Skip to main content

Privacy Policy

Effective date: January 1, 2025 — Last updated: May 2026

CapBench (“we,” “us,” or “our”) operates the www.capbench.com platform (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have regarding your data.

Geographic Scope (United States only)

CapBench is operated from the United States and is intended solely for users and business transactions located in the United States. Our services — SBA 7(a) financing intelligence, U.S. business listings, and buyer prequalification — are U.S.-specific. We do not market, offer, or provide services to individuals located in the European Economic Area, the United Kingdom, or other jurisdictions outside the United States, and we do not intend to subject ourselves to non-U.S. data-protection laws. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with your local laws.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, phone number (optional), LinkedIn profile URL, and organization details. If you sign in via Google or LinkedIn OAuth, we receive your public profile information from those providers.

1.2 Deal and Transaction Data

Information you provide while using the platform, including deal materials, confidential information memoranda, NDA signatures, and chat messages. Seller-provided deal materials may include sensitive business records such as financial statements, tax information, customer lists, employee-related materials, operating metrics, contracts, and other confidential transaction documents.

1.3 Behavioral and Usage Data

We collect data about how you interact with the Service: pages visited, documents viewed or downloaded, time spent on sections, session identifiers, click events, and engagement patterns. This data helps advisors understand buyer interest and helps us improve the platform.

1.4 Device and Network Information

We automatically collect your IP address, browser type and version, operating system, device type, approximate geolocation (city/country derived from IP), referrer URL, and UTM campaign parameters.

1.5 Electronic Signatures

When you sign an NDA on the platform, we capture your typed or drawn signature, your IP address, user agent, and a timestamp. A cryptographic hash of the signed document content is stored to ensure integrity.

1.6 Payment Information

Payment card details are collected and processed directly by Stripe. We do not store full card numbers on our servers. We retain your Stripe customer ID and subscription status for billing purposes.

2. How We Use Your Information

  • Provide and operate the Service— manage your account, facilitate deal progression, deliver deal materials, and support buyer-advisor communication.
  • Fraud detection and platform integrity— verify user identity and detect suspicious activity using IP, email, and phone fraud scoring via IPQualityScore (IPQS).
  • Analytics and improvement— understand how users interact with the platform to improve features, performance, and user experience.
  • Communication— send transactional emails (NDA confirmations, deal notifications, OTP codes), respond to support inquiries, and deliver buyer deal alerts.
  • Legal compliance— maintain records required for legal, tax, or regulatory obligations, including signed NDAs and LOIs.
  • AI-assisted features— generate deal summaries and assist advisors with content creation.

3. Third-Party Services

We share data with the following categories of third-party service providers, each operating under their own privacy policies:

  • Anthropic— AI processing for deal content generation. Deal content may be sent to Anthropic to extract or generate requested content. We minimize submitted data where feasible, and AI-processed content is not used by CapBench to train foundation models.
  • Stripe— payment processing and subscription management. Stripe receives your name, email, and payment card details.
  • PostHog— product analytics and session tracking. PostHog receives pseudonymized usage events associated with an account identifier, device information, and page view data.
  • IPQualityScore (IPQS)— fraud detection. IPQS receives IP addresses, email addresses, and phone numbers to generate risk scores.
  • Resend— transactional email delivery. Resend receives recipient email addresses and message content.
  • Twilio— SMS delivery for verification codes. Twilio receives phone numbers and OTP message content.
  • Convex— backend infrastructure and database hosting. All application data is stored on Convex's cloud infrastructure.
  • Vercel— frontend hosting and edge network delivery.

Lending partners (lead recipients).Separately from the service providers above, when you ask us to connect you with a lender — for example by submitting a pre-qualification, lender-match, or “contact a lender” request — we share the contact and deal details you provide (such as your name, email, phone, location, and the financing you're seeking) with SBA lenders and loan brokers, some of whom pay CapBench for these introductions. We share this information only after you affirmatively request the connection, and only so those partners can contact you about financing. Under California law this may be considered a “sale” or “sharing” of personal information — see your rights in Section 9.

4. Data Retention

  • Account data— retained for the lifetime of your account. Deleted or anonymized within 30 days of an account deletion request, except where retention is required for legal, security, audit, or transaction recordkeeping obligations.
  • Deal engagement data— retained for the duration of the deal plus 12 months after deal closure for reporting purposes.
  • NDA and LOI records— retained for 7 years after execution to satisfy legal and compliance obligations, even after account deletion. Direct database identifiers and searchable PII fields are anonymized upon deletion request where feasible, but executed PDFs, signature evidence, content hashes, and related audit records may be retained until the retention period expires or a legal hold is released.
  • Legal holds— records subject to litigation, regulatory inquiry, security investigation, or transaction dispute may be retained for longer while the hold remains in effect.
  • Behavioral tracking data— retained for 24 months, then automatically purged.
  • Fraud detection records— IP and risk score data is cached for 24 hours and retained in aggregate for 12 months.

5. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights:

  • Right of access— request a copy of all personal data we hold about you. You can export your data directly from your account settings, or contact us.
  • Right to deletion— request that we delete your personal data. You can initiate deletion from your account settings. Certain data, including executed NDAs, LOIs, access logs, and records under legal hold, may be retained in full or anonymized form for legal compliance, audit, security, dispute resolution, or transaction recordkeeping.
  • Right to rectification— request correction of inaccurate personal data.
  • Right to data portability— receive your data in a structured, machine-readable format.
  • Right to object— object to certain types of processing, including behavioral tracking and profiling.
  • Right to restrict processing— request that we limit how we use your data while a complaint or request is being resolved.

To exercise any of these rights, contact us at hello@capbench.com. We will respond within 30 days.

6. Behavioral Tracking and Opt-Out

CapBench collects behavioral data (page views, document interactions, session activity) to help advisors understand buyer engagement, support seller portal workflows, and improve the platform. Buyer and seller users may opt out of optional behavioral tracking. If you wish to opt out, you can do so from your account settings or by contacting us at hello@capbench.com. Please note that opting out of tracking may limit certain platform features that rely on engagement data (e.g., engagement scores visible to advisors).

7. Cookies and Similar Technologies

We use the following types of cookies:

  • Essential cookies— required for authentication, session management, and platform functionality. These cannot be disabled.
  • Analytics cookies— used by PostHog, and where enabled Google Analytics, to collect pseudonymized usage statistics. Set only with your consent (the “Analytics” choice in our cookie banner).
  • Marketing cookies— where enabled, advertising and remarketing pixels such as the Meta (Facebook) Pixel and Google Ads tag, which help us measure and target advertising. These are set onlyif you accept the “Marketing” choice in our cookie banner, and never by default.
  • Fraud prevention cookies— used to generate device fingerprints and visitor IDs for fraud detection purposes.

You control Analytics and Marketing cookies through the cookie banner, and you can change your choice at any time. Under California law, the use of advertising/marketing cookies may be considered “sharing” for cross-context behavioral advertising; you can opt out at any time as described in our Do Not Sell or Share section. Separately, when you request a lender introduction, we share the contact details you submit with lending partners as described in Section 3 and Section 9.

8. GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), the legal bases for our processing of your personal data are:

  • Contract performance— processing necessary to provide the Service you have signed up for.
  • Legitimate interests— fraud prevention, platform security, and analytics to improve the Service.
  • Legal obligations— retention of NDA and signature records as required by law.
  • Consent— where required, such as for optional behavioral tracking.

You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.

CapBench uses hello@capbench.com as its data protection contact. If an EU representative or Data Protection Officer becomes legally required for a specific processing activity, this policy will be updated with that contact.

9. CCPA / CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the CPRA:

  • Right to know— request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete— request deletion of your personal information, subject to certain exceptions.
  • Right to correct— request correction of inaccurate personal information we hold about you.
  • Right to non-discrimination— we will not discriminate against you for exercising your privacy rights.
  • Right to opt out of sale or sharing— you may direct us not to sell or share your personal information at any time (see “Do Not Sell or Share” below).

Notice of sale/sharing.When you ask us to introduce you to a lender (for example, a pre-qualification or lender-match request), we share the identifiers and financing details you provide — such as your name, email, phone, location, and deal information — with SBA lenders and loan brokers, some of whom compensate CapBench for the introduction. Under the CCPA/CPRA, this may be considered a “sale” or “sharing” of personal information. We do not sell or share any other personal information, we do not exchange it for money apart from these lender introductions you request, and we do not knowingly sell or share the personal information of consumers under 16.

Do Not Sell or Share My Personal Information. You can opt out at any time by emailing us at hello@capbench.com with the subject “Do Not Sell or Share” and the email or phone number you used; we will stop sharing your details with lending partners. Because this sharing happens only when you affirmatively request a lender introduction, declining to submit a lender-match or pre-qualification request also prevents it entirely.

To exercise any of these rights, contact us at hello@capbench.com.

10. International Data Transfers

Your data may be transferred to and processed in the United States, where our infrastructure providers (Convex, Vercel, Stripe) are headquartered. We ensure appropriate safeguards are in place, including standard contractual clauses where required, to protect your data during international transfers.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete that data promptly.

12. Breach Notification

If CapBench becomes aware of a personal data breach, we will assess the scope, risk, and affected users. Where legally required, we will notify the appropriate supervisory authority and affected individuals within the timelines required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

CapBench
Email: hello@capbench.com
Website: www.capbench.com

Scroll