Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Full name and email address
• Organization/company name
• Authentication credentials (passwords are hashed and never stored in plaintext)
• Profile information and team role

1.2 Financial and Portfolio Data

To provide portfolio management services, we process data you enter or import, including:

• Merchant information (names, business details, EINs, contact information)
• MCA deal terms (funding amounts, factor rates, payback amounts, payment frequencies)
• Transaction and payment records (ACH payments, NSFs, returns, balances)
• Bank account data retrieved through third-party providers (e.g., Plaid), including account numbers, routing numbers, balances, and transaction histories
• Underwriting documents and supporting materials you upload
• ISO and broker relationship information

1.3 Usage Data

We automatically collect information about how you interact with the Service, including:

• IP address and browser type
• Device information and operating system
• Pages viewed, features used, and actions taken
• Timestamps and session duration
• Referring URLs

1.4 Cookies

We use cookies and similar technologies for authentication, session management, and preference storage. We use:

• Essential cookies for authentication and session management
• Preference cookies to remember your settings and display preferences
• Analytics cookies to understand how the Service is used and improve performance

2. How We Use Your Information

We use collected information to:

• Provide, operate, and maintain the Service, including portfolio tracking, transaction reconciliation, and reporting
• Process and display your MCA portfolio data, merchant information, and payment records
• Generate risk scores, payment projections, and portfolio analytics
• Facilitate ACH payment processing and bank account connections through third-party providers
• Send alerts and notifications (e.g., NSF alerts, payment status updates, risk changes)
• Provide customer support
• Improve and optimize the Service based on usage patterns
• Comply with legal obligations and enforce our Terms of Service

3. How We Share Your Information

We do not sell your personal information or portfolio data. We may share information only in the following circumstances:

3.1 Service Providers

We share data with third-party service providers who assist in operating the Service, including:

• Supabase — Database hosting and authentication
• Plaid — Bank account connections and financial data retrieval
• ACH processors — Payment processing
• Vercel — Application hosting
• Resend — Transactional email delivery

These providers are contractually obligated to use your data only to perform services on our behalf and in accordance with this Privacy Policy.

3.2 Legal Requirements

We may disclose your information if required to do so by law or in good faith belief that such action is necessary to:

• Comply with a legal obligation or court order;
• Protect and defend the rights or property of Abacus Labs Inc.;
• Prevent fraud or investigate potential violations of our Terms;
• Protect the personal safety of users or the public.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

4. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Row-level security (RLS) to ensure strict data isolation between organizations
• Regular security audits and monitoring
• Role-based access controls within your organization
• Secure authentication with optional MFA

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account termination, we retain data for up to 30 days to allow for data export requests, after which it may be permanently deleted.

We may retain certain data longer if required by law or necessary for legitimate business purposes such as resolving disputes or enforcing our agreements.

Usage data and anonymized analytics may be retained indefinitely to improve the Service.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data, subject to legal retention requirements
• Export: Request a portable copy of your data in a structured, machine-readable format
• Opt-out: Opt out of marketing communications at any time

To exercise these rights, contact us at support@abacuslabs.co. We will respond within 30 days.

7. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• The right to know what personal information we collect and how it is used
• The right to delete personal information
• The right to opt out of the sale of personal information (we do not sell your data)
• The right to non-discrimination for exercising your privacy rights

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification prior to the change becoming effective. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

10. Google API User Data

Abacus integrates with Google APIs so you can connect your Google Drive and Gmail accounts to features inside the Service. When you authorize these integrations, we receive limited access to your data using the following scopes:

• Google Drive (read-only) — view and download files in folders you explicitly select, so Abacus can import them into the Vault document store
• Gmail (read-only) — view email messages so Abacus can parse deal-related communications into the Inbox feature

Abacus's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, in compliance with the Limited Use policy:

• We use Google user data only to provide user-facing features within Abacus (Vault document import, Inbox email parsing)
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, or to comply with applicable law
• We do not use Google user data for advertising
• We do not allow humans to read Google user data unless we have your explicit consent, are required to do so for security purposes or to comply with applicable law, or as part of aggregated and anonymized internal operations
• Google access tokens and refresh tokens are encrypted at rest in our database. You can disconnect Google Drive or Gmail at any time from within Abacus, which immediately revokes access and deletes the stored tokens

Read-only scopes mean Abacus never modifies, deletes, or sends content from your Google Drive or Gmail accounts.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, contact us at:

Abacus Labs Inc.
support@abacuslabs.co