Privacy Policy
Last Updated: February 14, 2026
1. Introduction / Who We Are
ITOptik ("we," "us," or "our") operates a business-to-business IT due diligence platform designed for Private Equity firms, due diligence firms, and target companies involved in mergers and acquisitions. Our platform facilitates the collection, analysis, and reporting of IT infrastructure, security, and compliance information during the due diligence process.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform, including all associated portals (Admin, Client, Due Diligence, and Target Company portals), websites, and related services (collectively, the "Platform").
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are using the Platform on behalf of an organization, you represent that you have the authority to bind that organization to these terms.
2. Information We Collect
We collect information necessary to provide our IT due diligence services. The categories below describe the types of information we collect and how we obtain them.
2.1 Account Information
When you create an account or are added to the Platform by your organization, we collect:
- Full name and email address
- Job title and phone number
- Company or firm name
- Your role within the Platform (administrator, PE firm user, DD firm user, or target company user)
2.2 Business Information
For organizations registered on the Platform, we collect:
- Firm name and type (e.g., Private Equity, Growth Equity, Family Office)
- Assets Under Management (AUM) range
- Headquarters location
- Website URL and organizational contact details
2.3 Assessment and Due Diligence Data
The core of our Platform involves processing due diligence materials. This includes:
- Documents uploaded by target companies (financial records, IT infrastructure documentation, compliance certifications, security policies, and similar business records)
- Interview transcripts and notes
- AI-generated analysis results, assessment scores, and risk evaluations
- Red flags, deal memos, and expert review findings
2.4 Billing Information
For billing and payment purposes, we collect:
- Invoice details and payment amounts
- Transaction identifiers
- Billing addresses
Payment processing is handled by our third-party payment processor, Payload.com. We do not directly store credit card numbers or bank account details on our servers.
2.5 Authentication and Security Data
To protect your account and our Platform, we collect and process:
- Encrypted passwords (managed by our authentication provider, Supabase Auth)
- Multi-factor authentication (MFA/TOTP) enrollment data
- Hashed recovery codes
- Login timestamps and records of failed login attempts
2.6 Device and Usage Data
When you access the Platform, we automatically collect:
- IP addresses (used for rate limiting, security monitoring, and audit logging)
- User agent strings (browser type and version, device information)
- Session activity timestamps
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing our services: Operating the Platform, processing due diligence assessments, generating AI-powered document analysis and scoring, and delivering reports to authorized users.
- Account management: Creating and maintaining your account, authenticating your identity, and managing user roles and permissions across portals.
- Billing and payments: Processing invoices, tracking transactions, and managing billing relationships between platform participants.
- Security and compliance: Detecting and preventing fraud, enforcing rate limits, maintaining audit logs for SOC2 compliance, and protecting the integrity of the Platform.
- Communication: Sending transactional emails (account verification, password resets, assessment notifications, document request alerts) and responding to your inquiries.
- Platform improvement: Debugging errors, monitoring platform health, and improving the reliability and performance of our services.
We do not use your personal information for advertising, profiling for marketing purposes, or selling to third parties.
6. Data Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest.
- Row-Level Security (RLS): Database-level access policies ensure that users can only access data belonging to their organization and role. Every query is filtered through RLS policies.
- Multi-Factor Authentication: MFA via time-based one-time passwords (TOTP) is required in production environments, with hashed recovery codes as a backup.
- Session management: Sessions are automatically terminated after 30 minutes of inactivity.
- Account lockout: Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
- Rate limiting: Sensitive endpoints are protected by rate limiting to prevent abuse.
- Audit logging: Security events are logged with PII sanitization to support compliance and incident response without unnecessary exposure of personal data.
While we employ commercially reasonable safeguards, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
7. Data Retention
We retain your information only as long as necessary to fulfill the purposes described in this Policy or as required by law.
- Audit logs: Retained indefinitely to meet SOC2 compliance requirements and to support security investigations.
- Rate limit records: Automatically deleted after 1 hour.
- Documents and assessments: Retained for the duration of the active business relationship between the relevant parties. Upon termination of the relationship, data is retained for a reasonable period to allow for retrieval, after which it is deleted.
- User accounts: Account data is deleted when an account is removed from the Platform, subject to any legal retention obligations.
8. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal and contractual retention requirements.
- Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
- Restriction: Request that we limit the processing of your personal information in certain circumstances.
- Objection: Object to processing of your personal information where we rely on a legitimate interest as the legal basis.
To exercise any of these rights, please contact us at privacy@itoptik.com. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before fulfilling your request.
If you are using the Platform through your employer or organization, certain requests may need to be directed to your organization's administrator, as they control the account and data associated with your use.
9. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information.
We do not sell or share your personal information for cross-context behavioral advertising purposes.
For a detailed description of your California privacy rights, the categories of personal information we collect, and how to exercise your rights, please see our California Privacy Disclosure.
10. Children's Privacy
The Platform is a business-to-business service intended solely for use by professionals in the Private Equity and due diligence industries. It is not directed at, and we do not knowingly collect personal information from, children under the age of 16.
If we learn that we have inadvertently collected personal information from a child under 16, we will promptly delete that information. If you believe a child under 16 has provided us with personal information, please contact us at privacy@itoptik.com.
11. International Data Transfers
ITOptik is based in the United States, and the Platform's data is processed and stored on servers located in the United States. If you access the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Platform, you consent to the transfer of your information to the United States. We apply the same security safeguards described in this Policy regardless of where data originates.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify affected users by email or through an in-platform notice, where appropriate.
We encourage you to review this page periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
This policy is provided for informational purposes. For questions about how this policy applies to your specific situation, please consult qualified legal counsel.
