Privacy Policy
Last updated: April 17, 2026
1. Who We Are
Concessio (“we,” “us,” “our”) operates the infrastructure concession intelligence platform at concessio.io and app.concessio.io. We provide data, analytics, and intelligence tools to infrastructure investment professionals. Our registered address is available upon request at privacy@concessio.io.
2. Data We Collect
We collect information in three categories:
Account data. When you create an account or request a demo, we collect your name, work email address, company name, job title, and, optionally, your firm’s assets-under-management range. Authentication is handled by Clerk, Inc., which processes your email and password or OAuth credentials on our behalf.
Uploaded documents. You may upload concession agreements, fund documents, or other files for analysis. These documents are stored in our database infrastructure and processed by our AI analysis pipeline. Uploaded documents remain associated with your organization and are never shared with other users, used to enrich shared database records, or included in any model training data.
Usage data. We collect standard web analytics through Vercel Analytics, including pages visited, feature usage patterns, API request counts, and session duration. We do not use third-party advertising trackers.
3. How We Use Your Data
To provide the service. Your account data authenticates you and determines your access tier. Uploaded documents are analyzed to extract concession terms, risk signals, and compliance information visible only within your organization.
To improve the platform. Aggregated, anonymized usage patterns help us prioritize features. We never analyze the content of your uploaded documents for product development purposes.
To communicate with you. We send transactional emails (account verification, alert notifications, intelligence digests) via Resend. We may send product updates to your registered email. You can unsubscribe from non-essential communications at any time.
4. Document Confidentiality
We understand that concession agreements and fund documents contain commercially sensitive information. Uploaded documents are stored in isolated, organization-scoped database rows. They are never exposed to other users, surfaced in shared search results, used to populate public database records, or transmitted to any third party. AI processing of uploaded documents uses the Anthropic API with no data retention — Anthropic does not store or train on API inputs. Document data is encrypted at rest and in transit.
5. Third-Party Processors
We use the following sub-processors to deliver the service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Vercel | Hosting, CDN, analytics | Web requests, session data |
| Supabase | Database infrastructure | All platform data |
| Clerk | Authentication | Email, password hashes, session tokens |
| Anthropic | AI analysis (no data retention) | Document text for analysis |
| Resend | Transactional email | Email address, message content |
| Mapbox | Map visualization | Geographic coordinates only |
6. Data Retention
Account data is retained for the duration of your subscription and for 90 days following account closure. Uploaded documents are permanently deleted within 30 days of a deletion request or account closure. Platform usage analytics are retained in anonymized form indefinitely. API access logs are retained for 12 months.
7. Your Rights (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection law:
Access. Request a copy of the personal data we hold about you.
Rectification. Request correction of inaccurate personal data.
Erasure. Request deletion of your personal data, subject to legitimate retention needs.
Portability. Request your data in a structured, machine-readable format.
Restriction. Request that we limit processing of your data in certain circumstances.
To exercise any of these rights, contact us at privacy@concessio.io. We will respond within 30 days.
8. International Data Transfers
Our infrastructure is hosted in the United States (Vercel, Supabase). If you access the service from the EEA, UK, or Switzerland, your data is transferred to the US under Standard Contractual Clauses maintained by our sub-processors. We evaluate the data protection practices of all sub-processors before engagement.
9. Security
All data is encrypted in transit (TLS 1.2+) and at rest. Authentication uses industry-standard protocols via Clerk. Database access is restricted by row-level security policies. API keys are stored as SHA-256 hashes. We conduct periodic security reviews of our infrastructure and sub-processors.
10. Cookies
We use essential cookies for authentication session management (Clerk) and basic analytics (Vercel). We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required as we only use strictly necessary cookies.
11. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated via email to registered users at least 14 days before taking effect. The “Last updated” date at the top of this page indicates the most recent revision.
12. Contact
For privacy-related inquiries, data subject access requests, or complaints, contact us at privacy@concessio.io.