PRISM Diligence

Privacy Policy

Last updated: May 26, 2026

Overview

This Privacy Policy explains how PRISM Diligence ("PRISM," "we," "us," or "our") collects, uses, shares, and protects information when you use our financial diligence workspace, website, and related services. If your organization has a separate written agreement with us, that agreement controls where it conflicts with this policy.

Information We Collect

  • Account information, including name, email address, organization, authentication events, role, and invite status.
  • Customer content, including uploaded financial documents, project data, extracted tables, mappings, adjustments, forecasts, diligence questions, reports, and related notes.
  • Usage, device, and diagnostic information, such as IP address, browser type, pages visited, timestamps, errors, performance data, and security logs.
  • Billing information handled through Stripe, such as customer, subscription, invoice, and payment status metadata. We do not store full payment card numbers.
  • Communications you send us, including support requests, feedback, and administrative correspondence.

How We Use Information

  • Provide, secure, maintain, and improve the service.
  • Authenticate users, manage invites, enforce access controls, and prevent misuse.
  • Process uploaded documents, extract financial data, generate diligence outputs, and support download and reprocessing features.
  • Operate billing, subscriptions, customer support, service communications, and administrative notices.
  • Monitor reliability, investigate errors, detect security issues, and comply with legal obligations.

AI and Document Processing

PRISM uses third-party OCR and language model providers to power document extraction, structuring, analysis, and related workflow features. Customer content may be sent to those providers only as needed to provide the requested service. Current processing providers may include Mistral, OpenAI, and Google Gemini. You should not upload content unless you have the rights and authority to process it through PRISM and its service providers.

How We Share Information

We do not sell customer content. We share information only as needed to operate PRISM, comply with law, protect rights and safety, or complete a business transaction. Service providers may include hosting, database, object storage, email delivery, payments, observability, OCR, and AI model providers, including Vercel, Railway, PlanetScale, Cloudflare R2, Resend, Stripe, Sentry, Mistral, OpenAI, and Google.

Security Practices

We use technical and organizational safeguards designed to protect customer data. These include TLS for data in transit, private Cloudflare R2 object storage, short-lived signed upload URLs, provider-managed encryption at rest for object storage, database access controls, invite-gated production access, role-based admin controls, one-time email authentication codes, server-side validation, restricted production secrets, security headers, and production monitoring. We limit access to systems and data to people and service providers with a business need.

No method of transmission or storage is perfectly secure. If you believe your account or data may have been compromised, contact us promptly.

Retention and Deletion

We keep account information, project data, uploaded documents, extraction outputs, logs, and billing records for as long as needed to provide the service, comply with legal obligations, resolve disputes, maintain backups, and enforce agreements. You may request deletion of account or project data, subject to legal, security, backup, and operational limits.

Cookies and Similar Technologies

We use cookies and similar technologies for authentication, session management, security, preferences, and basic service operation. You can control cookies through your browser settings, but disabling required cookies may prevent the service from working.

Your Choices and Rights

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of certain personal information, or to object to or restrict certain processing. To make a request, contact us using the information below. We may need to verify your identity and authority before acting on a request.

International Processing

PRISM and its service providers may process information in the United States and other countries where they operate. Those countries may have data protection laws different from the laws where you live.

Children's Privacy

PRISM is intended for business users and is not directed to children under 13. We do not knowingly collect personal information from children under 13.

Contact

Questions or requests about this Privacy Policy can be sent to hello@prismdiligence.com.