Consents & Privacy

TECH collects specific, unbundled consents — each one with its own purpose, its own document version, and its own immutable audit record. You can view, export, or revoke any consent from Settings at any time. This approach reflects GDPR Article 7 (specific consent per purpose), CCPA/CPRA §999.306 (unbundled disclosure), and FINRA's recordkeeping expectations.

Design principle
TECH's consent architecture is deliberately more granular than the industry standard. Most platforms ask for one "terms + privacy" acceptance at signup and call it done. We ask for six specific consents because six specific purposes exist — platform use, data handling, processing, AI matching, FINRA archival, marketing — and regulators increasingly require that each purpose be consented to independently.

The six consents

Terms of Service
  Mandatory. Platform use conditions. Versioned.
Privacy Policy
  Mandatory. Data handling practices. Versioned.
Data Processing
  Mandatory. GDPR Article 6 lawful basis for processing your profile, engagement, and org data.
AI Matching
  Mandatory to use PRISM or Intelligence tools. Authorises AI processing of your profile data for matching, scoring, and analysis. EU AI Act limited-risk classification.
FINRA Archival
  Mandatory. Acknowledges that platform messages are archived under FINRA Rule 4511 with 6-year retention and cannot be deleted by CCPA request alone (tombstoned only).
Communications
  Optional. Product updates, partner news, weekly digest. Revocable any time without impact on platform access.

What we record on each consent

Every consent grant, update, and revocation writes an immutable audit record. The schema:

Records are retained for at least seven years past revocation or account deletion — the retention floor for CCPA disputes and GDPR regulatory inquiries.

How versioning works

When we update a policy (Terms, Privacy, AI, FINRA), we bump the document version in CURRENT_VERSIONS. On your next login after a version change, you'll see a re-consent banner showing:

If you reject a mandatory version update, your account is placed in consent-lapsed state — you retain access to your data and the export/deletion endpoints, but new matches, messages, and Intelligence runs are paused until you either accept the new version or complete account deletion.
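
The version check and the consent-lapsed gate described above, sketched as an added example (not TECH's own code). The version labels, the consent keys, the action names and the intermediate "reconsent-pending" state (banner shown, no decision yet, nothing paused) are assumptions; only CURRENT_VERSIONS, the six purposes and the consent-lapsed behaviour come from this page.

```python
from enum import Enum

# Assumed version labels; the page names CURRENT_VERSIONS but not its contents.
CURRENT_VERSIONS = {
    "terms_of_service": "v3",
    "privacy_policy": "v5",
    "data_processing": "v2",
    "ai_matching": "v2",
    "finra_archival": "v1",
    "communications": "v1",
}
MANDATORY = frozenset(CURRENT_VERSIONS) - {"communications"}

# Paused while consent-lapsed; data access, export and deletion stay reachable.
PAUSED_WHEN_LAPSED = frozenset({"new_match", "send_message", "intelligence_run"})
ALWAYS_ALLOWED = frozenset({"view_data", "data_export", "delete_account"})


class AccountState(Enum):
    ACTIVE = "active"
    RECONSENT_PENDING = "reconsent-pending"  # assumed state: banner shown, undecided
    CONSENT_LAPSED = "consent-lapsed"


def stale_consents(accepted):
    """Mandatory consents that are missing or accepted at a non-current version."""
    return sorted(k for k in MANDATORY if accepted.get(k) != CURRENT_VERSIONS[k])


def account_state(accepted, rejected=()):
    """accepted: {consent: version}; rejected: (consent, version) pairs declined."""
    stale = stale_consents(accepted)
    if not stale:
        return AccountState.ACTIVE
    declined = set(rejected)
    # Only a rejection of the version now in force lapses the account.
    if any((k, CURRENT_VERSIONS[k]) in declined for k in stale):
        return AccountState.CONSENT_LAPSED
    return AccountState.RECONSENT_PENDING


def is_allowed(action, state):
    """Default-deny gate: unknown actions are refused in every state."""
    if action in ALWAYS_ALLOWED:
        return True
    if action in PAUSED_WHEN_LAPSED:
        return state is not AccountState.CONSENT_LAPSED
    return False
```

Keeping the export and deletion actions in a separate always-allowed set means a later change to the paused list cannot accidentally lock a lapsed user out of their data.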

Revocation

Optional consents (Communications) can be revoked any time without platform impact. Mandatory consents cannot be revoked while your account is active — revoking a mandatory consent is equivalent to closing your account, and the UI treats it that way by taking you to the account-deletion confirmation flow.

This is deliberate: a platform that works only when users consent to AI matching cannot coherently offer "revoke AI matching but keep using the platform" — that would be a fiction. What you can do is leave the platform at any time, in which case we process your deletion with appropriate retention overrides for the FINRA-mandated messaging archive.

Data export (right to know)

CCPA §1798.110 and GDPR Article 15 both entitle you to a copy of the personal data a platform holds about you. The export endpoint produces a zip containing:

Delivery is by signed URL within 30 days; for orgs on the free tier the typical delivery is same-day. The URL expires 72 hours after generation.
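
One way a signed export URL with the 72-hour expiry can be issued and checked, as an added example (not TECH's implementation, which this page does not describe). The HMAC-SHA256 scheme, the host, the path layout and the query parameter names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

EXPORT_URL_TTL = 72 * 3600  # the page's 72-hour expiry, in seconds


def _mac(key, path, user_id, expires):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (path.encode(), str(user_id).encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_export_url(key, job_id, user_id, now):
    """Return a download URL bound to one job, one user and one expiry time."""
    expires = int(now) + EXPORT_URL_TTL
    path = f"/exports/{job_id}.zip"  # hypothetical path layout
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _mac(key, path, user_id, expires)})
    return f"https://downloads.example{path}?{query}"  # placeholder host


def verify_export_url(key, url, now):
    """True only if the signature matches and the link has not expired."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        uid, exp, sig = query["uid"][0], int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    expected = _mac(key, parts.path, uid, exp)
    # Constant-time comparison; the expiry is trusted only after the MAC passes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return int(now) < exp
```

Because the expiry and the user id are inside the MAC, extending the `exp` parameter or swapping the job id in the path invalidates the link.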

Account deletion (right to delete)

CCPA §1798.105 and GDPR Article 17 both entitle you to request deletion of your personal data, subject to regulatory exceptions. The deletion flow:

  1. Click "Delete my account" in Settings → Privacy.
  2. Read the confirmation screen listing what will be deleted and what will be retained (with the specific regulatory basis for retention).
  3. Confirm via emailed token (anti-CSRF).
  4. TECH scrubs your personal data within 7 days. Retention-overridden fields are tombstoned but not deleted.

What gets retained: FINRA Rule 4511 messaging archive (minimum six years from send; message bodies remain searchable by regulator but your user identity is tombstoned), KYB records (seven years post-verification under BSA), compliance logs containing your actions (seven years post-action). Everything else — profile, preferences, non-message content you authored — is fully deleted.

Data correction (right to correct)

CCPA §1798.106 and GDPR Article 16 entitle you to correct inaccurate data. Most profile fields are self-serve editable immediately in Settings. Fields you cannot edit directly (KYB-verified fields like legal entity name) can be corrected by re-running KYB with the updated source documents.

Do Not Sell / Do Not Share

TECH does not sell personal information and does not engage in the CCPA-defined "cross-context behavioural advertising" that the 2024 CPRA amendments target. There is no opt-out to process because there is no sale or sharing to opt out of. The Do Not Sell link on our privacy policy is a legal formality; clicking it is a no-op from your perspective beyond recording the preference.

Version history
Previous versions of every policy (Terms, Privacy, AI, FINRA Acknowledgement) are kept indefinitely so a regulator asking "what was in force when User X agreed on Date Y" always has an authoritative answer. Version transitions are recorded in ConsentVersion records, linked to every affected consent event.

API surface

GET /auth/settings/
  Current consent state + versions accepted
PATCH /auth/settings/
  Update optional consents (Communications)
POST /auth/me/data-export/
  Queue a personal data export — returns job id and estimated delivery
POST /auth/me/delete-account/
  Initiate permanent account deletion (requires email confirmation)

Privacy by control, not by promise

Open Settings → Privacy.

Every control described above is one click away in Settings. The UI is intentionally transparent — if you don't like what you see, the export and deletion paths are right there.
