CashCycle

Privacy Policy

Last updated: April 7, 2026

This Privacy Policy ("Policy") describes how CashCycle ("we," "us," "our," or the "Company") collects, uses, stores, discloses, and protects information when you access or use our website, platform, APIs, integrations, and any related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must not use the Service.

1. Definitions

For the purposes of this Policy:

  • "Personal Data" means any information that identifies or can be used to identify a natural person, directly or indirectly.
  • "Customer Data" means all data, files, content, invoices, bank transactions, contact records, communications, and other information uploaded, imported, or generated within the Service by or on behalf of a user or organization.
  • "Processing" means any operation performed on data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Sub-processor" means any third-party service provider engaged by us to process data on our behalf.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data. You are the Controller of your Customer Data; we act as a Processor on your behalf.

2. Information We Collect

2.1 Information You Provide Directly

When you register for an account, configure the platform, or use our features, we collect:

  • Account registration details: name, email address, password, phone number, company name, and job title.
  • Organization and branding settings: company name, logo, address, timezone, default currency, and tax identifiers.
  • Financial and operational data you choose to import or create: invoices, contacts, products, bank transactions, payment receipts, remittance documents, and recurring invoice templates.
  • Communications content: emails drafted, sent, received, or generated by AI on your behalf, including attachments.
  • Integration credentials: OAuth tokens, API keys, and SMTP configurations for third-party services you connect (Xero, QuickBooks, Stripe, PayPal, Gmail, Outlook, Slack, WhatsApp).
  • Billing information: subscription plan, payment method details (processed by Stripe — we do not store full card numbers), and billing history.
  • Support communications: messages, feedback, and files you submit when contacting us.

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage data: pages visited, features used, actions performed, timestamps, session duration, and click patterns.
  • Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Email engagement data: open timestamps (via tracking pixel), click timestamps (via redirect links), bounce status, and reply detection.
  • Log data: server logs, error reports, API request metadata, and performance metrics.
  • Referral data: the URL that referred you to our Service.

2.3 Information from Third-Party Integrations

When you connect third-party services, we receive data from those services as necessary to provide the features you have enabled:

  • Accounting platforms (Xero, QuickBooks): invoices, contacts, payment statuses, and account metadata.
  • Payment processors (Stripe, PayPal): transaction records and invoice sync data.
  • Email providers (Gmail, Outlook): email sending capabilities and OAuth authentication tokens.
  • Messaging services (Slack, WhatsApp): notification delivery data.

2.4 AI-Processed Data

Our AI features process your data to provide functionality including:

  • AI-generated collection emails based on invoice and contact context.
  • Payment-to-invoice matching suggestions using our 3-layer matching engine.
  • Cash flow forecasting using historical transaction data.
  • Reply classification and dispute detection from inbound communications.
  • OCR extraction from uploaded bank statements and remittance documents.
  • Contact relationship scoring based on payment behavior and engagement.
  • AI-generated account summaries and collection sequence suggestions.

AI-generated outputs (emails, match suggestions, forecasts) are always presented for your review before any action is taken. AI-generated emails are never sent without explicit human approval.

AI-processed data is derived using probabilistic models and may contain errors, inaccuracies, or omissions. By enabling AI features, you acknowledge and accept the inherent limitations of AI technology. We make no representations or warranties regarding the accuracy, reliability, or completeness of any AI-generated output. You are solely responsible for reviewing and verifying all AI-processed data before relying on it for any purpose. We shall not be liable for any decisions, actions, or consequences arising from your use of or reliance on AI-processed data.

3. How We Use Your Information

We process your information for the following purposes:

  • Service delivery: To provide, operate, and maintain the CashCycle platform, including invoicing, collections, reconciliation, forecasting, analytics, and the customer portal.
  • AI-powered features: To generate email drafts, match payments to invoices, forecast cash flow, classify communications, and provide intelligent suggestions — all subject to your review and approval.
  • Transactional communications: To send emails on your behalf to your customers (invoices, collection reminders, receipts) as you direct.
  • Account management: To manage your subscription, process payments, enforce plan limits, and provide billing support.
  • Security and compliance: To authenticate users, enforce access controls, detect fraud, prevent abuse, and maintain audit trails.
  • Platform improvement: To analyze usage patterns, diagnose technical issues, and improve the Service's performance, reliability, and features.
  • Legal obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do not sell, rent, or trade your Personal Data or Customer Data to any third party for marketing or advertising purposes.

4. Legal Basis for Processing (GDPR)

Where the EU General Data Protection Regulation (GDPR) or similar legislation applies, our legal bases for processing your Personal Data are:

  • Performance of a contract: Processing necessary to provide the Service you have subscribed to.
  • Legitimate interests: Processing for platform security, fraud prevention, service improvement, and analytics, where such interests are not overridden by your rights.
  • Consent: Where you have given explicit consent, such as connecting third-party integrations or enabling optional features.
  • Legal obligation: Processing required to comply with applicable laws.

5. Data Sharing and Disclosure

We may share your information only in the following circumstances:

  • Service providers and sub-processors: We use third-party providers to host infrastructure, process payments (Stripe), deliver AI capabilities (Azure OpenAI), send emails, and provide analytics. These providers are contractually obligated to protect your data and use it only as instructed.
  • Third-party integrations at your direction: When you connect external services (Xero, QuickBooks, Stripe, PayPal, Gmail, Outlook, Slack, WhatsApp), data is shared with those services as necessary for the integration to function. Each integration is initiated by you and governed by the respective third party's own terms and privacy policy.
  • Your customers (via Customer Portal): Invoice data you make available through the self-service portal is accessible to your customers via unique, token-based URLs. No login is required for portal access — you control which invoices are shared.
  • Legal requirements: We may disclose information if required by law, regulation, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

We do not share your data with any third party for their own independent marketing or commercial purposes.

6. Data Storage, Security, and Multi-Tenant Isolation

6.1 Encryption

  • Data in transit is encrypted using TLS (Transport Layer Security).
  • Data at rest is encrypted using AES-256 encryption.
  • Sensitive fields (OAuth tokens, MFA secrets, API keys) are encrypted at the application level using Fernet symmetric encryption and are decrypted only when needed.
  • Passwords are hashed using bcrypt and are never stored in plaintext.

6.2 Multi-Tenant Data Isolation

CashCycle employs a schema-per-tenant PostgreSQL architecture. Each organization's data is stored in a dedicated database schema, ensuring complete logical isolation. One customer's data is never accessible to or commingled with another's.

6.3 Access Controls

  • Role-based access control (RBAC) with 50+ granular permissions.
  • JWT-based authentication with short-lived access tokens (15-minute expiry) and rotating refresh tokens.
  • Optional multi-factor authentication (TOTP-based) with encrypted backup codes.
  • API key authentication with per-key permission scoping and expiry dates.

6.4 Infrastructure Security

  • Redis-backed rate limiting to prevent abuse.
  • File upload protections: path traversal prevention, filename sanitization, size limits, and content type validation.
  • Regular backups of all data in secure, access-controlled environments.
  • Immutable audit logs recording every action with user, timestamp, IP address, and change details.

6.5 Hosting and Infrastructure Locations

CashCycle's infrastructure, including servers, databases, and backup systems, may be hosted across multiple geographic regions worldwide. Your data may be stored and processed in any region where we or our infrastructure providers maintain facilities. By using the Service, you consent to the storage and processing of your data in any such region, which may include locations outside your country of residence. Regardless of where your data is hosted, we apply the same security standards and protections described in this Policy.

6.6 No Guarantee of Absolute Security

While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept the inherent risks of providing information online and agree that we shall not be held liable for any breach of security beyond our reasonable control.

6.7 Limitation of Liability for Data Processing

To the fullest extent permitted by applicable law, CashCycle shall not be liable for any loss, damage, or claim arising from the processing, storage, transmission, or deletion of your data, including but not limited to: data loss or corruption (whether partial or complete), unauthorized access or disclosure resulting from factors beyond our reasonable control, errors or inaccuracies in AI-processed data (including summaries, classifications, scores, predictions, or extracted content), delays or failures in data synchronization with third-party services, unintended modifications to data during import, export, or migration operations, or any consequences arising from your reliance on data processed by the Service. You are solely responsible for maintaining independent backups of all critical data and for verifying the accuracy of any data processed by the Service before relying on it for business, financial, legal, or regulatory purposes.

7. Data Retention

  • Active accounts: We retain your data for as long as your account remains active and as necessary to provide the Service.
  • Account closure: Upon account termination or deletion, we will delete or anonymize your Customer Data within 90 days, except where retention is required by applicable law, regulation, or legitimate business purpose (such as fraud prevention, dispute resolution, or audit compliance).
  • Audit logs: Audit trail data may be retained for a longer period as required for compliance, legal defense, or regulatory purposes.
  • Backups: Data may persist in encrypted backup systems for a limited period after deletion from primary systems, after which it is permanently purged.
  • Legal holds: We may retain data beyond the stated periods if required by legal proceedings, investigations, or regulatory obligations.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

  • Access: Request a copy of the Personal Data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your Personal Data (subject to legal retention requirements). CashCycle provides GDPR-ready data erasure functionality that anonymizes contact data.
  • Data portability: Request your data in a structured, machine-readable format. CashCycle provides a data export feature for this purpose.
  • Restriction of processing: Request that we limit how we process your data in certain circumstances.
  • Objection: Object to processing of your data based on legitimate interests.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@cashcycle.ai. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before fulfilling your request.

9. International Data Transfers

Your data may be processed in countries other than your country of residence. Where we transfer data outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. By using the Service, you consent to the transfer and processing of your data in jurisdictions that may have different data protection laws than your own.

10. Cookies and Tracking Technologies

10.1 Cookies We Use

  • Essential cookies: Required for authentication, session management, security, and core platform functionality. These cannot be disabled.
  • Preference cookies: Store your settings such as language, timezone, and display preferences.
  • Analytics cookies: Help us understand how the platform is used, which features are popular, and where users encounter issues.

10.2 Email Tracking

Emails sent through CashCycle on your behalf may include a small invisible tracking pixel and redirect-wrapped links to track opens and clicks. This engagement data is used to power features such as contact relationship scoring and conditional escalation in collection sequences. Your customers can unsubscribe from collection emails at any time via a one-click unsubscribe link included in every email, compliant with RFC 8058.

10.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may impair the functionality of the Service.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. Third-Party Links and Services

The Service may contain links to or integrations with third-party websites, services, and applications. This Policy does not apply to any third-party services. We are not responsible for the privacy practices, content, or security of any third-party service. We encourage you to review the privacy policies of any third-party service you connect to or access through CashCycle.

13. Data Breach Notification

In the event of a data breach that affects your Personal Data, we will notify you and any applicable regulatory authorities as required by law, without undue delay. Notification will include the nature of the breach, the data affected, the measures taken to address it, and recommendations for you to protect yourself.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated Policy on this page and update the "Last updated" date. For material changes, we will provide notice through the platform or via email. Your continued use of the Service after changes become effective constitutes acceptance of the revised Policy. If you do not agree with the updated Policy, you must stop using the Service.

15. Jurisdiction-Specific Provisions

15.1 European Economic Area (EEA) and United Kingdom

If you are located in the EEA or UK, the GDPR and UK GDPR apply. You have the rights described in Section 8 above. Our legal bases for processing are described in Section 4. You may lodge a complaint with your local supervisory authority.

15.2 Bulgaria

If you are located in Bulgaria, we process your data in accordance with the Bulgarian Personal Data Protection Act (LPDP), which implements the EU GDPR. The supervisory authority is the Commission for Personal Data Protection (CPDP). You may lodge a complaint with the CPDP at any time.

15.3 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what data we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

15.4 Saudi Arabia

If you are located in Saudi Arabia, we process data in compliance with the Saudi Personal Data Protection Law (PDPL) and applicable ZATCA e-invoicing requirements.

16. Limitation of Liability

To the fullest extent permitted by applicable law, CashCycle shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising out of or related to our data practices as described in this Policy, including but not limited to: any unauthorized access to or breach of your data despite commercially reasonable security measures, any loss or corruption of data, any consequences of data processing by AI or third-party sub-processors, any inaccuracies in data derived from automated processing, or any actions taken by third parties who receive your data in accordance with this Policy. Your sole remedy for dissatisfaction with our data practices is to cease using the Service and request deletion of your data. This limitation applies regardless of the theory of liability and even if we have been advised of the possibility of such damages.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

  • Email: privacy@cashcycle.ai
  • General inquiries: sales@cashcycle.ai

We will make every reasonable effort to respond to your inquiry within 30 days.

© 2026 CashCycle. All rights reserved.