Privacy Policy
This Privacy Policy ("Policy") describes how ZeroFin ("ZeroFin," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with our AI-native financial operations platform, our website, and our AI assistant, Mr. CFO.
Scope and Roles
This Policy applies to individuals who visit our website, use the ZeroFin platform, or interact with our services (collectively, the "Services").
For the majority of the data processed by the platform—including bank statements, audit reports, invoices, and historical accounting records uploaded by our Customers ("Customer Data")—ZeroFin acts as a Data Processor (or "Service Provider" under the CCPA/CPRA).
Our Customers (typically the entities subscribing to the Services) act as the Data Controller. Customers are solely responsible for establishing a lawful basis for processing, providing required transparency notices to their employees, contractors, or vendors, and responding to data subject rights requests relating to Customer Data, except as expressly agreed in a separate Data Processing Addendum (DPA).
ZeroFin does not determine the purposes or means of processing Customer Data beyond what is necessary to provide the Services as instructed by the Customer.
ZeroFin acts as a Data Controller (or "Business" under the CCPA/CPRA) only for information used to manage account relationships, billing, marketing, and the technical security and optimization of our infrastructure.
Categories of Data Collected
Name, professional email address, job title, password hashes, multi-factor authentication (MFA) tokens, and recovery data.
Records of correspondence, including support tickets, chat logs with Mr. CFO, and any attachments provided during troubleshooting.
Payment processor transaction IDs, billing addresses, and partial credit card information (last four digits) used for subscription management.
IP addresses, browser types, operating systems, access timestamps, and device identifiers used for threat detection and system monitoring.
Error reports, crash logs, and performance metrics used to maintain platform stability.
Information regarding how users interact with platform features and Mr. CFO prompts.
Financial records uploaded by Customers may contain personal data of third parties, including but not limited to employee payroll details, contractor tax IDs, and vendor contact information. ZeroFin processes this data solely as a processor under Customer instruction.
Purposes and Lawful Bases for Processing
We adhere to the principles of Data Minimization and Purpose Limitation. Personal data is processed only for purposes compatible with those described below:
| Category of Processing | Purpose | Lawful Basis (GDPR/UK GDPR) |
|---|---|---|
| Service Delivery | Reconstructing financial history, generating journal entries, and AI analysis. | Performance of Contract |
| Account Management | Authentication, MFA, and administrative communications. | Performance of Contract |
| Platform Security | Fraud prevention, security telemetry, and threat mitigation. | Legitimate Interests (Safety & Integrity) |
| Product Optimization | Analyzing error reports and diagnostic data to improve AI accuracy. | Legitimate Interests (Service Improvement) |
| Billing & Compliance | Processing payments and maintaining statutory accounting records. | Performance of Contract / Legal Obligation |
| Marketing | Sending updates or newsletters (where permitted). | Consent / Legitimate Interests |
Legitimate Interest Balancing: Where we rely on legitimate interests, we perform a balancing test to ensure our interests do not override your fundamental rights.
Consent Withdrawal: Where processing is based on consent, you may withdraw it at any time; however, withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
Marketing Opt-Out: Where we rely on legitimate interests for business-to-business marketing communications, you may object at any time by using the unsubscribe link in the communication or contacting us at privacy@zerofin.ai. We will honor such requests in accordance with applicable law.
AI and Automated Processing Disclosure
ZeroFin utilizes machine learning and AI algorithms to automate financial categorization and historical reconstruction.
ZeroFin does not engage in solely automated decision-making that produces legal or similarly significant effects regarding individuals under GDPR Article 22.
ZeroFin does not engage in profiling that produces legal or similarly significant effects concerning individuals. Any categorization or financial analysis generated by the platform is intended solely to support Customer decision-making.
All AI-generated outputs, including suggested journal entries and runway forecasts, are decision-support tools only.
The responsibility for final verification, human review, and the legal accuracy of financial filings remains exclusively with the Customer.
U.S. State Privacy Rights (CPRA, VCDPA, CPA, CTDPA, UCPA)
ZeroFin does not sell personal information and does not share personal information for cross-context behavioral advertising as defined under the California Privacy Rights Act (CPRA) and similar state laws.
ZeroFin processes Sensitive Personal Information (such as financial account credentials or tax identifiers) solely for purposes reasonably necessary to provide the Services requested by Customers, detect security incidents, prevent fraud, comply with legal obligations, or as otherwise permitted under applicable law. We do not use or disclose Sensitive Personal Information for purposes requiring a separate right to limit under the CPRA.
Depending on your state of residence, you may have the following rights: access, deletion, correction, portability, and opt-out where applicable. We will not deny services or change prices if you exercise your privacy rights (Non-Discrimination).
To exercise these rights, email privacy@zerofin.ai. You may designate an authorized agent to submit requests on your behalf; we require written proof of such authorization and will verify your identity directly.
Data Subject Rights Process
Upon receipt of a request, we perform verification steps proportionate to the sensitivity of the data, which may include email verification, MFA challenges, or matching identifiers against our records.
Responses are provided within 30 days or within 45 days, depending on the law applicable to your request.
We reserve the right to extend these periods where permitted by law, provided we notify you of the reason.
Requests may be denied if they are manifestly unfounded, excessive, or conflict with legal obligations. If a request is denied, we will provide an explanation. Residents of CO, VA, and CT have the right to appeal denials by contacting appeals@zerofin.ai.
Where required under applicable law, individuals may lodge a complaint with their local supervisory authority. For individuals located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your national data protection authority, including the Information Commissioner's Office (ICO) in the UK or your local EU supervisory authority.
Subprocessors and International Transfers
ZeroFin utilizes third-party subprocessors bound by written agreements imposing strict confidentiality, security, and data protection obligations. A current list is maintained at zerofin.ai/subprocessors. We notify Customers of updates via the platform or email.
Data is hosted primarily in the United States. For transfers from the EEA, UK, or Switzerland, we utilize Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supported by Transfer Impact Assessments (TIAs) and technical safeguards for onward transfers.
Data Retention and Security
We retain personal information based on the following: the duration of the Customer's contract; statutory requirements (e.g., tax/accounting compliance); necessity for dispute resolution or fraud prevention; and preservation requirements in connection with litigation, investigations, or legal holds.
Backups may persist for up to 30 days beyond the primary deletion cycle. Where required, we may retain specific records subject to legal hold, regulatory inquiry, or dispute resolution obligations until such matters are resolved. Anonymized data may be retained indefinitely.
We implement commercially reasonable technical and organizational measures to protect data. However, no method of transmission or storage is completely secure; we cannot guarantee absolute security.
Cookies and Tracking
We classify cookies as Strictly Necessary, Analytics/Performance, or Optional Marketing. Users can manage preferences via our Cookie Consent Manager. We do not currently respond to browser-based "Do Not Track" signals.
General Provisions
The Services are not directed to individuals under 18. If we discover that personal data of a child has been collected, it will be deleted immediately.
In the event of a merger, acquisition, or asset sale, personal information may be transferred to the successor entity, subject to this Policy.
This Policy does not create contractual or fiduciary obligations beyond those required by applicable law or specific written agreements.
Contact Information
team@zerofin.io
Company Registered Address
© 2026 ZeroFin Inc. All rights reserved.