Privacy Policy

Effective date: May 31, 2026 | Last reviewed: May 31, 2026

Table of Contents

Who We Are
Data We Collect
How We Use Your Data
Who We Share Data With
Data Retention & Security
Your Rights
Cookies & Tracking
Children's Privacy
Third-Party Links
Changes to This Policy
Contact Us

    BizLinx.AI is committed to protecting your personal data. We collect only what is necessary to provide our Services, never sell your data to third parties for advertising purposes, and give you full control over your information. We are GDPR and CCPA compliant.
  

1. Who We Are

BizLinx.AI is operated by Polsia, Inc., a Delaware corporation ("Polsia," "we," "us," or "our"). Our registered office is at 1007 N. Orange St., Wilmington, DE 19801.

If you have questions about this Privacy Policy or how we handle your data, contact us at privacy@bizlinxai.com.

2. Data We Collect

We collect information in three categories:

2.1 Information You Provide

Account data: Name, email address, phone number, password (hashed), and role (buyer/seller/admin).
Intake profiles: Seller and buyer profiles including revenue, asking price, budget, industry, location, transaction type, acquisition criteria, and timeline.
Questionnaire responses: Exit Score and Buyer Score questionnaire data, including personality vectors and financial health indicators.
Valuation inputs: Financial data submitted for valuation calculations.
Document uploads: NDA documents, LOI files, and financial statements uploaded to the Document Vault.
Bank statement: Bank statements submitted by buyers for identity and financial verification.
Chatbot messages: Queries submitted through the AI Consultant chatbot.
Verification records: Background check, credit check, and identity verification data collected via our third-party verification providers.
Payment information: Stripe handles all payment processing. We store Stripe customer IDs and subscription tier — never raw payment card data.

2.2 Data Collected Automatically

Usage logs: Pages visited, features accessed, time on page, and clickstream data within the Platform.
Device data: Browser type, operating system, IP address, and device identifiers.
Cookie data: Authentication tokens, session IDs, and preference settings stored in cookies.
Referral and UTM data: UTM parameters, referrer URLs, and source attribution for marketing attribution.

2.3 Data From Third Parties

Verification providers: Background checks from Checkr, credit data from Experian, and identity verification results.
Payment processors: Stripe — subscription status, payment history, and billing metadata.
Marketing platforms: UTM-tagged campaign data from paid advertising platforms.

3. How We Use Your Data

We use your data for the following purposes:

Purpose	Legal Basis (GDPR)
Account creation and authentication	Contract performance (Art. 6(1)(b))
AI matching between buyers and sellers	Contract performance (Art. 6(1)(b))
Exit Score and Buyer Score calculation	Contract performance (Art. 6(1)(b))
Business valuation processing	Contract performance (Art. 6(1)(b))
Deal stage management and notifications	Contract performance (Art. 6(1)(b))
Document Vault access management	Contract performance (Art. 6(1)(b))
Identity and financial verification	Legal obligation (Art. 6(1)(c))
Subscription billing and payment processing	Contract performance (Art. 6(1)(b))
Email and SMS communications (transactional)	Consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f))
Platform improvement and AI model training	Legitimate interest (Art. 6(1)(f))
Security monitoring and fraud prevention	Legitimate interest (Art. 6(1)(f))
Legal compliance and law enforcement requests	Legal obligation (Art. 6(1)(c))
Marketing emails (where opted in)	Consent (Art. 6(1)(a))

We do not sell your personal data to third parties for advertising or marketing purposes. We share data only in the following limited circumstances:

4.1 Matched Parties

When you and another user enter into a deal relationship, each party receives limited profile information about the other — business description, industry, revenue range, and location. Sensitive financial documents are only accessible after both parties sign the NDA. LOI details are shared only with Dealia (our deal mediation service) and the other party.

4.2 Service Providers

We share data with trusted third-party service providers who process it on our behalf for specific functions:

Stripe: Payment processing and subscription billing (Stripe Privacy Policy: stripe.com/privacy)
Checkr: Background check services (Checkr Privacy Policy: checkr.com/privacy)
Experian: Credit check services (Experian Privacy Policy: experian.com/privacy)
Twilio (MessageBird): SMS OTP delivery and SMS communications (Twilio Privacy Policy: twilio.com/privacy)
Postmark: Transactional email delivery (Postmark Privacy Policy: postmarkapp.com/privacy)
Polsia AI: AI matching and natural language processing for chatbot and scoring features.

4.3 Legal Requirements

We may disclose your data if required by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Polsia, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all assets of Polsia, your data may be transferred as part of that transaction. We will notify you via email and update this policy before the transfer takes effect.

5. Data Retention & Security

5.1 Retention Periods

Data Category	Retention Period
Account and profile data	Until account deletion + 30-day grace period
Deal and match records	5 years after deal closure or account deletion
Financial documents (NDA/LOI)	7 years per legal requirement
Questionnaire responses (scores)	3 years or until account deletion
Email and SMS logs	2 years
Verification records	3 years or per provider requirements
Marketing consent records	Until consent withdrawn
Support and chatbot escalations	2 years

5.2 Security Measures

We implement the following security measures:

AES-256 encryption at rest for all database storage.
TLS 1.2+ encryption in transit for all data transmission.
JWT-based authentication with secure, HttpOnly cookies.
Two-factor authentication (2FA) via SMS OTP for account access.
Role-based access control (RBAC) limiting data access to authorized personnel.
Regular security audits and vulnerability scanning.
Access logs retained for 90 days for incident investigation.

No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to industry-standard safeguards and prompt notification of any breach affecting your data.

5.3 Data Breach Notification

In the event of a data breach that affects your rights, we will notify you within 72 hours of discovering the breach, as required by GDPR Article 33. Notification will be sent to the email address associated with your account and will include: a description of the breach, the categories and approximate number of data subjects affected, our intended remedial measures, and your rights under applicable law.

6. Your Rights

GDPR Rights (European Economic Area)

If you are located in the EEA, you have the following rights:

Right of Access (Art. 15): Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to Portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the purposes for which it was used, and the categories of third parties with whom it was shared.
Right to Delete: Request deletion of your personal information, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information. We do not sell your data.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Authorized Agent: You may designate an authorized agent to exercise your rights on your behalf.

How to Exercise Your Rights

To exercise any of the above rights, contact us at:

Email: privacy@bizlinxai.com
Mail: Polsia, Inc., Attn: Privacy Team, 1007 N. Orange St., Wilmington, DE 19801

We will respond to your request within 30 days (GDPR) or 45 days (CCPA). For complex requests, we may extend the response period by an additional 30 days with notice.

For identity verification purposes, we may ask you to confirm your email address or provide additional information before processing your request. We will not discriminate against you for exercising any rights.

7. Cookies & Tracking

We use cookies and similar tracking technologies for the following purposes:

Cookie Type	Purpose	Duration
Authentication	Maintains your logged-in session	30 days
CSRF Protection	Prevents cross-site request forgery	Session
User Preferences	Stores display and UX preferences	1 year
Analytics	Aggregated usage statistics (non-identifying)	2 years
Marketing (opt-in only)	Campaign attribution and retargeting	90 days

You can control cookie settings through your browser. Disabling cookies may affect Platform functionality, including the ability to log in. Do Not Track signals are respected where technically feasible.

8. Children's Privacy

The Platform is not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18 without parental consent, contact us immediately at privacy@bizlinxai.com and we will promptly delete the data.

9. Third-Party Links

The Platform may contain links to third-party websites, including franchisor websites, external resources, and partner services. This Privacy Policy applies only to BizLinx.AI. We are not responsible for the privacy practices of third-party sites. When you leave our Platform, review the privacy policy of any third-party site before submitting personal information.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. When we make material changes, we will:

Post the revised policy on this page with an updated "Effective date."
Send a notification to the email address associated with your account (for significant changes).
Update the "Last reviewed" date at the top of this policy.

Your continued use of the Platform after any modification constitutes acceptance of the revised Privacy Policy. If you do not agree to the revised terms, you may delete your account and request data deletion.

11. Contact Us

For questions, concerns, or data subject requests:

Email: privacy@bizlinxai.com
Data Protection Officer: Polsia, Inc., Attn: DPO, 1007 N. Orange St., Wilmington, DE 19801
Response time: We aim to respond within 48 hours for privacy-related inquiries.