Information about you, our user or customer: the account, usage, billing, and technical data described in Section 3. We are the controller of this data.
• Information about the companies and people you research: publicly available business information about prospect organizations and, in a business-role context, the people who work at them. We process this to assemble the sourced insight you requested. Section 4 describes this in detail, and Section 15 explains how an individual featured in a report can contact us.

• Account data: your name and email address, received from Google or Microsoft when you sign in. We use sign-in providers only, so we never receive or store a password. Where your provider returns one, we store an encrypted authentication token to keep you signed in.
• Report inputs: the company names, website URLs, and the sales intent you submit. Your per-report intent is stored on that report as audit context and is never written into our shared knowledge graph.
• Usage data: the reports you generate, the companies you watch, the feedback and ratings you give, and the Intel you choose to submit.
• Billing data: when you buy credits, our payment processor collects and processes your name, email, billing details, and payment method. We do not receive or store full card numbers; we store only a record of the purchase needed to provision your credits and meet tax and accounting obligations.
• Technical and abuse-prevention data: basic server logs and your IP address, used to keep the Service secure and prevent abuse. We do not use this for advertising.
• Communications: messages you send us (for example, support or grievance emails, waitlist or early-access requests) and our replies.

To produce a report, we gather publicly available business information about the prospect company you name. This can include information about individuals in a strictly professional, role-based context (for example, a named executive quoted in a press release or a public company filing). We collect this from public sources such as company websites, news, public reviews, and search-engine results retrieved through our search provider.

• We constrain this to public, business-role information and link every factual claim back to its source; anything inferred is labelled as inferred.
• We do not seek out special-category or sensitive personal data, private contact details, or information that is not relevant to a B2B sales context.
• We treat this third-party material as untrusted input, and a PeakPaver report is not an endorsement, accusation, or assessment of any individual.

The lawful-basis position for processing publicly available third-party business information is described in Section 6, and Section 15 gives a contact route for any individual who appears in a report.

We use personal data only for the purposes below:

• To provide the Service: to generate, store, and display your reports and to operate features such as watched companies, feedback, credits, and Intel.
• To operate and secure the Service: to keep accounts signed in, prevent fraud and free-tier abuse, enforce rate limits, debug, and maintain reliability.
• To process payments: to sell and provision credits and to meet tax, invoicing, and accounting obligations.
• To communicate with you: to send transactional messages (for example, account, billing, watched-company, and security notices) and to respond to your requests.
• To improve the Service: to understand aggregate usage and improve quality. We do not train AI models on your reports or your private per-report intent, and we do not sell your personal data.
• To meet legal obligations: to comply with applicable law and to establish, exercise, or defend legal claims.

Under the DPDP Act, we process your personal data with the consent you give at sign-up and, where they apply, on the legitimate uses the Act permits to provide a service you have requested. For publicly available business information about prospect personnel, we rely on the DPDP Act's treatment of personal data that has been made publicly available. Where the EU or UK GDPR applies, we rely on: performance of our contract with you (to provide the Service and process payments); our legitimate interests (to secure the Service, prevent abuse, operate a B2B sales-intelligence tool, and process publicly available business information about prospect personnel), balanced against your rights; your consent (for non-essential analytics); and compliance with legal obligations. This is an evolving area of law; our documented position is reviewed with counsel, and you can object as described in Sections 14 and 15.

PeakPaver reports are generated by automated systems, including large language models, from public sources. Reports are decision-support: every claim is linked to a source and anything inferred is flagged, and a human (you) decides whether and how to act. We do not use the Service to make solely automated decisions that produce legal or similarly significant effects about an individual. Reports may contain errors or omissions and are not professional, legal, financial, or investment advice, as set out in our Terms of Service.

We use a small number of strictly necessary cookies to keep you signed in and to keep the Service secure; these do not require consent. Where enabled, we use privacy-respecting product analytics to understand aggregate usage. Our analytics run without advertising trackers, without cross-site tracking, and without session recording, and they identify you only by an internal account identifier, not by name. We do not run advertising or third-party ad networks. Where the law requires consent for non-essential analytics, we ask for it and you can decline.

We share personal data only in these circumstances:

• With subprocessors that help us run the Service, under contract and only for the purposes in this policy (Section 10).
• For legal and safety reasons: to comply with a valid legal request, to enforce our Terms, or to protect the rights, safety, and security of our users, the public, or PeakPaver.
• In a business transfer: if PeakPaver is involved in a merger, acquisition, financing, or sale of assets, your data may be transferred subject to this policy; we will notify you of any change in control of your personal data.

We do not sell your personal data, and we do not share it for cross-context behavioural advertising.

Our application data is hosted in AWS in India and encrypted at rest and in transit. We use a limited set of subprocessors, some of which process limited data outside India under contract. The current set includes:

• AWS (compute, database, transactional email, and object storage), in India.
• Anthropic (large-language-model inference for report synthesis and extraction), in the United States.
• Google and Microsoft (sign-in), in the United States.
• DataForSEO (search-engine queries), in the United States.
• Cloudflare (frontend hosting, content delivery, and DNS), on a global network.
• Razorpay (payment processing), in India.
• Sentry (error monitoring), PostHog (product analytics), and Better Stack (uptime monitoring), in the European Union.

We notify customers in advance of material changes to this list, and you may object in writing to a subprocessor at grievance@peakpaver.com; an objection may result in service limitations or termination.

Where we transfer personal data outside India (for example, to our inference and search providers in the United States, or to our monitoring providers in the European Union), we do so as necessary to provide the Service and in accordance with the DPDP Act. Where the GDPR applies, such transfers are protected by an appropriate safeguard, such as the European Commission's Standard Contractual Clauses together with the relevant data-processing agreement. You may contact us for more information about the safeguards we use.

We keep personal data only as long as we need it for the purpose it was collected:

• Account and report data: while your account is active. When you delete your account, we hard-delete your private data after a short grace period, except where we must retain limited records for legal, tax, or security reasons.
• Billing records: retained for the period required by tax and accounting law.
• Operational logs: retained for a limited period (currently up to one year) for security and reliability, then deleted or anonymized.
• Search-result cache: short-lived (currently up to 24 hours), then evicted.
• Audit records: a minimal audit entry may survive account deletion where required for security and accountability; it does not contain your report content.

We isolate every customer's data at the database level, encrypt it at rest and in transit, sign in users through OAuth providers so we never hold a password, and apply least-privilege access and monitoring. No system is perfectly secure, but we design for isolation and minimal data exposure. You can read more on our Security page.

Subject to applicable law, you have the following rights over your personal data, which you can exercise from Settings or by contacting us:

• Access and portability: see and download a copy of your data.
• Correction: update your name and email.
• Erasure: delete your account and private data.
• Withdraw consent: withdraw consent you have given, without affecting processing already carried out, by changing your choices or deleting your account.
• Grievance and complaint: raise a grievance with our grievance officer (Section 18) and, in India, escalate to the Data Protection Board.
• Nominate: under the DPDP Act, nominate another person to exercise your rights in the event of death or incapacity, by contacting us.

Where the GDPR applies, you also have rights to restrict or object to processing and to lodge a complaint with your local supervisory authority. Where US state privacy laws apply, you have rights to know, access, correct, and delete your personal information, to opt out of any sale or sharing (we do not sell or share for advertising), and not to be discriminated against for exercising your rights. We will not charge you for, or deny you service because of, a rights request, except as the law allows.

If you are an individual and your information appears in a PeakPaver report or source, and you believe it is inaccurate or should not be processed, you can contact us at grievance@peakpaver.com. We will review the request and, where appropriate, correct or remove the information and take steps to prevent it from being surfaced again. We process such information only in a public, business-role context, as described in Section 4.

The Service is a workplace tool intended for business users and is not directed to children. You must be at least 18 years old to use it. We do not knowingly collect personal data from children; if you believe a child has provided us personal data, contact us and we will delete it.

We maintain an incident-response process. In the event of a personal-data breach that affects you, we will notify you and the relevant authorities as required by law, including, under the DPDP Rules, the Data Protection Board of India, with a plain-language description of what happened, what data was affected, the steps we are taking, and what you can do.

You can reach our designated grievance officer, and ask any question about this policy or your data, at grievance@peakpaver.com. We aim to acknowledge and respond to grievances within 30 days. Under the DPDP Act, if you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India.

We may update this policy from time to time. When we make a material change, we will revise the "Last updated" date above, notify you in advance where required, and, where a change affects how we use your data, ask you to review and accept the updated terms. Continued use of the Service after an update means you have read the current policy.