Privacy Policy

Introduction

ClearStaq ("we," "our," or "us"), operated by Capital Gurus LLC, a Delaware limited liability company, is committed to protecting your privacy and the privacy of the individuals whose financial data you process through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered bank statement parsing, fraud detection, income verification, tax return parsing, and financial analysis services (collectively, the "Service").

ClearStaq processes sensitive financial information, including bank statements and tax returns that contain Nonpublic Personal Information ("NPI") as defined by the Gramm-Leach-Bliley Act (GLBA). We take this responsibility seriously and have designed our data processing pipeline to minimize data exposure and maximize security.

By using ClearStaq, you agree to the collection and use of information in accordance with this policy. If you are using ClearStaq on behalf of an organization, you represent that you have the authority to accept this policy on behalf of that organization.

Information We Collect

Account Information

When you create an account, we collect:

• Full name and email address
• Company or organization name
• Job title or role
• Phone number (optional)
• Password (stored as a cryptographic hash — we never store plain-text passwords)

Billing & Payment Information

When you subscribe to a paid plan or purchase Boost Packs, payment information (credit card number, billing address) is collected and processed directly by our payment processor, Stripe, Inc. ClearStaq does not store full credit card numbers on our servers. We retain only the last four digits of your card, card type, and billing address for record-keeping purposes.

Usage Data

We automatically collect information about how you interact with our Service, including:

• API call logs (endpoint, timestamp, response status, credit consumption)
• Feature usage metrics (documents processed, fraud checks run, integrations used)
• Performance and error metrics
• Browser type, operating system, and device information
• IP address and approximate geographic location
• Referring URLs and pages visited on our marketing website

Communications

When you contact our support team or communicate with us via email, we collect the content of those communications along with any metadata (e.g., timestamps, email addresses).

Financial Document Processing

ClearStaq's core service involves processing sensitive financial documents. This section details exactly how we handle these documents at each stage.

What We Process

You may upload the following document types for analysis:

• Bank Statements (PDF): We extract account holder name, account numbers, routing numbers, transaction details (dates, amounts, descriptions, categories), daily balances, statement periods, and financial summaries
• Tax Returns (PDF): We extract income figures, filing status, entity information, and other structured data from tax return documents

Data Processing Pipeline

What We Store vs. What We Delete

How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To process your financial documents, generate parsed results, run fraud detection, calculate income verification, and deliver analysis through our web app and API
• Account Management: To create and manage your account, process payments, track credit usage, and manage team permissions
• Service Improvement: To analyze aggregated, anonymized usage patterns to improve our AI models, user experience, and service reliability (see "AI & Machine Learning" section)
• Support: To respond to your inquiries, troubleshoot issues, and provide technical support
• Communications: To send you transactional emails (receipts, usage alerts, security notifications), product updates, and, with your consent, marketing communications
• Security: To detect and prevent fraud, abuse, and unauthorized access to our platform
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests

Nonpublic Personal Information (NPI) & GLBA

The financial documents processed through ClearStaq may contain Nonpublic Personal Information ("NPI") as defined by the Gramm-Leach-Bliley Act (GLBA), including but not limited to:

• Bank account numbers and routing numbers
• Account holder names and addresses
• Transaction histories, amounts, and descriptions
• Account balances and financial summaries
• Income and tax information
• Social Security Numbers (if present on tax returns)

Our GLBA-Aligned Commitments

As a service provider processing NPI on behalf of our customers, ClearStaq commits to the following:

• Purpose Limitation: NPI is processed solely for the purpose of providing the Service as directed by you. We do not use NPI for our own marketing, advertising, or unrelated business purposes
• Access Controls: Access to NPI is restricted to authorized systems and personnel who require it to deliver the Service, and all access is logged and auditable
• Safeguards: We maintain administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of NPI, including AES-256 encryption at rest, TLS 1.3 in transit, and SOC 2 Type II certified controls
• No Disclosure: We do not disclose NPI to non-affiliated third parties except as necessary to provide the Service (via sub-processors listed below), as required by law, or as otherwise authorized by you
• Disposal: Original documents containing NPI are permanently deleted after processing. Extracted data is retained only as long as your subscription is active and for the wind-down period described in our Data Retention section

If you are a financial institution subject to GLBA, you acknowledge that you are the data controller and are responsible for providing required privacy notices to your customers. ClearStaq acts as your service provider/data processor.

Data Sharing & Sub-Processors

We do not sell your personal information or NPI. We never have and we never will.

We share information only with the following categories of recipients, and only to the extent necessary:

Sub-Processors

We use the following third-party service providers ("sub-processors") to operate ClearStaq:

Other Disclosures

We may also disclose information:

• Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy with respect to your information
• With Your Consent: When you explicitly direct us to share data, such as through third-party integrations (Salesforce, Zapier, HubSpot, QuickBooks) that you configure

Data Retention

We retain different types of data for different periods, based on the purpose for which it was collected:

You may request early deletion of your parsed results and account data at any time by contacting [email protected]. We will process deletion requests within thirty (30) days, subject to our obligation to retain certain records for legal compliance.

AI & Machine Learning

ClearStaq uses artificial intelligence and machine learning to power document parsing, fraud detection, and financial analysis. We believe in transparency about how AI interacts with your data:

• No Raw Data Training: We do not use your uploaded documents, parsed results, or identifiable financial data to train or fine-tune our AI models. Your data is your data
• Aggregated Patterns Only: We may derive aggregated, anonymized, and de-identified statistical patterns from processing activity to improve model accuracy. Examples include general document format distributions, common parsing error patterns, and anonymized fraud signal frequency data. These aggregated patterns cannot be used to re-identify any individual, customer, or specific document
• Third-Party AI Models: Where we use third-party AI services in our processing pipeline, your document data is processed under strict data processing agreements that prohibit the third party from using your data for their own model training
• Opt-Out: If you wish to opt out of even anonymized aggregated pattern analysis, contact us at [email protected]

Team & Organization Data

If you use ClearStaq as part of a team or organization account:

• Admin Visibility: Team administrators can view the names, email addresses, roles, and activity of all team members, including documents processed, credits consumed, and features used
• Shared Workspace: Parsed results, fraud reports, and financial analyses uploaded by any team member may be visible to other team members based on role-based access controls configured by the team administrator
• Admin Control: Team administrators can add or remove team members, change roles, and export or delete team data. If a team admin removes you from the team, your individual access to the team's data is revoked
• Departure: When you leave a team, any data you processed on behalf of the team remains with the team account. Your individual account (if you have one) is separate from the team account

Security

We implement comprehensive security measures to protect your information, including financial documents and NPI:

• Encryption at Rest: All stored data is encrypted using AES-256 encryption
• Encryption in Transit: All data in transit is protected by TLS 1.3
• Access Controls: Role-based access controls with least-privilege principles. All administrative access requires multi-factor authentication
• SOC 2 Type II: Our security controls are independently audited under the SOC 2 Type II framework
• PCI DSS: Payment processing complies with PCI DSS requirements through our partnership with Stripe
• Infrastructure Security: Network segmentation, intrusion detection, vulnerability scanning, and regular penetration testing
• Employee Security: Background checks, security training, and strict access policies for all employees who may interact with production systems
• Incident Response: Documented incident response plan with defined escalation procedures

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information
• Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g., legal compliance, completing a transaction)
• Right to Correct: You may request correction of inaccurate personal information we maintain about you
• Right to Opt-Out of Sale: We do not sell personal information. We have never sold personal information and have no plans to do so
• Right to Opt-Out of Sharing: We do not share personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Information: We process sensitive personal information (financial data) solely as necessary to provide the Service as requested by you
• Non-Discrimination: We will not discriminate against you for exercising any of these rights

To exercise any of these rights, contact us at [email protected] with the subject line "CCPA Request." We will verify your identity before processing the request and respond within forty-five (45) days.

International Data Transfers

ClearStaq is operated by Capital Gurus LLC in the United States. All data processing, including financial document parsing, fraud detection, and data storage, occurs within the United States.

If you access ClearStaq from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your data to the United States.

EU/EEA/UK Users

If you are located in the European Union, European Economic Area, or United Kingdom, we acknowledge your rights under the General Data Protection Regulation (GDPR) and the UK GDPR. ClearStaq is primarily a B2B service for U.S.-based financial professionals; however, if you use our Service from the EU/EEA/UK:

• Data transfers to the U.S. are conducted based on your explicit consent and/or the necessity of transfer for the performance of the contract between you and ClearStaq
• You have the right to access, rectify, erase, restrict processing, and port your personal data
• You have the right to object to processing and to withdraw consent at any time
• You have the right to lodge a complaint with your local data protection supervisory authority

For GDPR-related requests, contact [email protected].

Your Rights

Regardless of your location, as a ClearStaq user you have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your personal information and parsed results
• Export: Request an export of your data in a machine-readable format (JSON)
• Opt-Out: Opt out of non-essential communications and marketing emails at any time via unsubscribe links or by contacting us
• Restrict Processing: Request that we restrict certain processing activities
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time

To exercise these rights, contact [email protected]. We will respond to all requests within thirty (30) days, or within the timeframe required by applicable law.

Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information or financial data processed through ClearStaq:

• Notification Timeline: We will notify affected users within seventy-two (72) hours of confirming a breach, in accordance with GDPR timelines and consistent with U.S. state breach notification laws
• Notification Content: Our notification will include the nature of the breach, the types of data involved, the actions we have taken to contain and remediate the breach, and steps you can take to protect yourself
• Regulatory Notification: We will notify applicable regulatory authorities as required by law
• Ongoing Updates: We will provide timely updates as our investigation progresses

Children & Age Restrictions

ClearStaq is a business-to-business (B2B) service designed exclusively for use by financial professionals, lenders, MCA brokers, CPAs, and accounting firms. Our Service is not intended for individuals under the age of eighteen (18).

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to promptly delete that information. If you believe we have inadvertently collected information from a minor, please contact us at [email protected].

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals.

ClearStaq's marketing website does not use third-party advertising trackers or cross-site tracking technologies. We use only privacy-focused analytics (Vercel Analytics), which does not track users across websites. As such, the presence or absence of a DNT signal does not materially change our data collection behavior. We do not serve targeted advertisements and do not share browsing data with ad networks.

Cookies

We use essential cookies to operate our services and privacy-focused analytics to understand how users interact with our platform. We do not use advertising or cross-site tracking cookies.

For full details, including a complete list of cookies, their purposes, and how to manage them, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• Post the updated policy on this page with a revised "Last updated" date
• Notify you by email to the address associated with your account
• Provide a prominent notice on our Service for at least thirty (30) days

We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, please contact us: