FirstIgnite - Privacy

FirstIgnite, Ltd.

Privacy Policy

Last Updated: June 1, 2026

1. Background and Scope

FirstIgnite, Ltd. (“FirstIgnite,” “Company,” “we,” “us,” or “our”) is a Delaware corporation providing an AI-powered research partnership platform. We are committed to protecting the privacy, security, and confidentiality of personal information we collect, use, and disclose.

This Privacy Policy applies to personal information processed by FirstIgnite through:

our public websites, including www.firstignite.com and trust.firstignite.com (the “Sites”);
our customer-facing applications, including app.firstignite.com, crm.firstignite.com, and eu.firstignite.com (the “Services”); and
our business communications with prospects, customers, partners, and job applicants.

FirstIgnite acts as a data controller for personal information we collect directly (for example, through website forms, marketing, or our own sales and recruiting activities). When we process personal data on behalf of our customers as part of delivering the Services, we act as a data processor under the direction of that customer (the controller).

By using the Sites or Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Sites or Services.

2. EU-U.S. Data Privacy Framework Notice

FirstIgnite, Ltd. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

FirstIgnite, Ltd. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

FirstIgnite, Ltd. has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

2.1 Scope of DPF Coverage

FirstIgnite’s DPF self-certification covers all personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland in connection with the operation of our Sites, Services, and business activities, other than Human Resources data concerning our own EU, UK, or Swiss employees.

As required under the DPF Principles, FirstIgnite remains liable for any onward transfers of personal data to third parties acting as our agents, unless we prove that we are not responsible for the event giving rise to the damage.

3. Commitment to the DPF Principles

FirstIgnite adheres to each of the seven DPF Principles and the sixteen Supplemental Principles with respect to personal data received under the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF:

Notice — we provide the information described in this Policy when we collect personal data.
Choice — we offer opt-out (or opt-in for sensitive data) for disclosures to third parties or use materially different from the purpose for which the data was collected.
Accountability for Onward Transfer — we contractually require recipients to provide at least the same level of protection as the DPF Principles.
Security — we maintain reasonable and appropriate technical and organizational safeguards.
Data Integrity and Purpose Limitation — we process personal data only for purposes relevant to the reason it was collected.
Access — we provide individuals with reasonable access to their personal data and the ability to correct, amend, or delete inaccurate data.
Recourse, Enforcement, and Liability — we provide independent recourse mechanisms and enforceable verification, described in Section 13 below.

4. Personal Data We Collect

The personal data we collect depends on how you interact with us.

4.1 Information You Provide Directly

Identity Data: full name, email address, phone number, job title, employer or institution, and professional profile information.
Account Data: username, password, authentication credentials, and preferences.
Content Data: research descriptions, technology summaries, project details, messages, uploaded files, and other content you submit to the Services.
Communications Data: correspondence with our sales, support, and partnerships teams.
Billing Data: billing contact, address, and payment identifiers processed through our payment providers. FirstIgnite does not store full payment card numbers.

4.2 Information Collected Automatically

Technical Data: IP address, device identifiers, browser type and version, operating system, language preference, and referring and exit URLs.
Usage Data: pages viewed, features used, time and duration of access, click patterns, and similar product telemetry.
Cookies and Similar Technologies: as described in Section 15 below.

4.3 Information From Third Parties

Public and Licensed Sources: publicly available information about researchers, institutions, and companies (for example, authored publications, grant records, patent filings, institutional affiliations, and public professional profiles) used to power the Services.
Integrated Services: information you authorize us to receive from connected services such as Google Workspace or your institutional identity provider (see Section 16).
Business Partners: contact details received from customers, resellers, or referral partners to facilitate introductions.

4.4 Sensitive Personal Data

FirstIgnite does not solicit or intend to process sensitive categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health or sex life, or data relating to criminal offenses) through the Services. If such data is nonetheless submitted, we will treat it with the heightened protections required under applicable law and the DPF Principles.

5. How We Use Personal Data

We use personal data only for purposes that are relevant, proportionate, and consistent with this Policy, including to:

provide, operate, maintain, and improve the Sites and Services;
authenticate users, manage accounts, and enforce security;
deliver AI-driven matching, market research, outreach, grant discovery, and related features you request;
communicate with you about your account, service updates, and support requests;
conduct marketing activities (subject to your right to opt out) and deliver event, webinar, and product communications;
process payments and manage billing;
detect, prevent, and investigate fraud, abuse, and security incidents;
perform internal analytics, research, and service improvement;
comply with legal obligations and enforce our agreements.

5.1 Artificial Intelligence and Machine Learning

FirstIgnite does not use customer data, user inputs, uploaded content, or personal information processed through the Services to train foundation models or general-purpose AI/ML systems. Customer Content is used solely to deliver the requested Services to that customer and is not shared with AI model providers for model training purposes.

Where we engage third-party AI providers (see Section 9), we do so under contractual terms that prohibit use of FirstIgnite Customer Content for model training and require appropriate confidentiality and security.

6. Legal Bases for Processing (EU, UK, and Swiss Residents)

Where the EU GDPR, UK GDPR, or Swiss FADP applies, we rely on one or more of the following legal bases:

Consent — where you have given us permission to process personal data for a specific purpose.
Contractual necessity — where processing is needed to provide the Services or fulfill a contract with you or your organization.
Legitimate interests — including securing our platform, preventing fraud, improving the Services, conducting business development, and communicating with professional contacts, in each case balanced against individual rights.
Legal obligation — to comply with applicable law, regulation, or lawful request from a public authority.

7. Your Choices

In accordance with the Choice Principle, FirstIgnite offers individuals the opportunity to:

opt out of the disclosure of their personal data to unaffiliated third parties other than in circumstances permitted under the DPF Principles;
opt out of the use of personal data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized;
opt in to any use or onward transfer of sensitive personal data where required by the DPF Principles; and
opt out of direct marketing communications at any time.

To exercise these choices, please contact us at [email protected].

8. Disclosure of Personal Data

We do not sell personal data. We disclose personal data only as described below:

Service Providers and Subprocessors: third parties that help us operate the Sites and Services, listed in Section 9. These providers are contractually required to protect personal data consistent with this Policy and the DPF Principles.
Customers and their Authorized Users: where we process personal data on behalf of a customer, that customer controls access within their own account.
Affiliates: entities under common ownership with FirstIgnite, bound by equivalent protections.
Business Transactions: in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, subject to the successor entity being bound by commitments consistent with this Policy.
Legal and Safety: to comply with applicable law, lawful requests by public authorities (including national security or law enforcement requirements), court orders, and to protect the rights, property, or safety of FirstIgnite, our users, customers, or the public.
With Your Consent or Direction: where you authorize a specific disclosure.

Consistent with the DPF Principle on Accountability for Onward Transfer, FirstIgnite requires third parties that receive personal data transferred under the DPF to provide at least the same level of protection as required by the DPF Principles.

9. Subprocessors

FirstIgnite engages the following subprocessors to help deliver the Services. An up-to-date list is maintained at https://firstignite.com/subprocessors/ and is reproduced below for reference.

Core Infrastructure

Subprocessor	Purpose	Data Categories	Region
Google Cloud Platform	Primary cloud hosting, database storage, and computing infrastructure.	Account, content, usage, technical	USA / EU
Amazon Web Services	Secondary cloud infrastructure, file storage (S3), and data warehousing (Redshift).	Content, usage	USA
Microsoft Azure	Cloud infrastructure and Azure AI Search supporting AI workloads.	Content, usage	USA

Artificial Intelligence and Machine Learning

Subprocessor	Purpose	Data Categories	Region
OpenAI	LLM provider for parsing, summarization, and matching.	Content, identity (limited)	USA
Anthropic	AI model provider for natural language processing.	Content, identity (limited)	USA
Google (Gemini)	AI model provider for natural language processing.	Content, identity (limited)	USA
Perplexity AI	AI-powered research and discovery.	Content (queries)	USA
Parallel AI	AI orchestration and inference.	Content	USA
OpenRouter	AI model routing and inference platform.	Content	USA

Analytics and Product Usage

Subprocessor	Purpose	Data Categories	Region
Segment (Twilio)	Customer data infrastructure and event routing.	Identity, usage, technical	USA
PostHog	Product analytics, feature flags, and session replay.	Identity, usage, technical	USA / EU
Mixpanel	Product analytics and user behavior tracking.	Identity, usage	USA
Google Analytics	Website analytics for the Sites.	Technical, usage	USA

Customer Communications and Support

Subprocessor	Purpose	Data Categories	Region
Intercom	Customer support, in-product messaging, and help center.	Identity, communications	USA
Canny	User feedback and feature request management.	Identity, communications	USA
Vitally	Customer success management.	Identity, usage	USA
Mailgun (Sinch)	Transactional and operational email delivery.	Identity, communications	USA
Resend	Transactional email delivery.	Identity, communications	USA

Sales, Marketing, and Outreach

Subprocessor	Purpose	Data Categories	Region
HubSpot	CRM and marketing automation.	Identity, communications	USA
Salesforge	Sales outreach automation.	Identity, communications	USA
Mailmodo	Interactive email marketing.	Identity, communications	USA

Identity, Authentication, and Payments

Subprocessor	Purpose	Data Categories	Region
PropelAuth	Authentication and identity management.	Identity, account credentials	USA
Google OAuth	OAuth-based sign-in for Google accounts.	Identity (limited)	USA
Stripe	Payment processing and billing.	Billing, identity (limited)	USA

10. International Data Transfers

FirstIgnite is headquartered in the United States. Personal data we collect may be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate.

When we transfer personal data from the European Economic Area, the United Kingdom (and Gibraltar), or Switzerland to the United States, we rely on the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, as described in Section 2. Where the DPF is not an available transfer mechanism, we rely on EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism, and we implement supplementary measures where appropriate.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by law, regulation, or contract. Retention periods vary based on the nature of the data and the context of the processing, including:

account data is retained for the duration of the customer relationship and for a limited period thereafter to fulfill contractual, legal, and audit obligations;
billing records are retained for the period required by applicable tax, accounting, and anti-fraud laws;
usage and telemetry data is retained on a rolling basis in line with our operational needs;
data subject request records are retained to demonstrate compliance with this Policy and applicable law.

Once retention requirements are met, we securely delete or de-identify personal data in accordance with our Customer Data Deletion Runbook and Data Classification, Retention and Disposal Policy.

12. Your Data Protection Rights

Subject to applicable law and the DPF Principles, you may exercise the following rights in relation to personal data we hold about you:

access the personal data we hold about you;
request correction of inaccurate or incomplete data;
request deletion of your personal data, subject to legal and contractual retention obligations;
object to or restrict certain processing;
request data portability where applicable;
withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law, typically within 30 days. We may need to verify your identity before acting on your request.

If we process personal data on behalf of one of our customers (acting as processor), we will refer your request to that customer and support them in responding to you.

You also have the right to lodge a complaint with your local supervisory authority. A list of EU Data Protection Authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en, the UK ICO at https://ico.org.uk/, and the Swiss FDPIC at https://www.edoeb.admin.ch/.

13. Recourse, Enforcement, and Liability

13.1 Independent Recourse Mechanism — BBB National Programs

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), FirstIgnite, Ltd. commits to resolve DPF Principles-related complaints about our collection and use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF.

EU, UK, and Swiss individuals with inquiries or complaints should first contact FirstIgnite at [email protected].

FirstIgnite, Ltd. has further committed to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to BBB NATIONAL PROGRAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

13.2 FTC Enforcement

FirstIgnite, Ltd. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to its adherence to the DPF Principles.

13.3 Binding Arbitration

Under certain conditions, more fully described on the Data Privacy Framework website (https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction), EU, UK, and Swiss individuals may invoke binding arbitration to address complaints about FirstIgnite’s compliance with the DPF Principles that have not been resolved by the other available recourse mechanisms.

13.4 Verification

Consistent with the DPF Principle on Recourse, Enforcement, and Liability, FirstIgnite uses a self-assessment approach to verify that our attestations and assertions about our privacy practices are accurate and that our privacy practices have been implemented as represented and in accordance with the Principles. This verification is performed at least annually and is documented as part of our Information Security Management System.

14. Information Security

FirstIgnite maintains an Information Security Management System aligned to ISO/IEC 27001:2022 and the AICPA SOC 2 Trust Services Criteria. We implement appropriate organizational, administrative, physical, and technical safeguards to protect personal data against loss, misuse, unauthorized access, alteration, and destruction, including:

encryption of data in transit (TLS 1.2 or higher) and at rest;
role-based access controls, multi-factor authentication, and least-privilege provisioning;
continuous logging, monitoring, and alerting across production systems;
independent penetration testing and vulnerability management;
formal incident response, business continuity, and vendor risk management programs;
background checks and security awareness training for personnel.

No method of transmission or storage is completely secure. If FirstIgnite becomes aware of a personal data breach affecting your information, we will notify affected individuals and authorities as required by applicable law.

15. Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to recognize users, understand usage patterns, secure the Sites, and improve the Services. Cookie categories include strictly necessary, functional, analytics, and marketing cookies.

You may manage your cookie preferences through the consent banner on our Sites or your browser settings. Disabling certain cookies may limit functionality. The Sites do not currently respond to “Do Not Track” signals.

16. Google Services and Google User Data

16.1 Google Analytics

We use Google Analytics to understand anonymized usage of the Sites, such as pages visited and session duration. Google Analytics data is subject to Google’s privacy policies.

16.2 Google Account Integrations

If you authorize FirstIgnite to access your Google account (for example, Gmail or Google Calendar), we will access Google user data only to provide user-facing features you explicitly enable, such as scheduling, communication workflows, reminders, and summaries.

FirstIgnite’s use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Google user data:

is used only for user-facing features you have activated;
is not sold, shared, or used for advertising;
is not used for profiling, surveillance, or credit-worthiness decisions;
is not used to train foundation or general-purpose AI/ML models.

16.3 Access, Retention, and Revocation

Human access to Google user data is permitted only with explicit user consent, to investigate security or abuse, to comply with legal obligations, or where data is aggregated or de-identified for internal operations. Users may revoke Google account access at any time, after which FirstIgnite will cease access and delete or de-identify retained Google user data in accordance with our retention policies.

17. Children’s Privacy

The Sites and Services are not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us so we can delete it.

18. U.S. State Privacy Rights

Depending on your state of residence (including California, Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws), you may have additional rights regarding your personal data, such as the right to know, correct, delete, or opt out of certain processing. To exercise these rights, contact [email protected].

FirstIgnite does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

19. Third-Party Websites and Services

The Sites and Services may link to or integrate with websites and services operated by third parties. This Privacy Policy applies only to FirstIgnite’s Sites and Services. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy notices.

20. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the Last Updated date above and, where appropriate, provide additional notice (such as by email or through the Services). Continued use of the Sites or Services after an update constitutes acceptance of the revised Policy.

21. How to Contact Us

If you have questions, concerns, or requests relating to this Policy or our privacy practices, please contact:

FirstIgnite, Ltd.

Attn: Privacy Team

7348 Maple Terrace, Traverse City, MI 49686, USA

Email: [email protected]

General inquiries: [email protected]

21.1 EU and UK Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

United Kingdom (UK)
European Union (EU)

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/firstignite.