← Back to dashboard

Privacy Policy

Effective date: May 20, 2026  ·  Version: 2026-05-20

This Privacy Policy describes how ("we", "us", or "our") collects, uses, and shares information when you use the Financial Statement Reader application.

1. Who We Are



Contact:

2. What Data We Collect

We collect the following categories of data:

3. How We Use Your Data

4. AI Processing Disclosure

When AI narrative generation is enabled, we send a summary of the relevant financial data to an internal AI proxy (ClawRouter), which relays the request to a third-party AI provider (such as Google Gemini or Anthropic Claude, depending on system configuration). The data sent includes revenue and expense figures, expense breakdowns, general-ledger activity, period-over-period variances, the reporting basis and period, and the relevant cost-center or activity name.

If annotations exist for the period being analyzed, the request also includes a notes block containing each annotation's title and body (truncated to 240 characters), its flag status, and creation date. Annotation authors are identified only as "analyst" — usernames are not included in the data sent to the AI provider.

AI narrative generation is optional. You can disable it at any time under Settings → Privacy. When disabled, no data is sent to the AI proxy or any external AI provider. Disabling AI narrative generation does not affect any other features. Generated narratives may be cached on our server for up to two hours for draft statements and up to seventy-two hours for final statements.

This automated processing is disclosed in accordance with applicable California privacy law.

5. Third-Party Services

6. Your Rights (CCPA)

If you are a California resident, you have the right to:

7. Data Retention

We retain data for the following periods:

8. Security

We use industry-standard security measures including bcrypt password hashing, HttpOnly session cookies with SameSite protection, role-based access control, TLS encryption in transit, WebAuthn/FIDO2 passkey support for passwordless authentication, rate limiting on authentication and upload endpoints, and CSRF protection on all state-changing routes.

9. Changes to This Policy

We will notify users of material changes to this policy. Continued use of the application after changes take effect constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or requests, contact: