Privacy Policy

Last updated June 4, 2026

Effective date: June 2, 2026.

0. The two data sets — read this first

FormDFlow works with two fundamentally different kinds of data, and they are governed differently. The distinction matters, so we state it up front.

1. Public Form D filings (NOT your personal data, NOT covered by this policy as “your” data). FormDFlow ingests Form D and Form D/A filings from the U.S. Securities and Exchange Commission’s EDGAR system. These filings are public-domain federal disclosure — private companies are required to file them with the SEC when they raise capital under Regulation D, and the SEC publishes them as a free public record. We read EDGAR, normalize the filings, tag them by vertical and stage, and make them searchable and filterable. We do not own these filings, and surfacing them is not the subject of your privacy rights as a FormDFlow customer. SEC EDGAR is a public data source we read — it is not a sub-processor of your data (see §4).

2. Your account and customer data (private, protectable, the subject of this policy). When you create an account, configure saved filters, add teammates, or pay us, you give us information that is personal data: your email, your name, your organization, your filter configurations, your team/seat identities, and your billing identity. This data is private, and it is what this Privacy Policy governs. We treat it under the GDPR, the UK GDPR, and the CCPA/CPRA as applicable.

We never use “the filings are public” as cover for loose handling of your data. The Form D filings being public has no bearing on how we protect your account, your filters, your team data, or your billing identity. Those are private and are handled under the standards described below.

1. Who we are, and the scope of this policy

This Privacy Policy explains how Sleet Labs LLC (“Sleet Labs,” “FormDFlow,” “we,” “us,” or “our”) collects, uses, and protects the personal data of customers and visitors to the FormDFlow service.

Controller / company: Sleet Labs LLC
Postal address: 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA
Privacy & data requests: Contact form (a dedicated privacy@formdflow.com mailbox is being established)
Service: FormDFlow — filtered, vertical-tagged alerts derived from public SEC Form D filings, plus a searchable filing directory

What this policy covers: the personal data of our customers, account holders, team members, newsletter subscribers, and website visitors.

What this policy does not cover: the contents of public SEC Form D filings. Those are public-domain federal disclosures published by the SEC; we present and filter them, and we make no ownership claim over them. FormDFlow is not affiliated with, endorsed by, or sponsored by the U.S. Securities and Exchange Commission, and FormDFlow is not an investment adviser, broker-dealer, or registered securities professional. Nothing in our product constitutes investment advice. EDGAR is a free public resource operated by the SEC.

For the data Sleet Labs holds about you, Sleet Labs is the controller. The third parties listed in §4 act as our processors (sub-processors).

2. What we collect

We collect only what we need to run the service you signed up for.

Account and identity data

  • Email address (your login identifier and the address we deliver to)
  • Name (where you provide it)
  • Organization / company name
  • Authentication data — we support Google sign-in (OAuth); we receive the basic profile and email scope from Google and do not receive or store your Google password

Service-configuration data

  • Saved filter configurations (e.g., vertical, geography, offering-size band, exemption type, keyword)
  • Delivery preferences and destinations you configure (e.g., a Slack or Teams integration on eligible tiers)
  • Team / seat data — the identities (email and role) of teammates you invite to your organization

Billing data

  • Billing identity and subscription state. Card payments are processed by Stripe; we do not store full card numbers. We retain Stripe customer and subscription references and the entitlement state they reflect (e.g., tier, active/trialing).

Usage, log, and device data

  • Standard server and application logs (e.g., timestamps, IP address, user agent, requested routes, error events) used for security, debugging, abuse prevention, and operating the service
  • Delivery records (e.g., that a digest was sent, and to which destination) used to operate and troubleshoot delivery

Cookies and similar technologies

  • Strictly necessary cookies for authentication and session management (see §9).
  • No analytics, advertising, or product-telemetry cookies. The authentication/session cookie is the only cookie we set (see §9).

We do not intentionally collect special-category (sensitive) personal data, and we ask that you not put it into free-text fields such as filter keywords.

3. How we use your data, and our lawful basis

FormDFlow is a B2B service that you (or your organization) chose to subscribe to. We process your personal data for the following purposes:

Purpose; what it involves; lawful basis (GDPR/UK GDPR):

  • Provide the service. What it involves: create and authenticate your account, store and run your saved filters, deliver digests and alerts, operate the directory. Lawful basis: performance of a contract (Art. 6(1)(b)).
  • Billing. What it involves: process subscription payments via Stripe, manage upgrades/downgrades, prevent payment fraud. Lawful basis: performance of a contract (Art. 6(1)(b)); legitimate interests for fraud prevention (Art. 6(1)(f)).
  • Security, reliability, abuse prevention. What it involves: logging, monitoring, rate-limiting, SSRF/abuse defenses, incident response. Lawful basis: legitimate interests (Art. 6(1)(f)) in operating a secure service.
  • Service & transactional communications. What it involves: receipts, password resets, security and account notices, service-status messages. Lawful basis: performance of a contract (Art. 6(1)(b)); legal obligation where applicable (Art. 6(1)(c)).
  • Commercial email — the daily digest and the free “Top 50 deals” newsletter. What it involves: send the product digest you subscribed to, and the marketing newsletter you opted into. Lawful basis: performance of a contract (digest, Art. 6(1)(b)); legitimate interests / consent (newsletter, Art. 6(1)(f) or 6(1)(a) as applicable).
  • Product improvement. What it involves: aggregate, non-identifying analysis of usage to improve the service. Lawful basis: legitimate interests (Art. 6(1)(f)).

Where we rely on legitimate interests, we have weighed those interests against your rights; you may object (see §7).

3.1 Transactional vs. commercial email

We distinguish two kinds of email, and treat them differently:

  • Transactional / service email — receipts, password resets, security alerts, and account notices. These are not marketing and do not carry a marketing unsubscribe, because you need them to use the service.
  • Commercial email — the daily digest and the free “Top 50 deals” newsletter. Both are commercial messages under the U.S. CAN-SPAM Act. Every commercial send carries a valid physical postal address, accurate sender and header identification, and a non-deceptive subject line. Each commercial send also carries a functioning unsubscribe that we honor promptly and the one-click List-Unsubscribe headers (RFC 8058) that mailbox providers require. Unsubscribing from commercial email does not stop transactional/service email.
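The one-click mechanism above has two halves: the headers on the outbound message and an endpoint that honors the provider's POST without a confirmation page. The following is an added example, not FormDFlow's or Resend's code; DOMAIN, the /u/<token> URL shape and the in-memory token store are assumptions for illustration. It builds a commercial message with RFC 2369 List-Unsubscribe and the RFC 8058 List-Unsubscribe-Post header, checks a message for the required pieces, confirms a transactional message carries none, and shows the server side of the one-click POST.

```python
"""Added example (not FormDFlow's or Resend's code): build the RFC 8058 one-click
unsubscribe headers for a commercial send, check a message for them, and handle
the mailbox provider's one-click POST on the server side. DOMAIN, the /u/<token>
URL shape and the token store are assumptions for illustration."""
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

DOMAIN = "formdflow.example"                 # assumed; not the real sending domain
ONE_CLICK = "List-Unsubscribe=One-Click"     # the exact value RFC 8058 requires
_URI_RE = re.compile(r"<([^<>\s]+)>")        # RFC 2369 <uri> entries
SUPPRESSED = set()                           # tokens that unsubscribed (stand-in for a table)


def build_commercial(to_addr, subject, body, token):
    """Digest/newsletter message: accurate From, postal address in the body,
    RFC 2369 List-Unsubscribe with an https URI, and the RFC 8058 -Post header."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = f"FormDFlow Digest <digest@{DOMAIN}>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    https_uri = f"https://{DOMAIN}/u/{token}"   # token names the subscription, not the person
    msg["List-Unsubscribe"] = f"<mailto:unsub@{DOMAIN}?subject={token}>, <{https_uri}>"
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    msg.set_content(
        f"{body}\n\n--\nSleet Labs LLC, 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA\n"
        f"Unsubscribe: {https_uri}\n"
    )
    return msg


def build_transactional(to_addr, subject, body):
    """Receipt / reset / security notice: no marketing unsubscribe at all."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = f"FormDFlow <no-reply@{DOMAIN}>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def one_click_problems(msg):
    """List the RFC 8058 defects in a commercial message; an empty list means it passes.
    RFC 8058 also requires a DKIM signature covering both headers; that is applied by
    the sending MTA and is not checked here."""
    problems = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        problems.append("missing List-Unsubscribe")
    else:
        uris = _URI_RE.findall(str(lu))
        if not uris:
            problems.append("List-Unsubscribe has no <uri> entries")
        elif not any(urlparse(u).scheme == "https" for u in uris):
            problems.append("List-Unsubscribe has no https URI")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post")
    elif str(post).strip() != ONE_CLICK:
        problems.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK!r}")
    return problems


def is_transactional_clean(msg):
    """Transactional mail must not advertise a marketing unsubscribe."""
    return msg.get("List-Unsubscribe") is None and msg.get("List-Unsubscribe-Post") is None


def handle_unsubscribe_post(method, content_type, body, token, valid_tokens):
    """Server side of one-click: the mailbox provider POSTs the literal body to the https
    URI with no cookies and no confirmation page, so act on the token alone. Returns an
    HTTP status; a repeated POST for the same token is still 200 (idempotent)."""
    if method != "POST":
        return 405
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return 415
    if body.strip() != ONE_CLICK:
        return 400
    if token not in valid_tokens:
        return 404
    SUPPRESSED.add(token)
    return 200
```

The token in the URL identifies a subscription rather than an email address, so the endpoint can be unauthenticated (as RFC 8058 requires) without letting a guessed URL reveal who is subscribed; the suppression set is the piece that has to be consulted before every commercial send.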

4. Sub-processors

We use a small set of third-party service providers (“sub-processors”) to operate FormDFlow. Each processes only the data needed for its function. The list below is living documentation — our CISO owns the per-vendor due-diligence and Data Processing Agreement (DPA) review, and we update this list as vendors change. Our current sub-processor list is available on request; the tables below summarize it.

EDGAR is not a sub-processor. SEC EDGAR is a public data source we read — not a processor of your data. We send EDGAR no customer personal data. We send only the SEC-required User-Agent request header (which contains a FormDFlow support email, not customer data) when retrieving public filings, and we respect EDGAR’s fair-access terms (real-contact User-Agent and the rate limit). EDGAR therefore does not appear in the sub-processor table.

4.1 Sub-processors that handle customer personal data

Sub-processor; what data they process; purpose; region; DPA on file:

  • Supabase. Data: account (email, name, org), authentication, saved filters, team/seat data, billing references, delivery records. Purpose: primary database + authentication. Region: United States (AWS us-east-1). DPA: available; SCCs; region confirmed US.
  • Stripe. Data: billing identity, payment details, subscription state. Purpose: payment processing and billing. Region: US (global). DPA: auto-incorporated via the Stripe Services Agreement; DPF-certified + SCCs.
  • Resend. Data: recipient email address + digest/newsletter content. Purpose: transactional and commercial email delivery. Region: US. DPA: auto-incorporated on ToS acceptance; US-hosted; SCCs.
  • Vercel. Data: account/session data in transit; server and application logs. Purpose: application hosting (FormDFlow web app + APIs); also the contracted LLM hop (Vercel AI Gateway — see §4.2). Region: US (global edge). DPA: auto-incorporated via Vercel ToS; DPF-certified + SCCs.
  • Railway. Data: data processed by the ingestion/delivery worker (e.g., recipient routing for deliveries). Purpose: hosting for the Python ingestion + delivery worker. Region: US. DPA: executed (counter-signature on file); US-hosted; SCCs apply.
  • Google / Google Workspace. Data: authentication (OAuth sign-in: basic profile + email); internal company email. Purpose: customer sign-in (Google OAuth) and our internal email/workspace. Region: US (global). DPA: Cloud Data Processing Addendum auto-applies; DPF-certified + SCCs.

4.2 Providers that process public-company data, not customer PII

These providers support our enrichment of public Form D filings and the companies and signatories named in them. Their classification was confirmed by our CISO: they process public-company and public-record data only — never your account/customer PII.

Provider; what it processes; purpose; region; notes:

  • Vercel AI Gateway / LLM (model providers reachable via the Gateway: Anthropic Claude Haiku — primary, Google Gemini Flash, OpenAI GPT-mini — fallbacks). Processes: tagging/enrichment prompts built from public filing data (issuer name, offering amount, SIC/industry) plus public signatory names from the filing signature block. Purpose: vertical/stage tagging and enrichment of public filings; resolving public professional profiles of filing signatories. Region: US (global). Notes: public-company/public-record data only — no customer PII. Contracted via the Vercel AI Gateway on Vercel system credentials; Vercel’s DPA governs, model providers downstream. The Gateway does not retain prompt/response content; providers do not train on API inputs under their commercial terms. The specific model providers reachable via the Gateway may change as we finalize our enrichment architecture. SCCs.
  • Brave Search API. Processes: search queries about public companies (issuer name + domain) and public signatory names from the filing signature block. Purpose: LinkedIn / company-page enrichment of public issuers; resolving public professional profiles of filing signatories. Region: US (global). Notes: public-company/public-record data only — no customer PII; no customer-data DPA required.
  • Brandfetch. Processes: public company domain / brand lookups (logo + brand assets for an issuer). Purpose: logo / brand enrichment of public issuers on filing pages. Region: US (global). Notes: public-company data only — no customer PII; no customer-data DPA required.
  • Google favicon service (google.com/s2/favicons). Processes: a public company domain string (to fetch a favicon). Purpose: fallback logo/icon for public issuers. Region: US (global). Notes: public-company data only — no customer PII; no customer-data DPA required.

Why two tables. The §4.1 vendors touch your private account/customer data and are full sub-processors under GDPR/CCPA. The §4.2 providers see only data derived from public SEC filings (and queries about public companies) — not your personal data. If a §4.2 provider’s role ever changes to touch customer PII, it moves to §4.1 and gets a DPA.

Public signatory data. Some enrichment resolves the public professional profiles of the persons named in a filing’s public signature block (a signatory’s name → their public LinkedIn/company profile). A signatory name is a natural person, so this is personal data — but it is public SEC-record data, and the data subjects are the filing signatories, not you, our customer. We process this public-record personal data on a legitimate-interest basis to enrich public filings; the §4.2 providers never touch your account/customer PII.

We do not sell your personal data, and we do not share it with third parties for their own marketing.

5. International data transfers

FormDFlow and its sub-processors are primarily hosted in the United States. If you access the service from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the US and in other countries where our sub-processors operate.

Where we transfer personal data out of the EEA/UK/Switzerland, we rely on appropriate safeguards — typically the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, or another lawful transfer mechanism — and we require our sub-processors to provide equivalent protections. The per-vendor mechanism is summarized in §4.1 (most providers are EU-US Data Privacy Framework–certified and/or rely on SCCs). Our primary data store (Supabase) is hosted in the United States (AWS us-east-1), so the EU/UK→US transfer analysis for that store rides the SCCs / UK-IDTA described above.

6. Data retention

We keep your personal data for as long as your account is active and for as long as we need it to provide the service, comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Account, filter, team, and billing data — retained for the life of your account.
  • After account closure — we delete or anonymize your personal data after a short deletion grace window, except where we must retain limited records (e.g., for tax, accounting, or legal-compliance reasons) or in backups that age out on a rolling schedule.
  • Deletion grace window — 30 days after closure or a deletion request before permanent deletion, allowing accidental-deletion recovery and orderly off-boarding.
  • How erasure works today — we honor a verified deletion request by removing your data administratively, on request through our contact form, within the window above. We do not currently offer a self-serve “delete my account” button; erasure is handled by our team (a self-serve control is on our roadmap).
  • Logs — operational and audit logs are retained for up to 12 months and then pruned; platform logs (Vercel/Railway/Supabase) follow each platform’s default retention.
  • Billing records — retained as required by applicable financial/tax law even after account closure.

7. Your privacy rights

Depending on where you live, you have rights over your personal data. We honor these rights regardless of how public the underlying SEC filings are — your account data is yours.

7.1 If you are in the EEA / UK / Switzerland (GDPR / UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”), subject to our legal-retention obligations
  • Restrict or object to certain processing, including processing based on legitimate interests and direct marketing
  • Portability — receive your data in a structured, commonly used, machine-readable format
  • Withdraw consent at any time where we rely on consent (this does not affect prior processing)
  • Lodge a complaint with your local supervisory authority (e.g., the UK ICO or an EU data-protection authority)

Response time: we respond to verified GDPR/UK-GDPR requests within 30 days. If a request is complex, we may extend this and will tell you within the initial 30 days.

7.2 If you are in California (CCPA / CPRA)

You have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete personal information we hold about you, subject to legal exceptions
  • Correct inaccurate personal information
  • Opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising — note: we do not “sell” or “share” your personal information in this sense
  • Non-discrimination for exercising your rights

Response time: we acknowledge CCPA/CPRA requests within 10 business days and respond within 45 days. We may extend by an additional 45 days where reasonably necessary, and will notify you of any extension.

7.3 How to make a request

Submit a request through our contact form, our path for privacy and data requests. We will verify your identity before acting on a request, and we will not charge a fee except where a request is manifestly unfounded or excessive. You may use an authorized agent where the law permits.

8. Security

We take the security of your account data seriously. Our controls include role-scoped database access (row-level security with a strict service-role boundary), least-privilege OAuth scopes, encryption in transit (HTTPS/TLS) and at rest (provider-managed), restricted webhook egress (SSRF defenses), idempotent billing-event handling, and audit logging. Our CISO owns the security program, vendor security review, and breach detection and response.
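The "restricted webhook egress" control above is the one that turns a customer-configured Slack or Teams destination into a server-side request, so it is worth showing what the check has to cover. The block below is an added example, not FormDFlow's code; the ALLOWED_SUFFIXES allowlist, the injectable resolver and the sample addresses are assumptions. It rejects non-HTTPS schemes, userinfo, non-standard ports, literal IP hosts and hosts outside the allowlist, resolves every A/AAAA answer and refuses any that lands in private, loopback, link-local (including the cloud metadata range) or IPv4-mapped space, and returns the resolved addresses so the caller can pin them rather than resolve again at connect time.

```python
"""Added example (not FormDFlow's code): SSRF egress check for a customer-supplied
webhook destination, run by the delivery worker before any connection is opened.
ALLOWED_SUFFIXES, the resolver hook and the sample addresses are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of the destination domains the integrations use; tighten to
# exactly what the product supports.
ALLOWED_SUFFIXES = ("hooks.slack.com", "webhook.office.com")


def addrs(*strs):
    """Helper for building address sets (used by tests and fake resolvers)."""
    return {ipaddress.ip_address(s) for s in strs}


def _host_allowed(host):
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def _resolve(host):
    """Default resolver: return every A/AAAA answer, since the zone may be attacker-run."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(ai[4][0]) for ai in infos}


def _is_public(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_webhook_url(url, resolve=_resolve):
    """Return (ok, reason, pinned_ips). On success the caller must connect only to
    pinned_ips (sending the hostname as Host/SNI) instead of resolving again, which
    closes the DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https", set()
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", set()
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port", set()
    if port not in (None, 443):
        return False, "only port 443 is allowed", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "literal IP addresses are not allowed", set()
    host = host.rstrip(".").lower()
    if not _host_allowed(host):
        return False, f"host {host} is not an allowed destination", set()
    try:
        ips = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}", set()
    if not ips or not all(_is_public(ip) for ip in ips):
        return False, "host resolves to a non-public address", set()
    return True, "ok", ips
```

The check must be repeated on every delivery, not only when the destination is saved: a hostname that was clean at configuration time can later be pointed at an internal address, and the HTTP client must also be configured not to follow redirects, since a 302 from an allowed host is another path to the same internal targets.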

No method of transmission or storage is perfectly secure, but we work to protect your data and to maintain the safeguards described here.

9. Cookies and similar technologies

FormDFlow uses only strictly necessary cookies:

  • Authentication / session — a first-party Supabase auth cookie that keeps you signed in (the service will not work without it).
  • Third-party cookies appear only on Stripe Checkout and the Google sign-in screen — on those providers’ own domains, for the flow you invoked.

We use no analytics, advertising, product-telemetry, or tracking cookies. Because we set only strictly necessary cookies, no cookie-consent banner is required as the service is built today. If we ever introduce a non-essential cookie (e.g., analytics or marketing), we will obtain prior consent and add a consent banner before it is set. You can control cookies through your browser settings; disabling strictly necessary cookies may break sign-in.

10. Children

FormDFlow is a B2B service intended for business users. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 — FormDFlow has no consumer or minor users. If you believe a minor has provided us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, notify account holders by email or in-product notice. Continued use of FormDFlow after an update means you accept the revised policy.

12. Contact

Questions, requests, or complaints about this policy or your personal data:

Sleet Labs LLC
5830 E 2nd St, Ste 7000
Casper, WY 82609, USA
Contact form (a dedicated privacy@formdflow.com mailbox is being established)

See also our Terms of Service.