Peony LogoPeony

Privacy Policy

Last updated: March 27, 2026

This Privacy Policy describes how Peony (US) Inc. ("Peony," "we," "us," or "our") collects, uses, discloses, and protects your personal data when you use our data room platform and related services (the "Services"). We are based in San Francisco, CA.

By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

Our Privacy Commitments

  • Your documents are yours. We never access, review, or use your files except to deliver the features you enable.
  • No AI training on your data. Your documents and queries are never used to train machine learning models.
  • No advertising. No tracking pixels. No cookie banners. We only use essential cookies for authentication.
  • Self-service deletion. Delete documents, data rooms, or your entire account from your dashboard — no support ticket, no waiting period.
  • DPA in 24 hours. Need a Data Processing Agreement? Email us and we execute it within one business day.
  • We never sell your data. Not to advertisers, not to data brokers, not to anyone.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, company name, and password. If you subscribe to a paid plan, our payment processor (Stripe) collects your billing information. We do not store credit card numbers on our servers.

1.2 Documents and Content

You may upload documents, files, and other content to your data rooms. We store this content on your behalf using AES-256 encryption at rest and TLS 1.3 encryption in transit on SOC 2-ready infrastructure. We do not access, review, or use your documents except as necessary to provide the Services (e.g., AI extraction, indexing, and search features that you enable).

1.3 Viewer and Analytics Data

When someone views documents shared through Peony, we collect analytics data on your behalf, including: viewer name and email (when provided or captured via NDA gating), IP address, approximate geographic location (city and country derived from IP), device type, operating system, browser, pages viewed, time spent per page, and download activity. This data is collected to provide you with page-level analytics and engagement reporting.

1.4 AI Feature Data

When you or your viewers use AI-powered features (AI Document Extraction, Smart Q&A, AI Rooms), queries and responses are processed to provide answers. We do not use your document content or AI queries to train machine learning models.

1.5 Usage and Technical Data

We automatically collect technical information such as IP address, browser type, operating system, device identifiers, referring URLs, and pages visited on our marketing website. We use this data to improve the Services and diagnose technical issues.

2. How We Use Your Information

We use personal data to:

  • Provide, maintain, and improve the Services
  • Process transactions and send billing-related communications
  • Generate analytics and engagement reports for data room administrators
  • Power AI features (document extraction, Q&A, auto-indexing)
  • Send service-related notifications (access requests, NDA signatures, Q&A activity)
  • Respond to support requests
  • Enforce our Terms of Service and protect against fraud or abuse
  • Comply with legal obligations and respond to lawful requests

3. How We Share Your Information

We do not sell your personal data. We share data only with:

3.1 Service Providers (Sub-processors)

We use the following third-party services to operate the platform:

  • Amazon Web Services (AWS) — cloud infrastructure and data storage (us-east-1 region)
  • Vercel — application hosting and edge delivery
  • Cloudflare — DNS, CDN, and DDoS protection
  • Stripe — payment processing

3.2 Data Processing Agreement (DPA)

If your organization requires a Data Processing Agreement for GDPR or regulatory compliance, contact deqian@peony.ink and we will execute one within 24 hours. No procurement process required.

3.3 Data Room Administrators

If you access a data room as a viewer, the data room administrator may see your viewer analytics (pages viewed, time per page, device, location, NDA status). This is the core functionality of the platform.

3.4 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Data Retention

We retain your account data for as long as your account is active. Documents in your data rooms are retained until you delete them or close your account. Viewer analytics data is retained for the lifetime of the data room. You can delete individual documents, entire data rooms, or your full account at any time from your dashboard — no support ticket required. When you delete your account, we delete your data within 30 days, except where we are required by law to retain it.

5. Data Security

We protect your data with AES-256 encryption at rest and TLS 1.3 encryption in transit. Our infrastructure is SOC 2 ready. We implement access controls, audit logging, two-factor authentication, dynamic watermarking, screenshot protection, and NDA-gated access. For full details on our security architecture, see our Security page.

6. Cookies

We only use essential cookies for authentication and session management. We do not use third-party advertising cookies, tracking pixels, or retargeting scripts. Because we only use strictly necessary cookies, no cookie consent banner is required — one fewer popup between you and your data room.

7. International Data Transfers

Peony (US) Inc. is a US company with a registered address in London, United Kingdom. Your data may be processed in the United States (AWS us-east-1 region). We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for transfers of personal data from the UK/EEA to the United States.

8. Your Rights

8.1 UK/EEA Residents (GDPR)

If you are located in the UK or European Economic Area, you have the right to: access your personal data, rectify inaccurate data, request deletion of your data, restrict or object to processing, request data portability, and withdraw consent at any time. To exercise these rights, contact us at deqian@peony.ink. We will respond within 30 days.

8.2 California Residents (CCPA)

If you are a California resident, you have the right to: know what personal information we collect, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact deqian@peony.ink.

9. Children

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Services after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Peony (US) Inc.
San Francisco, CA
Registered office: 86–90 Paul Street, London, EC2A 4NE, UK
Email: deqian@peony.ink
Phone: +1 (808) 255-5691