Legal
Privacy Policy
Last updated: March 23, 2026
TreasuryFlow ("we", "our", "us") is operated by Pantoll Ventures LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
Account Information: When you sign up, we collect your email address and optional full name. We generate a hashed API key for authentication — we never store the raw key.
Financial Data (via Plaid): When you connect a bank account, Plaid transmits transaction data to our servers. We process this data using our privacy-first architecture:
- Exact transaction amounts are securely stored and delivered to your authenticated Excel ledger for precise cross-bank reconciliation
- For internal categorization and ML, amounts are converted into privacy-preserving magnitude buckets (Micro, Small, Medium, Large, XLarge)
- We store merchant names, transaction dates, direction (inflow/outflow), amounts, and magnitude categories
- We never store bank account numbers or routing numbers
- Exact amounts never appear in application logs, error reports, or ML training data
Billing Information: Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status. We never see or store your credit card details.
2. How We Use Your Information
- To provide the TreasuryFlow service: transaction categorization, cash flow forecasting, variance analysis, bank fee analysis, working capital metrics, runway projections, and vendor intelligence
- To generate AI-powered insights — forecasts, scenario analysis, the treasury assistant, and AR narratives — using Google Gemini. The assistant and these narratives are sent your actual figures (amounts, balances, and merchant or customer names) so they can answer questions about specific transactions. We do not train any TreasuryFlow models on your data. The categorization engine, by contrast, only ever sees magnitude ranges, never exact amounts.
- To authenticate your API requests via hashed API key lookup
- To manage your subscription and billing through Stripe
- To send transactional communications (account creation, billing events)
3. Privacy-First Architecture
TreasuryFlow is built on a privacy-first principle. Your exact transaction amounts are securely stored and delivered only through authenticated API endpoints to your Excel ledger. Our internal systems are designed to minimize exposure:
- Exact amounts are accessible only via your authenticated API key — never through logs, analytics, or internal tools
- Internal categorization and ML pipelines operate exclusively on magnitude buckets, not raw amounts
- Logs contain only request IDs and metadata — never financial data
4. Third-Party Services
- Plaid: Bank account linking and transaction data. See Plaid's Privacy Policy.
- Stripe: Payment processing. See Stripe's Privacy Policy.
- Google Gemini: AI-powered forecasting and recommendations. Transaction data sent to Google's API is anonymized (no account numbers, no PII). See Google AI Terms.
- Google Ads: We use Google Ads conversion tracking and Enhanced Conversions to measure the performance of our advertising. If you sign up or book a demo after clicking one of our ads, we send Google a one-way hashed (SHA-256, irreversible) version of your email address so the conversion can be attributed. We never send Google your financial data, transaction amounts, or bank information. See Google's Privacy Policy; you can opt out of personalized advertising at adssettings.google.com.
5. Data Retention & Deletion
Your data is retained for as long as your account is active. Upon account cancellation, we delete all associated transaction data, Plaid tokens, and profile information within 30 days. You may request immediate deletion by contacting us.
6. Security
We implement industry-standard security measures including:
- API key authentication with one-way hashing of stored tokens
- Rate limiting on public endpoints
- CORS origin restrictions
- HTTPS-only communication
- No sensitive data in application logs
7. Your Rights
You have the right to:
- Access your stored data through your TreasuryFlow account dashboard
- Request deletion of your account and all associated data
- Disconnect your bank account at any time
8. Contact
For privacy-related inquiries, contact us at privacy@treasuryflow.ai.