Privacy Policy
Last updated: April 2026
1. Overview
3PMA ("we," "our," or "us"), a product of The Pylon Group, operates a software-as-a-service platform for technology and security due diligence in M&A transactions. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (3pma.ai) or use our platform (platform.3pma.ai).
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect your name, email address, firm name, job title, and authentication credentials. Account creation and authentication are managed through our infrastructure provider (Supabase Auth).
2.2 Platform Data
In the course of using our platform, you may input or upload:
- Deal information including target name, sector, deal stage, and thesis context
- Technology inventory data including SaaS applications, infrastructure providers, contract terms, and spend
- Vendor information including company names, contract details, criticality ratings, and disposition decisions
- Security assessment responses, control ratings, evidence references, and gap descriptions
- Documents such as SOC 2 reports, ISO certifications, policies, SBOMs, and other diligence artifacts
- Findings, remediation plans, integration cost models, and DD reports
2.3 AI Processing Data
Our AI features process documents, assessment data, and user queries to provide analysis, scoring, and recommendations. Document content submitted for AI analysis is sent to our AI service provider (Anthropic) for processing and is not retained by the AI provider beyond the processing session. We do not use your data to train AI models.
2.4 Usage and Technical Data
We automatically collect certain technical information including IP address, browser type, device information, pages visited, features used, session duration, and interaction patterns. This data is used for service improvement, security monitoring, and troubleshooting.
2.5 Demo Request and Marketing Data
When you request a demo or contact us through our website, we collect the information you provide in the form, including name, email, firm, role, deal stage, and any additional context you share.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our platform and services
- Process diligence assessments, technology analysis, vendor risk evaluation, and DD reporting
- Power AI-driven document extraction, scoring, and recommendations
- Send service-related communications including platform updates and security notices
- Respond to demo requests, support inquiries, and customer feedback
- Monitor and prevent security incidents, fraud, and abuse
- Comply with legal obligations
We do not sell your personal information or platform data to third parties. We do not use your data for advertising purposes. Deal-specific data uploaded by your firm is not shared with any other firm or used for any purpose outside of the diligence engagement it was created for.
4. Data Sharing and Disclosure
4.1 Service Providers (Sub-Processors)
We use the following third-party service providers to operate our platform:
- Supabase. Database hosting, authentication, edge functions, and file storage. Supabase maintains SOC 2 Type II compliance. Data is hosted in the United States.
- Cloudflare. Content delivery, DDoS protection, and DNS for our marketing site.
- Anthropic. AI processing for document analysis and assessment scoring. Data sent to Anthropic is processed in real time and not retained for model training.
- Formspree. Processing of demo request form submissions on our marketing site.
4.2 Legal Requirements
We may disclose your information if required to do so by law, in response to valid legal process, to protect our rights or safety, or to investigate potential violations of our Terms of Service.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) enforcing organization-level data isolation in our database
- JWT-based authentication with secure session management
- Rate limiting on API endpoints and Edge Functions
- Regular security assessments of our platform and infrastructure
- Role-based access controls within the platform
Our infrastructure provider (Supabase) maintains SOC 2 Type II compliance. While 3PMA itself does not currently hold an independent SOC 2 attestation, we operate on SOC 2-compliant infrastructure and implement security controls consistent with SOC 2 Trust Services Criteria.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your account data and platform data for as long as your account is active or as needed to provide services to your firm. When a firm's account is terminated, we retain data for a period of 30 days to allow for data export, after which it is permanently deleted from our systems. Backup copies may persist in encrypted backups for up to 90 days.
Demo request form submissions and marketing inquiries are retained for up to 24 months.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Object to or restrict processing of your personal information
- Request portability of your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@3pma.ai. We will respond to requests within 30 days.
8. Cookies and Tracking
Our marketing site (3pma.ai) does not currently use third-party analytics cookies or tracking pixels. We use essential cookies for authentication and session management on the platform (platform.3pma.ai). We do not use cookies for advertising or cross-site tracking.
9. International Data Transfers
Our platform infrastructure is hosted in the United States via Supabase (AWS). If you are accessing our services from outside the United States, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer.
10. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or platform notification.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
3PMA
Email: privacy@3pma.ai
Part of The Pylon Group