Privacy Policy
Effective date: May 31, 2026
Stanton Street, Inc. ("we," "us," or "our") operates the Looking Forward platform, a warm-introduction management tool for founders and investors. This Privacy Policy explains what information we collect, how we use it, and your choices.
1. Information We Collect
Account information. When you create an account we collect your name, email address, job title, company affiliation, and an optional bio and profile photo.
Authentication data. We support sign-in via email (magic link), Google OAuth, and passkeys (WebAuthn). We also support LinkedIn and Y Combinator (Bookface) OAuth for profile verification purposes. When you authenticate or verify through a third-party provider we receive limited profile information (such as name and email) and store OAuth tokens necessary to maintain your session or verification status. We do not access your passwords on any third-party service.
Sending from your Google account. If you choose to connect a Google account so that introductions and invitations are sent from your own email address, we request the Gmail "send" permission (https://www.googleapis.com/auth/gmail.send) and store the resulting OAuth tokens in encrypted form. We use this permission solely to send the specific messages you explicitly initiate, and we never use it to read, search, or otherwise access your mailbox. This connection is optional and you can disconnect it at any time (see Section 9).
Google Contacts (imported and stored). If you choose to import contacts from Google, we request read-only access to your Google Contacts (https://www.googleapis.com/auth/contacts.readonly) to retrieve names, email addresses, organizations, job titles, and photos. We store these imported contacts in our database so that you can quickly add them and create invitations. This import is optional and initiated by you. You can disconnect Google Contacts at any time, and we will delete the imported contact data (see Section 9). We also store contacts you add manually.
Gmail access (read-only). If you choose to connect Gmail, we request read-only access (https://www.googleapis.com/auth/gmail.readonly) to read message header metadata only — the names and email addresses on the From, To, Cc, and Reply-To lines, plus the subject and date. We use this to help you find and add contacts and to suggest people to CC on introduction emails. We request the read-only permission because Gmail's search API requires it to look up messages by sender or recipient; however, we deliberately limit our access to header metadata (using the Gmail API's metadata format) and never request, read, or store the contents, bodies, or attachments of your email messages. Gmail header data is processed transiently in memory to generate these suggestions and is not retained on our servers; a contact's name and email address are saved only when you choose to add or invite that person.
Content you provide. This includes blurbs, pitch decks, introduction requests, messages within introduction threads, and any other content you create within the platform.
Usage data. We collect analytics events such as page views, feature usage, and session information to improve the product. We use PostHog for product analytics. We track page views on public profiles and deck-share pages, including for anonymous visitors.
Technical data. We automatically collect IP addresses, browser type, device information, and referring URLs when you visit our platform.
2. How We Use Your Information
- To provide, maintain, and improve the Looking Forward platform.
- To facilitate warm introductions between founders and investors at your direction.
- To authenticate your identity and maintain the security of your account.
- To send emails on your behalf and to you in connection with introductions, invitations, and account activity (see Section 4).
- To send introduction and invitation emails from your connected Google account, at your direction, when you choose a "send from" address (see Section 4).
- To help you find and add contacts and to suggest recipients to CC on introductions, using your connected Google Contacts and Gmail header metadata (see Section 1).
- To analyze usage patterns and improve the user experience.
- To comply with legal obligations.
3. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
- At your direction. When you request or approve a warm introduction, the relevant profile information and materials you have chosen to share (including your name, title, company, blurb, and pitch deck) are made visible to the other parties in that introduction.
- Email address disclosure. When an introduction is completed, the connecting email includes the email addresses of both the requesting and receiving parties so they can continue the conversation directly.
- Public profile information. Your name, title, company, bio, profile photo, and verification badges are visible on your public profile page and in search results. Your email address is not displayed on your public profile.
- Service providers. We use Amazon Web Services (AWS) for hosting, compute, database, file storage, and email delivery (via AWS SES). We use PostHog for product analytics. These providers process data on our behalf.
- Legal requirements. We may disclose information if required to comply with applicable law, regulation, or legal process.
4. Email and Communications
We send emails on your behalf and to you in connection with the Service. These include:
- Introduction emails. When an introduction is accepted, we send an email connecting the parties involved. This email includes the email addresses of both parties so they can communicate directly.
- Introduction updates. We send email notifications to participants when introduction requests are created, forwarded, accepted, or declined, and when messages are sent within introduction threads.
- Invitations. When you invite a founder or investor to the platform, we send an invitation email to the recipient on your behalf. These recipients may not yet have an account on the platform.
- Trust notifications. When you trust someone with your network, we notify them by email. If they do not yet have an account, the email includes a link to create one.
- Account emails. We send transactional emails directly to you, such as magic-link sign-in codes and welcome emails.
Platform and account emails are sent from our domain (lookingforward.cc) via AWS SES. If you connect a Google account and choose to send from your own address, those specific introduction and invitation emails are instead sent through the Gmail API from your address using the Gmail "send" permission (see Section 5).
5. Google API Services Limited Use
Some features rely on Google APIs, and the access we request is scoped narrowly to the feature you choose to use:
- Google Contacts (contacts.readonly) — when you import your Google Contacts, we read and store them so you can quickly add contacts and create invitations.
- Gmail read-only (gmail.readonly) — we read message header metadata only (never message bodies) to help you find and add contacts and to suggest people to CC on introductions. This data is processed transiently and is not stored on our servers.
- Gmail send (gmail.send) — we send the introduction and invitation emails you explicitly initiate from your connected Google address. We never use this permission to read your mailbox.
Looking Forward's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, information obtained through Google APIs is not used or transferred for advertising purposes, not sold, and not used to train generalized artificial intelligence or machine-learning models. We do not transfer this information to third parties except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger or acquisition. We do not allow humans to read this data unless we have your consent for specific messages, it is necessary for security or to comply with applicable law, or the data has been aggregated and anonymized. We never access the contents or bodies of your email messages.
6. Data Storage and Security
We use industry-standard measures to protect your data, including encrypted connections (TLS), HTTP-only session cookies, encrypted database storage (AWS Aurora with encryption at rest), and encrypted file storage (AWS S3 with server-side AES-256 encryption). Access to our infrastructure is restricted via private networking and VPN.
Profile photos and company images are stored in a publicly accessible storage bucket so they can be displayed across the platform. Pitch decks and other documents are stored in a private bucket and are accessible only through time-limited signed URLs.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Data Retention
We retain your account data for as long as your account is active. When your account is deleted, we delete your personal data and associated database records (OAuth tokens, imported contacts, blurbs, introduction requests, session data, and credentials). Files you uploaded (such as profile photos and pitch decks) may remain in storage until they are purged. Automated database backups are retained for up to 7 days after deletion.
8. Cookies
We use the following cookies:
- Session cookie ("lf_session"). HTTP-only. Keeps you signed in. Expires after 14 days.
- Deck viewer cookie ("lf_share_viewer"). HTTP-only. Used to attribute anonymous deck-share viewing sessions for analytics. Expires after 1 year.
- Analytics cookies. Our analytics provider (PostHog) may set cookies for product analytics purposes.
We do not use advertising or tracking cookies.
9. Your Rights and Choices
- Access and portability. You may request a copy of the personal data we hold about you by contacting us.
- Correction. You can update your profile information at any time through the platform.
- Deletion. You may request deletion of your account and personal data by contacting us.
- Google Contacts. You can disconnect your Google Contacts integration at any time through the platform, and we will immediately delete all imported contact data.
- Gmail connection. You can disconnect your Gmail integration at any time through the platform, which revokes our read-only access. Because we do not store your Gmail data, there is no imported mail to delete.
- Send-from Google account. You can disconnect a Google account you connected for sending introductions and invitations at any time through the platform, which deletes the stored send tokens.
- Revoking access with Google. You can also review and revoke our access to your Google account directly at myaccount.google.com/permissions.
To exercise any of these rights, contact us at the address below.
10. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following additional rights:
- Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete. You may request that we delete the personal information we have collected about you, subject to certain exceptions.
- Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined by the CCPA. To exercise your rights, contact us at support@lookingforward.cc.
11. International Users
The Service is hosted in the United States (AWS, US-East-1 region). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We process personal data on the basis of your consent (provided when you create an account), contractual necessity (to provide the Service), and our legitimate interests (to improve the Service and maintain security).
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may have additional rights under applicable data protection laws, including the right to access, correct, or delete your personal data, restrict or object to its processing, and data portability. To exercise these rights, contact us at support@lookingforward.cc.
12. Third-Party Links
The platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.
13. Children's Privacy
Looking Forward is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at support@lookingforward.cc.