Privacy Policy
Last updated: March 15, 2026
- Introduction
- Scope of This Policy
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Sub-Processors and Third-Party Services
- Data Sharing and Disclosure
- Data Retention and Deletion
- Security Measures
- Your Privacy Rights (CCPA/CPRA)
- Additional State Privacy Rights
- Data Breach Notification
- Children's Privacy
- International Data Transfers
- Do Not Track Signals
- Cookies and Tracking
- Changes to This Policy
- Contact Information
1. Introduction
CashPilot Inc. ("CashPilot," "we," "us," or "our") is committed to protecting the privacy and security of the personal information entrusted to us. This Privacy Policy describes how we collect, use, store, share, and protect information when you use the CashPilot platform, website, and related services (collectively, the "Service").
This policy applies to two categories of individuals:
- Users: Business owners and authorized personnel who create a CashPilot account and use the Service to manage overdue invoice follow-ups.
- Customers: Individuals and businesses whose invoice and contact information is synced from a User's QuickBooks Online account and who may receive follow-up emails sent through the Service on the User's behalf.
2. Scope of This Policy
CashPilot operates as a data processor (or "service provider" under California law) with respect to Customer data. Users are the data controllers who determine the purposes and means of processing Customer data. CashPilot processes Customer data solely on behalf of and at the direction of Users, to provide the Service.
With respect to User account data (e.g., login credentials, billing information, usage data), CashPilot acts as a data controller.
This Privacy Policy should be read together with our Terms of Service, which govern your use of the Service.
3. Information We Collect
3.1 Information from QuickBooks Online
When you connect your QuickBooks Online account, we access and synchronize the following data through Intuit's OAuth 2.0 API (scope: com.intuit.quickbooks.accounting):
| Data Category | Specific Data Elements | Purpose |
|---|---|---|
| Invoice Data | Invoice numbers, amounts due, due dates, payment statuses, line item descriptions | Identify overdue invoices, calculate days overdue, generate follow-up sequences |
| Customer PII | Customer display names, email addresses | Address and deliver follow-up emails |
| Company Info | Your business name, business address | Populate sender identity and CAN-SPAM footer in follow-up emails |
| OAuth Tokens | Access token, refresh token (encrypted at rest) | Authenticate API requests to QuickBooks on your behalf |
3.2 Account and Configuration Data
We collect information you provide when setting up and configuring your CashPilot account:
- Business name and sender display name
- Sender email address and reply-to email address
- Preferred time zone
- Tone and sequence preferences
- Legal acknowledgment timestamp (confirming you understand CashPilot sends follow-up emails on your behalf and is not a collection service)
- Billing plan selection
3.3 Service Usage and Event Data
We automatically collect operational data as you use the Service:
- Email send events (timestamp, recipient identifier, template used, delivery status)
- Invoice status changes and payment events
- QuickBooks connection and disconnection events
- Dashboard access patterns and feature usage
- Error logs (with PII masked)
3.4 Technical Data
We may collect standard technical information when you access the Service:
- IP address
- Browser type and version
- Device type and operating system
- Referring URL
- Pages visited and time spent
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Invoice synchronization — Pulling and updating invoice data from QuickBooks | OAuth tokens, invoice data, customer PII |
| Email delivery — Sending follow-up emails to your customers on your behalf | Customer email, customer name, invoice data, company info, sender settings |
| Dashboard and reporting — Displaying invoice statuses, recovery activity, and communication history | Invoice data, event data, customer PII |
| Recovery attribution — Calculating which payments are attributable to CashPilot follow-ups for billing purposes | Invoice data, email send events, payment events |
| Billing — Calculating and processing your subscription fees | Recovery attribution data, account data |
| Service improvement — Analyzing aggregate, de-identified usage patterns to improve the Service | Aggregated event data, technical data (no PII) |
| Security and fraud prevention — Detecting and preventing unauthorized access | Technical data, access logs |
| Legal compliance — Maintaining audit trails and responding to legal obligations | Event data, communication logs |
5. Legal Basis for Processing
We process personal information on the following legal bases:
- Contractual necessity: Processing is necessary to perform our obligations under the Terms of Service (e.g., syncing invoices, sending follow-up emails, providing the dashboard).
- Legitimate interests: Processing is necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security, provided these interests are not overridden by the data subject's rights.
- Consent: Where required by applicable law, we obtain consent before processing (e.g., the User's explicit authorization to connect QuickBooks and send emails on their behalf).
- Legal obligation: Processing is necessary to comply with applicable laws, regulations, or legal processes.
6. Sub-Processors and Third-Party Services
CashPilot engages the following sub-processors to deliver the Service. Each sub-processor is contractually obligated to protect data in accordance with our privacy and security standards.
| Sub-Processor | Parent Company | Purpose | Data Processed | Location |
|---|---|---|---|---|
| Google Cloud Platform / Firebase | Google LLC | Cloud infrastructure, Firestore database, hosting | All application data (encrypted at rest and in transit) | United States |
| SendGrid | Twilio Inc. | Transactional email delivery | Recipient email address, sender info, email subject and body content | United States |
| QuickBooks Online API | Intuit Inc. | Source platform for invoice and customer data | OAuth credentials (used to authenticate); invoice and customer data originates here | United States |
We will provide Users with advance notice before engaging any new sub-processor that processes personal information. If you object to a new sub-processor, you may terminate the Service as described in our Terms of Service.
We do not use any advertising networks, social media tracking pixels, or third-party analytics services that would share your data or your customers' data with advertisers.
7. Data Sharing and Disclosure
We do not sell personal information. We share personal information only in the following limited circumstances:
- Sub-processors: As described in Section 6, to the extent necessary to provide the Service.
- Legal compliance: When required by law, court order, subpoena, or government request. We will notify you before disclosing your data unless prohibited by law from doing so.
- Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets. Any successor entity will be bound by the terms of this Privacy Policy with respect to previously collected data.
- Protection of rights: To enforce our Terms of Service, protect the safety of any person, or protect CashPilot's legal rights.
- With your consent: In any other circumstances where you have given explicit consent.
8. Data Retention and Deletion
8.1 Active Accounts
We retain your data for as long as your account is active and as needed to provide the Service. Specifically:
- Invoice and customer data: Retained while your account is active and synced periodically from QuickBooks
- Communication logs: Retained for the duration of your account plus 12 months (for audit trail purposes)
- OAuth tokens: Retained while your QuickBooks connection is active; deleted within 24 hours of disconnection
- Event and activity logs: Retained for 24 months from creation
8.2 Account Termination
When you terminate your account:
- QuickBooks OAuth tokens are deleted within 24 hours
- All active follow-up sequences are stopped immediately
- Invoice data, customer data, and communication logs are retained for 30 days to allow you to request a data export
- After the 30-day retention period, all personally identifiable data is permanently deleted
- Aggregated, anonymized, and de-identified data that cannot be used to identify any individual may be retained indefinitely for analytics and service improvement
8.3 Data Export
You may request an export of your data at any time by contacting privacy@cashpilot.com. We will provide your data in a commonly used, machine-readable format (CSV or JSON) within 30 days of your request.
9. Security Measures
CashPilot implements the following technical and organizational measures to protect your data:
9.1 Encryption
- Tokens at rest: All QuickBooks OAuth tokens (access and refresh) are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before storage
- Data in transit: All communications between your browser, our servers, and third-party APIs use TLS 1.2 or higher
- Database encryption: Firebase/Firestore provides encryption at rest for all stored data
9.2 Access Controls
- Token separation: OAuth tokens are stored in a separate, access-restricted Firestore collection (qb_tokens), segregated from user profile data. User profiles contain no tokens or credentials.
- API authentication: All API endpoints require valid authentication
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks
9.3 Application Security
- Security headers: All responses include X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy, Permissions-Policy, and Content-Security-Policy headers
- CORS: Cross-origin requests are restricted to the application domain only
- PII masking: Customer email addresses and other PII are masked in application logs (e.g., jo***@example.com)
- Audit logging: All significant events (email sends, QuickBooks connections, setting changes) are logged with timestamps for compliance and debugging
9.4 Infrastructure Security
- The Service runs on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications
- SendGrid (Twilio) maintains SOC 2 Type II certification for email delivery infrastructure
10. Your Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with specific privacy rights. Since the B2B exemption expired on January 1, 2023, these rights apply to business contacts as well as consumers.
10.1 Your Rights
You have the right to:
- Know and access: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Delete: Request that we delete personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
- Correct: Request that we correct inaccurate personal information we maintain about you.
- Opt out of sale or sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. CashPilot does not sell or share personal information as those terms are defined under the CCPA/CPRA.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Limit use of sensitive personal information: You may direct us to limit the use and disclosure of sensitive personal information to what is necessary to perform the Service. CashPilot already limits its use of personal information to service delivery only.
10.2 Categories of Personal Information Collected
Under the CCPA/CPRA's categorical framework, CashPilot collects:
| CCPA Category | Examples | Sold? | Shared? |
|---|---|---|---|
| Identifiers | Name, email address, QuickBooks realm ID | No | No |
| Commercial information | Invoice records, payment history, amounts due | No | No |
| Internet/electronic activity | Dashboard usage, email delivery logs, IP address | No | No |
| Professional/employment info | Business name, business address | No | No |
10.3 How to Exercise Your Rights
To exercise any of your CCPA/CPRA rights, submit a verifiable request by contacting us at:
- Email: privacy@cashpilot.com
We will verify your identity before processing your request. We will respond to verifiable requests within 45 days. If we need more time (up to an additional 45 days), we will notify you in writing.
You may also designate an authorized agent to make a request on your behalf. The authorized agent must provide proof of written authorization from you.
10.4 CashPilot as Service Provider
With respect to Customer data processed on behalf of our Users, CashPilot acts as a "service provider" under the CCPA/CPRA. If you are a Customer whose data is processed through CashPilot, please direct your privacy rights requests to the business (our User) that invoiced you. We will cooperate with our Users to fulfill such requests.
11. Additional State Privacy Rights
Several other U.S. states have enacted comprehensive privacy laws. If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other states with privacy legislation, you may have similar rights to access, delete, correct, and opt out of the processing of your personal data. To exercise these rights, please contact us at privacy@cashpilot.com.
If we decline a request, you may have the right to appeal. Appeals should be submitted in writing to the same email address.
12. Data Breach Notification
In the event of a security breach that results in the unauthorized access, disclosure, or acquisition of personal information, CashPilot will:
- Investigate the incident promptly and take steps to contain and remediate the breach
- Notify affected Users by email within 72 hours of confirming the breach, including a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach
- Notify applicable state attorneys general and regulatory authorities as required by law (e.g., within 72 hours under CCPA for breaches affecting 500+ California residents)
- Cooperate with Users to enable them to notify their affected Customers as required by applicable law
- Provide credit monitoring or identity protection services to affected individuals where required by law or where CashPilot deems it appropriate
13. Children's Privacy
The Service is designed for use by businesses and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.
If you believe that a child under 18 has provided us with personal information, please contact us at privacy@cashpilot.com.
14. International Data Transfers
CashPilot is based in the United States. All data is stored and processed within the United States. Our sub-processors (Google Cloud, SendGrid, Intuit) process data in the United States.
If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.
CashPilot does not currently offer data residency options outside the United States. The Service is designed for businesses operating in the United States.
15. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to DNT signals. However, CashPilot does not engage in cross-site tracking of its Users or their Customers.
16. Cookies and Tracking
CashPilot uses minimal cookies and local storage, limited to:
- Authentication tokens: Session cookies used to maintain your logged-in state
- Theme preference: A localStorage value (cashpilot_theme) that stores your light/dark mode preference
We do not use advertising cookies, third-party tracking cookies, or social media pixels. We do not participate in any advertising networks or cross-site tracking programs.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email at least 30 days before material changes take effect
- Provide a summary of the changes in our notification
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree with the updated policy, you should stop using the Service and terminate your account.
18. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
CashPilot Inc.
Privacy Inquiries: privacy@cashpilot.com
General Support: support@cashpilot.com
Legal: legal@cashpilot.com
For CCPA/CPRA requests specifically, please email privacy@cashpilot.com with the subject line "CCPA Request" and include your full name and the email address associated with your account.