Privacy Policy
Effective date: March 22, 2026
1. Data Controller
The data controller responsible for your personal data is:
Sodasoft LLC operates Fund54 (fund54.com), a fundraising operating system for startups and investors. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you access or use our website, platform, and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Data We Collect
2.1 Account Data
When you register for an account, we collect:
- Full name
- Email address
- Password (stored in hashed form; we never store plaintext passwords)
- Account role (founder or investor)
- Authentication tokens and session data
2.2 Profile Data
Depending on your role, you may provide:
- Company name, description, industry, and stage
- Job title and professional bio
- Profile photo and company logo
- Social media links and website URLs
- Financial metrics (revenue, MRR, ARR, runway, valuation)
- Cap table information (shareholders, equity allocations)
- Investment thesis, portfolio, and check size (for investors)
- Geographic focus and sector preferences
2.3 Document and Data Room Data
- Documents uploaded to data rooms (pitch decks, financials, legal documents)
- Data room access logs and viewer activity
- Document metadata (file names, sizes, upload timestamps)
2.4 E-Signature Data
When you use our electronic signature feature, we collect and retain the following as part of a legally required audit trail:
- Signer identity (name and email address)
- IP address at the time of signing
- Geolocation data derived from IP address
- Precise timestamp of the signature event
- SHA-256 cryptographic hash of the signed document
- Browser and device information at the time of signing
2.5 Usage Data
- Pages viewed and features used
- Actions taken within the platform (clicks, searches, navigation)
- Time spent on pages and session duration
- Referral URLs and landing pages
2.6 Device and Technical Data
- IP address
- Browser type and version
- Operating system
- Device type and screen resolution
- Language and timezone settings
2.7 Payment Data
Payment card information is collected and processed directly by our payment processor, Stripe. We never receive, access, or store your full credit card number, CVV, or other sensitive payment card details on our servers. We only receive from Stripe: the last four digits of your card, card brand, expiration date, billing address, and transaction history for invoicing purposes.
3. Legal Basis for Processing
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we process your data on the following grounds under Article 6 of the General Data Protection Regulation (GDPR):
- Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Service to you, including account management, subscription processing, data room access, e-signature execution, and platform functionality.
- Consent (Art. 6(1)(a)): where you have given explicit consent, such as opting in to analytics cookies, receiving marketing communications, or consenting to the collection of geolocation data for e-signature audit trails. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)): processing necessary for our legitimate interests, including improving the Service, preventing fraud, ensuring platform security, analyzing usage patterns, and enforcing our Terms of Service, provided these interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)): processing necessary to comply with applicable legal obligations, including maintaining e-signature audit trails, responding to lawful data requests, and tax and accounting record-keeping.
4. How We Use Your Data
We use the data we collect for the following purposes:
- Providing the Service: operating and maintaining the platform, processing account registration, managing subscriptions, enabling data room access, and facilitating e-signature workflows.
- Matching and discovery: enabling startups and investors to discover each other through the investor directory, search filters, and profile matching based on investment criteria.
- Analytics and insights: providing engagement analytics to data room owners (document views, time spent, viewer activity) and fundraising performance metrics.
- Communications: sending transactional emails including account verification, password resets, subscription confirmations, data room invitations, e-signature requests, investor update notifications, and in-app notifications.
- E-signature audit trail: recording and maintaining comprehensive audit logs for all e-signature events to ensure legal validity and compliance with eIDAS, E-SIGN Act, and UETA requirements.
- Service improvement: analyzing usage patterns and trends to improve user experience, develop new features, and optimize platform performance.
- Security and fraud prevention: detecting, preventing, and addressing technical issues, abuse, fraud, and security threats.
- Legal compliance: enforcing our Terms of Service and complying with applicable laws, regulations, and legal processes.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. We never have and never will.
We share your data only in the following circumstances:
5.1 With Other Users (As You Configure)
- Startup profiles you create may be visible to investors you share them with or, if configured as public, to all authenticated users.
- Investor profiles in the directory are publicly visible. Claimed profiles display information the investor has chosen to share.
- Data room content is shared only with users you explicitly grant access to. Viewer activity (document views, time spent) may be visible to the data room owner.
- Team members within a workspace may see shared data based on their assigned role permissions.
5.2 Service Providers
We share data with the following third-party service providers who process data on our behalf:
- Stripe (San Francisco, USA) — payment processing and subscription management.
- Supabase (EU Frankfurt region) — database hosting, authentication, and file storage.
- Vercel (USA) — application hosting and content delivery.
- Resend (USA) — transactional email delivery.
All service providers are contractually obligated to process your data only for the purposes of providing services to us and in accordance with applicable data protection laws.
5.3 Legal Requirements
We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or address security issues; or (d) protect the personal safety of users or the public.
5.4 Business Transfers
In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Sodasoft LLC is a United States company. Our primary database is hosted on Supabase servers located in the European Union (Frankfurt, Germany). However, some of our service providers (Stripe, Vercel, Resend) operate in the United States, which means your data may be transferred to and processed in the United States.
For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision from the European Commission, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): we enter into the European Commission's Standard Contractual Clauses with our service providers to ensure adequate protection for your personal data during international transfers.
- EU-U.S. Data Privacy Framework: where applicable, we rely on our service providers' certifications under the EU-U.S. Data Privacy Framework.
- Supplementary measures: we implement additional technical and organizational measures, including encryption in transit and at rest, to protect data during transfer.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy. Specific retention periods are as follows:
- Active accounts: your account data, profile data, and User Content are retained for as long as your account remains active.
- Deleted accounts: upon account deletion, we will delete or anonymize your personal data within thirty (30) days. This includes your profile information, data room content, CRM data, pipeline data, and other User Content. Backups containing your data may persist for up to an additional thirty (30) days before being automatically purged.
- E-signature audit trails: audit trail records for electronic signatures (including signer identity, IP address, geolocation, timestamp, and document hash) are retained for a minimum of ten (10) years from the date of signing, as required by applicable electronic signature laws and regulations, regardless of account status.
- Payment records: transaction and billing records are retained for seven (7) years for tax and accounting compliance purposes.
- Usage and analytics data: aggregated and anonymized usage data may be retained indefinitely for service improvement purposes. Identifiable usage logs are deleted within ninety (90) days.
8. Your Rights
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): you have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to rectification (Art. 16 GDPR): you have the right to request correction of inaccurate or incomplete personal data. You can update most of your data directly through your account settings.
- Right to erasure (Art. 17 GDPR): you have the right to request deletion of your personal data, subject to certain exceptions. We are legally required to retain the following data even after an erasure request: (a) e-signature audit trails (retained for 10 years) to comply with eIDAS, E-SIGN Act, and UETA requirements; (b) payment and transaction records (retained for 7 years) for tax and accounting compliance; and (c) any data necessary to establish, exercise, or defend legal claims. All other personal data will be deleted or anonymized within 30 days of a verified erasure request.
- Right to data portability (Art. 20 GDPR): you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to restriction of processing (Art. 18 GDPR): you have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of your data.
- Right to object (Art. 21 GDPR): you have the right to object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Art. 7(3) GDPR): where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable data protection laws.
9. How to Exercise Your Rights
To exercise any of the rights described above, please contact us at contact@sodasoft.com with the subject line "Data Rights Request." Please include your full name and the email address associated with your Fund54 account so we can verify your identity.
We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days of receipt. If we require additional time due to the complexity or volume of requests, we will notify you of the extension and the reasons for the delay. Extensions shall not exceed an additional sixty (60) days.
We will not charge a fee for processing your request unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.
10. Cookies and Similar Technologies
We use the following types of cookies:
10.1 Essential Cookies (Strictly Necessary)
These cookies are required for the Service to function and cannot be disabled. They include:
- Authentication session cookies — to keep you logged in and maintain your session. Retention: duration of your browser session or up to 30 days for "remember me" sessions.
- Security cookies — CSRF protection tokens to prevent cross-site request forgery. Retention: duration of your browser session.
- Cookie consent preferences — to remember your cookie consent choices. Retention: 12 months from the date of consent, stored in your browser's local storage.
Because these cookies are strictly necessary for the operation of the Service, they are set without requiring your consent, in accordance with applicable privacy laws.
10.2 Analytics Cookies (Optional)
With your explicit consent, we may use analytics cookies to understand how visitors interact with the Service so we can improve it. These cookies collect aggregated, anonymized information and do not identify you personally. Analytics cookies have a retention period of up to 12 months. You may opt out of analytics cookies at any time by:
- Clicking "Essential Only" on the cookie consent banner when first visiting the site.
- Adjusting your preferences via the "Cookie Settings" option on the consent banner.
- Clearing your browser cookies and local storage to reset your consent preferences (the banner will reappear on your next visit).
- Using your browser's built-in cookie management settings to block or delete cookies from fund54.com.
10.3 No Advertising or Tracking Cookies
We do not use advertising, retargeting, or third-party tracking cookies. We do not participate in any ad networks. We do not build advertising profiles based on your browsing activity. We do not share cookie data with any third party for advertising purposes.
10.4 How to Disable Cookies in Your Browser
Most web browsers allow you to control cookies through their settings. You can typically find cookie controls in your browser's "Settings," "Preferences," or "Privacy" menu. You can choose to block all cookies, block only third-party cookies, or delete existing cookies. Please note that disabling essential cookies may prevent you from logging in to or using core features of the Service. For instructions specific to your browser, please consult your browser's help documentation.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect, solicit, or process personal data from anyone under the age of 18. If we become aware that we have collected personal data from a child under 18 without verified parental consent, we will take immediate steps to delete that information from our systems. If you believe that a child under 18 has provided us with personal data, please contact us at contact@sodasoft.com.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"). This section supplements the rest of this Privacy Policy and applies solely to California residents.
12.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: name, email address, IP address, account ID.
- Commercial information: subscription plan, payment history, transaction records.
- Internet or electronic network activity: browsing history on our Service, search queries, interactions with features, device and browser information.
- Professional or employment-related information: job title, company name, professional bio (if provided).
- Geolocation data: approximate location derived from IP address (for e-signature audit trails).
12.2 Your California Privacy Rights
As a California resident, you have the right to:
- Right to know: request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: request deletion of personal information we have collected from you, subject to certain exceptions (e.g., e-signature audit trails we are legally required to retain).
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale/sharing: we do not sell or share your personal information as defined by the CCPA. We have never sold personal information and have no plans to do so.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.
12.3 Exercising Your California Rights
To exercise your rights under the CCPA, please contact us at contact@sodasoft.com with the subject line "CCPA Request." We will verify your identity before processing your request. We will respond to verifiable requests within 45 days. You may designate an authorized agent to make a request on your behalf, provided you give the agent written permission and we can verify your identity.
12.4 Do Not Track Signals
Our Service does not respond to "Do Not Track" browser signals because there is no industry-standard technology for recognizing and implementing DNT signals. However, we do not engage in cross-site tracking, and we do not use advertising or retargeting cookies.
13. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: data stored in our database and file storage is encrypted at rest using AES-256 encryption.
- Row-Level Security (RLS): our database enforces row-level security policies to ensure users can only access data they are authorized to view.
- Document integrity: documents processed for e-signatures are hashed using SHA-256 cryptographic hashing to ensure tamper detection and document integrity.
- Access controls: role-based access controls limit access to personal data to authorized personnel who require it for legitimate business purposes.
- Secure authentication: passwords are hashed using industry-standard algorithms. We support secure session management with automatic expiration.
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users and relevant supervisory authorities in the event of a data breach, in accordance with applicable law.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will provide at least thirty (30) days' advance notice by:
- Sending an email notification to your registered email address.
- Posting a prominent notice on the Service.
- Updating the "Effective date" at the top of this page.
Your continued use of the Service after the revised Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree to the revised policy, you must discontinue your use of the Service before the new policy takes effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
15. Contact and Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your personal data, please contact us:
Sodasoft LLC
Data Protection Inquiries
30 N Gould St. STE4000
Sheridan, Wyoming 82801
United States
Email: contact@sodasoft.com
Website: sodasoft.com
We are committed to working with you to resolve any complaints or concerns about your privacy. If you are located in the EEA or the United Kingdom and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.