Privacy Policy

1. DEFINITIONS

1.1. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes, but is not limited to, name, email address, postal address, telephone number, company name, job title, IP address, device identifiers, and financial account information.

1.2. “Client Data” means any and all data, files, or information uploaded, submitted, or otherwise provided by you to the Services, including but not limited to bank statements, CSV files, Excel files, transaction records, receipts, invoices, payroll data, and any other financial or business data.

1.3. “Usage Data” means information collected automatically when you access or use the Services, including but not limited to IP address, browser type, browser version, operating system, referring URLs, pages visited, time and date of visits, time spent on pages, click patterns, upload history, row counts, feature usage, and other diagnostic data.

1.4. “Cookies” means small data files placed on your device when you visit a website, which may include anonymous unique identifiers. Cookies may be “session” cookies (which expire when you close your browser) or “persistent” cookies (which remain on your device until deleted or until they expire).

1.5. “Service Providers” means third-party companies or individuals employed by us to facilitate the Services, provide the Services on our behalf, perform Services-related functions, or assist us in analyzing how the Services are used.

1.6. “Processing” means any operation or set of operations performed on Personal Information or Client Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

2. INFORMATION WE COLLECT

2.1. Information You Provide Directly

We collect information that you voluntarily provide to us when you:

• Create an account (name, email address, password, company name)
• Complete the onboarding questionnaire (industry, business type, revenue range, employee count, number of financial accounts, special needs, and additional notes)
• Upload files for processing (bank statements, CSV files, Excel files, and other financial data)
• Respond to review questions about your transactions
• Contact us for support or with inquiries
• Subscribe to a plan or make a payment
• Provide feedback or participate in surveys

2.2. Financial Data

The core function of our Services requires you to upload financial data, which may include:

• Bank account transaction records (dates, amounts, descriptions, merchant names, account numbers)
• Credit card transaction records
• PayPal, Stripe, and other payment processor records
• Payroll transaction data
• Invoice and receipt data
• Account balances and statements
• Any other financial records you choose to upload

We recognize that financial data is highly sensitive. We treat all Client Data as confidential and subject to the protections described in this Policy and our Terms of Service.

2.3. Payment Information

When you subscribe to a plan or pay overage charges, your payment is processed by our third-party payment processor, Stripe, Inc. We do NOT directly collect, store, or process your credit card numbers, debit card numbers, bank account numbers for payment purposes, or other sensitive payment instrument data. Stripe collects and processes this information in accordance with its own privacy policy and PCI-DSS compliance standards. We receive only limited payment information from Stripe, including: the last four digits of your card, card brand, expiration date, billing address, and transaction confirmation details.

2.4. Information Collected Automatically

When you access or use the Services, we automatically collect certain information, including:

• Device Information: Device type, operating system, browser type and version, screen resolution, device identifiers, and language preferences
• Log Data: IP address, access times, pages viewed, referring and exit pages, and the actions you take within the Services
• Usage Information: Features used, files uploaded, row counts processed, frequency and duration of activities, and interaction patterns
• Location Information: Approximate geographic location inferred from your IP address (we do not collect precise GPS location)

2.5. Cookies and Similar Technologies

We use cookies and similar tracking technologies to track activity on the Services and to hold certain information. The types of cookies we use include:

• Essential Cookies: Required for the operation of the Services, including authentication, session management, and security. These cannot be disabled.
• Functional Cookies: Used to remember your preferences and settings, such as language, display preferences, and login status.
• Analytics Cookies: Used to understand how you interact with the Services, which pages are most popular, and how users navigate the platform. This helps us improve the Services.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of the Services, including authentication and session management.

2.6. Information from Third Parties

We may receive information about you from third-party services that you integrate with the Services, including payment processors (Stripe) and authentication providers. We use this information only as necessary to provide the Services.

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

3.1. To Provide and Maintain the Services

• Process your uploaded financial data (categorization, reconciliation, and report generation)
• Generate and deliver Deliverables, including financial reports, categorized transaction data, and summaries
• Manage your account, subscription, and billing
• Process payments and overage charges
• Provide customer support and respond to inquiries
• Track your monthly row usage and enforce plan limits

3.2. To Improve the Services

• Analyze usage patterns and trends to improve functionality and user experience
• Develop new features and services
• Improve the accuracy of our automated categorization and processing systems
• Conduct internal research and analytics
• Test and debug the Services

3.3. To Communicate with You

• Send you account-related notifications (registration confirmation, subscription changes, payment receipts)
• Notify you about updates to the Services, including new features and changes to these policies
• Send you review questions about your uploaded transactions
• Respond to your comments, questions, and support requests
• Send you technical notices, security alerts, and administrative messages

3.4. To Ensure Security and Prevent Fraud

• Monitor and analyze the Services for security threats and vulnerabilities
• Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity
• Verify your identity and protect against unauthorized access to your account
• Enforce our Terms of Service

3.5. To Comply with Legal Obligations

• Comply with applicable federal, state, and local laws and regulations
• Respond to lawful requests from government authorities, including law enforcement and regulatory agencies
• Comply with legal process (subpoenas, court orders, or similar legal process)
• Protect our rights, property, and safety, and the rights, property, and safety of our users and the public

4. HOW WE SHARE YOUR INFORMATION

We do NOT sell, rent, lease, or trade your Personal Information or Client Data to third parties for their marketing or advertising purposes. We may share your information only in the following limited circumstances:

4.1. Service Providers

We share information with third-party Service Providers who perform services on our behalf, including:

• Supabase, Inc.: Database hosting, file storage, and authentication services. Your Client Data and account information are stored on Supabase infrastructure.
• Stripe, Inc.: Payment processing. Stripe receives your payment information and limited account details necessary to process transactions.
• Anthropic, PBC: Artificial intelligence processing. Portions of your Client Data (transaction descriptions, amounts, and categories) may be processed by AI models to assist in automated categorization. This processing is subject to Anthropic’s data usage policies.

Each Service Provider is contractually obligated to use your information only for the purposes of providing services to us and is prohibited from using your information for their own purposes.

4.2. Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

• To comply with a subpoena, court order, or other legal process
• To respond to requests from federal, state, or local government agencies, including law enforcement and tax authorities
• To comply with applicable laws and regulations
• To protect and defend our rights or property
• To prevent or investigate possible wrongdoing in connection with the Services
• To protect the personal safety of users of the Services or the public

4.3. Business Transfers

In the event that Cannon & Co. Books is involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of its assets, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your Personal Information is transferred and becomes subject to a different privacy policy. In such event, we will use reasonable efforts to ensure that the acquiring entity honors the commitments made in this Policy.

4.4. With Your Consent

We may share your information for any other purpose with your explicit, informed consent.

4.5. Aggregated and De-Identified Data

We may share aggregated, anonymized, and de-identified data that cannot reasonably be used to identify you or your business. This data may be used for industry benchmarking, research, analytics, and improving our Services. Aggregated data is not subject to the restrictions of this Policy because it does not constitute Personal Information.

5. DATA SECURITY

5.1. We implement commercially reasonable administrative, technical, and physical security measures designed to protect your Personal Information and Client Data from unauthorized access, use, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS/SSL) protocols.
• Encryption at Rest: Client Data stored on our servers and in our database is encrypted at rest using industry-standard AES-256 encryption.
• Access Controls: Access to your data is restricted to authorized personnel who need access to provide the Services. All personnel with access to Client Data are bound by confidentiality obligations.
• Authentication: We use secure authentication mechanisms, including hashed and salted passwords, to protect your account.
• Infrastructure Security: Our infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 compliance certifications, physical security controls, and redundant systems.
• Regular Monitoring: We monitor our systems for unauthorized access, security vulnerabilities, and suspicious activity.

5.2. DESPITE OUR EFFORTS, NO METHOD OF TRANSMISSION OVER THE INTERNET AND NO METHOD OF ELECTRONIC STORAGE IS 100% SECURE. WE CANNOT AND DO NOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR INFORMATION. ANY TRANSMISSION OF PERSONAL INFORMATION OR CLIENT DATA IS AT YOUR OWN RISK. WE ARE NOT RESPONSIBLE FOR THE CIRCUMVENTION OF ANY PRIVACY SETTINGS OR SECURITY MEASURES CONTAINED ON THE PLATFORM.

5.3. In the event of a security breach that affects your Personal Information or Client Data, we will notify you in accordance with applicable law. Such notification may be provided by email, through the Platform, or by other reasonable means. We will also take commercially reasonable steps to investigate the breach, mitigate any harm, and prevent future occurrences.

5.4. You are responsible for maintaining the confidentiality of your account credentials, including your password. You agree to notify us immediately of any unauthorized use of your account or any other breach of security. We shall not be liable for any loss or damage arising from your failure to protect your account credentials.

6. DATA RETENTION

6.1. Active Accounts. We retain your Personal Information and Client Data for as long as your account is active and as necessary to provide the Services to you. This includes all uploaded files, generated reports, transaction data, categorizations, and account information.

6.2. Post-Termination Retention. Upon cancellation or termination of your account, we will retain your data for a period of ninety (90) calendar days to allow you to export your data and to resolve any pending matters. After the ninety (90) day retention period, your Client Data and Personal Information will be permanently deleted from our active systems.

6.3. Backup Retention. Copies of your data may persist in our backup systems for an additional period of up to thirty (30) days following deletion from active systems, after which they will be permanently destroyed in the ordinary course of backup rotation.

6.4. Legal Retention. Notwithstanding the foregoing, we may retain certain information for longer periods as required by applicable law, regulation, or legal process, including but not limited to tax laws, financial record-keeping requirements, and litigation holds. We may also retain de-identified or aggregated data indefinitely.

6.5. Billing Records. We retain billing and payment records (including subscription history, payment amounts, dates, and invoice details) for a minimum of seven (7) years following the date of the transaction, as required by applicable tax and financial record-keeping laws.

6.6. Communication Records. We may retain records of communications between you and our support team for a period of three (3) years following the date of the communication for quality assurance, dispute resolution, and legal compliance purposes.

7. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction, you may have certain rights regarding your Personal Information. We honor the following rights for all users, regardless of jurisdiction:

7.1. Right to Access

You have the right to request a copy of the Personal Information we hold about you. You may access most of your information directly through your account dashboard. For additional requests, please contact us at [email protected].

7.2. Right to Correction

You have the right to request that we correct any inaccurate or incomplete Personal Information we hold about you. You may update most account information directly through your dashboard.

7.3. Right to Deletion

You have the right to request the deletion of your Personal Information and Client Data. Upon receiving a verified deletion request, we will delete your information within thirty (30) days, subject to the exceptions described in Section 6 (Data Retention). Please note that deletion of your data may result in the termination of your account and loss of access to the Services.

7.4. Right to Data Portability

You have the right to receive your Client Data in a structured, commonly used, and machine-readable format. You may download your uploaded files and generated reports through your account dashboard at any time while your account is active.

7.5. Right to Restrict Processing

You have the right to request that we restrict the processing of your Personal Information under certain circumstances, including when you contest the accuracy of your data or when you believe processing is unlawful.

7.6. Right to Object

You have the right to object to the processing of your Personal Information for certain purposes, including direct marketing and profiling. We do not engage in direct marketing based on your financial data or profiling for automated decision-making that produces legal effects.

7.7. Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing your information, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7.8. Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you Services, charge you different prices, provide a different level of service, or suggest that you will receive a different price or level of service for exercising your rights.

7.9. Exercising Your Rights

To exercise any of the rights described above, please contact us at [email protected] or through your account dashboard if you have an account. We may need to verify your identity before processing your request. We will respond to verified requests within thirty (30) days. If we need additional time, we will inform you of the reason and extension period (not to exceed an additional sixty (60) days).

8. STATE-SPECIFIC PRIVACY RIGHTS

8.1. California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

• The right to know what Personal Information we collect, use, disclose, and sell
• The right to delete your Personal Information
• The right to opt out of the sale or sharing of your Personal Information (we do NOT sell or share your Personal Information as defined by the CCPA/CPRA)
• The right to correct inaccurate Personal Information
• The right to limit the use and disclosure of sensitive Personal Information
• The right to non-discrimination for exercising your CCPA/CPRA rights

In the preceding twelve (12) months, we have collected the categories of Personal Information described in Section 2 of this Policy. We do not sell Personal Information as defined by the CCPA/CPRA. We do not use or disclose sensitive Personal Information for purposes other than those permitted by the CCPA/CPRA.

8.2. Virginia Residents (VCDPA)

If you are a Virginia resident, you may have additional rights under the Virginia Consumer Data Protection Act (VCDPA), including the right to access, correct, delete, and obtain a portable copy of your Personal Information, and the right to opt out of targeted advertising, sale of personal data, and profiling.

8.3. Colorado Residents (CPA)

If you are a Colorado resident, you may have additional rights under the Colorado Privacy Act (CPA), similar to those described for Virginia residents above.

8.4. Connecticut Residents (CTDPA)

If you are a Connecticut resident, you may have additional rights under the Connecticut Data Privacy Act (CTDPA), similar to those described for Virginia residents above.

8.5. Other State Laws

Privacy laws are evolving rapidly across the United States. If you are a resident of any state with applicable consumer privacy legislation, we will honor your rights as required by applicable law. Please contact us at [email protected] to exercise any privacy rights available to you under your state’s law.

9. INTERNATIONAL DATA TRANSFERS

9.1. The Services are operated from the United States. If you are accessing the Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.

9.2. The data protection and privacy laws of the United States may differ from the laws of your country of residence. By using the Services, you consent to the transfer of your information to the United States and the processing of your information in the United States in accordance with this Policy.

9.3. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we will ensure that any transfer of your Personal Information to the United States is conducted in compliance with applicable data protection laws, including through the use of appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

10. CHILDREN’S PRIVACY

10.1. The Services are not intended for use by individuals under the age of eighteen (18). We do not knowingly collect Personal Information from children under the age of eighteen (18). If you are under eighteen (18), do not use the Services and do not provide any information to us.

10.2. If we become aware that we have collected Personal Information from a child under the age of eighteen (18) without verification of parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under eighteen (18), please contact us immediately through your account dashboard.

11. THIRD-PARTY SERVICES AND LINKS

11.1. The Services may contain links to third-party websites, services, or applications that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services.

11.2. We strongly advise you to review the privacy policy of every third-party website or service that you visit or interact with. We are not responsible for the privacy practices of third parties, and this Policy does not apply to information collected by third parties.

11.3. The inclusion of a link to a third-party website or service does not imply our endorsement of that website or service or any association with its operators.

12. DO NOT TRACK SIGNALS

12.1. Some web browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no uniform standard for interpreting DNT signals, the Services do not currently respond to DNT signals. We will continue to monitor developments in DNT technology and may update this Policy if a uniform standard is established.

13. AUTOMATED DECISION-MAKING AND AI PROCESSING

13.1. The Services utilize artificial intelligence (AI) and machine learning technologies to assist in the automated categorization and processing of your financial data. This processing is used to suggest transaction categories, identify potential anomalies, generate preliminary reports, and assist human reviewers.

13.2. Automated processing may involve transmitting portions of your Client Data (including transaction descriptions, amounts, dates, and merchant names) to AI model providers for processing. This data is transmitted securely and is subject to the data processing agreements we maintain with our AI Service Providers.

13.3. No automated decision made by the Services produces legal effects concerning you or similarly significantly affects you without human review. All automated categorizations are subject to human review as part of our workflow.

13.4. You have the right to request information about the logic involved in automated processing of your data. Please contact us at [email protected] for such requests.

14. DATA PROCESSING AGREEMENTS

14.1. We maintain data processing agreements (DPAs) with all third-party Service Providers who process Personal Information or Client Data on our behalf. These agreements require Service Providers to:

• Process data only in accordance with our instructions
• Implement appropriate technical and organizational security measures
• Assist us in responding to data subject requests
• Notify us promptly of any data breach
• Delete or return data upon termination of the service relationship
• Not use the data for their own purposes beyond providing the contracted services

15. CHANGES TO THIS PRIVACY POLICY

15.1. We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, applicable law, or for other operational, legal, or regulatory reasons.

15.2. For material changes, we will provide you with prominent notice prior to the change becoming effective. Notice may be provided by: (a) sending an email to the address associated with your account; (b) posting a notice on the Platform; or (c) other means we deem appropriate under the circumstances. Material changes will be communicated at least thirty (30) days before taking effect.

15.3. For non-material changes, the updated Policy will be posted on this page with an updated “Last updated” date. Your continued use of the Services after any changes constitutes your acceptance of the revised Policy.

15.4. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

15.5. Previous versions of this Privacy Policy are available upon request.

16. CONTACT INFORMATION

16.1. If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

You do not need to have an account with Cannon & Co. Books to submit a privacy inquiry or exercise your privacy rights. All privacy requests will be acknowledged within five (5) business days and substantively responded to within thirty (30) days.

16.2. If you are not satisfied with our response to your privacy concern, you may have the right to file a complaint with your applicable data protection authority or state attorney general.

Cannon & Co. Books is a service operated in Helen, Georgia, United States.