How The Buy Signal handles your data, the documents you upload, and the NDAs you sign.
The Buy Signal is buyer-side analytical software. We process deal documents solely to help buyers evaluate potential acquisitions, the same purpose permitted under every standard broker NDA. We never share, sell, or aggregate deal data across users. Documents are processed under strict data-handling terms with our AI provider, identifying information is stripped from persistently stored data, and original uploads are retained encrypted at rest, behind per-account access controls.
The Buy Signal is software you use to evaluate acquisitions. We are not a broker, marketplace, lender, or seller-facing service. We do not aggregate, sell, or share deal data across users.
When you upload a document, we strip identifiers (business name, owner names, addresses, phone numbers, emails, and other identifying values) from the structured analysis before saving it to our database. The original values are encrypted with a key your administrator could not use to decrypt them at the database layer.
Original uploaded files (PDFs, DOCXs, etc.) are retained so analysis can be refined and you can re-review the source. They are encrypted at rest, locked to your account by row-level security, and only reachable through short-lived signed URLs. You can delete any document yourself at any time.
When you upload to a deal, you affirm that you have a valid NDA permitting disclosure to service providers, written broker consent, or that no NDA is in place and you accept full liability. We log the affirmation as an immutable audit record.
All AI requests route through OpenRouter under per-request Zero Data Retention enforcement, directing traffic only to upstream provider endpoints on Amazon Bedrock, Google Vertex AI, or Microsoft Azure. The applicable API terms with Anthropic, Google, and OpenAI all explicitly prohibit using API content for model training. Your deal documents do not become part of any model's knowledge.
When a broker asks you to sign an NDA, you can attach our NDA Addendum to expressly include analytical SaaS tools in the agreement's definition of permitted Representatives. The addendum is short, professional, and ready for the broker to countersign.

Download NDA Addendum

We use the following third-party services to operate The Buy Signal. They are bound by contract to the data-handling commitments described above.
| Provider | Purpose | Region |
|---|---|---|
| OpenRouter, Inc.<br>Every TBS request carries per-request ZDR enforcement. OpenRouter routes only to upstream endpoints with contractual no-retention terms. No prompt or completion content persists on OpenRouter beyond the per-request lifetime. | AI inference gateway: routes prompts to upstream model providers under Zero Data Retention (ZDR) | New York, USA |
| Google LLC (Vertex AI)<br>Accessed exclusively via Google Vertex AI ZDR-eligible endpoints. API content is contractually not used for model training. No persistent storage of inputs or outputs beyond the request lifetime. | Foundation-model inference for document extraction (CIM and supporting docs) | United States |
| Anthropic PBC · Google LLC · OpenAI OpCo LLC<br>Accessed exclusively via ZDR-enforced endpoints on Amazon Bedrock, Google Vertex AI, or Microsoft Azure. Each provider's API terms explicitly prohibit using API content for model training. No persistent storage of inputs or outputs beyond the request lifetime. | Foundation-model inference for Signal Report narrative: one provider selected per request by OpenRouter's auto-router from a ZDR-constrained set | United States |
| Supabase, Inc.<br>SOC 2 Type II. AES-256 at rest, TLS 1.3 in transit. Row-level security siloes each customer's data. | Authentication, Postgres database, file storage | United States |
| Railway Corp.<br>TLS 1.3 in transit. Process isolation between deployments. | Application backend hosting | United States |
For the technically curious: these are the actual implementation details, not marketing language.
Customers who require a signed DPA (typically: funds, family offices, search funders with LPs) can request our standard DPA below. It incorporates the sub-processor list above plus OpenRouter's and each upstream foundation-model provider's data-handling terms.
Email trust@thebuysignal.com to request the DPA.