Privacy Policy

Incremenza LLC ("Incremenza," "we," "us," or "our") operates the Incremenza platform at incremenza.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Information You Provide

When you create an account or use our Service, we collect:

• Account Information: Name, email address, company name, business address, phone number
• Single Sign-On (SSO): If you choose to sign in using Google or Microsoft, we receive your name, email address, and a unique profile identifier from that provider. We do not receive your password. You can disconnect SSO at any time from your account security settings.
• Profile Information: Job title, team name, role within your organization
• Payment Information: When you process payments through our embedded payment features, we collect billing details necessary for transaction processing (handled securely by Stripe)

1.2 Financial Data from Integrations

When you connect third-party financial services to Incremenza, we collect and process:

• Bank Account Data (via Plaid): Transaction history, account balances, account numbers (masked), routing numbers, transaction descriptions, merchant names, transaction dates and amounts
• Payment Processor Data (Stripe, Square, PayPal): Customer information, payment transactions, subscription details, invoice data, refund information, payment methods (last 4 digits only), transaction fees
• Accounting Data (QuickBooks Online): We read the following data from QuickBooks Online: chart of accounts, invoices, bills, payments, customer records, vendor information, and account categories. We do not write data back to QuickBooks Online unless you have explicitly enabled two-way sync, in which case categorized transaction updates are written back to your QuickBooks account.
• OAuth Credentials: Access tokens and refresh tokens for connected integrations (encrypted at rest using industry-standard encryption)

Important: We do not store full credit card numbers, bank account numbers, or CVV codes. Payment card data is tokenized and stored securely by our payment processor (Stripe) in compliance with PCI DSS standards.

Financial data obtained through Plaid is used solely to provide the Incremenza service to you and to display your financial information within the platform. We do not sell, share, or use Plaid-sourced financial data for advertising, marketing to third parties, or any purpose other than delivering the service you have requested.

1.3 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent on the Service, interaction patterns
• Device Information: IP address, browser type and version, operating system, device identifiers
• Cookies and Tracking: Session cookies, authentication tokens, analytics cookies (see our Cookie Policy for details)
• Log Data: Server logs including access times, error messages (with sensitive data redacted), and system activity

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 Service Delivery

• Provide, operate, and maintain the Incremenza platform
• Process and reconcile financial transactions from connected integrations
• Automatically categorize transactions to provide financial insights
• Calculate financial metrics (revenue, expenses, profit, burn rate, runway)
• Generate business performance reports and analytics
• Manage your account, subscriptions, and billing
• Process payments through our embedded payment system (1.5% platform fee applies in addition to Stripe's standard processing fees)

2.2 AI-Powered Features

We use Google's Gemini AI API (paid tier) to:

• Automatically classify and categorize financial transactions based on merchant names and transaction patterns
• Generate business insights based on aggregated financial summaries (revenue, expenses, profit trends)

Data Privacy: We use Google's paid Gemini API tier, which means your data is not used to train Google's AI models. Before sending data to the AI service, we:

• Remove personally identifiable information (addresses, phone numbers) from merchant names
• Send only aggregated financial summaries (not individual transaction details) for insight generation
• Never send full bank account numbers, credit card numbers, or authentication credentials

2.3 Communication

• Send transactional emails (account notifications, integration status, sync alerts)
• Provide customer support and respond to inquiries
• Send product updates, feature announcements, and service-related information
• Send marketing communications (you may opt out at any time)

2.4 Security and Compliance

• Detect, prevent, and address technical issues, fraud, and security threats
• Monitor system health and integration connectivity
• Comply with legal obligations and enforce our Terms of Service
• Maintain audit logs for security and compliance purposes

2.5 Analytics and Improvement

• Analyze usage patterns to improve our Service and develop new features
• Conduct aggregated analytics (anonymized data only)
• Track feature adoption and user satisfaction via Google Analytics

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

3.1 Service Providers (Sub-Processors)

We share data with trusted third-party service providers who perform services on our behalf:

• Stripe: Payment processing, subscription management, embedded payments (PCI DSS compliant)
• Plaid: Bank account and credit card transaction synchronization
• Square: Point-of-sale and payment transaction synchronization
• PayPal: PayPal transaction and subscription synchronization
• QuickBooks (Intuit): Accounting data synchronization
• Google Gemini AI: Transaction classification and business insights (paid tier - data not used for training)
• Sentry: Error tracking and monitoring (sensitive data automatically redacted)
• Resend / Postmark: Transactional and marketing email delivery
• Google Analytics: Usage analytics and product improvement
• Google LLC — Authentication (Google Sign-In): Name, email address, and profile identifier when you sign in with Google
• Microsoft Corporation — Authentication (Microsoft Sign-In): Name, email address, and profile identifier when you sign in with Microsoft
• DigitalOcean (via Laravel Forge): Cloud hosting and database storage (San Francisco region)

All service providers are contractually obligated to protect your data and use it only for the purposes we specify. A complete list of sub-processors is available in our Data Processing Addendum.

3.2 Legal Requirements

We may disclose your information if required by law, court order, or legal process, or if we believe disclosure is necessary to:

• Comply with legal obligations or government requests
• Enforce our Terms of Service or other agreements
• Protect the rights, property, or safety of Incremenza, our users, or others
• Detect, prevent, or address fraud, security, or technical issues

3.3 Business Transfers

If Incremenza is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your information.

3.4 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

4. Data Security

We implement industry-standard security measures to protect your information:

4.1 Encryption

• Data in Transit: All data transmitted to and from Incremenza is encrypted using TLS 1.2 or higher
• Data at Rest: OAuth access tokens and refresh tokens are encrypted in our database using industry-standard encryption algorithms
• Payment Data: Credit card information is handled and stored exclusively by Stripe (PCI DSS Level 1 compliant) - we never store full payment card numbers

4.2 Access Controls

• Multi-tenant architecture with strict data isolation - users can only access their company's data
• Role-based access controls (Admin, Manager, User roles)
• Authentication required for all sensitive operations
• Regular security audits and authorization checks
• Account Access by Staff: Authorized Incremenza staff members may access your account for customer support and quality assurance purposes. All such access is logged with the staff member's identity, the account accessed, and the time and duration of access.

4.3 Infrastructure Security

• Hosted on DigitalOcean infrastructure (San Francisco region) via Laravel Forge managed services
• Automated database backups with two separate backup copies maintained
• Error monitoring with automatic redaction of sensitive data (tokens, card numbers, credentials)
• Regular security patches and software updates

4.4 Integration Security

• OAuth 2.0 for secure third-party integrations (Plaid, QuickBooks, Stripe, Square, PayPal)
• Users can disconnect integrations at any time - we immediately revoke OAuth tokens with the provider
• Historical transaction data is retained after disconnection for business continuity (deleted only when you close your account)
• Webhook signature verification to prevent unauthorized data injection

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: We retain all account and financial data while your account is active
• Disconnected Integrations: When you disconnect an integration (e.g., Plaid, QuickBooks), we retain historical transaction data to preserve your financial records and enable reconnection. This data is deleted only when you close your account.
• Closed Accounts: When you close your Incremenza account, we permanently delete your personal information and financial data within 90 days, except as required by law
• Legal Retention: We may retain certain information longer if required by law (e.g., tax records for 7 years in the United States) or to resolve disputes and enforce agreements
• Backup Data: Deleted data may persist in backup systems for up to 90 days before permanent deletion
• Aggregated Data: We may retain anonymized, aggregated data indefinitely for analytics and product improvement

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Access and Portability

• Request a copy of your personal information in a structured, machine-readable format
• Export your financial data (transactions, customers, objectives) from within the Incremenza platform

6.2 Correction and Update

• Update your account information, company profile, and user details directly in the application
• Request correction of inaccurate or incomplete information

6.3 Deletion

• Close your account and request deletion of your data at any time
• Disconnect individual integrations while retaining your Incremenza account
• Request deletion of specific data (subject to legal retention requirements)

6.4 Objection and Restriction

• Opt out of marketing communications (transactional emails cannot be disabled)
• Object to processing of your data for certain purposes
• Request restriction of processing in certain circumstances

6.5 Cookie Management

• Manage cookie preferences through your browser settings
• Opt out of Google Analytics tracking

To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days. For EU residents, you also have the right to lodge a complaint with your local data protection authority.

7. International Data Transfers

Incremenza is based in the United States (San Francisco, California). Our servers are located in the United States (DigitalOcean San Francisco region). If you access our Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to transfer personal data from the EEA to the United States. Our Data Processing Addendum (DPA) contains these clauses and is available upon request.

8. Children's Privacy

Incremenza is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Opt-Out: We do not sell personal information, so there is nothing to opt out of
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at [email protected]. We will verify your identity before processing your request.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Lawful Basis for Processing: We process your data based on contract performance (to provide our Service), legitimate interests (analytics, fraud prevention), and consent (marketing communications)
• Data Subject Rights: Access, rectification, erasure, restriction of processing, data portability, objection to processing
• Withdrawal of Consent: Where we rely on consent, you may withdraw it at any time
• Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

For GDPR-related requests or to obtain our Data Processing Addendum, contact [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page with a new "Last Updated" date
• Sending an email notification to the address associated with your account
• Displaying a prominent notice within the Incremenza platform

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: