Privacy Policy
Effective Date: February 5, 2026 | Last Updated: February 5, 2026
At The Tributum Group ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Client Portal and related services.
1. Information We Collect
1.1 Information You Provide to Us
- Account Information: Name, email address, company name, business address, phone number
- Authentication Data: Password (encrypted), multi-factor authentication codes
- Business Information: Tax ID, business structure, number of locations, industry type
- Communication Data: Messages you send us, support requests, feedback
1.2 Financial Information via Plaid
When you connect your bank accounts through Plaid Link, we collect:
- Bank Account Details: Account numbers, routing numbers, account balances
- Transaction History: Transaction amounts, dates, merchant names, categories
- Institution Information: Bank name, account type (checking, savings, credit card)
Important: We use Plaid, a trusted third-party service, to securely connect to your financial institutions. Plaid does not share your login credentials with us. All financial data is encrypted at rest using industry-standard encryption.
1.3 Automatically Collected Information
- Usage Data: Pages viewed, features used, time spent, clicks
- Device Information: IP address, browser type, operating system, device identifiers
- Authentication Logs: Login times, failed login attempts, MFA verification events
- Performance Data: Page load times, errors, system performance metrics
2. How We Use Your Information
2.1 To Provide Our Services
- Display your financial data in personalized dashboards and reports
- Perform cash flow analysis and financial forecasting
- Generate financial insights and recommendations
- Provide CFO advisory and strategic planning services
- Sync and update your financial data from connected accounts
2.2 To Maintain Security
- Authenticate your identity using multi-factor authentication
- Detect and prevent fraud, unauthorized access, and security breaches
- Monitor system security and investigate suspicious activity
- Maintain audit logs for compliance and security purposes
2.3 To Improve Our Services
- Analyze usage patterns to enhance user experience
- Develop new features and functionality
- Troubleshoot technical issues
- Conduct research and analytics (using aggregated, anonymized data)
2.4 To Communicate With You
- Send account notifications and security alerts
- Respond to your inquiries and support requests
- Provide updates about our services
- Send marketing communications (with your consent, and you may opt out at any time)
2.5 For Legal and Compliance Purposes
- Comply with legal obligations and regulatory requirements
- Enforce our Terms of Service and other agreements
- Protect our rights, privacy, safety, and property
- Respond to legal requests and prevent illegal activity
3. How We Protect Your Information
3.1 Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using the TLS 1.3 protocol
- At Rest: Sensitive financial data (access tokens, account numbers, routing numbers) is encrypted at rest using XChaCha20-Poly1305 AEAD encryption
- Database Layer: AES-256 encryption for all database storage via Supabase
3.2 Access Controls
- Multi-Factor Authentication: Required for all client portal access using TOTP (Time-based One-Time Passwords)
- Row Level Security: Database policies ensure you can only access your own data
- Principle of Least Privilege: Staff and systems have minimal access necessary to perform their functions
- Audit Logging: All access to sensitive data is logged for security monitoring
3.3 Infrastructure Security
- Hosting: Vercel cloud platform with automatic security updates and DDoS protection
- Database: Supabase PostgreSQL with enterprise-grade security and automatic backups
- Monitoring: 24/7 security monitoring and intrusion detection
- Vulnerability Management: Regular security scans and dependency updates
4. Information Sharing and Disclosure
4.1 Third-Party Service Providers
We share information with trusted service providers who help us operate our business. The following is a complete list of third-party data processors we currently use:
- Auth0 (Okta): Identity and authentication provider. Receives your email address and login metadata for user authentication.
- Supabase: Database and backend infrastructure provider (hosted on AWS). Stores all client business and financial data.
- Stripe: Payment processor. Receives billing name, email address, and payment card details for subscription management.
- Plaid: Financial data aggregation service. Receives bank account credentials (via tokenized OAuth) to retrieve bank transaction data when you connect a bank account.
- Intuit / QuickBooks: Accounting data integration. Receives QuickBooks OAuth tokens to retrieve financial statement data when you connect QuickBooks.
- Resend: Transactional email delivery service. Receives your email address and name for sending system notifications and account emails.
- Notion: Internal knowledge management tool. May receive anonymized business category and plan tier information for internal operational tracking.
- Google Cloud Platform (GCP): Cloud infrastructure for the Tributum financial forecasting engine. Processes financial statement data to generate cash flow forecasts.
- Square: Point-of-sale integration (optional). Receives OAuth tokens to retrieve sales data when you connect a Square account.
- Vercel: Application hosting and deployment platform. Processes all HTTP requests as the server infrastructure.
- OpenAI: AI processing service. Receives anonymized, de-identified transaction data (amounts, dates, and vendor category codes — with all personally identifiable business information stripped) to categorize and structure financial transactions. No raw account numbers, business names, or owner information are transmitted. OpenAI processes this data solely to provide the service and does not use it to train models under our API agreement.
- Anthropic: AI processing service. Receives structured, anonymized financial summaries to generate AI-powered financial insights displayed in your dashboard. No raw transaction data or personally identifiable information is transmitted. Anthropic processes this data solely to provide the service.
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Court orders, subpoenas, or other legal processes
- Government or regulatory requests
- Legal claims or investigations
- Circumstances involving potential threats to safety
4.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information for other purposes with your explicit consent.
5. Your Rights and Choices
5.1 Access and Portability
You have the right to:
- Access your personal information
- Request a copy of your data in a portable format
- View and export your financial data from your dashboard
5.2 Correction and Updates
You can update your account information at any time through your dashboard settings. Contact us if you need assistance updating your information.
5.3 Deletion
You have the right to request deletion of your personal information. You can:
- Disconnect individual bank accounts from your dashboard
- Request complete account deletion by contacting us
- Note: Some information may be retained for legal or compliance purposes (e.g., audit logs for 7 years)
5.4 Opt-Out Rights
- Marketing Communications: Unsubscribe from marketing emails using the link in any message
- Data Collection: Disconnect your bank accounts to stop new data collection
5.5 California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to know what personal data we collect, how we use it, and with which third parties we share it. This Privacy Policy serves as our primary disclosure.
- Right to Deletion: You may request deletion of your personal data at any time. Submit a deletion request through your account settings or by emailing hello@thetributumgroup.com with the subject line "CCPA Request." Requests are processed within 45 days. Some information may be retained for legal or compliance purposes (e.g., audit logs).
- Right to Opt Out of Marketing: You may opt out of marketing communications at any time by unchecking marketing consent in your account settings, or by replying "unsubscribe" to any marketing email you receive from us.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- We Do Not Sell Your Data: We do not sell your personal information to third parties, and we do not share your personal information with third parties for their own direct marketing purposes.
California residents may submit any CCPA-related requests to hello@thetributumgroup.com with the subject line "CCPA Request."
5.6 Geographic Scope of Services
Tributum primarily serves clients in the United States, with a focus on businesses in Kentucky, Indiana, Ohio, and Tennessee. We welcome clients from all U.S. states and territories. Services are not directed at residents of the European Economic Area (EEA), and we do not maintain GDPR compliance infrastructure.
5.7 European Residents (GDPR)
Because Tributum's services are not directed to EEA residents, the General Data Protection Regulation (GDPR) does not currently apply to our data processing activities. In the event Tributum expands its services to the EEA in the future, we will update this policy accordingly and implement the required compliance measures at that time. For reference, EEA residents would generally have the following rights under GDPR:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
6. AI-Powered Features and Data Processing
Tributum uses artificial intelligence to provide financial insights and analysis within your dashboard. Here is how that works and what it means for your data:
- Transaction Categorization: Raw transaction data retrieved from your connected accounts is anonymized and de-identified (business name, owner name, and account identifiers are stripped) before being sent to OpenAI's API for categorization. Only amounts, dates, and vendor category codes are transmitted.
- CFO-Level Financial Insights: Structured, anonymized financial summaries are sent to Anthropic's API to generate narrative financial insights displayed in your dashboard. No raw transaction data or personally identifiable information is included.
- No Training on Your Data: Neither OpenAI nor Anthropic uses your data to train their models under our API agreements.
- AI Insights Disclaimer: All AI-generated insights are for informational purposes only and do not constitute financial, tax, investment, or legal advice. Always consult a licensed professional before making financial decisions.
7. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Financial Data (transaction records, financial statements, connected account data): Retained for 60 days after account closure or subscription cancellation, then permanently deleted. A 7-year audit archive of records required for legal or tax compliance is retained in a non-accessible archive format only.
- Non-Financial Account Information (name, email address, company name, contact information): May be retained for up to 7 years for business records purposes.
- AI-Generated Insights: CFO insights and financial summaries generated by AI are stored in your account for up to 90 days, then permanently deleted. They are not shared with third parties and are not used to train AI models.
- Audit Logs: 7 years for security and compliance purposes
- Authentication Logs: 1 year for security monitoring
After these periods, we securely delete or anonymize your information. Anonymized data may be retained indefinitely for analytics and research.
8. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Essential Cookies: Required for authentication and security (cannot be disabled)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our services
You can control cookies through your browser settings, but disabling certain cookies may limit functionality.
9. Third-Party Links
Our services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect information from children. If we learn that we have collected information from a child, we will promptly delete it.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable laws.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification to your registered email address
- Prominent notice on our website or dashboard
- Updating the "Last Updated" date at the top of this policy
Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
13. Security Incident Notification
In the event of a data breach affecting your personal information, we will:
- Notify you within 72 hours of discovering the breach
- Provide details about what information was affected
- Explain steps we are taking to address the breach
- Offer guidance on protecting yourself
- Notify relevant regulatory authorities as required by law
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
The Tributum Group
Email: privacy@thetributumgroup.com
Support: support@thetributumgroup.com
Website: www.thetributumgroup.com
For data deletion requests, please use the subject line: "Data Deletion Request" and include your registered email address.
This Privacy Policy was last updated on April 8, 2026. Version 1.1