Privacy Policy

Effective Date: February 4, 2026

We never store your financial data

We collect only what's necessary

We never sell your personal information

You control your data and can delete it anytime

1. Information We Collect

1.1 Information You Provide Directly

Category | Examples | Purpose
Account Registration | Name, email address, password | Account creation, authentication
Client Metadata | Client name, industry, fiscal year-end | Client management, benchmark selection
Support Requests | Issue description, contact info | Customer support, troubleshooting
Payment Information | Billing address (processed by Stripe) | Subscription management

1.2 Information We Collect Automatically

Category | Examples | Purpose
Usage Data | Feature usage counts, session duration | Analytics, product improvement
Device Information | Browser type, OS, screen resolution | Compatibility, performance optimization
Cookies | Session token, preferences | Authentication, user experience
Log Data | IP address, timestamps, error logs | Security, debugging, fraud prevention

1.3 Information We DO NOT Collect

Critical Distinction: We do NOT store financial data uploaded to our platform.

Category | Examples | Stored?
Trial Balance Data | Account names, balances, classifications |
Account Balances | Dollar amounts, percentages, ratios |
Transaction Details | Journal entries, invoices, payments |
Uploaded Files | CSV/Excel files, bank statements |
Anomaly Details | Specific flagged accounts, amounts |

2. How We Use Your Information

We use the information we collect for the following purposes:

Purpose | Description
Provide Service | Process uploaded files, run analytics, generate reports
Account Management | Maintain user accounts, handle authentication
Security | Detect fraud, prevent abuse, enforce terms of service
Analytics | Improve product features, understand usage patterns
Support | Respond to inquiries, troubleshoot issues
Legal Compliance | Comply with laws, regulations, legal processes

Aggregate Statistics

We may store anonymized, aggregated statistics such as:

  • "12 users uploaded trial balances in January 2026"
  • "Average session duration: 18 minutes"
  • "Journal Entry Testing used 347 times this month"

These statistics cannot be used to identify you or reconstruct your financial data.

We Do NOT:

  • Sell your personal information to third parties
  • Use your financial data for advertising or marketing
  • Share your data with data brokers or affiliates
  • Train AI models on your uploaded financial data

3. Zero-Storage Architecture

Paciolus is built on a Zero-Storage architecture for financial data. This is our core privacy commitment.

How It Works

  1. You upload a trial balance, journal entry file, or other financial document
  2. Our server reads the file into ephemeral memory (RAM only)
  3. We run analytics, detect anomalies, and generate reports
  4. Results are streamed back to your browser in real-time
  5. All data is immediately destroyed when the response completes (typically <5 seconds)

Security

No database to breach, no files to leak

Privacy

Zero retention = zero risk of unauthorized access

Compliance

Simplifies GDPR/CCPA — no PI to delete

Technical Details: Uploaded files exist in server memory for the duration of the HTTP request only. We do not write to disk, cache layers, or persistent storage. PDF/Excel exports are generated on-the-fly and streamed directly to your browser.

4. Information We Share

We share limited personal information with the following third-party service providers:

Provider | Service | Data Shared
Vercel | Frontend hosting | IP address, browser info, access logs
Render | Backend hosting | API request logs, error traces
PostgreSQL (Render) | Metadata storage | User accounts, client metadata
Stripe | Payment processing | Email, billing address, payment method
Sentry | Error monitoring | Error logs, stack traces, user ID (anonymized)

Legal Requirements

We may disclose personal information if required to do so by law or in response to:

  • Valid court orders or subpoenas
  • Government investigations
  • Requests from law enforcement agencies

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email at least 30 days before any such transfer.

5. Your Rights and Choices

Access and Portability

Right: GDPR Article 15, CCPA § 1798.100

You can request a copy of all personal information we hold about you. We will provide it in a machine-readable format (JSON) within 30 days.

Correction

Right: GDPR Article 16

You can update your account information (name, email, practice settings) at any time via the Settings page. For corrections requiring verification, contact privacy@paciolus.com.

Deletion ("Right to be Forgotten")

Right: GDPR Article 17, CCPA § 1798.105

You can delete your account and all associated data at any time. Deletion is immediate and irreversible.

What gets deleted:

  • User account record (email, password hash, profile)
  • Client metadata (names, industries, fiscal year-ends)
  • Engagement records (diagnostic workspace data)
  • Follow-up items (issue narratives)

Note: Financial data uploaded during active sessions is already deleted per our Zero-Storage architecture.

Objection and Restriction

Right: GDPR Articles 18, 21

You can object to specific processing activities or request temporary restriction. Contact privacy@paciolus.com to exercise this right.

Do Not Sell My Personal Information

Right: CCPA § 1798.120

We do not sell personal information. We have never sold user data and never will. No opt-out mechanism is necessary because sale never occurs.

6. Data Security

We implement industry-standard security measures to protect your personal information:

TLS 1.3 Encryption

All data in transit is encrypted end-to-end

bcrypt Password Hashing

Passwords salted and hashed with 12 rounds

JWT Authentication

Stateless token-based session management

Multi-Tenant Isolation

User data segregated at database level

Zero-Storage for Financial Data

No persistent storage = no data breach risk

Rate Limiting

Protection against brute-force attacks

Breach Notification

In the unlikely event of a data breach affecting personal information, we will:

  • Notify affected users via email within 72 hours
  • Report to relevant supervisory authorities (EU DPA, California AG)
  • Provide details on the nature of the breach and mitigation steps

7. International Data Transfers

Paciolus operates globally. Your personal information may be transferred to and processed in the following jurisdictions:

Service | Data Location | Safeguards
Frontend (Vercel) | United States (Virginia) | Standard Contractual Clauses (SCCs)
Backend (Render) | United States (Oregon) | Standard Contractual Clauses (SCCs)
Database (PostgreSQL) | United States (Oregon) | Encryption at rest, TLS in transit

EEA Users

For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. These clauses ensure your data receives equivalent protection as required under GDPR.

8. Children's Privacy

Paciolus is a professional financial platform intended for use by licensed accountants, auditors, and financial professionals. Our services are not directed to individuals under the age of 16.

We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact privacy@paciolus.com immediately, and we will delete it within 48 hours.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

Material Changes

For material changes (e.g., new data sharing practices, changes to your rights), we will:

  • Email you at least 30 days in advance
  • Display a prominent notice on the platform
  • Update the "Effective Date" at the top of this document

Non-Material Changes: Minor updates (e.g., clarifications, typo fixes, contact email changes) will be posted immediately with an updated "Effective Date."

10. Contact Us

For privacy-related inquiries, data requests, or security concerns, contact us at:

Request Type | Contact
General Privacy Questions | privacy@paciolus.com
Data Access Requests | privacy@paciolus.com
Data Deletion Requests | privacy@paciolus.com
GDPR/CCPA Compliance | privacy@paciolus.com
Security Incidents / Breach Notifications | security@paciolus.com

Response Time

We aim to respond to all privacy inquiries within 5 business days. Data access requests will be fulfilled within 30 days as required by GDPR Article 15.

11. GDPR-Specific Information

For users in the European Economic Area (EEA), the following additional information applies:

Data Controller

Paciolus LLC is the data controller responsible for your personal information under GDPR.

Lawful Basis for Processing

Processing Activity | Lawful Basis (GDPR Article 6)
Account creation and authentication | Contract (Article 6(1)(b)) — necessary to provide service
Payment processing | Contract (Article 6(1)(b)) — necessary to fulfill subscription
Security monitoring and fraud prevention | Legitimate Interests (Article 6(1)(f)) — protect platform integrity
Product analytics and improvement | Legitimate Interests (Article 6(1)(f)) — improve user experience
Legal compliance and law enforcement | Legal Obligation (Article 6(1)(c))

Data Protection Officer (DPO)

You can contact our Data Protection Officer at privacy@paciolus.com for GDPR-related inquiries.

Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

12. CCPA-Specific Information

For California residents, the following additional information applies under the California Consumer Privacy Act (CCPA):

Categories of Personal Information Collected

Category | Examples | Collected?
Identifiers | Name, email, IP address, unique ID |
Commercial Information | Subscription tier, payment history |
Internet/Network Activity | Browser type, device info, usage data |
Professional Information | Practice name, client metadata |
Sensitive Personal Information | Account credentials (password hash) |
Geolocation Data | Precise GPS coordinates |
Biometric Information | Fingerprints, facial recognition |

Business Purposes for Collection

  • Providing and maintaining the service
  • Processing transactions and payments
  • Detecting security incidents and fraud
  • Debugging and error resolution
  • Internal analytics and product improvement

Sale of Personal Information

We do NOT sell personal information.

Paciolus has not sold personal information in the past 12 months and does not share personal information with third parties for cross-context behavioral advertising.

Your California Privacy Rights

California residents have the following rights under CCPA:

  • Right to Know: Request disclosure of PI collected, sources, purposes, and third parties
  • Right to Delete: Request deletion of PI we hold about you
  • Right to Opt-Out: Opt out of sale of PI (not applicable — we don't sell)
  • Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

To exercise these rights, contact privacy@paciolus.com.

Summary: What We Collect vs. Store

Data Type | Collected? | Stored? | Retention
Account Information (name, email) |  |  | Until account deletion
Client Metadata (names, industries) |  |  | Until account deletion
Usage Statistics (aggregated) |  |  | Indefinitely (anonymized)
Trial Balance Data |  |  | <5 seconds (ephemeral)
Journal Entries / Invoices |  |  | <5 seconds (ephemeral)
Uploaded CSV/Excel Files |  |  | <5 seconds (ephemeral)
Anomaly Details (amounts, accounts) |  |  | <5 seconds (ephemeral)

Questions About This Policy?

We're committed to transparency and protecting your privacy. If you have questions or concerns about this Privacy Policy, contact us at privacy@paciolus.com.

Last updated: February 4, 2026