1. Introduction

Primordia Co. ("Primordia," "we," "us," or "our") is a Delaware corporation committed to protecting the privacy of individuals who visit our website at primordia.ai and use our AI-powered investment research and analysis platform (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access or use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information. When you register for an account, we collect your email address, password, and optionally your display name.

• Organization Information. If you create or join an organization, we collect the organization name, description, and your role within the organization.

• Project and Research Data. When you use the Service, you may create projects, upload documents, generate investment memos, build financial models, and interact with our AI agents. We collect and store the content you provide, including uploaded documents, research inputs, chat messages, and generated outputs.

• Payment Information. If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not directly collect or store your credit card number or bank account details. We receive and store a Stripe customer identifier, subscription status, and billing period information from Stripe.

• Communications. If you contact us directly, we may collect your name, email address, and the content of your correspondence.

2.2 Information Collected Automatically

• Session and Authentication Data. We use Firebase Authentication and Supabase Authentication to manage user sessions. These services may set cookies or use local storage tokens to maintain your authenticated session.

• Local Preferences. We store certain user interface preferences (such as theme selection, panel layout, and notification settings) in your browser's local storage. This data remains on your device and is not transmitted to our servers.

• Log Data. Our servers may automatically record information about how you access and use the Service, including your IP address, browser type, operating system, referring URLs, pages visited, and timestamps.

• Product Analytics Data. We use product analytics tools to collect anonymized usage data such as page views, feature interactions, and session information. This data helps us understand how the Service is used and identify areas for improvement. Analytics tools may collect your IP address, browser type, device type, and general geographic location. Analytics data may be routed through our own subdomain via a reverse proxy to improve reliability (see Section 5.4 for details).

2.3 Information from Third-Party Sources

• Financial Data Providers. We obtain publicly available financial data (such as stock prices, company fundamentals, and market data) from third-party providers including Intrinio to power our investment analysis features. This data is not personal information.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and Maintaining the Service. To operate, maintain, and improve the Service, including processing your research requests, generating investment analyses, and delivering AI-powered insights.

• AI Processing. To process your inputs (including documents, research queries, and chat messages) through our AI orchestration system and third-party large language model providers in order to generate analyses, reports, and recommendations.

• Account Management. To create and manage your account, authenticate your identity, and provide customer support.

• Organization and Collaboration. To facilitate organization creation, member invitations, and role-based access to shared projects and resources.

• Payment Processing. To process subscriptions, manage billing, and communicate with you about your account status.

• Communications. To send you transactional emails such as account verification, invitation notifications, and service-related updates via our email service provider.

• Security and Compliance. To detect, prevent, and address fraud, unauthorized access, and other illegal activities, and to comply with applicable legal obligations.

• Product Analytics. To collect and analyze anonymized usage data through PostHog in order to understand how the Service is used, measure feature adoption, identify issues, and prioritize improvements.

• Service Improvement. To analyze usage patterns and improve the functionality, reliability, and performance of the Service.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Third-Party Service Providers

We engage third-party companies and services to facilitate and support the Service. These providers have access to your information only to perform specific tasks on our behalf and are contractually obligated to protect it. The categories of service providers we use include:

• Authentication and Identity Providers. We use third-party services to manage user registration, login, and session management.

• Cloud Infrastructure and Hosting. The Service is hosted on third-party cloud platforms that provide compute, storage, networking, and content delivery infrastructure.

• Payment Processing. Subscription billing and payment transactions are handled by Stripe, Inc. We do not store your credit card or bank account details; Stripe processes and secures this information directly.

• Email Delivery. We use third-party email services to send transactional messages such as account verification, organization invitations, and service notifications.

• AI and Large Language Model Providers. We use multiple third-party large language model providers to power our AI-driven research and analysis features (see Section 4.2 below).

• Document Processing and Retrieval. We use third-party services to parse, index, and retrieve content from documents you upload to the Service.

• Financial Data Providers. We obtain publicly available financial and market data from third-party data providers to support investment analysis features.

• Product Analytics. We use PostHog to collect anonymized usage analytics to understand how the Service is used and to improve it (see Section 5.4).

• Error Monitoring. We use third-party error tracking services to detect and diagnose software issues. These services may receive technical error data such as stack traces, URLs, and browser information but are configured not to collect personally identifiable information.

• Reverse Proxy and CDN. We use Cloudflare as a reverse proxy for our analytics subdomain (r.primordia.ai) to improve data reliability.

We may also engage additional service providers from time to time to support the operation and improvement of the Service. All such providers are subject to contractual obligations to protect your data and may only process it on our behalf and in accordance with our instructions.

4.2 AI Model Providers

To deliver our AI-powered investment research capabilities, your inputs — including text queries, uploaded document content, and contextual data from your projects — may be transmitted to third-party large language model providers for processing. These providers may include, but are not limited to, OpenAI, Anthropic, Google, and Mistral. We select providers and configurations designed to prevent your data from being used to train their models. These providers process data according to their respective API terms of service and data processing agreements.

4.3 Within Your Organization

If you are part of an organization on Primordia, other members of your organization may have access to shared projects, documents, and research outputs in accordance with their assigned roles and permissions.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, subpoena, or government request; (b) protect and defend the rights or property of Primordia Co.; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) protect the personal safety of users of the Service or the public.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

5. Cookies and Tracking Technologies

5.1 Cookies

We use cookies and similar technologies primarily for authentication and session management. Specifically:

• Authentication Cookies. Firebase and Supabase may set cookies to maintain your login session and verify your identity across requests.

• Payment Cookies. Stripe may set cookies during the checkout process to facilitate secure payment transactions.

5.2 Local Storage

We use your browser's local storage to save user interface preferences such as your selected theme, layout configuration, and notification settings. This data is stored locally on your device and is not transmitted to our servers.

5.3 Managing Cookies and Local Storage

Most web browsers allow you to control cookies through their settings, including blocking or deleting cookies. Please note that disabling authentication cookies may prevent you from logging in or using the Service. You may clear local storage data at any time through your browser's developer tools or settings; doing so will reset your interface preferences and analytics identifiers but will not affect your account or data stored on our servers.

5.4 Product Analytics (PostHog)

We use PostHog, a product analytics platform, to understand how users interact with the Service. PostHog collects usage data such as page views, clicks, feature interactions, session duration, browser type, device type, IP address, and general geographic location (country/region level). This data is used solely for product improvement and is not used for advertising or sold to third parties.

Reverse Proxy and Cloudflare. To improve the reliability and completeness of analytics data collection, we route PostHog analytics events through a reverse proxy hosted on our subdomain r.primordia.ai. This proxy is operated by Cloudflare, a third-party infrastructure provider, on our behalf. By using the Service, you acknowledge that analytics data transmitted through this proxy will be processed by Cloudflare in the course of delivering this functionality. Cloudflare's role is limited to routing data and does not include access to or use of the analytics data for its own purposes.

Opting Out. PostHog respects the Do Not Track browser setting. If your browser sends a Do Not Track signal, PostHog will not collect analytics data from your session. You may also block analytics data collection by using a browser extension that blocks JavaScript tracking, or by disabling JavaScript for the r.primordia.ai subdomain in your browser settings. Opting out of analytics does not affect the functionality of the Service.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete or anonymize your personal information within a reasonable timeframe, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as resolving disputes or enforcing our agreements).

Project data, documents, and AI-generated outputs associated with your organization may be retained for as long as the organization account remains active, subject to the organization administrator's control.

7. Data Security

We implement commercially reasonable technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls, and secure cloud infrastructure hosted on Google Cloud Platform.

However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

7.1 Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users as required by applicable law. Such notification may be provided by email to the address associated with your account, by posting a notice within the Service, or by other means as required by the applicable jurisdiction. Where required by law (such as under the GDPR), we will also notify the relevant supervisory authority within the required timeframe.

8. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

• Access. You may request a copy of the personal information we hold about you.

• Correction. You may request that we correct inaccurate or incomplete personal information.

• Deletion. You may request that we delete your personal information, subject to certain exceptions.

• Portability. You may request a copy of your data in a structured, commonly used, and machine-readable format.

• Objection. You may object to our processing of your personal information in certain circumstances.

• Withdraw Consent. Where we rely on your consent to process personal information, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at info@primordia.ai. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

8.1 Account Settings

You can update your display name and certain account preferences at any time through your account settings within the Service.

8.2 Email Communications

You may opt out of non-essential email communications by following the unsubscribe instructions in those emails. You cannot opt out of transactional communications related to your account (such as verification emails and security alerts).

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information, including the right to know what personal information we collect, the right to delete your personal information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information as defined under the CCPA/CPRA. To exercise your rights, contact us at info@primordia.ai.

10. European Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, the General Data Protection Regulation ("GDPR") and/or the UK GDPR provide you with additional rights regarding your personal data.

10.1 Lawful Basis for Processing

We process your personal data on the following lawful bases:

• Performance of a Contract. Processing necessary to provide the Service to you under our Terms of Service (e.g., account management, project storage, AI processing of your inputs).

• Legitimate Interests. Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your data protection rights.

• Consent. Where you have provided explicit consent for specific processing activities (e.g., receiving non-essential communications). You may withdraw consent at any time by contacting us.

• Legal Obligation. Processing necessary to comply with applicable laws and regulations.

10.2 Your Rights Under GDPR

In addition to the rights described in Section 8, if you are in the EEA, UK, or Switzerland, you have the right to:

• Restrict Processing. Request that we restrict the processing of your personal data in certain circumstances.

• Data Portability. Receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

• Object to Processing. Object to processing based on legitimate interests, including profiling.

• Lodge a Complaint. Lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

10.3 International Transfers from the EEA/UK

When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms. You may request a copy of the applicable safeguards by contacting us at info@primordia.ai.

10.4 Data Protection Contact

For questions or requests related to your rights under the GDPR or UK GDPR, please contact us at info@primordia.ai. We will respond to your request within one (1) month, as required by applicable law, and will inform you if an extension is necessary.

11. International Data Transfers

The Service is hosted and operated in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

Where required by applicable law, we will implement appropriate safeguards (such as Standard Contractual Clauses) to protect your personal information during international transfers. For more details on transfers from the EEA and UK, see Section 10.3.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at info@primordia.ai.

13. Third-Party Links

The Service may contain links to third-party websites, services, or resources that are not owned or controlled by Primordia. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Privacy Policy on this page and updating the "Last Updated" date above. We may also notify you by email or through the Service. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Primordia Co.
Email: info@primordia.ai
Website: https://primordia.ai

Registered Agent: Corporation Service Company
Registered Office: Wilmington, New Castle County, Delaware

This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting with a qualified attorney to ensure compliance with all applicable privacy laws and regulations.