Deal Matrix

Privacy Policy

Version 2.2 · Effective Date: April 11, 2026 · Last Updated: April 11, 2026

Phoenix Holdings LLC — An Illinois Limited Liability Company

This Privacy Policy ("Policy") describes how Phoenix Holdings LLC, an Illinois limited liability company ("Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with the Service. This Policy applies to all Customers, Authorized Users, website visitors, and any other individuals whose Personal Data we process.

IMPORTANT: This Policy is designed to work alongside the Terms of Service, the Data Processing Agreement ("DPA"), and the Service Level Agreement ("SLA") for the Service. In the event of a conflict between this Policy and the DPA with respect to the processing of Customer Data, the DPA shall control.

1. Acceptance of This Policy

1.1 How Acceptance Occurs

By creating an account, clicking "I Agree" (or a similar affirmative action) during registration, or by accessing or using the Service in any manner, you represent that you have read, understood, and agree to be bound by this Policy. If you are accepting on behalf of a Customer organization, you represent that you have the authority to bind that organization to this Policy.

1.2 Effective Date vs. Acceptance Date

The "Effective Date" at the top of this Policy is the date on which this version of the Policy was published by the Company. Your individual acceptance occurs on the date you first create an account, affirmatively consent, or use the Service (your "Acceptance Date"). For existing users, continued use of the Service after the Effective Date of any updated Policy constitutes acceptance of the updated terms, subject to the notice provisions in Section 18.

1.3 Refusal

If you do not agree with this Policy, you must not create an account or use the Service. If you are an existing Customer and do not agree to a material update, you may terminate your subscription and export your data as provided in the Terms of Service prior to the updated Policy's effective date.

2. Definitions

"Customer" means the organization or individual that has entered into a subscription agreement with us for access to the Service.

"Customer Data" means all data, content, and information submitted to or processed through the Service by or on behalf of a Customer or its Authorized Users, including personal data about hotel clients, contacts, leads, deal records, notes, and attached documents. Customer Data does not include Usage Data or Aggregated Data.

"Authorized User" means any individual granted access to the Service by a Customer, including employees, contractors, and agents.

"Contact" means any third-party individual whose Personal Data is stored within Customer Data (e.g., a hotel client, lead, vendor, or business contact whose record exists in the Service).

"Personal Data" means any information that identifies or could reasonably be used to identify a natural person, directly or indirectly, including names, email addresses, phone numbers, IP addresses, device identifiers, and similar identifiers, as further defined by applicable law.

"Usage Data" means technical and behavioral data automatically collected when you access or use the Service, such as IP addresses, browser type, pages visited, feature usage, click paths, and timestamps.

"Aggregated Data" means data derived from Customer Data or Usage Data that has been de-identified and aggregated such that it cannot reasonably be used to identify any individual, Customer, or their business. Aggregated Data is not Customer Data.

"Sensitive Personal Information" means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data, precise geolocation, Social Security numbers, financial account numbers, or other categories defined as sensitive under applicable law.

"Sub-processor" means any third-party vendor or service provider engaged by us to process Customer Data on our behalf.

"Prohibited Data" has the meaning set forth in Section 5.6.

3. Our Role: Controller and Processor

3.1 When We Are a Data Controller

We act as a data controller with respect to:

  • Account registration data and billing information you provide when signing up for the Service;
  • Contact information for Customer account administrators and primary contacts;
  • Usage Data and technical information collected through our website and the Service;
  • Communications between you and our support, sales, or legal teams; and
  • Information collected through cookies and similar tracking technologies on our website.

3.2 When We Are a Data Processor

With respect to Customer Data — meaning the hotel client records, contacts, deals, and other business data you upload or input into the Service — we act as a data processor on your behalf. You (the Customer) are the data controller for that data. We process it solely pursuant to your documented instructions and the terms of the Data Processing Agreement ("DPA"), which is incorporated by reference into the Terms of Service.

3.3 Customer Responsibilities — General

As the data controller for Customer Data, the Customer acknowledges, represents, and warrants that:

  • Customer has a valid legal basis under applicable law for collecting and processing all Personal Data it uploads to or processes through the Service;
  • Customer has provided all required notices and obtained all required consents from Contacts and other data subjects;
  • Customer is solely responsible for responding to data subject rights requests from its Contacts;
  • Customer is solely responsible for the accuracy, quality, integrity, and legality of all Customer Data;
  • Customer shall maintain its own publicly available privacy policy;
  • Customer shall ensure that Customer Data does not include Prohibited Data (see Section 5.6) unless a separate written agreement is in place; and
  • Customer is responsible for managing Authorized User access, permissions, roles, and compliance.

3.4 Customer Responsibilities — CRM-Specific Obligations

Because the Service is a customer relationship management platform that stores and processes Contact records on the Customer's behalf, the Customer additionally acknowledges, represents, and warrants the following:

(a) Lawful Data Sources. All Contact data uploaded to the Service has been obtained through lawful means. Customer shall not upload Contact data that was obtained through scraping, harvesting, or any unauthorized collection method.

(b) Anti-Spam and Electronic Communications Compliance. If the Service provides email, SMS, or other electronic communication features, Customer is solely responsible for ensuring compliance with all applicable anti-spam and electronic communications laws, including the CAN-SPAM Act, the TCPA, CASL, and the EU ePrivacy Directive.

(c) Do-Not-Call and Do-Not-Contact Compliance. Customer is solely responsible for scrubbing Contact lists against the National Do-Not-Call Registry and applicable state do-not-call lists.

(d) Consent Record-Keeping. Customer is solely responsible for maintaining records of consent, opt-in, and opt-out status for each Contact within the Service.

(e) Email Tracking and Activity Monitoring Disclosures. Customer is solely responsible for disclosing the use of tracking technologies to Contacts as required by applicable law.

(f) Sharing, Visibility, and Access Configuration. Customer is solely responsible for configuring sharing rules, field-level security, role hierarchies, and access permissions within the Service.

(g) Authorized User Training. Customer shall ensure that all Authorized Users receive adequate training on data protection obligations before being granted access.

(h) Third-Party Integration Data Flows. When Customer connects third-party integrations, Customer is solely responsible for understanding and authorizing the data flows.

(i) Data Enrichment. If the Service offers data enrichment features, Customer acknowledges that enrichment data is provided "as-is" without warranty of accuracy.

(j) Regulatory Compliance. Customer is solely responsible for determining whether Customer's use of the Service complies with any industry-specific regulations.

3.5 Right to Suspend for Compliance Violations

We reserve the right to suspend Customer's access to the Service if we reasonably determine that Customer's use: (a) generates excessive abuse complaints; (b) violates Prohibited Data restrictions; (c) violates applicable laws; or (d) poses a material risk to the Service or other Customers.

4. Information We Collect

4.1 Information You Provide Directly

  • Account Information: Name, business email address, company name, phone number, job title, and billing address.
  • Payment Information: Credit card numbers, billing address, and transaction history processed through Stripe. We do not store full payment card numbers on our servers.
  • Customer Data: Client profiles, contact records, deal histories, notes, tasks, documents, and any other content you upload or create.
  • Support Communications: Messages, attachments, screenshots, and other information you send when contacting support.
  • Survey and Feedback Data: Responses to optional surveys, product feedback forms, or user research sessions.

4.2 Information Collected Automatically

  • Usage Data: Features accessed, pages viewed, search queries, click paths, session duration, and frequency of use.
  • Device and Browser Data: IP address, browser type and version, operating system, device identifiers, language preferences, and screen resolution.
  • Log Data: Server logs including access times, error logs, API call records, and request/response metadata.
  • Cookies and Tracking Technologies: See Section 9 for details.

4.3 Information From Third Parties

  • Single Sign-On Providers: Authentication tokens and profile information from SSO providers.
  • Payment Processors: Transaction confirmations, billing events, and fraud detection signals from Stripe.
  • Integration Partners: Data from third-party integrations as directed and configured by you.
  • Business Partners: Lead or referral information from authorized channel partners.

5. How We Use Your Information

5.1 Service Delivery and Operations

  • Creating and managing your account and organization;
  • Providing, operating, maintaining, and improving the Service;
  • Processing transactions, managing subscriptions, and billing;
  • Providing customer support and responding to inquiries;
  • Sending service-related communications; and
  • Enforcing our Terms of Service and other agreements.

5.2 Service Improvement and Analytics

  • Analyzing Usage Data in aggregate to understand how the Service is used;
  • Conducting internal research, testing, and development of new features;
  • Generating Aggregated Data for product analytics and benchmarking; and
  • Troubleshooting bugs, errors, and performance issues.

5.3 Marketing and Communications

We will only send marketing communications to Authorized Users who have not opted out. We will not send unsolicited marketing to Contacts or any individuals whose Personal Data exists within Customer Data.

5.4 Security and Fraud Prevention

Detecting, investigating, and preventing fraud, abuse, unauthorized access, and security incidents; monitoring for anomalous activity; and performing identity verification for administrative actions.

5.5 Legal and Compliance

Complying with applicable laws, responding to lawful requests, protecting rights and safety, and establishing or defending legal claims.

5.6 Prohibited Data

The Service is not designed to process, and Customers must not upload, the following categories of data unless a separate written agreement is in place:

  • Protected Health Information ("PHI") as defined under HIPAA, unless a BAA has been executed;
  • Payment card data (full credit/debit card numbers, CVV codes) except as processed through Stripe;
  • Social Security numbers, national identification numbers, or government-issued ID numbers of Contacts;
  • Biometric data, genetic data, or data concerning a person's sex life or sexual orientation;
  • Financial account numbers of Contacts;
  • Login credentials or passwords of Contacts or third parties;
  • Data subject to ITAR or EAR;
  • Data relating to minors under the age of 16; and
  • Any data requiring specific certifications or approvals beyond those described in this Policy.

We disclaim all liability for any Prohibited Data uploaded to the Service in violation of this section.

5.7 Artificial Intelligence and Machine Learning

We do not use Customer Data to train artificial intelligence or machine learning models. If the Service incorporates AI-powered features, such processing occurs solely within the Customer's own tenant environment. We will clearly identify AI-powered features and provide the ability to enable or disable them.

5.8 Legal Basis for Processing (EU/UK Users)

Legal Basis and Purpose:

  • Contract: Processing necessary to perform our contract with you (e.g., providing the Service, billing, support).
  • Legitimate Interests: Improving the Service, security monitoring, fraud prevention, and direct marketing to existing customers (subject to opt-out).
  • Legal Obligation: Compliance with applicable law and responding to legal process.
  • Consent: Marketing to individuals who have opted in; use of non-essential cookies.

6. How We Share Your Information

We do not sell your Personal Data. We do not share your Personal Data with third parties for their own marketing purposes or for cross-context behavioral advertising.

6.1 Service Providers (Sub-processors)

We engage trusted third-party vendors to help operate the Service. These Sub-processors access Personal Data only as necessary and are contractually bound to protect it.

6.2 Business Transfers

If we are involved in a merger, acquisition, or similar corporate transaction, Personal Data may be transferred as part of that transaction. We will notify affected Customers at least thirty (30) days prior.

6.3 Legal Requirements and Government Requests

We may disclose Personal Data if required by law. We commit to narrowing the scope of any request, challenging overbroad requests, and notifying affected Customers where permitted by law.

6.4 Professional Advisors

We may share Personal Data with attorneys, accountants, auditors, and insurers as necessary, subject to professional duties of confidentiality.

7. Confidentiality of Customer Data

We treat Customer Data as confidential information. Access is logged, auditable, and restricted on a need-to-know basis. Customer Data is logically segregated from that of other Customers. We will not use Customer Data to contact Contacts directly or for any purpose other than providing the Service.

8. Data Retention

8.1 Customer Data

We retain Customer Data for as long as the subscription remains active plus ninety (90) days following termination. We will respond to data export or portability requests within ten (10) business days. After the 90-day post-termination period, Customer Data is permanently deleted from production systems and purged from backups within 180 days.

8.2 Account and Billing Records

We retain account registration data, billing records, and transaction history for seven (7) years following account closure.

8.3 Usage and Log Data

Usage Data and server logs are retained for twelve (12) months and then either deleted or irreversibly anonymized.

9. Cookies and Tracking Technologies

Type and Description:

  • Strictly Necessary: Required for the Service to function (e.g., session authentication, CSRF protection). Cannot be disabled.
  • Functional: Remember your preferences (e.g., language, timezone, UI settings).
  • Analytics: Help us understand how the Service is used. Disabled if you reject analytics cookies.
  • Marketing: Track visits to our marketing website for ad attribution. Not used within the authenticated application.

You can control cookies through our cookie consent banner, your browser settings, and the "Cookie Settings" link in the footer. We honor the Global Privacy Control (GPC) signal.

10. Data Security

  • Encryption in Transit: All data encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Customer Data encrypted using AES-256.
  • Access Controls: Role-based access controls and MFA for all administrative access.
  • Vulnerability Management: Regular penetration testing (at least annually) and vulnerability scans.
  • Incident Response: Documented incident response plan; notification within 72 hours for confirmed data breaches.
  • Employee Security: Background checks and annual security awareness training.
  • Business Continuity: Documented disaster recovery plans, tested at least annually.

11. International Data Transfers

Our primary infrastructure is located in the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework, and the UK International Data Transfer Agreement (IDTA) as applicable.

12. Your Privacy Rights

12.1 Rights for All Users

  • Access and update your account information at any time;
  • Export your Customer Data using built-in export tools (CSV, JSON, API);
  • Request deletion of your account and associated Personal Data; and
  • Opt out of marketing emails at any time.

12.2 European Union and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the EU or UK, you have additional rights including: Right of Access, Right to Rectification, Right to Erasure, Right to Restriction, Right to Data Portability, Right to Object, Right to Withdraw Consent, and Right to Lodge a Complaint with your supervisory authority.

12.3 U.S. State Privacy Rights

If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Nevada, or any other state with applicable privacy laws, you may have rights including: Right to Know/Access, Right to Delete, Right to Correct, Right to Opt-Out of Sale or Sharing, Right to Data Portability, Right to Non-Discrimination, and Right to Appeal. We do not sell your Personal Data.

13. Children's Privacy

The Service is designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Data from children. Customers must not upload Contact records for individuals known to be under the age of 16.

14. Third-Party Links and Integrations

The Service may contain links to or integrations with third-party services. This Privacy Policy does not apply to those third-party services. Enabling a third-party integration constitutes your instruction to share the applicable data.

15. Do Not Track and Global Privacy Control

We honor the Global Privacy Control (GPC) signal as a valid opt-out request in jurisdictions where legally recognized. We do not currently respond to Do Not Track (DNT) signals separately from GPC.

16. Privacy by Design and Data Minimization

We conduct privacy impact assessments before launching new features, collect only the minimum Personal Data necessary, apply purpose limitation, implement safeguards at every stage of development, and default to the most privacy-protective settings.

17. Limitation of Liability, Indemnification, and Disclaimers

17.1 Company Liability Cap

Our aggregate liability shall not exceed the total fees actually paid by the Customer in the twelve (12) months immediately preceding the event giving rise to the claim.

17.2 Exclusion of Consequential Damages

In no event shall we be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or relating to the processing of Personal Data.

17.3 Customer Indemnification

The Customer shall indemnify and hold harmless the Company from claims arising out of: Prohibited Data violations, failure to obtain required consents, violations of anti-spam or telemarketing laws, failure to comply with data protection law, misconfiguration of access settings, claims by Contacts, and misuse of tracking or enrichment features.

17.4 Disclaimers

The Company does not provide legal, regulatory, tax, or compliance advice. The Service is provided "as is" with respect to regulatory compliance features.

18. Changes to This Privacy Policy

We may update this Policy from time to time. We will notify Customers of material changes by emailing the primary account administrator at least thirty (30) days before the change takes effect and by posting a notice within the Service's dashboard.

19. Contact Information

  • Privacy Contact: support@dealmatrix.com
  • Security Contact: support@dealmatrix.com
  • Mailing Address: Phoenix Holdings LLC, Illinois

We aim to respond to all privacy inquiries within thirty (30) days.

20. Accessibility

We endeavor to conform to WCAG 2.1 at the AA level. If you experience accessibility barriers, please contact us at support@dealmatrix.com.

21. General Provisions

21.1 Severability. If any provision is held invalid, the remaining provisions continue in full force.

21.2 Survival. Sections 2, 3.3, 3.4, 5.6, 7, 8, 12, 17, 21, and 22 survive termination.

21.3 Waiver. No failure or delay in exercising any right shall operate as a waiver.

21.4 Assignment. Customer may not assign without prior written consent. The Company may assign in connection with a merger or acquisition.

21.5 Entire Agreement. This Policy, together with the Terms of Service, DPA, and SLA, constitutes the entire agreement. Order of precedence: (1) DPA, (2) Terms of Service, (3) this Privacy Policy, (4) SLA.

21.7 No Third-Party Beneficiaries. This Policy is for the benefit of the Company and its Customers and Authorized Users only. Contacts should direct privacy inquiries to the applicable Customer.

21.8 Electronic Communications Consent. By creating an account, you consent to receive electronic communications related to your account and the Service.

22. Governing Law and Dispute Resolution

This Privacy Policy is governed by the laws of the State of Illinois, without regard to conflict of law principles. The exclusive venue for any claims shall be the state and federal courts located in Cook County, Illinois.