Legal
Privacy Policy
Last updated: April 24, 2026
This Privacy Policy applies to all users of 409A Valuation Pro regardless of location, and is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR) (EU and UK), Digital Personal Data Protection Act 2023 (DPDP) (India), Personal Data Protection Act (PDPA) (Singapore), Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), UAE Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL), Oman Personal Data Protection Law (Royal Decree No. 6/2022), and applicable US state privacy laws including CCPA/CPRA.
1. Who We Are
409A Valuation Pro ("409A Valuation Pro", "we", "us", "our") provides 409A valuation services for private companies and startups. Our principal place of business is in the United States. For the purposes of applicable data protection law, 409A Valuation Pro is the data controller of personal data collected through this website.
Data Protection Contact: privacy@409avaluationpro.com
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Contact information: Full name, work email address, phone number
- Business information: Company name, funding stage, industry, city/location
- Enquiry content: Messages submitted through our contact and lead forms
- Valuation inputs: Financial metrics you enter into our valuation calculator (we do not store these beyond your session)
2.2 Data Collected Automatically
- Usage data: Pages visited, time on site, click interactions, referral source
- Device and browser data: IP address, browser type and version, operating system
- Analytics data: Session duration, geographic region (city/country level), UTM parameters
- Cookies: See Section 8 (Cookie Policy) for full details
2.3 Data We Do Not Collect
We do not collect sensitive personal data (special category data under GDPR) including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial account credentials. Our valuation calculator does not require or store your company's actual financial records.
3. How We Use Your Personal Data
We use personal data for the following purposes, supported by the listed lawful bases:
| Purpose | Lawful Basis (GDPR) | Retention |
|---|---|---|
| Responding to enquiries and providing quotes | Legitimate interests / Pre-contractual steps | 3 years from last contact |
| Delivering purchased valuation services | Contract performance | 7 years (legal/tax requirements) |
| CRM management (Zoho Bigin) | Legitimate interests | 3 years from last activity |
| Service communications and updates | Contract performance / Legitimate interests | Duration of relationship |
| Marketing communications (with consent) | Consent | Until consent withdrawn |
| Website analytics and improvement | Legitimate interests | 26 months (Google Analytics default) |
| Legal compliance and fraud prevention | Legal obligation | As required by applicable law |
4. International Data Transfers
Our services are operated from the United States. If you are located outside the US — including in the EU, UK, India, Singapore, UAE, Oman, or Canada — your personal data will be transferred to and processed in the United States.
We implement the following safeguards for international transfers:
- EU/UK users: Transfers are covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission and UK ICO, or the EU-US Data Privacy Framework where applicable
- Indian users (DPDP Act 2023): We process Indian residents' data in accordance with the DPDP Act. We will notify the Data Protection Board of India of any significant data breach affecting Indian data principals within applicable timeframes. Indian users may exercise their rights under the DPDP Act by contacting us at privacy@409avaluationpro.com
- Singapore users (PDPA): Transfers are made with contractual protection as required under the PDPA Transfer Limitation Obligation
- Canadian users (PIPEDA): Transfers are made with comparable protection as required under PIPEDA Schedule 1 Principle 4.1.3
- UAE users (Federal PDPL): Transfers are made in compliance with UAE Federal Decree-Law No. 45/2021 and its executive regulations
- Oman users: Transfers are made in compliance with Royal Decree No. 6/2022 on Personal Data Protection
5. Your Rights
Depending on your location, you may have the following rights regarding your personal data. To exercise any right, contact us at privacy@409avaluationpro.com. We will respond within 30 days (or the timeframe required by applicable law).
| Right | EU/UK GDPR | India DPDP | Singapore PDPA | US (CCPA) |
|---|---|---|---|---|
| Access / Know | ✓ | ✓ | ✓ | ✓ |
| Correction | ✓ | ✓ | ✓ | ✓ |
| Erasure / Deletion | ✓ | ✓ | Limited | ✓ |
| Data Portability | ✓ | ✓ | — | ✓ |
| Restrict Processing | ✓ | — | — | — |
| Object / Opt-out | ✓ | ✓ (withdraw consent) | ✓ (withdraw consent) | ✓ (opt-out of sale) |
| Nominate representative | — | ✓ | — | — |
Note for Indian residents: Under the DPDP Act 2023, you have the right to nominate another individual to exercise your rights in the event of your death or incapacity. You may also file a complaint with the Data Protection Board of India if you believe your rights have been violated after we have failed to address your grievance satisfactorily.
Note for California residents: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising without your consent. You have the right to know, delete, correct, and opt out of the sharing of your personal information.
6. Data Sharing and Third Parties
We share personal data with the following categories of third parties:
- Zoho Bigin (CRM): Contact information and business details are stored in Zoho's CRM platform. Zoho is certified under ISO 27001 and processes data in accordance with GDPR. Data may be stored in US or EU data centres. See Zoho's Privacy Policy.
- Google Analytics: Anonymised usage data is shared with Google for analytics purposes. IP addresses are anonymised. See Google's Privacy Policy.
- Supabase (Database): Form submissions and content data are stored in Supabase's infrastructure, which runs on AWS. Data is encrypted at rest and in transit.
- Vercel (Hosting): Our website is hosted on Vercel's infrastructure. Vercel processes request logs including IP addresses.
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- TLS/HTTPS encryption for all data in transit
- Encryption at rest for database storage
- Role-based access controls limiting employee access to personal data
- Regular security assessments of our infrastructure
- Vendor security reviews for all third-party processors
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR) and affected individuals without undue delay where required by applicable law.
8. Cookie Policy
We use the following categories of cookies:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session management, security, form functionality | No |
| Analytics | Google Analytics — usage patterns, page performance | Yes (EU/UK/India) |
| Functional | Remembering preferences, calculator state | No |
| Marketing | We do not use marketing/tracking cookies | N/A |
You can manage or withdraw cookie consent at any time by adjusting your browser settings or using our cookie preference centre. Withdrawing consent will not affect the lawfulness of processing based on consent given before withdrawal.
9. Children's Privacy
Our services are intended for business professionals and are not directed at individuals under 18 years of age (or the applicable age of digital consent in your jurisdiction — 16 in most EU member states, 13 in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@409avaluationpro.com and we will delete it promptly.
10. Complaints and Supervisory Authorities
If you have a complaint about how we handle your personal data, please contact us first at privacy@409avaluationpro.com. We will investigate and respond within 30 days.
You also have the right to lodge a complaint with the relevant supervisory authority:
- EU: Your local Data Protection Authority (DPA)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- India: Data Protection Board of India (once operational under DPDP Act 2023)
- Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- UAE: UAE Data Office — uaedataoffice.ae
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised "Last updated" date. For material changes, we will notify registered users by email where required by applicable law. We encourage you to review this policy periodically.
12. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact:
409A Valuation Pro
Email: privacy@409avaluationpro.com
Address: United States