Privacy Policy
We collect what's needed to run your books and generate your forms. We do not sell it, share it with advertisers, or train models on it.
This Privacy Policy explains what data Dissregarded collects, why we collect it, who we share it with, and what rights you have. "Dissregarded," "we," and "us" refer to Your Brand Assistant LLC, a Wyoming limited liability company, operating the Service described in our Terms of Service.
What we collect
Account data
- Email address, hashed password, sign-in timestamps, IP address of last sign-in
- Organisation and entity names you create
- Optional: passkey and TOTP enrolment metadata
Entity and tax-form data (provided by you)
- Legal name, US Employer Identification Number (EIN), state of formation, date of incorporation, mailing address
- Principal business activity description and NAICS code
- Owner name, country of residence, country of citizenship, mailing address, and (where applicable) foreign tax identification number
Financial data (ingested from connected sources)
- Bank transactions you import via CSV or that we fetch from a bank you connect (Mercury or others), including amount, date, description, counterparty, and balance
- Categorisations and notes you add
- Receipts and attachments you upload
Operational data
- Application and server logs (request paths, status codes, timestamps), retained no longer than 30 days
- Error reports captured by our self-hosted error-tracking instance; we strip cookies, authorisation headers, and CSRF tokens before storage
We do not collect government identification documents, biometric data, or marketing-tracker IDs. The Service contains no third-party analytics, ad pixels, or social-network trackers.
Why we collect it
- To provide the Service — produce bookkeeping ledgers and the year-end PDF packages you came here for.
- To authenticate you — sign-in, password reset, two-factor enrolment.
- To maintain security — detect intrusion, investigate incidents, prevent fraud and abuse.
- To comply with law — respond to lawful requests, meet our own tax and accounting obligations.
- To communicate with you — transactional emails (verification, password reset, billing). We do not send marketing email without your explicit opt-in.
Where your data lives
Each customer organisation is provisioned its own isolated PostgreSQL database. There is no shared customer-data table.
Cross-tenant queries are physically impossible in our architecture.
Databases and application servers run on infrastructure hosted with our compute provider in Germany. Daily encrypted backups are retained for 30 days. OAuth tokens issued by banks (e.g., Mercury) are stored encrypted at rest using AES-256-GCM keyed off a key-encryption key (KEK) held by the application, separate from the database.
Who we share it with
We share data only with the categories of service providers necessary to operate the Service, and only the minimum required for them to perform their role. Each is bound by a written data-processing agreement.
We do not sell, rent, or trade your data. We do not share data with advertisers. We do not use your financial data to train machine-learning models, either ours or anyone else's.
Your rights
You can, at any time and free of charge:
- Access your data — most of it is visible in-app; a full structured export is available on request
- Correct data you provided, directly in-app
- Delete your account and the data tied to it — we will erase your tenant database within 30 days of confirmation, subject to the retention requirements below
- Export your data in a machine-readable format
- Disconnect any bank connection at any time; the access token is revoked and we no longer fetch new data from that source
- Object to processing, where the legal basis is our legitimate interest
To exercise these rights, email privacy@dissregarded.com from the address on your account. We respond within 30 days.
Equal treatment across jurisdictions
Whether you're in the EU, California, or anywhere else, the rights above apply to you. We don't tier them by jurisdiction.
The GDPR's right to access, rectification, erasure, portability, and objection — and the CCPA's right to know, delete, correct, and opt out of sale (we don't sell, so there's nothing to opt out of) — are all exercisable through the single privacy mailbox above.
Retention
We keep account and transaction data for as long as your account is active. On account deletion we erase the tenant database within 30 days. We may retain (a) backups for up to a further 30 days after which they expire automatically, (b) limited records required by law, such as billing records for tax compliance, and (c) anonymised aggregate metrics that no longer identify you.
Security
Data in transit is encrypted with TLS 1.2 or higher. Bank OAuth tokens are encrypted at rest with AES-256-GCM. Passwords are hashed with a memory-hard algorithm. Each customer organisation has a physically separate database. Production secrets are not exposed to build environments. Errors captured for debugging have sensitive headers stripped before storage.
We do not, and have no business reason to, ever look at your transactions.
Access by Dissregarded personnel is restricted to investigating support tickets or security incidents you raise. Report suspected vulnerabilities to security@dissregarded.com.
Children
The Service is not directed at and may not be used by anyone under 18. We do not knowingly collect data from minors.
International transfers
If you access the Service from outside the United States, your data may be transferred to and processed in the United States and other countries where our service providers operate. Where required, we rely on standard contractual clauses or equivalent safeguards.
Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated through the Service or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
Contact
Privacy questions or requests: privacy@dissregarded.com.
Security reports: security@dissregarded.com.