PRIVACY.

Last updated: 2026-04-17

◆ TL;DR

We collect the minimum to operate the service. No tracking pixels from ad networks. No selling your data. You can delete everything we have on you with one click.

◆ WHAT WE COLLECT

  • Account data — via GitHub OAuth: your GitHub ID, username, email (primary), avatar URL. Nothing else.
  • Usage data — which endpoints you hit, when, and status codes. Used for rate limiting and debugging. We don't log the request bodies or responses.
  • Subscriber email — if you opt into the newsletter, we store your email + signup source. We use Brevo as a sub-processor for delivery.
  • Audit log — signups, key rotations, webhook creates. IP is stored for abuse prevention (retained 90 days).
  • Analytics — we use PostHog for aggregate product usage. Self-hosted, no cross-site tracking, no third-party cookies.

◆ DATA WE DON'T COLLECT

  • ▸ Passwords (we use GitHub OAuth, so we never see one)
  • ▸ Payment info (Stripe handles that when Pro ships — we only store their customer ID)
  • ▸ Device fingerprints, cross-site tracking, ad-network data

◆ STARTUP DATA WE PUBLISH

The startups and contacts in our API are aggregated from publicly-available sources — company websites, funding announcements, LinkedIn public profiles. We comply with takedown requests: if you're listed and want to be removed, email privacy@fundedapi.com and we'll remove you within 7 days.

◆ YOUR RIGHTS (GDPR & CCPA)

  • Access / Portability (Art. 15, 20) — download every row we store about you as a single JSON file from the dashboard Danger Zone. Instant, self-service.
  • Deletion (Art. 17) — delete your account from the dashboard. Everything is wiped within 30 days. Audit rows are anonymized, not deleted (90-day abuse retention).
  • Correction (Art. 16) — profile data comes from GitHub; update it there and re-login. Contact rows (non-account): email hello@fundedapi.com.
  • Unsubscribe — every email has a 1-click unsubscribe link.

◆ COOKIES

One session cookie (__Host-fundedapi_session) to keep you logged in. HttpOnly, Secure, SameSite=Lax. That's it. No tracking cookies.

◆ SUB-PROCESSORS

  • Railway — hosting + Postgres
  • GitHub — OAuth + code
  • Brevo — transactional email + newsletter
  • PostHog — product analytics
  • Apify — web scraping infrastructure

◆ RETENTION

  • ▸ Account data: until you delete your account
  • ▸ API usage logs: 30 days rolling
  • ▸ Audit logs: 90 days rolling
  • ▸ Newsletter emails: until you unsubscribe

◆ CONTACT

Questions? privacy@fundedapi.com.
Data controller: Intym Holding B.V., Amsterdam, Netherlands.