Privacy Policy
Last updated: April 28, 2026
1. Introduction
MainStreet CFO, Inc., a Delaware corporation ("MainStreetCFO," "we," "us," or "our"), operates the MainStreetCFO platform available at mainstreetcfo.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to the terms of this Privacy Policy.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, company name, and other information you provide during registration.
Financial Data
To provide our Service, we collect financial data that you authorize us to access, including but not limited to:
- Accounting data from QuickBooks, Xero, FreshBooks, Wave, or similar platforms
- Bank transaction data accessed through Plaid or similar secure banking APIs
- Financial files you upload directly (CSV, QBB, or other formats)
- Invoice and accounts receivable data
- Payroll data from integrated payroll providers (e.g., Gusto)
Important: We access your financial data in read-only mode. We cannot move, transfer, or withdraw funds from any connected account. We never store your banking login credentials — all bank connections are handled through secure, encrypted third-party services (such as Plaid) that use bank-level security.
Usage Data
We automatically collect certain information when you access our Service, including your IP address, browser type, device information, pages viewed, and interaction patterns. This data helps us improve the Service and troubleshoot issues.
Waitlist & Communications
If you sign up for our waitlist or contact us, we collect your email address and any information you provide in your communications with us.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Generate financial insights, forecasts, alerts, and reports for your business
- Power our AI-driven analysis and recommendations
- Send you weekly financial briefings and alerts
- Process your subscription and billing
- Communicate with you about the Service, updates, and support
- Detect, prevent, and address fraud, security issues, or technical problems
- Comply with legal obligations
4. How We Protect Your Data
We take the security of your financial data seriously. We implement industry-standard technical and organizational security measures including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Authenticated encryption (AES-256-GCM) for sensitive credentials and OAuth tokens
- Database-layer multi-tenant isolation via Postgres row-level security policies, so one customer's data is not reachable from another customer's session even at the query layer
- Secure, encrypted connections to all third-party financial services
- Role-based access controls and authentication, with all sign-ins audited
- Data stored on infrastructure (Supabase on AWS, Vercel) that is independently SOC 2 Type II certified
Employee access
Access to production systems holding customer financial data is restricted to a small number of named engineers on a need-to-know basis, requires multi-factor authentication, and is logged. We do not browse or access individual customer data except to (a) deliver support a customer has explicitly requested, (b) investigate a security incident, or (c) comply with a legal obligation.
Lifecycle event logging
We log significant lifecycle events tied to your account, including integration connections and disconnections, data sync runs (with row counts), and file or dataset deletions. These records are retained for at least twelve (12) months for security-monitoring and incident-response purposes, and form part of the evidence we would draw on to investigate a security concern affecting your account.
Breach notification
If we become aware of a security incident that compromises the confidentiality, integrity, or availability of your personal or financial data, we will notify affected users without undue delay, and in any event within 72 hours of becoming aware of the incident, unless a law-enforcement authority instructs us to delay notification. Notification will describe the nature of the incident, the data affected, the remediation steps we are taking, and what (if anything) you should do in response.
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practical standards.
5. Data Sharing & Disclosure
We do not sell your personal or financial data. Period.
We may share your information only in the following limited circumstances:
- Service Providers: With trusted third-party vendors who help us operate the Service (e.g., hosting, payment processing, analytics), subject to strict confidentiality agreements.
- With Your Consent: When you explicitly authorize us to share data, such as connecting to a third-party integration.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change in ownership.
6. Data Retention
We retain different categories of data for different periods, based on the purpose of the data and applicable legal obligations. The schedule below reflects our standard practice; specific obligations under tax, accounting, or regulatory law may require longer retention in particular cases.
| Category | Retention |
|---|---|
| Account & profile data (name, email, company, login credentials) | Retained while your account is active. Deleted within 30 days of account deletion request, except as required by law. |
| QuickBooks-synced financial data (accounts, invoices, transactions pulled from QuickBooks) | Retained while the QuickBooks connection is active. Deleted immediately on disconnect with deletion requested. Database backups (point-in-time recovery) may retain a copy for up to 30 days before they roll off. |
| Manually uploaded files & datasets (CSV, Excel, PDF you upload) | Retained while your account is active. Deleted within 30 days of account or file deletion request. |
| Billing & payment records (invoices, receipts, transaction IDs) | Retained for at least seven (7) years after the transaction, as required by US tax and accounting regulations. Card data itself is held by our payment processor (Stripe), not by us. |
| Customer support communications (support emails, in-app messages) | Retained for up to three (3) years from the date of the last communication. |
| Usage logs & analytics (page views, API requests, performance metrics) | Retained for up to twelve (12) months. Aggregated, de-identified analytics may be retained indefinitely. |
| AI conversation history (chat with the MainStreetCFO assistant) | Retained while your account is active so the assistant has context. Deleted on user request via the chat interface or with the account. |
| Lifecycle event logs (integration connects/disconnects, sync runs, file or dataset deletions) | Retained for at least twelve (12) months for security-monitoring and incident-response purposes. |
When we delete data, the deletion is permanent and irreversible (subject to the backup window noted above). We do not maintain a separate "archive" of deleted customer data. If you require an export of your data before deletion, email privacy@mainstreetcfo.ai and we will provide one within 30 days.
7. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a portable format
- Opt-Out: Unsubscribe from marketing emails at any time
- Revoke Access: Disconnect any linked financial accounts at any time through your account settings
To exercise any of these rights, contact us at privacy@mainstreetcfo.ai. We will respond to verifiable requests within 30 days, and may extend that period by an additional 30 days where reasonably necessary (consistent with GDPR Article 12 and the CCPA). We may need to verify your identity before fulfilling certain requests; we will not charge a fee for routine requests.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.
European Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with a supervisory authority. Our legal basis for processing your data is your consent and the performance of our contract with you.
8. Sub-Processors
To run the Service we rely on a small set of trusted third-party vendors ("sub-processors") who process your data on our behalf, under contracts that require them to handle your data only to deliver the services we've engaged them for. We perform diligence on each sub-processor's security and privacy practices, and only use vendors that hold their own SOC 2 Type II or equivalent certification, or that deliver functionality we cannot reasonably build in-house.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, and row-level-security tenant isolation. Also delivers transactional auth emails on our behalf (signup confirmation, password reset, magic link). Hosted on AWS. | United States |
| Vercel, Inc. | Web application hosting and serverless function execution. | United States |
| Anthropic, PBC | AI inference for the chat assistant and briefing generation. Receives only the minimum context required for the requested response. Does not use customer data to train models. | United States |
| Google LLC (Gemini) | AI inference for upload schema detection. Receives only file headers and small samples. Does not use customer data to train models. | United States |
| Stripe, Inc. | Subscription billing and payment processing. Card data is collected and held by Stripe, not by us. | United States |
| Upstash, Inc. | Redis-based rate limiting on AI endpoints. Stores only short-lived counters keyed by anonymized identifiers; no customer data. | United States |
| Intuit, Inc. | QuickBooks Online integration. Source of synced accounting data on customer authorization. | United States |
| Plaid, Inc. | Bank-account data aggregation. Invoked only when a customer connects a bank via Plaid Link. | United States |
| Gusto, Inc. | Payroll data aggregation. Invoked only when a customer connects Gusto. | United States |
We will provide at least 30 days' advance notice via this page or email before adding a new sub-processor that materially affects how customer data is processed. If you have a contractual right of objection (for example, under a Data Processing Agreement), you may exercise it during that notice window by contacting privacy@mainstreetcfo.ai.
9. AI / Machine Learning & Customer Data
MainStreetCFO does not use customer data to train AI or machine-learning models. When the in-product assistant or briefing generator runs, the relevant snippets of your data are sent to our AI sub-processors (Anthropic, Google) under standard service-provider terms with no-training commitments, solely to compute the response you requested. We never send raw bulk data dumps; we send only the minimum context required for the specific analysis the user asked for, and the response is delivered back through us, not directly from the sub-processor.
We do not sell, rent, or license your data to any third party for AI training, advertising, profiling, or product development purposes, including our own internal model training.
10. Cross-Border Data Transfers
MainStreetCFO is operated from the United States and our infrastructure providers (Supabase, Vercel, Stripe, Anthropic, Google, Upstash) host their primary production environments in the United States. By using the Service, you consent to your information being transferred to and processed in the United States, which may have different data protection standards than your jurisdiction of residence.
Where required by applicable law (e.g., for transfers from the European Economic Area, the United Kingdom, or Switzerland), we rely on recognized lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, in conjunction with supplementary technical and organizational measures. We can provide a copy of the applicable transfer mechanism on request.
11. Cookies & Tracking
We use a small number of cookies to operate the Service. We do NOT use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.
| Cookie / Storage | Purpose | Lifetime |
|---|---|---|
| Supabase auth cookies | Authenticate your session; required to use the Service. | Session + refresh window (typically up to 7 days, refreshed silently) |
| __mscfo_access | Caches your subscription/plan status for 5 minutes to reduce database lookups on every page load. | 5 minutes |
| CSRF tokens | Block cross-site request forgery on state-changing requests. | Session |
| sessionStorage / localStorage | UI preferences (sidebar collapse, chat scroll position, dismissed dialogs). Stored in your browser only; never sent to our servers. | Until cleared by you |
You can clear or block cookies through your browser settings, but doing so will sign you out of the Service and may break features that depend on session state.
12. Third-Party Services
In addition to the sub-processors listed above, our Service can connect to additional third-party platforms when you choose to authorize them (QuickBooks Online, Plaid, Gusto, etc.). Those services have their own privacy policies, which govern how they collect and use your data on their side of the connection. We encourage you to review them.
13. QuickBooks Online Integration
When you connect your QuickBooks Online ("QuickBooks") company to MainStreetCFO, we access and process specific data from your QuickBooks account on your authorization. This section describes how we handle that data, in accordance with Intuit's developer policies.
Data we access
We request read-only access to your QuickBooks accounting data. Specifically, we read:
- Chart of accounts (account names, types, and numbers)
- Invoices and bills (counterparty, amount, balance, dates, status)
- Journal entries
- Purchases (vendor expenses)
- Sales receipts
- Deposits
- Company profile information (company name and country, used for display only)
We do not request access to write, modify, or delete data inside your QuickBooks company. We cannot move funds, send invoices, or change any record in QuickBooks. The OAuth scope we request is limited to com.intuit.quickbooks.accounting.
How we use the data
QuickBooks data is used solely to power the analyses, dashboards, AI insights, and reporting features inside MainStreetCFO for the same business that authorized the connection. We do not sell, rent, share, or otherwise disclose your QuickBooks data to third parties for advertising, marketing, or profiling.
Where the data is stored
Synced QuickBooks data is stored in our multi-tenant Postgres database (Supabase, hosted on AWS) and is isolated per organization at the database layer using row-level-security policies. Your OAuth access and refresh tokens are encrypted at rest with AES-256-GCM (authenticated encryption) before being written to the database. All transport is over TLS 1.2 or higher.
Sharing with AI sub-processors
When you ask MainStreetCFO's AI assistant questions, relevant snippets of your QuickBooks data may be sent to our AI sub-processors (Anthropic and Google) under standard service-provider terms, solely to generate the response you requested. These sub-processors do not use your data to train their models. We never send raw data dumps; only the minimum context required for the requested analysis.
Disconnecting and deleting your QuickBooks data
You can disconnect QuickBooks from MainStreetCFO at any time, in two places:
- Inside MainStreetCFO, on the Integrations page. You will be asked whether to keep or delete the synced data.
- Inside QuickBooks, by removing the app from Intuit's "My Apps" page. When you disconnect on Intuit's side, we receive a notification and automatically revoke our tokens and delete your synced QuickBooks data within minutes.
Either way, we revoke our OAuth tokens with Intuit so they cannot be used again. If you choose to delete data, every row in our database that originated from your QuickBooks company is permanently removed. Manually uploaded files and operational datasets you created in MainStreetCFO are not affected.
You may also email us at privacy@mainstreetcfo.ai to request a complete export or deletion of all data we hold on your behalf.
Data retention
We retain QuickBooks data for as long as the connection is active or until you request deletion. After disconnect with deletion requested, data is removed immediately. Database backups (point-in-time recovery) may retain a copy for up to 30 days before they roll off; backups are not used to repopulate your account after a deletion request.
Security
MainStreetCFO complies with Intuit's Developer Code of Conduct and Security Requirements for QuickBooks Online apps, including encrypted token storage, transport-layer security, OAuth state CSRF protection, signed webhook verification, and rate-limited API usage.
Questions
If you have questions specifically about how MainStreetCFO handles your QuickBooks data, email privacy@mainstreetcfo.ai.
14. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: