How Aleva handles your data

Aleva is a private software workspace for small (2–4 person) investor partnerships. Each partnership's data — deals, documents, capital calls, K-1s, comments, investment thesis — is private to that partnership and never visible to anyone outside it. There is no public deal feed, no marketplace, no shared activity stream. The product exists to keep your partnership's investing organized; it does not exist to collect or monetize your data.

• Account info: your email address (used as login + for sending the magic-link / password-reset / digest emails you opt into) and your display name if you set one.
• Partnership data you create: deals you add, documents you upload, capital calls and K-1s you forward, comments you write, your investment thesis, decision deadlines, member invites.
• Integration tokens: if you connect Google Drive, Slack, or Telegram, we store the OAuth tokens or webhook URLs you provide so the integration keeps working. Tokens are stored encrypted at rest and used only to perform the integration's function (read picked Drive files, post a notification, etc).
• Operational logs: server-side request logs, error reports, and AI extraction audit records (which documents were parsed, when, by which model). These help us debug; they don't leave Aleva and our infrastructure providers.

• We don't sell your data. To anyone. Ever.
• We don't share data with advertising or marketing networks.
• We don't train AI models on your partnership data. When we use AI (e.g. Claude for document parsing or deal summarization), the requests are made under our standard commercial agreement with the model provider, which prohibits use of customer data for training.
• We don't handle money. Aleva never sees, holds, transfers, or routes investor capital. Capital calls and K-1s in Aleva are records of money that moved elsewhere — not vehicles for moving it.

Aleva runs on a small, deliberately boring stack of US-based providers. We use:

• Supabase (Postgres + Auth + Storage) for the database, sign-in, and document storage.
• Vercel for application hosting.
• Postmark for inbound deal email forwarding; Resend for outbound notification emails.
• Anthropic (Claude) for AI document extraction and deal summarization. OpenAIfor the small embedding model that powers “similar deals.”
• Inngest for background jobs (parsing, digests).
• Sentry for error monitoring.

All of these are subprocessors that handle your data on Aleva's behalf. None of them are advertising networks.

Partnership data is enforced private at the database layer via Postgres Row-Level Security. The policy is: a row is visible only to members of the partnership it belongs to. This is not application-level access control that could be forgotten in a code path — it's the default-deny rule the database enforces on every query, including ours.

You can export everything Aleva holds about you (CSV exports for deals, capital calls, K-1s; original document downloads). You can delete your account, at which point your personal identifiers are removed. Partnership data you authored remains in the partnership unless your co-owners also delete it — the partnership is the unit of account.

Email accounts@aleva.io for any data request.

Aleva sets a session cookie when you sign in. We don't set advertising or analytics cookies. The site does not run third-party tracking pixels.

When this policy changes meaningfully, we'll email partnership owners and update the “last updated” date above. Cosmetic edits (typo fixes, clarifications) ship without notice.

Questions about this policy or about data we hold: accounts@aleva.io.