← Back to dashboard
Privacy Policy
Effective date: May 20, 2026 ·
Version: 2026-05-20
This Privacy Policy describes how ("we", "us", or "our") collects, uses, and shares information when you use the Financial Statement Reader application.
1. Who We Are
Contact:
2. What Data We Collect
We collect the following categories of data:
-
Account and authentication data: username, email address (optional),
role assignment (viewer / supervisor / manager / controller / admin), password stored
only as a bcrypt hash (never in plaintext), login timestamps, and account status flags
(active, approved, password-change-required).
-
Passkey (WebAuthn) credentials. If you register a passkey, we store
a credential identifier, a public key (the corresponding private key never leaves your
device), an anti-clone signature counter, supported transport methods (for example
"internal" or "hybrid"), an authenticator identifier (AAGUID, used for diagnostics only),
an optional device label you provide (for example "MacBook Touch ID"), creation and
last-used timestamps, and flags indicating whether the credential is eligible for and
currently backed up by a device-sync service such as iCloud Keychain or Google Password
Manager. We do not receive or store your device biometrics; biometric verification
happens entirely on your device.
-
Financial statement data. Imported financial entries, account catalog
data, budget entries, and budget sessions. This is the organization's financial
information, not personal information about individual users.
-
Annotations and feedback: annotation title and body, the annotation
author's username, flag status, and timestamps; feedback content and the submitting
user's username.
-
Operational and security data:
- Session cookie token (opaque, HttpOnly, Secure, SameSite=Strict) — used to
maintain your authenticated session.
- Rate-limit records: IP address, username, and event timestamps, retained only
for the duration of the relevant rate-limit window (typically one hour or less)
and then purged automatically.
- Audit log lines recording significant actions (logins, role changes, data uploads,
permission decisions) — written to the server's application log file, not stored
in the database.
- IP address and browser user-agent, recorded at login for security monitoring.
3. How We Use Your Data
- Displaying KPI dashboards, financial drill-downs, and executive summaries
- Generating AI-assisted variance narratives (see Section 4)
- Access control and audit logging
- Sending report notifications via email (if configured)
- Authenticating your identity via password or registered passkey
- Detecting and preventing abuse through rate limiting and security monitoring
4. AI Processing Disclosure
When AI narrative generation is enabled, we send a summary of the relevant financial
data to an internal AI proxy (ClawRouter), which relays the request to a third-party
AI provider (such as Google Gemini or Anthropic Claude, depending on system
configuration). The data sent includes revenue and expense figures, expense breakdowns,
general-ledger activity, period-over-period variances, the reporting basis and period,
and the relevant cost-center or activity name.
If annotations exist for the period being analyzed, the request also includes a notes
block containing each annotation's title and body (truncated to 240 characters), its flag
status, and creation date. Annotation authors are identified only as "analyst" — usernames
are not included in the data sent to the AI provider.
AI narrative generation is optional. You can disable it at any time under
Settings → Privacy. When disabled, no data is sent to the AI proxy
or any external AI provider. Disabling AI narrative generation does not affect any other
features. Generated narratives may be cached on our server for up to two hours for draft
statements and up to seventy-two hours for final statements.
This automated processing is disclosed in accordance with applicable California privacy law.
5. Third-Party Services
-
AI narrative provider (Google Gemini, Anthropic Claude, or similar,
via the ClawRouter internal proxy) — financial summary data and, when annotations are
present, anonymized annotation content (author usernames are replaced with the label
"analyst" before transmission), as described in Section 4.
-
Email delivery (SMTP). When email delivery is configured, we use an
outbound SMTP relay to send transactional messages. These include password-reset links
sent to your registered email address and report-delivery messages (containing financial
summaries, not raw statements) sent to a configured recipient list. Email delivery is not
currently active in production. When it is enabled, the SMTP provider processes the
message contents and recipient addresses needed to deliver the message.
-
Hosting. The application and all data at rest are hosted on a virtual
private server provided by Hetzner Online GmbH (Germany).
6. Your Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information is collected and how it is used
- Delete your personal information (contact your administrator)
- Opt out of the sharing of personal information with AI services (use Settings → Privacy)
- Non-discrimination — exercising these rights will not affect your access to the application
7. Data Retention
We retain data for the following periods:
- Financial statement data — retained for 7 years from the date of upload, consistent with standard accounting record-keeping requirements.
- Account data — retained for the duration of your active account, plus 90 days after account deactivation to allow for reactivation or audit. Permanently deleted upon written request to your administrator.
- Passkey credentials — retained until you remove them from your account settings or your account is deleted.
- Audit logs — retained for 2 years to support operational accountability and security review.
- Annotations and notes — retained for the life of the associated financial period's data unless deleted by an authorized user.
- Session tokens — expire after inactivity (role-dependent: 15–60 minutes) and are invalidated on logout or password change.
- Rate-limit records — purged automatically after the rate-limit window expires (typically one hour or less).
8. Security
We use industry-standard security measures including bcrypt password hashing,
HttpOnly session cookies with SameSite protection, role-based access control,
TLS encryption in transit, WebAuthn/FIDO2 passkey support for passwordless
authentication, rate limiting on authentication and upload endpoints, and CSRF
protection on all state-changing routes.
9. Changes to This Policy
We will notify users of material changes to this policy. Continued use of the application after changes take effect constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions or requests, contact: