Privacy Policy — Paciolus

1. Information We Collect

1.1 Information You Provide Directly

Category	Examples	Purpose
Account Registration	Name, email address, password	Account creation, authentication
Client Metadata	Client name, industry, fiscal year-end	Client management, benchmark selection
Support Requests	Issue description, contact info	Customer support, troubleshooting
Payment Information	Billing address (processed by Stripe)	Subscription management

1.2 Information We Collect Automatically

Category	Examples	Purpose
Usage Data	Feature usage counts, session duration	Analytics, product improvement
Device Information	Browser type, OS, screen resolution	Compatibility, performance optimization
Cookies	Session token, preferences	Authentication, user experience
Log Data	IP address, timestamps, error logs	Security, debugging, fraud prevention

1.3 Information We DO NOT Collect

Critical Distinction: We do NOT store financial data uploaded to our platform.

Category	Examples	Stored?
Trial Balance Data	Account names, balances, classifications
Account Balances	Dollar amounts, percentages, ratios
Transaction Details	Journal entries, invoices, payments
Uploaded Files	CSV/Excel files, bank statements
Anomaly Details	Specific flagged accounts, amounts

2. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Description
Provide Service	Process uploaded files, run analytics, generate reports
Account Management	Maintain user accounts, handle authentication
Security	Detect fraud, prevent abuse, enforce terms of service
Analytics	Improve product features, understand usage patterns
Support	Respond to inquiries, troubleshoot issues
Legal Compliance	Comply with laws, regulations, legal processes

Aggregate Statistics

We may store anonymized, aggregated statistics such as:

"12 users uploaded trial balances in January 2026"
"Average session duration: 18 minutes"
"Journal Entry Testing used 347 times this month"

These statistics cannot be used to identify you or reconstruct your financial data.

We Do NOT:

Sell your personal information to third parties
Use your financial data for advertising or marketing
Share your data with data brokers or affiliates
Train AI models on your uploaded financial data

3. Zero-Storage Architecture

Paciolus is built on a Zero-Storage architecture for financial data. This is our core privacy commitment.

How It Works

1.You upload a trial balance, journal entry file, or other financial document
2.Our server reads the file into ephemeral memory (RAM only)
3.We run analytics, detect anomalies, and generate reports
4.Results are streamed back to your browser in real-time
5.All data is immediately destroyed when the response completes (typically <5 seconds)

Security

No database to breach, no files to leak

Privacy

Zero financial data retention minimizes breach surface

Compliance

Simplifies GDPR/CCPA — no PI to delete

Technical Details: Uploaded files exist in server memory for the duration of the HTTP request only. We do not write to disk, cache layers, or persistent storage. PDF/Excel exports are generated on-the-fly and streamed directly to your browser.

4. Information We Share

We share limited personal information with the following third-party service providers:

Provider	Service	Data Shared
Vercel	Frontend hosting	IP address, browser info, access logs
Render	Backend hosting	API request logs, error traces
PostgreSQL (Render)	Metadata storage	User accounts, client metadata
Stripe	Payment processing	Email, billing address, payment method
Sentry	Error monitoring	Error logs, stack traces, user ID (anonymized)

Legal Requirements

We may disclose personal information if required to do so by law or in response to:

Valid court orders or subpoenas
Government investigations
Requests from law enforcement agencies

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email at least 30 days before any such transfer.

5. Your Rights and Choices

Access and Portability

Right: GDPR Article 15, CCPA § 1798.100

You can request a copy of all personal information we hold about you. We will provide it in a machine-readable format (JSON) within 30 days.

Correction

Right: GDPR Article 16

You can update your account information (name, email, practice settings) at any time via the Settings page. For corrections requiring verification, contact privacy@paciolus.com.

Deletion ("Right to be Forgotten")

Right: GDPR Article 17, CCPA § 1798.105

You can delete your account and all associated data at any time. Deletion is immediate and irreversible.

What gets deleted:

User account record (email, password hash, profile)
Client metadata (names, industries, fiscal year-ends)
Engagement records (diagnostic workspace data)
Follow-up items (issue narratives)

Note: Financial data uploaded during active sessions is already deleted per our Zero-Storage architecture.

Objection and Restriction

Right: GDPR Articles 18, 21

You can object to specific processing activities or request temporary restriction. Contact privacy@paciolus.com to exercise this right.

Do Not Sell My Personal Information

Right: CCPA § 1798.120

We do not sell personal information. We have never sold user data and never will. No opt-out mechanism is necessary because sale never occurs.

6. Data Security

We implement industry-standard security measures to protect your personal information:

TLS 1.3 Encryption

All data in transit is encrypted end-to-end

bcrypt Password Hashing

Passwords salted and hashed with 12 rounds

JWT Authentication

Stateless token-based session management

Multi-Tenant Isolation

User data segregated at database level

Zero-Storage for Financial Data

No persistent storage = no data breach risk

Rate Limiting

Protection against brute-force attacks

Breach Notification

In the unlikely event of a data breach affecting personal information, we will:

Notify affected users via email within 72 hours
Report to relevant supervisory authorities (EU DPA, California AG)
Provide details on the nature of the breach and mitigation steps

7. International Data Transfers

Paciolus operates globally. Your personal information may be transferred to and processed in the following jurisdictions:

Service	Data Location	Safeguards
Frontend (Vercel)	United States (Virginia)	Standard Contractual Clauses (SCCs)
Backend (Render)	United States (Oregon)	Standard Contractual Clauses (SCCs)
Database (PostgreSQL)	United States (Oregon)	Encryption at rest, TLS in transit

EEA Users

For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. These clauses ensure your data receives equivalent protection as required under GDPR.

8. Children's Privacy

Paciolus is a professional financial platform intended for use by licensed accountants, auditors, and financial professionals. Our services are not directed to individuals under the age of 16.

We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact privacy@paciolus.com immediately, and we will delete it within 48 hours.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

Material Changes

For material changes (e.g., new data sharing practices, changes to your rights), we will:

Email you at least 30 days in advance
Display a prominent notice on the platform
Update the "Effective Date" at the top of this document

Non-Material Changes: Minor updates (e.g., clarifications, typo fixes, contact email changes) will be posted immediately with an updated "Effective Date."

10. Contact Us

For privacy-related inquiries, data requests, or security concerns, contact us at:

Request Type	Contact
General Privacy Questions	privacy@paciolus.com
Data Access Requests	privacy@paciolus.com
Data Deletion Requests	privacy@paciolus.com
GDPR/CCPA Compliance	privacy@paciolus.com
Security Incidents / Breach Notifications	security@paciolus.com

Response Time

We aim to respond to all privacy inquiries within 5 business days. Data access requests will be fulfilled within 30 days as required by GDPR Article 15.

11. GDPR-Specific Information

For users in the European Economic Area (EEA), the following additional information applies:

Data Controller

Paciolus LLC is the data controller responsible for your personal information under GDPR.

Lawful Basis for Processing

Processing Activity	Lawful Basis (GDPR Article 6)
Account creation and authentication	Contract (Article 6(1)(b)) — necessary to provide service
Payment processing	Contract (Article 6(1)(b)) — necessary to fulfill subscription
Security monitoring and fraud prevention	Legitimate Interests (Article 6(1)(f)) — protect platform integrity
Product analytics and improvement	Legitimate Interests (Article 6(1)(f)) — improve user experience
Legal compliance and law enforcement	Legal Obligation (Article 6(1)(c))

Data Protection Officer (DPO)

You can contact our Data Protection Officer at privacy@paciolus.com for GDPR-related inquiries.

Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

12. CCPA-Specific Information

For California residents, the following additional information applies under the California Consumer Privacy Act (CCPA):

Categories of Personal Information Collected

Category	Examples	Collected?
Identifiers	Name, email, IP address, unique ID
Commercial Information	Subscription tier, payment history
Internet/Network Activity	Browser type, device info, usage data
Professional Information	Practice name, client metadata
Sensitive Personal Information	Account credentials (password hash)
Geolocation Data	Precise GPS coordinates
Biometric Information	Fingerprints, facial recognition

Business Purposes for Collection

Providing and maintaining the service
Processing transactions and payments
Detecting security incidents and fraud
Debugging and error resolution
Internal analytics and product improvement

Sale of Personal Information

We do NOT sell personal information.

Paciolus has not sold personal information in the past 12 months and does not share personal information with third parties for cross-context behavioral advertising.

Your California Privacy Rights

California residents have the following rights under CCPA:

Right to Know: Request disclosure of PI collected, sources, purposes, and third parties
Right to Delete: Request deletion of PI we hold about you
Right to Opt-Out: Opt out of sale of PI (not applicable — we don't sell)
Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

To exercise these rights, contact privacy@paciolus.com.

Summary: What We Collect vs. Store

Data Type	Collected?	Stored?	Retention
Account Information (name, email)			Until account deletion
Client Metadata (names, industries)			Until account deletion
Usage Statistics (aggregated)			Indefinitely (anonymized)
Trial Balance Data			<5 seconds (ephemeral)
Journal Entries / Invoices			<5 seconds (ephemeral)
Uploaded CSV/Excel Files			<5 seconds (ephemeral)
Anomaly Details (amounts, accounts)			<5 seconds (ephemeral)

Questions About This Policy?

We're committed to transparency and protecting your privacy. If you have questions or concerns about this Privacy Policy, contact us at privacy@paciolus.com.

Last updated: February 4, 2026