Privacy Policy

We collect the following information when you create an account:

• Email address
• Full name
• Business name
• NAICS (North American Industry Classification System) code
• Industry classification
• Revenue range
• Employee count
• Account creation timestamp
• Premium subscription status
• Onboarding completion status

This information is used to create and maintain your account, provide personalized services, and deliver appropriate business insights based on your industry and business size.

When you connect your financial accounts through Plaid:

Security Note: Plaid access tokens are stored in our database and treated as sensitive secrets. They are protected by access controls and encryption in transit and at rest. We do not store your actual banking credentials—these are managed securely by Plaid Inc.

We collect and store detailed transaction information:

• Transaction ID (unique identifier)
• Associated user ID and account ID
• Transaction amount
• Transaction date
• Merchant name
• Transaction category
• Pending status
• ISO currency code
• Payment channel (online, in-store, etc.)
• Location data: City, Region/state, Country
• Transaction creation timestamp

This transaction data forms the foundation of our financial insights, spending analysis, anomaly detection, and business intelligence features.

When you configure financial alerts:

• Alert ID (unique identifier)
• Alert type (spending threshold, unusual activity, etc.)
• Threshold amounts or parameters
• Active/inactive status
• Alert creation timestamp
• Last triggered timestamp
• Preferred notification method

To provide AI-powered insights and anomaly detection, we collect:

This data enables personalized anomaly detection and improves the accuracy of our AI recommendations over time.

When you interact with our AI assistant, we collect:

• Conversation ID and title
• User ID
• Message content (your questions and AI responses)
• Role (user or assistant)
• Creation and update timestamps
• AI model used for each response
• Token count (computational usage)

Your conversation history is retained to provide context-aware responses and improve your experience with the AI assistant.

When you upload invoices or documents:

• Document ID
• User ID
• Original file name
• File storage URL
• Document embedding (vector representation for AI processing)
• Document metadata
• Upload timestamp

Documents are processed using Supermemory (api.supermemory.ai) to enable intelligent document search, retrieval, and document-based question answering.

If we offer paid plans, we may collect billing-related metadata such as your plan tier and subscription status. We will update this Privacy Policy if billing features materially change our data practices.

• Document ID
• User ID
• Tax year
• File storage URL
• Document type
• Upload timestamp

• Session ID
• User ID
• Session creation timestamp
• Expiration timestamp (30-day default)
• Device information
• IP address

Session data is used for security monitoring and to maintain your authenticated state across the Platform.

These logs are maintained for security monitoring, debugging, billing accuracy, and compliance purposes.

• User ID
• Completed step identifier
• Completion timestamp
• Step-specific data

• Event ID
• User ID
• Associated Plaid item ID
• Webhook type
• Event payload
• Processed status
• Creation timestamp

Webhook events enable real-time updates when your financial accounts have new transactions or status changes.

• Log ID
• User ID
• Plaid item ID
• Connection action (link, relink, remove)
• Action status
• Timestamp

• Account Management: Creating and maintaining your user account using the information you provide
• Financial Account Integration: Connecting and synchronizing your bank accounts via Plaid
• Transaction Tracking: Retrieving, categorizing, and displaying your financial transactions
• Balance Monitoring: Providing real-time account balance information

• Anomaly Detection: Training and deploying machine learning models (Isolation Forest) to identify unusual spending patterns
• Conversational AI: Powering our AI assistant using multiple models (e.g., openai/gpt-oss-120b, openai/gpt-oss-20b, llama-3.3-70b-versatile)
• Document Processing: Indexing and analyzing uploaded invoices/documents via Supermemory to support search and Q&A
• Spending Analysis: Generating insights based on transaction patterns
• Financial Forecasting: Predicting future cash flow and identifying potential financial issues

• Custom Alerts: Monitoring financial thresholds and triggering notifications based on your configured alert settings
• Email Notifications: Sending alerts via Resend email service based on your notification preferences
• Real-time Updates: Delivering instant updates through real-time notifications when new transactions or account changes occur

• Industry Benchmarking: Comparing your business metrics against industry standards using NAICS codes
• Expense Categorization: Organizing expenses using system and user-defined categories
• Recurring Transaction Detection: Identifying subscription services and regular payments from transaction patterns
• Goal Tracking: Monitoring progress toward financial objectives you configure

• Performance Optimization: Using derived features and caching to accelerate repeated calculations
• Usage Analytics: Analyzing usage signals to optimize system performance
• Feature Development: Understanding user behavior through anonymized analytics via Vercel Analytics
• Model Training: Improving AI accuracy by training on anonymized transaction patterns

• Fraud Prevention: Monitoring account activity for suspicious patterns
• Access Control: Implementing Row-Level Security (RLS) policies to ensure users can only access their own data
• Audit Trail: Maintaining comprehensive logs of user actions and system events
• Webhook Processing: Handling secure communications from Plaid via webhook processing

• Billing: Managing subscriptions and plan status (if billing features are enabled)
• Feature Access: Controlling premium feature availability based on subscription status
• Usage Tracking: Monitoring API usage for billing and rate limiting purposes

• Document Storage: Securely storing documents you upload (e.g., invoices and receipts)
• Invoice Processing: Analyzing uploaded invoices and supporting document Q&A using Supermemory and our AI providers

• Transactional Emails: Sending account-related communications via Resend
• Support: Responding to customer inquiries using conversation history
• Updates: Notifying users of platform changes, security updates, or important alerts

• Compliance: Maintaining records required by financial services regulations
• Dispute Resolution: Preserving transaction history and audit logs for dispute investigation
• Legal Obligations: Responding to lawful requests for user data when required

Privacy Policy: https://plaid.com/legal/#privacy-statement

Purpose: Plaid enables secure connections to your financial institutions, retrieves transaction data, and provides account balance information.

Your Control: You can disconnect Plaid connections at any time through account settings, which will revoke our access to future transaction updates.

Privacy Policy: https://groq.com/privacy-policy/

Purpose: Groq provides high-speed AI model inference for our conversational AI assistant and financial analysis features.

Privacy Policy: https://supabase.com/privacy

Purpose: Supabase provides our PostgreSQL database infrastructure, user authentication system, and real-time data synchronization.

Data Shared: Data you provide and data generated through your use of the Platform is stored and processed within Supabase's cloud-hosted infrastructure.

Data Location: Supabase cloud infrastructure (region determined by service configuration)

API Endpoint: https://api.delphi.ai

Purpose: Delphi AI provides specialized conversational capabilities using a “chrismyers” clone configuration.

Data Flow: User message → B:Side Assist → Delphi AI API → Response → B:Side Assist → User

Privacy Policy: https://resend.com/legal/privacy-policy

Purpose: Resend handles transactional emails, financial alerts, and notification delivery.

User Control: You can unsubscribe from non-essential emails via links in email footers where available.

Privacy Policy: https://vercel.com/legal/privacy-policy

Purpose: Vercel Analytics provides privacy-friendly usage analytics and performance monitoring.

Privacy: Vercel Analytics is designed to be privacy-focused and does not use cookies or track personal information beyond aggregate usage patterns.

Privacy Policy: https://policies.google.com/privacy

Purpose: Google Maps enables visualization of transaction location data to provide geographic spending insights.

Usage: Only aggregated location data from transactions is displayed; no real-time location tracking is performed.

Status: Used for real-time webhook update notifications

Purpose: Convex provides real-time delivery of Plaid webhook update notifications so the UI can refresh without polling.

Data Minimization: We do not store bank credentials or full transaction content in Convex; it is used for lightweight event notifications only.

API Endpoint: https://api.supermemory.ai

Privacy Policy: https://supermemory.ai/privacy-policy

Purpose: Supermemory supports document search/Q&A and memory features (e.g., storing document metadata and conversation exchange summaries to improve retrieval and personalization).

Isolation: Content is tagged to your user identifier to isolate your documents and memory from other users.

Primary API Endpoint: https://api.exa.ai

Fallback API Endpoint: https://api.tavily.com

Purpose: Exa is our primary web search provider for up-to-date information. Tavily is used as a backup provider if Exa is unavailable.

API Endpoint: https://api.e2b.dev

Purpose: E2B provides a sandbox environment for executing Python code used in advanced financial analysis (e.g., complex calculations or generating charts).

API Endpoint: https://api.pwnedpasswords.com

Purpose: We use the Have I Been Pwned “Pwned Passwords” service to help detect commonly breached passwords during signup.

Important: Your plaintext password is not sent to Have I Been Pwned.

Purpose: We use third-party image services to display merchant avatars/logos in the UI (e.g., transaction lists and dashboards).

Data Shared: When your browser loads these images, the provider may receive your IP address and standard browser request headers (such as user agent and referrer) and the image URL requested.

Retention: Account profile data is retained for the duration of your account plus 30 days after an account deletion request to allow for recovery in case of accidental deletion.

Deletion: After the 30-day grace period, all personal account data is permanently deleted, except as required for legal or regulatory compliance.

Retention: Transaction data is retained indefinitely while your account is active.

Post-Deletion: Upon account deletion, transaction data may be retained in anonymized form for up to 7 years to comply with financial services record-keeping requirements.

Retention: Chat conversations and messages are retained indefinitely while your account is active to provide context-aware AI assistance.

Deletion: Upon account deletion, chat history is deleted within 30 days unless specific messages are flagged for quality improvement purposes (in which case they are anonymized).

User Control: You can delete individual conversations or messages at any time through the chat interface.

Retention: Trained anomaly detection models are retained indefinitely while your account is active.

Post-Deletion: Models are deleted within 90 days of account deletion after being anonymized for potential aggregated research use.

Retention: Derived feature caches are maintained while your account is active to optimize performance.

Purpose: Pre-computed features accelerate repeated calculations and improve platform responsiveness.

Deletion: Feature cache data is deleted within 7 days of account deletion.

Retention: Uploaded documents and derived data (such as indexes/embeddings) are retained while your account is active or until you manually delete them.

Post-Deletion: All documents and their embeddings are permanently deleted within 30 days of account deletion.

User Control: You can delete individual documents at any time through the document management interface.

Automatic Expiration: Sessions automatically expire after 30 days of inactivity.

Cleanup: Expired session records are purged from the database within 7 days of expiration.

Retention: API usage and audit logs are retained for 2 years from creation.

Post-Deletion: Even after account deletion, anonymized audit logs may be retained for up to 2 years for regulatory compliance.

Retention: Webhook event logs are retained for 90 days.

Purpose: Debugging integration issues and ensuring transaction synchronization accuracy.

Cleanup: Events older than 90 days are automatically purged.

Retention: If billing features are enabled, billing records are retained as required by applicable tax and financial record-keeping laws.

Purpose: Compliance with tax and financial record-keeping regulations.

Post-Deletion: Where permissible, billing records may be dissociated from personal identifiers and retained only as required by law.

We implement multiple layers of security to protect your data:

Audit Logs: We maintain audit logs of significant actions (with timestamps and, where applicable, IP addresses) to support security monitoring.

Anomaly Detection: Unusual account access patterns are flagged for review.

Session Monitoring: Active sessions may be monitored to detect suspicious activity and protect accounts.

We carefully select third-party services with strong security practices and review their security documentation (where available).

In the event of a data breach:

1. Detection: Our monitoring systems and audit logs help detect unauthorized access
2. Containment: Immediate steps are taken to contain the breach and prevent further unauthorized access
3. Assessment: We assess the scope and impact of the breach
4. Notification: We notify affected users and, where required, regulators consistent with applicable law
5. Remediation: Security measures are strengthened to prevent recurrence
6. Reporting: We comply with all regulatory reporting requirements

You can enhance your account security by:

• Using strong, unique passwords
• Not sharing your login credentials
• Logging out when using shared devices
• Keeping your email account secure (password reset emails)
• Reviewing account activity regularly
• Reporting suspicious activity immediately

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: Obtain confirmation and access to your personal data
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data
• Right to Restrict Processing: Request restriction of processing your personal data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing for certain purposes
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File complaint with supervisory authority

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out of Sale: We do NOT sell your personal information
• Right to Non-Discrimination: No discriminatory treatment for exercising rights

Regardless of location, all users have the right to:

To protect your privacy, we verify your identity before fulfilling rights requests:

Timeline: Most requests are processed within 30 days; complex requests may take up to 60 days with notification of extension.

You may designate an authorized agent to submit requests on your behalf:

Submission: Send authorization documents to verification@bsideassist.ai.

Primary Database: Data is stored in Supabase's cloud infrastructure. The specific geographic region depends on service configuration.

For EEA, UK, and Swiss Users: We rely on the following mechanisms for international data transfers:

• Standard Contractual Clauses (SCCs): European Commission-approved clauses with third-party processors
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Necessity for Contract Performance: Some transfers necessary to perform our contract with you

B:Side Assist uses artificial intelligence and machine learning extensively. This section provides transparency about how AI affects you.

Technology: Large language models via Groq Cloud and other providers (including tool-based web search and sandboxed code execution)

Technology: AI-powered categorization using merchant names, transaction amounts, and patterns

Data Used: Transaction details such as merchant name, amount, and description

Purpose: Automatically assign spending categories to transactions

Technology: Supermemory (document indexing/search) and AI models for analysis

Technology: Pattern recognition algorithms

Data Used: Historical transaction patterns

Purpose: Identify subscription services and recurring payments

Technology: Time series analysis and predictive modeling

Accuracy: Forecasts are estimates based on historical patterns; actual outcomes may vary significantly.

GDPR Compliance: For EU users, you have the right not to be subject to automated decision-making with legal or similarly significant effects.

Our Practice: No automated decisions have legal or contractual effects without human oversight. AI recommendations are informational and require your action to implement. You can always request human review of AI-generated insights.

Awareness: We acknowledge that AI systems may exhibit biases based on training data.

Reporting Bias: If you believe AI systems are producing biased or unfair results, please report this at verification@bsideassist.ai.

B:Side Assist is intended exclusively for business users aged 18 years or older. We do not knowingly collect personal information from individuals under the age of 18.

The Platform is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

As B:Side Assist is currently in beta release, our data practices, features, and security measures are continuously evolving. This Privacy Policy will be updated to reflect new features, additional third-party service integrations, enhanced security measures, changes in data retention policies, and regulatory compliance updates.

Material Changes include:

• New categories of personal data collected
• New third-party data sharing arrangements
• Reduced data security protections
• Changes to data retention periods
• New uses of personal data not previously disclosed

Advance Notice: We will provide at least 30 days' notice of material changes before they take effect.

For questions about this Privacy Policy or to exercise your privacy rights, please contact:

Email: verification@bsideassist.ai

Response Time: We aim to respond to all privacy inquiries within 5 business days and to fulfill verified requests within 30 days.

For questions about how third-party services process your data, please refer to their privacy policies:

• • Plaid: https://plaid.com/legal/#privacy-statement
• • Supabase: https://supabase.com/privacy
• • Groq: https://groq.com/privacy-policy/
• • Delphi: https://www.delphi.ai/privacy
• • Supermemory: https://supermemory.ai/privacy-policy
• • Resend: https://resend.com/legal/privacy-policy
• • Convex: https://www.convex.dev/privacy
• • Vercel: https://vercel.com/legal/privacy-policy
• • Google: https://policies.google.com/privacy
• • Exa: https://exa.ai/privacy
• • Tavily: https://tavily.com/privacy
• • E2B: https://e2b.dev/privacy