Privacy Policy

CashVault AI (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use our AI-powered cash flow management platform, including our website, web application, APIs, and all related services (collectively, the “Service”).

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, please discontinue use of the Service.

This policy applies to all users of the Service, including individuals who connect third-party accounts (such as QuickBooks Online) to CashVault AI.

1. Information We Collect

We collect information in the following ways:

1.1 Information You Provide Directly

• Account information: When you register, we collect your name, email address, and password (managed securely through Clerk, our authentication provider).
• Business profile: Business name, type, industry, time zone, and preferred currency.
• Project and client data: Information you enter about your clients, projects, contracts, payment terms, invoices, and cost of goods sold (COGS).
• Financial configuration: Bank balance inputs, overhead allocations, credit facility details, and cash flow targets you configure manually.
• Communications: Messages, feedback, and support inquiries you send to us.

1.2 Information Collected from Third-Party Integrations

• QuickBooks Online: When you connect your QuickBooks account, we retrieve financial data including invoices, bills, transactions, customer records, vendor records, chart of accounts, and profit and loss summaries. We access only the data necessary to provide the Service and as authorized by you through the QuickBooks OAuth flow.
• Authentication providers: Basic profile information (name, email, profile picture) returned by Clerk during sign-in, including data from social login providers (Google, Microsoft) if you choose to use them.

1.3 Information Collected Automatically

• Usage data: Pages viewed, features used, actions taken within the application, session duration, and navigation paths.
• Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Log data: Server logs including request timestamps, error logs, and API call records.
• Cookies and similar technologies: Session tokens, authentication cookies, and preference cookies. See Section 9 for details.

1.4 Information Processed by AI Services

When you use AI-powered features (cash flow analysis, forecasting, recommendations), relevant subsets of your financial data are transmitted to Anthropic (Claude) and/or OpenAI (GPT-4o) for processing. This may include project values, payment timelines, expense categories, and aggregated financial summaries. We do not transmit unnecessary personal identifying information to AI providers.

2. How We Use Your Information

We use the information we collect to:

• Provide and operate the Service: Process your data, display dashboards, generate cash flow forecasts, and enable all features of the platform.
• AI-powered analysis: Generate cash flow insights, runway estimates, project profitability analysis, and financial recommendations using AI models.
• Account management: Create and maintain your account, verify your identity, manage subscriptions, and process payments.
• Customer support: Respond to your inquiries, troubleshoot issues, and provide technical assistance.
• Product improvement: Analyze aggregate usage patterns (never individual financial details) to improve the Service, develop new features, and fix bugs.
• Security: Detect, prevent, and investigate fraud, abuse, security incidents, and other harmful or illegal activity.
• Communications: Send you service-related notifications, product updates, and (with your consent) marketing communications. You may opt out of marketing emails at any time.
• Legal compliance: Comply with applicable laws, regulations, legal processes, and lawful government requests.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

• Contractual necessity: Processing required to provide the Service pursuant to our agreement with you (EULA and subscription terms).
• Legitimate interests: Improving the Service, preventing fraud, ensuring security, and communicating about product updates, where our interests are not outweighed by your rights.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.
• Consent: Marketing communications and optional data processing activities, where you have provided explicit consent.

4. How We Share Your Information

We do not sell your personal information or your financial data. We share information only in the following circumstances:

4.1 Third-Party Service Providers

We share data with vendors and partners who help us operate the Service, under contracts that require them to protect your data and use it only for the purposes we specify:

4.2 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy. We will notify you via email or prominent notice on our website before any such transfer.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process (such as a subpoena, court order, or government demand), or when we believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of CashVault AI, our users, or the public; or (c) detect, prevent, or address fraud, security, or technical issues.

4.4 With Your Consent

We may share your information with third parties for other purposes with your explicit consent.

5. QuickBooks Data Use and Restrictions

CashVault AI’s use of data accessed through the QuickBooks Online API is subject to Intuit’s developer policies. Specifically:

• We access QuickBooks data only to provide the cash flow management features you have requested and for which you have granted authorization.
• We do not use your QuickBooks data to train AI models, profile you for advertising, or share it with third parties except as necessary to provide the Service.
• You can revoke CashVault AI’s access to your QuickBooks account at any time through your QuickBooks account settings or the CashVault AI application settings.
• When you disconnect QuickBooks, we will cease fetching new data. Existing data previously retrieved may be retained for the period described in Section 8.

6. Data Security

We implement industry-standard technical and organizational security measures to protect your information, including:

• Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher encryption.
• Encryption at rest: Database data is encrypted at rest using AES-256 encryption through Supabase and AWS infrastructure.
• Row-level security: Database access controls ensure that users can only access their own data.
• Access controls: Internal access to production data is restricted, logged, and audited.
• Authentication security: Managed through Clerk with support for multi-factor authentication (MFA).
• Security reviews: We review the security practices of our infrastructure and third-party service providers on an ongoing basis.

Despite our efforts, no security measures are perfect or impenetrable. In the event of a data breach that affects your personal information, we will notify you as required by applicable law and take prompt steps to mitigate the breach.

7. Data Retention

We retain your information for the following periods:

• Active account data: Retained for as long as your account is active and for up to 90 days following account deletion, to allow for account recovery and dispute resolution.
• Financial data: Retained for up to 7 years to comply with applicable accounting and tax record-keeping requirements, unless you request earlier deletion and applicable law permits it.
• Usage logs and analytics: Typically retained for 12 months, then aggregated or deleted.
• Support communications: Retained for up to 3 years following resolution of the support request.
• Legal hold: Data subject to a legal hold or government investigation may be retained beyond the standard periods until the hold is lifted.

When we no longer have a legal or business need to retain your information, we will either delete it securely or anonymize it.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Rights for All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information. You can update most account information directly within the Service.
• Deletion: Request deletion of your account and associated personal information, subject to our retention obligations.
• Data portability: Request an export of your data in a machine-readable format.
• Opt-out of marketing: Unsubscribe from marketing emails at any time using the link in any marketing email or by contacting us.

8.2 Additional Rights for EEA/UK Residents (GDPR)

• Restriction of processing: Request that we limit how we use your data in certain circumstances.
• Object to processing: Object to our processing of your data based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
• Lodge a complaint: File a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member state’s supervisory authority).

8.3 California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising. If this changes, we will update this policy and provide an opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, contact us at martin@cashvault.ai. We will respond to verifiable requests within 45 days (with a possible 45-day extension where reasonably necessary).

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service. The types of cookies we use include:

• Essential cookies: Required for the Service to function, including authentication session cookies managed by Clerk. These cannot be disabled without breaking the Service.
• Preference cookies: Remember your settings and preferences (such as theme selection and display options).
• Analytics cookies: Help us understand how users interact with the Service so we can improve it. We use anonymized analytics data and do not build individual user profiles for advertising purposes.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service. Disabling analytics cookies will not affect your ability to use the Service but may reduce our ability to improve it.

We do not use third-party advertising cookies or participate in cross-site tracking for advertising purposes.

10. Children’s Privacy

The Service is designed for business use and is not directed to individuals under the age of 13 (or 16 in certain jurisdictions under GDPR). We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete it promptly.

If you believe we may have information about a child under 13, please contact us at martin@cashvault.ai.

11. International Data Transfers

CashVault AI is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant data protection authorities, we aim to rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other mechanisms recognized under applicable data protection laws.

By using the Service, you acknowledge that your information may be transferred to and processed in countries with different data protection laws than your country of residence.

12. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services (such as QuickBooks). This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you connect to or interact with.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy on this page with a new effective date.
• Send an email notification to the address associated with your account, where required by applicable law or where the changes are material.
• Display a prominent notice within the Service for a period following the update.

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EEA/UK users, if you are unsatisfied with our response to your privacy request, you have the right to lodge a complaint with your local data protection supervisory authority.