This policy explains what data FreeCapT collects, why, and what you can do about it. FreeCapT is operated by Bifrost Studios ("we"), Copenhagen, Denmark. We are the data controller for your account data, and a data processor for the cap table content you store with us. We write this in plain English on purpose.
What we collect
- Account data: your email address (used for magic-link sign-in) and basic profile and workspace settings.
- Cap table content: the companies, stakeholders, securities, and transactions you create. You control this; we process it to provide the service.
- Usage and diagnostics: minimal, privacy-respecting product analytics and error reports to keep the service working. Account identifiers are hashed in event payloads.
We do not use Google Analytics, advertising trackers, or third-party session-replay tools that we do not control. We do not sell your data, ever.
Where your data lives
You choose your data region when you create a company. EU customers' data is hosted in the EU (Frankfurt); US customers in us-east. The region is fixed once a company is created. A small number of carefully chosen sub-processors (hosting, email delivery, AI inference, error tracking) support the service; each is bound by a data processing agreement and selected for EU data handling where applicable.
AI features
When you use AI features (document extraction, plain-English bulk add, ask-your-cap-table), the relevant content is sent to our AI provider to generate a response, in your region where supported. We do not allow your content to be used to train third-party models.
Legal basis (GDPR)
We process account and cap table data to perform our contract with you, usage and security data under our legitimate interest in keeping the service safe and reliable, and any optional communications with your consent. EU/UK data subjects have rights of access, rectification, erasure, restriction, portability, and objection.
Your controls
- Export: one click exports everything - ledger, documents, and audit log - as a ZIP.
- Deletion: deleting your account starts a 30-day grace period, then a full purge.
- Requests: data subject access requests are handled within 30 days.
Security
AES-256 encryption at rest, TLS 1.3 in transit, per-tenant encryption keys, an append-only audit log, and magic-link authentication (no passwords). More detail is on our security overview.
Cookies
We use only the cookies required to keep you signed in and the service secure. We do not use advertising or cross-site tracking cookies.
Contact
For any privacy request or question, email privacy@freecapt.com. A Data Processing Agreement is available on request.
This policy is provided in good faith and in plain language. If anything here conflicts with your rights under applicable law, those rights prevail.