← Back to discoperi.com
Legal

Privacy Policy

How Discoperi M&A Intelligence collects, uses, stores, and protects your personal data — and your rights over it.

Effective date
1 April 2026
Last updated
22 March 2026
Data controller
Discoperi OÜ, Estonia
Jurisdictions
GDPR · CCPA · CalOPPA
i
This Privacy Policy applies to discoperi.com and all related services operated by Discoperi OÜ. It covers our free content pages, our paid subscription service, our weekly email digest, and any advertising we display. Read this policy to understand what data we collect and what rights you have over it. If you have questions, email [email protected].
!
Important legal notice: This Privacy Policy is a working document that should be reviewed by a qualified legal practitioner before publication, particularly with regard to the specific data transfers, sub-processor list, and any jurisdiction-specific obligations applicable to your operations. Update all placeholder values (VAT number, registration number, DPO details) before publishing.
Section 1

Who we are

Discoperi M&A Intelligence is a professional data service providing verified mergers and acquisitions deal intelligence to corporate development professionals, private equity associates, investment bankers, and M&A lawyers.

Data controller

The data controller responsible for your personal data is:

Discoperi OÜ

Registration: [Estonian Business Registry number — insert upon registration]

Registered address: [Estonian registered address — insert upon registration]

VAT number: [EU VAT number — insert upon VAT registration]

Privacy contact: [email protected]

Website: discoperi.com

Applicable jurisdictions
EU · GDPR (Regulation 2016/679)
UK · UK GDPR
US · CalOPPA
US · CCPA / CPRA
Global · Google AdSense terms

Because our service is accessible worldwide and we collect data from users in the EU, UK, and California, this policy is designed to meet the requirements of all four frameworks simultaneously. Where these frameworks conflict, we apply the stricter standard.

Section 2

What data we collect

We collect only what we need. Below is a complete list of every category of personal data we collect, how we collect it, and why.

2.1 Data you provide directly
CategoryData pointsWhen collected
Account registrationFirst name, last name, email address, password (hashed), company name (optional)When you create an account or start a free trial
Payment informationBilling name, billing address, VAT number (optional), payment method token (we never store card numbers — these are held by Stripe or your payment processor)When you subscribe to a paid plan
Contact enquiriesName, email, message content, company name, enquiry typeWhen you submit a contact form or email us
Deal alert preferencesSector preferences, deal size filters, geography filters, delivery methodWhen you configure deal alerts in your account
Advertising submissionsCompany name, contact name, email, ad creative, destination URLWhen you enquire about or book advertising
Corrections & feedbackEmail (optional), message content, URL of content concernedWhen you submit a correction or feedback form
2.2 Data collected automatically
CategoryData pointsHow collected
Usage dataPages visited, deal articles read, search queries, time on page, scroll depth, clicksAnalytics cookies and server logs
Technical dataIP address, browser type and version, operating system, screen resolution, referring URL, device typeServer logs, analytics
Session dataLogin timestamps, session duration, features used, exports downloadedApplication server
Email engagementEmail opens, link clicks, unsubscribes (digest emails only)Email service provider tracking pixels
Advertising dataAd impressions served, ad interactions (via Google AdSense). We do not receive individual user identity from Google for these interactions.Google AdSense (third-party)
What we do not collect: We do not collect sensitive personal data (health, ethnicity, religion, political views, sexual orientation). We do not collect data from or about children under 18. We do not purchase or receive data from third-party data brokers. We do not collect full payment card numbers at any point — these are processed directly by Stripe.
Section 3

How we use your data

We use your personal data for the following purposes only. We never sell your personal data to third parties.

  • Providing the service: Creating and managing your account, delivering deal alerts, processing your subscription, enabling data exports, and providing customer support.
  • Billing and payments: Processing subscription payments, issuing invoices and tax receipts, handling refunds, and maintaining financial records as required by law.
  • Communications: Sending your weekly deal digest (if subscribed), transaction emails (receipts, password resets, subscription confirmations), and service updates. We do not send unsolicited marketing emails.
  • Service improvement: Understanding how users interact with our deal database, which sectors are most read, and how to improve the product. This uses aggregated and anonymised data wherever possible.
  • Security and fraud prevention: Detecting and preventing fraud, unauthorised access, and abuse of the platform.
  • Legal compliance: Meeting our obligations under tax law, data protection law, and other applicable regulations.
  • Advertising (free tier only): Displaying contextual and interest-based advertising via Google AdSense on our free public content pages. Paid subscribers never see advertising. See Section 6 for full details.
We never: sell your personal data, share it with advertisers (Google AdSense receives technical identifiers, not your name or email), use it for automated profiling that produces legal effects on you, or use it for any purpose not listed above.
Section 4

Lawful basis for processing (GDPR)

Under the GDPR, we must identify a lawful basis for every processing activity. The following table sets out our lawful bases.

Processing activityLawful basisNotes
Account creation and managementContractNecessary to perform the service you signed up for (Article 6(1)(b))
Subscription billing and invoicingContractNecessary to fulfil the subscription contract (Article 6(1)(b))
Transaction emails (receipts, alerts)ContractNecessary to perform the service (Article 6(1)(b))
Weekly deal digest emailConsentYou opt in to the digest at sign-up. You may unsubscribe at any time (Article 6(1)(a))
Analytics and product improvementLegitimate interestImproving the service — balanced against your rights (Article 6(1)(f)). Anonymised where possible.
Security monitoring and fraud preventionLegitimate interestProtecting the platform and users (Article 6(1)(f))
Advertising cookies (free visitors)ConsentNon-essential cookies require explicit consent via cookie banner (Article 6(1)(a))
Tax and accounting recordsLegal obligationRequired under Estonian/EU tax law (Article 6(1)(c))
Responding to legal requestsLegal obligationCompliance with applicable law (Article 6(1)(c))
i
Legitimate interests balancing test: Where we rely on legitimate interests as our lawful basis, we have conducted a balancing test confirming that our interest in processing the data does not override your fundamental rights and freedoms. You have the right to object to processing carried out under this basis — see Section 10.
Section 5

Cookies and tracking technologies

We use cookies and similar technologies to make our service work and to understand how it is used. You can control non-essential cookies at any time.

5.1 What cookies we use
Session cookie
Essential
Keeps you logged in to your account during a browser session. Expires when you close your browser.
First-party
Authentication token
Essential
Remembers your login state across sessions for "stay logged in" functionality. 30-day expiry.
First-party
CSRF token
Essential
Security cookie that prevents cross-site request forgery attacks. Session duration only.
First-party
Cookie consent preference
Essential
Stores your cookie consent choices so we don't ask you again. 12-month expiry.
First-party
Google Analytics (_ga, _gid)
Analytics
Measures traffic and user behaviour. Anonymised IP addresses. Set only after consent. 2-year / 24-hour expiry.
Google
Google AdSense (NID, DSID, IDE)
Advertising
Used by Google to serve interest-based advertising on free content pages. Set only on public, non-subscriber pages, and only after consent where required. See Section 6.
Google LLC
Stripe payment cookie
Functional
Used by Stripe to protect against fraud during payment processing. Set only on checkout pages.
Stripe Inc.
5.2 Managing your cookie preferences

When you first visit discoperi.com, a cookie consent banner asks for your preferences for non-essential cookies. You can change your preferences at any time by clicking "Cookie settings" in the footer of any page.

You can also manage cookies in your browser settings. Note that blocking essential cookies will prevent the site from functioning correctly — specifically, you will not be able to log in to a paid account.

  • Google Chrome: Settings → Privacy and security → Cookies and other site data
  • Mozilla Firefox: Preferences → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Microsoft Edge: Settings → Cookies and site permissions → Cookies and site data
Section 6

Advertising — Google AdSense

!
Google AdSense — mandatory disclosure under AdSense Terms of Service Section 10: This section contains all disclosures required by Google for participation in the AdSense programme. It must remain complete and accessible at all times.

We display advertising on our free public content pages. Paid subscribers do not see advertising. This section explains how that advertising works.

6.1 How AdSense advertising works

We use Google AdSense, an advertising service provided by Google LLC (Google Ireland Limited for EU users), to display advertisements on our free content pages including deal listings, sector pages, and deal articles.

Third-party vendors, including Google, use cookies to serve ads based on a user's prior visits to discoperi.com or other websites.

Google's use of advertising cookies enables it and its partners to serve ads to users based on their visits to our site and/or other sites on the internet.

6.2 Interest-based advertising

Google AdSense may use the information gathered by its cookies to show you advertisements that are relevant to your interests. This is known as interest-based advertising or personalised advertising. This means that if you visit a website about M&A activity, you may subsequently see advertisements related to financial services, software, or professional services on other websites.

6.3 How to opt out

Users may opt out of personalised advertising by visiting Google Ads Settings.

Additional opt-out options:

  • Google Ads Settings — control Google's use of your data for personalised ads
  • aboutads.info/choices — opt out of interest-based advertising from participating NAI member companies
  • youronlinechoices.eu — opt-out tool for EU residents
  • Declining advertising cookies via our cookie consent banner when you first visit the site
6.4 Where advertising is and is not shown
  • Shown: Public deal listing pages, public deal article pages, sector pages, and the homepage — when viewed by non-subscribers
  • Never shown: Any page viewed by a logged-in paid subscriber, checkout and billing pages, the account dashboard, API documentation pages, and any page within the subscription flow
6.5 Google's privacy policy

For more information about how Google collects and uses data from sites that use its advertising services, visit: policies.google.com/technologies/partner-sites

Google's privacy policy is available at: policies.google.com/privacy

Section 7

Third parties and sub-processors

We share your personal data with the following third-party service providers ("sub-processors") who help us operate the service. We have Data Processing Agreements in place with each sub-processor.

Sub-processorPurposeData sharedLocationPolicy
Stripe, Inc. Payment processing, subscription management Billing name, billing address, payment token US / EU stripe.com/privacy
Google LLC (Google Ireland Ltd for EU) AdSense advertising, Analytics, Search Console, Site Kit Cookies, IP address, browsing behaviour on our site (anonymised for Analytics) US / EU policies.google.com/privacy
Anthropic, PBC AI content generation for deal articles (Claude API) Deal data and article text — no personal user data is shared US anthropic.com/privacy
Amazon Web Services Cloud hosting, database, file storage All application data, encrypted at rest EU (Ireland) aws.amazon.com/privacy
Mailchimp / Mandrill (Intuit Inc.) Transactional email delivery, weekly digest Email address, name, digest preferences, email engagement data US / EU mailchimp.com/legal/privacy
Wise Payments Limited Business banking and payment receipt (our bank account provider) Payment details for wire/bank transfer customers UK / EU wise.com/legal/privacy
Google Search Console SEO monitoring — no personal user data processed Site performance data only, no individual user data US / EU policies.google.com/privacy

We do not sell, rent, or trade your personal data with any third party for their own marketing purposes. Sub-processors are contractually bound to use your data only for the specific purpose for which we engage them.

Section 8

Data retention

We retain your personal data only for as long as necessary for the purpose it was collected, or as required by law.

Data categoryRetention periodReason
Account data (active subscribers)Duration of subscription + 12 monthsService operation; 12-month window for reactivation
Account data (cancelled accounts)12 months after cancellationDispute resolution, reactivation
Payment records and invoices7 yearsEstonian / EU tax law requirements (7-year financial record retention)
Email communications (support, corrections)3 yearsDispute resolution; quality assurance
Server logs (IP addresses, access logs)90 daysSecurity monitoring; fraud detection
Analytics data (anonymised)26 monthsGoogle Analytics default; anonymised — no individual identification
Cookie consent records3 yearsEvidence of consent for regulatory compliance
Deal alert preferencesDuration of subscription + 30 daysDeleted with account data

When retention periods expire, data is securely deleted or anonymised. If you request deletion of your account before the retention period expires, we will delete all data not subject to a legal retention requirement (such as tax records).

Section 9

International data transfers

Some of our sub-processors are based outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place.

Transfers to the United States

Several of our sub-processors, including Stripe, Google, Anthropic, and Mailchimp, are based in the United States. We rely on the following safeguards for these transfers:

  • EU–US Data Privacy Framework (DPF): Where sub-processors are certified under the DPF (currently Stripe and Google), this adequacy decision provides the legal basis for transfer.
  • Standard Contractual Clauses (SCCs): For all other US-based sub-processors, we have executed the European Commission's Standard Contractual Clauses (2021 version, Module 2: Controller to Processor). SCCs are also maintained as a fallback for DPF-certified processors in the event the DPF framework is invalidated.
Transfers within the EEA

Our AWS hosting uses the EU (Ireland) region. Our Google Analytics data is processed via Google Ireland Limited. These transfers remain within the EEA and do not require additional safeguards.

i
You can request a copy of the Standard Contractual Clauses we rely on for international transfers by emailing [email protected].
Section 10

Your rights under the GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following eight rights over your personal data. You can exercise any of these rights by emailing [email protected]. We will respond within 30 days.

1. Right to access
You may request a copy of all personal data we hold about you, along with information about how we use it (a "subject access request").
2. Right to rectification
You may ask us to correct inaccurate or incomplete personal data. You can update most account data directly from your account settings.
3. Right to erasure
You may request that we delete your personal data ("right to be forgotten"), subject to our legal retention obligations (e.g. tax records).
4. Right to restrict processing
You may ask us to stop processing your personal data in certain circumstances — for example, while you contest its accuracy — without requesting full deletion.
5. Right to data portability
Where we process your data by automated means on the basis of consent or contract, you may request a copy in a machine-readable format (CSV or JSON).
6. Right to object
You may object to processing carried out on the basis of legitimate interests. We must stop unless we can demonstrate compelling grounds for continuing.
7. Rights related to automated decisions
You have the right not to be subject to decisions made solely by automated processing that produce legal or similarly significant effects. We do not make such decisions.
8. Right to withdraw consent
Where we rely on your consent (e.g. the weekly digest, analytics cookies), you may withdraw it at any time. Withdrawal does not affect processing carried out before withdrawal.
How to exercise your rights

Email [email protected] with the subject line "Data rights request — [type of request]". We will verify your identity and respond within 30 days. For complex requests, we may extend this by a further two months — we will notify you if this is necessary.

Supervisory authority complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. As an Estonian entity, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): aki.ee. EU residents may also contact their national supervisory authority (see: edpb.europa.eu). UK residents may contact the Information Commissioner's Office (ICO): ico.org.uk.

Section 11

California residents — CCPA / CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers: Name, email address, IP address, account ID
  • Commercial information: Subscription plan, payment history, products purchased
  • Internet or network activity: Browsing history on our site, deal pages viewed, search queries
  • Professional or employment-related information: Company name (if provided)
  • Inferences: Inferences drawn from the above to understand preferences (e.g. sector interests for deal alerts)
Your CCPA rights
  • Right to know: You may request disclosure of the specific personal information we have collected about you and how it has been used and shared.
  • Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt out of sale / sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising for monetary consideration. Google AdSense may use cookies for interest-based advertising — you may opt out as described in Section 6.3.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not affect your access to our services or the prices you pay.

To exercise any of these rights, email [email protected] or use our contact form. We respond to verifiable requests within 45 days.

Section 12

Children's privacy

Discoperi is a professional B2B service intended for use by individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe a child under 18 has provided us with personal data, please contact us at [email protected] immediately. We will delete such data promptly upon verification.

Google AdSense policy: In compliance with Google AdSense's "Ads & Made For Kids Content Guide", we do not display targeted advertising on any content directed at children. Advertising is displayed only on content intended for adult financial professionals.
Section 13

Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration.

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). This is enforced on all pages — there is no unencrypted HTTP access to discoperi.com.
  • Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption via AWS RDS encryption.
  • Password security: User passwords are hashed using bcrypt with appropriate cost factors. We never store passwords in plaintext.
  • Payment security: We are PCI DSS compliant. Card payment details are never transmitted to our servers — they are processed directly by Stripe's PCI DSS Level 1 certified infrastructure.
  • Access controls: Access to personal data is restricted to staff who need it for their work, using role-based access controls. All internal access is logged.
  • Security monitoring: We monitor for unusual access patterns and security incidents continuously.
!
No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your personal data, we cannot guarantee its absolute security. Please use a strong, unique password for your Discoperi account.
Section 14

Data breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals directly without undue delay.

Breach notifications to individuals will be sent to the email address associated with your account. Please ensure your email address is kept up to date in your account settings.

Section 15

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered users at least 14 days before the changes take effect
  • Display a notice on our homepage and deal pages for the 14-day notice period
  • For material changes that affect the legal basis or purpose of processing, seek fresh consent where required by the GDPR

Previous versions of this Privacy Policy are available on request by emailing [email protected].

Section 16

Contact us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Privacy enquiries

For data subject requests, GDPR questions, and privacy concerns. We respond within 30 days (GDPR) or 45 days (CCPA).

General contact

For general questions about the service, advertising, or corrections to published content.

Discoperi OÜ — Registered address

[Registered address in Estonia — insert upon company registration] · discoperi.com/privacy-policy

Legal disclaimer: This Privacy Policy was last reviewed on 22 March 2026. It is provided for informational purposes. While we have endeavoured to make it accurate and compliant with applicable law, this document does not constitute legal advice. Discoperi OÜ is registered in Estonia, European Union. For Estonian supervisory authority: aki.ee. For UK residents: