Privacy Policy

Last updated: March 23, 2026

TreasuryFlow ("we", "our", "us") is operated by Pantoll Ventures LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

Account Information: When you sign up, we collect your email address and optional full name. We generate a hashed API key for authentication — we never store the raw key.

Financial Data (via Plaid): When you connect a bank account, Plaid transmits transaction data to our servers. We process this data using our privacy-first architecture:

• Exact transaction amounts are securely stored and delivered to your authenticated Excel ledger for precise cross-bank reconciliation
• For internal categorization and ML, amounts are converted into privacy-preserving magnitude buckets (Micro, Small, Medium, Large, XLarge)
• We store merchant names, transaction dates, direction (inflow/outflow), amounts, and magnitude categories
• We never store bank account numbers or routing numbers
• Exact amounts never appear in application logs, error reports, or ML training data

Billing Information: Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status. We never see or store your credit card details.

2. How We Use Your Information

• To provide the TreasuryFlow service: transaction categorization, cash flow forecasting, variance analysis, bank fee analysis, working capital metrics, runway projections, and vendor intelligence
• To generate AI-powered insights (forecasts, scenario analysis, recommendations) using Google Gemini — your data is sent to Google's API in anonymized form and is not used for model training
• To authenticate your API requests via hashed API key lookup
• To manage your subscription and billing through Stripe
• To send transactional communications (account creation, billing events)

3. Privacy-First Architecture

TreasuryFlow is built on a privacy-first principle. Your exact transaction amounts are securely stored and delivered only through authenticated API endpoints to your Excel ledger. Our internal systems are designed to minimize exposure:

• Exact amounts are accessible only via your authenticated API key — never through logs, analytics, or internal tools
• Internal categorization and ML pipelines operate exclusively on magnitude buckets, not raw amounts
• Logs contain only request IDs and metadata — never financial data

4. Third-Party Services

• Plaid: Bank account linking and transaction data. See Plaid's Privacy Policy
• Stripe: Payment processing. See Stripe's Privacy Policy
• Google Gemini: AI-powered forecasting and recommendations. Transaction data sent to Google's API is anonymized (no account numbers, no PII). See Google AI Terms

5. Data Retention & Deletion

Your data is retained for as long as your account is active. Upon account cancellation, we delete all associated transaction data, Plaid tokens, and profile information within 30 days. You may request immediate deletion by contacting us.

6. Security

We implement industry-standard security measures including:

• API key authentication with SHA-256 hashing and timing-safe comparison
• Rate limiting on public endpoints
• CORS origin restrictions
• HTTPS-only communication
• No sensitive data in application logs

7. Your Rights

You have the right to:

• Access your stored data through your TreasuryFlow account dashboard
• Request deletion of your account and all associated data
• Disconnect your bank account at any time

8. Contact

For privacy-related inquiries, contact us at privacy@pantollventures.com.

← Back to TreasuryFlow