Privacy Policy

CairnTrail Software LLC ("CairnTrail," "we," "us," or "our"), an Ohio limited liability company, operates the Cairn suite of accounting tools (the "Service"). This Privacy Policy explains how we collect, use, store, and protect information when you use the Service.

1. Information We Collect

1.1. Account Information

When you create an account or are invited to a Firm, we collect:

• Name and email address
• Firm name and affiliation
• Role assignment (user, admin)

Account authentication is handled through Auth0. We store your Auth0 user identifier and email locally; passwords are managed entirely by Auth0 and are never stored by CairnTrail.

1.2. Firm Data

Data uploaded, entered, or generated through the Service by your Firm and its authorized users, including:

• Bank statement PDFs and extracted transaction data
• QuickBooks chart of accounts, vendor lists, and transaction records
• Client information and engagement records
• Tax return tracking data (household, individual, and business entity information)
• Documents uploaded through Cairn Docs
• AI categorization patterns and per-client instructions
• Activity logs and usage metrics

1.3. Payment Information

Payment processing is handled by Stripe. CairnTrail does not store credit card numbers, bank account details, or other payment credentials. We receive from Stripe: subscription status, invoice history, and billing contact information.

1.4. Usage Data

We collect information about how the Service is used, including:

• Feature usage and interaction patterns (e.g., number of statements processed, active users)
• Error logs and performance metrics
• Browser type, device information, and IP address

1.5. Waitlist Information

If you join our waitlist, we collect your name, email address, and optionally your firm name. This information is used solely to contact you about Service availability.

2. How We Use Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Authenticate users and manage access permissions
• Process bank statements and financial documents using AI-powered extraction and categorization
• Sync data with QuickBooks and other integrated services at your direction
• Process payments and manage subscriptions
• Send transactional communications (account invitations, billing notifications, service updates)
• Monitor and improve Service performance, reliability, and security
• Comply with legal obligations

We do NOT use Firm Data to:

• Train AI or machine learning models (third-party or our own)
• Sell or share with third parties for their own purposes
• Target advertising
• Profile users across Firms

3. AI Data Processing

The Service uses third-party AI services for bank statement extraction and transaction categorization. When AI features are used:

• Document content is transmitted to third-party AI providers for processing
• We use AI provider APIs with data processing terms that prohibit providers from using your data to train their models
• AI processing results are returned to and stored within your Firm's dedicated database
• Per-client AI instructions and learned categorization patterns remain within your Firm's data and are not shared with other Firms
• We log AI inputs and outputs locally for quality assurance, debugging, and cost tracking

4. Data Isolation and Storage

4.1. Database Isolation

Each Firm's data is stored in a dedicated PostgreSQL database, separate from all other Firms. This is not row-level filtering within a shared database. Each Firm has a physically separate database that can be independently backed up, restored, or deleted.

4.2. Cloud Storage

Uploaded files (bank statement PDFs, documents) are stored in Amazon S3 with firm-specific path prefixes. Files are encrypted at rest using AWS server-side encryption (AES-256).

4.3. Infrastructure

The Service is hosted on DigitalOcean (application servers) and DigitalOcean Managed PostgreSQL (databases). All data is stored in the United States.

4.4. Access Controls

Access to Firm Data is restricted by authentication (Auth0), role-based permissions, and database-level isolation. Only authenticated users with appropriate Firm membership and role can access data within their Firm's database.

5. Cross-Application Data Sharing Within Your Firm

Several applications in the Cairn Suite share data internally to support unified workflows within your Firm. This sharing occurs solely within the boundary of your Firm's data, and it never crosses Firm boundaries or reaches third parties.

Examples of cross-application data sharing within a single Firm:

• Cairn Contacts aggregates client information from Cairn Returns, Cairn Docs, Cairn Books, Cairn Statements, and Cairn Time to present a unified client profile to your Firm's authorized users
• Cairn Stack (the central portal) issues short-lived, signed authentication tokens that allow you to move between applications without re-logging in
• Usage and billing data is reported from individual applications back to Cairn Stack for consolidated subscription management

These integrations use authenticated internal APIs with bearer-token authorization. The same database isolation, role-based access controls, and security measures described above apply to all internal data sharing. Your data is never used to provide service to other Firms or to third parties through these mechanisms.

6. Data Sharing With Third Parties

We share information with third parties only in these circumstances:

6.1. Third-Party Service Providers

We use the following third-party services to operate the Service:

We may update the providers listed above as the Service evolves. Where a change is material (for example, the addition or replacement of a provider that processes Firm Data), we will reflect the change in an updated version of this Privacy Policy and, where reasonably possible, notify Firm administrators by email at least 30 days before the new provider begins processing Firm Data. If you object to a material change, you may terminate your subscription before the change takes effect; the data deletion provisions in Section 7 will apply on termination.

6.2. QuickBooks (at Your Direction)

When you enable QuickBooks integration, we access and sync data between the Service and your QuickBooks account as directed by you. This includes reading your chart of accounts and vendor lists, querying existing transactions for reconciliation, and writing approved transactions that you have explicitly chosen to sync.

6.3. Legal Requirements

We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4. Business Transfer

In the event of a merger, acquisition, or sale of assets, Firm Data may be transferred as part of the transaction. We will notify affected Firms before any such transfer.

We do NOT sell personal information or Firm Data to third parties.

7. Data Retention

• Active Subscriptions: Firm Data is retained for the duration of the subscription.
• After Cancellation: Firm Data is retained for at least 30 days to allow for export. After the retention period, your Firm's dedicated databases and associated cloud storage files are scheduled for deletion. Deletion from active systems generally completes within the retention window; deletion of all remaining copies, including operational backups, may take up to 60 additional days. You may request expedited deletion by contacting privacy@cairntrail.com.
• Account Information: Basic account records (name, email, firm affiliation) may be retained for up to 12 months after termination for legal and accounting purposes.
• Usage Data: Aggregated, anonymized usage data may be retained indefinitely for service improvement.
• Waitlist Data: Retained until you are onboarded or request removal.

8. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your information, including:

• Encryption in transit (TLS/HTTPS for all communications)
• Encryption at rest (AES-256 for stored files)
• Database-level isolation per Firm
• Role-based access controls
• Secure authentication via Auth0 (supporting multi-factor authentication)
• Regular security updates and dependency patching

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8.1. Security Incident Notification

If we become aware of a security incident affecting Firm Data, we will notify affected Firm administrators by email without undue delay and, where reasonably possible, within 72 hours of confirming the incident. Notification will describe the nature and scope of the incident, the categories of data affected, the steps we are taking, and any actions you may need to take. Where notification to a regulator, law-enforcement authority, or integration partner (including Intuit) is required by applicable law or by contract, CairnTrail will make those notifications in addition to notifying affected Firms.

Suspected incidents may be reported at any time to security@cairntrail.com. We acknowledge such reports within one business day.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your personal information (subject to data retention requirements and our obligations under contract or applicable law)
• Export your Firm Data, either through self-service export tools available within the Service or by request to privacy@cairntrail.com
• Withdraw consent for optional data processing

To exercise these rights, contact us at privacy@cairntrail.com. We will respond within 30 days, except that this period may be extended by such additional time as is permitted by applicable law for complex or voluminous requests, in which case we will inform you of the extension and the reason for it. Where you have provided personal information through your Firm rather than directly to CairnTrail, we may direct your request to your Firm administrator and assist them in responding.

9.1. California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information. These include the right to know what personal information we have collected, the right to delete personal information, the right to correct inaccurate information, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of the "sale" or "sharing" of personal information as those terms are defined under California law. CairnTrail does not sell personal information and does not share personal information for cross-context behavioral advertising. To exercise any of these rights, contact us at privacy@cairntrail.com. You will not be discriminated against for exercising these rights.

9.2. Other Jurisdictions

The Service is offered to accounting firms and their personnel located in the United States. You may have additional rights under privacy laws applicable in your jurisdiction, and where those laws grant you the right to lodge a complaint with a supervisory authority, you may do so. To exercise rights described in this Section 9, contact us at privacy@cairntrail.com.

10. QuickBooks-Specific Disclosures

In connection with our integration with Intuit QuickBooks Online and QuickBooks Desktop:

• We access QuickBooks Online data only with your explicit authorization via OAuth 2.0. For QuickBooks Desktop, access is established by installing our connection in the QuickBooks Web Connector with credentials you control
• We request only the permissions necessary to provide the Service: reading your chart of accounts and vendor lists, querying existing transactions for reconciliation, and writing approved transactions that you have explicitly chosen to sync
• OAuth refresh tokens for QuickBooks Online are stored encrypted at rest. Tokens are protected by application-layer authenticated encryption (Fernet, with PBKDF2-HMAC-SHA256 key derivation using 100,000 iterations and a per-record random salt) and by AES-256 storage encryption provided by our managed database infrastructure. OAuth credentials are never written to application logs and are scrubbed from error reports
• You may revoke our access to your QuickBooks Online account at any time. Disconnecting within the Cairn Statements interface calls Intuit's OAuth token revocation endpoint, clears your stored OAuth credentials, and invalidates cached account metadata (including the chart of accounts). You may also revoke access through your Intuit account settings or by removing CairnTrail from the list of connected apps in QuickBooks. For QuickBooks Desktop, you may remove our connection from the QuickBooks Web Connector at any time
• Following disconnection, transactions previously synced to QuickBooks at your direction, and per-client categorization patterns learned during the engagement, remain in your Firm's database to support audit and historical reference. These records are deleted under the data-retention schedule in Section 7 of this Privacy Policy when your subscription is cancelled, or earlier on request to privacy@cairntrail.com
• QuickBooks data accessed through the integration is stored within your Firm's dedicated database and is subject to the same data isolation and security measures described in this policy
• We do not use QuickBooks data for any purpose other than providing the Service to your Firm. QuickBooks data is never used to train AI or machine learning models, sold or shared with third parties, or used for advertising or cross-Firm analytics

11. Children's Privacy

The Service is designed for use by accounting professionals and is not directed at individuals under the age of 18. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Where a change is material, we will, where reasonably possible, communicate the change via email to Firm administrators at least 30 days before it takes effect. The "Last Updated" date at the top of this page reflects the most recent revision.

13. Contact

For questions about this Privacy Policy or our data practices:

CairnTrail Software LLC
Ohio, United States
Privacy and data protection: privacy@cairntrail.com
Product support: cairntrail.com/support · support@cairntrail.com