Legal Document

Privacy Policy

Effective Date: December 18, 2025
Version: 1.0
Governing Law: State of Delaware
Questions: [email protected]

This Privacy Policy describes how CFO Engine, Inc. collects, uses, stores, and protects information in connection with our enterprise financial management platform. We are committed to transparency and to the responsible stewardship of your data.

This Privacy Policy ("Policy") applies to CFO Engine, Inc. ("CFO Engine," "we," "us," or "our") and governs the collection, use, disclosure, and protection of information obtained through our software-as-a-service platform and related services (the "Service"). This Policy applies to enterprise customers ("Customers") and their authorized users ("Users") who access the Service under a subscription agreement.

This Policy should be read in conjunction with our End User License Agreement. In the event of any conflict between this Policy and the EULA with respect to data handling, the terms of the applicable Data Processing Addendum (if executed) shall control.

1. INFORMATION WE COLLECT

1.1 Customer-Provided Financial and Business Data

The Service is designed to receive, store, and process enterprise financial data submitted by our Customers. This data is provided at the Customer's direction and may include:

  • General ledger data, journal entries, trial balances, and chart of accounts information;
  • Financial statements including income statements (P&L), balance sheets, and cash flow statements;
  • Accounts receivable (AR) and accounts payable (AP) data, including aging reports, vendor records, and customer invoices;
  • Payroll data, including employee compensation records, benefits information, and payroll tax filings;
  • Budget and forecast models, including variance analyses and multi-scenario financial projections;
  • Cap table data, equity compensation records (stock options, RSUs, warrants), and equity round documentation (SAFEs, convertible notes, priced rounds);
  • Tax records and documentation, including federal and state filings, R&D tax credit analyses, and supporting workpapers;
  • Board of directors materials, investor reporting packages, and related strategic financial communications;
  • SaaS and operational KPIs, including ARR, MRR, churn rates, CAC, LTV, burn rate, and runway metrics;
  • Banking, treasury, and cash management data, including bank statements and cash flow forecasts;
  • Integration data imported from connected third-party systems, which may include QuickBooks, Xero, NetSuite, Rippling, Gusto, Carta, Bill.com, Ramp, and similar platforms.

1.2 Account and Registration Information

When a Customer establishes an account, we collect information necessary to create and manage the account, including:

  • Company legal name, doing-business-as name (if applicable), and jurisdiction of formation;
  • Authorized administrator name, email address, and title;
  • Billing address and payment information (processed through our PCI-DSS compliant payment processor; we do not store raw payment card data);
  • Subscription tier and Order Form details.

1.3 User Account Information

For each Authorized User provisioned under a Customer account, we collect:

  • Name, email address, and job title;
  • Role-based access level (e.g., administrator, analyst, read-only);
  • Authentication credentials (passwords are stored using industry-standard hashing; we do not store plaintext passwords);
  • Multi-factor authentication configuration.

1.4 Usage and Technical Data

We automatically collect certain technical and usage data when you access or use the Service, including:

  • IP address, browser type and version, operating system, and device identifiers;
  • Pages and features accessed, time spent, and navigation patterns within the Service;
  • API call logs, including endpoints accessed and response codes (excluding request and response payloads containing Customer Data);
  • Error logs and diagnostic data used to identify and resolve technical issues;
  • Session identifiers and authentication tokens.

1.5 Communications and Support Data

We collect information you provide when you contact us for support, send us feedback, or otherwise communicate with us, including the content of such communications and associated metadata.

2. HOW WE USE INFORMATION

2.1 Service Delivery

The primary purpose for which we process Customer Data is to provide, operate, and maintain the Service as described in our EULA and Order Forms. This includes:

  • Hosting, storing, and processing financial data submitted to the Service;
  • Enabling data imports from and exports to integrated third-party financial systems;
  • Generating reports, analyses, dashboards, and outputs as directed by the Customer;
  • Facilitating multi-user collaboration and role-based access to financial data;
  • Maintaining audit logs of platform activity for security and accountability purposes.

2.2 Service Improvement and Development

We use usage and technical data, as well as de-identified and aggregated information derived from Customer Data, to:

  • Monitor Service performance, availability, and reliability;
  • Identify, diagnose, and resolve technical issues and bugs;
  • Develop new features, improve existing functionality, and enhance the user experience;
  • Conduct internal analytics and research regarding platform usage patterns.

2.3 Security and Fraud Prevention

We use technical and usage data to: detect and prevent unauthorized access, fraudulent activity, and security threats; enforce our EULA and acceptable use policies; and protect the rights, property, and safety of CFO Engine, our Customers, and third parties.

2.4 Customer Communication

We use account and contact information to: communicate with Customers and Authorized Users regarding their accounts, subscriptions, and support requests; provide product updates, release notes, and service announcements; and send billing-related communications. Customers may opt out of non-essential marketing communications at any time.

2.5 Legal and Compliance

We may process information as necessary to comply with applicable legal obligations, respond to lawful requests from government authorities, enforce our legal rights, and protect against legal claims.

2.6 Aggregated Industry Insights

We may use de-identified and aggregated data (from which individual Customer identity has been removed) to produce industry benchmarks, market trend analyses, and similar reports. Such outputs will never identify a specific Customer or allow identification of a Customer's data.

3. HOW WE SHARE INFORMATION

3.1 No Sale of Customer Data

CFO Engine does not sell, rent, or trade Customer Data to any third party for any commercial purpose. We do not permit third parties to use Customer Data for their own marketing, advertising, or commercial purposes.

3.2 Service Providers and Subprocessors

We engage carefully vetted third-party service providers ("Subprocessors") who process Customer Data on our behalf in connection with the operation of the Service. These include providers of cloud infrastructure and hosting, data backup and disaster recovery, security monitoring, customer support software, and billing systems. All Subprocessors are bound by contractual obligations requiring them to: (a) process Customer Data only on our documented instructions; (b) maintain appropriate technical and organizational security measures; and (c) not further disclose Customer Data without authorization.

A current list of our principal Subprocessors is available upon request at [email protected].

3.3 Third-Party Integrations

At Customer's direction and with Customer's authorization, the Service may connect to and exchange data with third-party financial platforms (including accounting systems, payroll platforms, and cap table management tools). CFO Engine is not responsible for the privacy practices of these third-party platforms. Customers should review the privacy policies of any platforms they choose to integrate.

3.4 Legal Disclosures

We may disclose Customer Data or account information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, or valid legal process; (b) respond to requests from government or regulatory authorities; (c) protect the rights, property, or safety of CFO Engine, our Customers, or the public; or (d) detect, prevent, or address fraud or security issues. Where legally permitted, we will provide prior notice to the affected Customer before disclosing Customer Data pursuant to a legal demand.

3.5 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, Customer Data and account information may be transferred to the acquiring entity, provided that the acquiring entity agrees to honor the data protection commitments set forth in this Policy and applicable agreements.

3.6 Aggregated and De-Identified Data

We may share with third parties, for industry research, benchmarking, and analytical purposes, aggregated, de-identified data that cannot reasonably be used to identify a Customer or any individual.

4. DATA SECURITY

4.1 Security Program

CFO Engine maintains a comprehensive information security program commensurate with the sensitivity of the financial data we process. Key elements of our security program include:

  • Encryption of all Customer Data in transit using TLS 1.2 or higher;
  • Encryption of Customer Data at rest using AES-256 or equivalent encryption;
  • Role-based access controls (RBAC) ensuring personnel access Customer Data only on a need-to-know basis;
  • Multi-factor authentication (MFA) enforcement for all internal staff accessing Customer Data environments;
  • Network segmentation, firewalls, and intrusion detection systems;
  • Regular third-party penetration testing and vulnerability assessments;
  • Background checks for personnel with access to Customer Data environments;
  • Employee security awareness training conducted at least annually;
  • Ongoing security audit and compliance activities, including CFO Engine's program to achieve SOC 2 Type II certification.

4.2 Security Incident Response

In the event of a confirmed security incident that involves unauthorized access to or disclosure of Customer Data, CFO Engine will: (a) promptly investigate and contain the incident; (b) notify affected Customers within seventy-two (72) hours of confirming that Customer Data was affected; (c) provide reasonable information regarding the nature and scope of the incident; and (d) cooperate with Customers in their own response obligations under applicable law.

4.3 Customer Security Responsibilities

Customers are responsible for: maintaining the security of access credentials for their accounts; configuring appropriate role-based access permissions for Authorized Users; promptly reporting any suspected unauthorized access to CFO Engine; and implementing appropriate controls over the devices and networks used to access the Service.

5. DATA RETENTION

5.1 Retention During Subscription

Customer Data is retained for the duration of the applicable Subscription Term, plus a post-termination export period of thirty (30) days during which Customers may retrieve their data.

5.2 Post-Termination Deletion

Following the expiration of the export period, CFO Engine will delete or render irrecoverable Customer Data from active systems within ninety (90) days, and from backup systems within ninety (90) days, except as necessary to comply with applicable legal obligations (including document retention requirements applicable to financial services firms).

5.3 Retention of Account and Usage Data

Account registration data and usage logs may be retained for a period of up to seven (7) years following the end of the Customer relationship to satisfy legal, regulatory, and audit requirements. De-identified usage data may be retained indefinitely.

5.4 Legal Holds

Notwithstanding the foregoing, CFO Engine may retain Customer Data for longer periods as required by applicable law or in connection with pending or reasonably anticipated legal proceedings.

6. CUSTOMER AND USER RIGHTS

6.1 Access and Portability

Authorized Users may access and export Customer Data through the self-service tools provided within the Service at any time during the Subscription Term. Customers who require assistance with data access or export may contact our support team.

6.2 Correction and Update

Customers and Authorized Users may update their account information and User profile data through the platform's account settings at any time. Corrections to Customer Data may be made directly within the platform.

6.3 Deletion

Customers may request deletion of their account and associated data by submitting a written request to [email protected]. Deletion of Customer accounts is subject to the terms of the applicable EULA, including applicable notice periods and the Customer's right to export data prior to deletion.

6.4 Restriction of Processing

Customers may restrict CFO Engine's processing of Customer Data (other than processing necessary to maintain the Service) by configuring data access settings within the platform or by contacting us at [email protected].

6.5 Applicable Privacy Law Rights

To the extent required by applicable data protection laws (including CCPA, GDPR, or other applicable privacy regulations), individuals whose personal data is processed through the Service as part of Customer Data may have additional rights. Customers, as the data controller for their Customer Data, are responsible for facilitating any such requests from their employees, end customers, or other individuals. CFO Engine will cooperate with Customers in responding to such requests as required under applicable law.

7. INTERNATIONAL DATA TRANSFERS

7.1 Data Location

Customer Data is stored and processed in data centers located within the United States. Customers who require Customer Data to remain within specific geographic regions should contact their account representative prior to initiating their subscription.

7.2 Cross-Border Transfers

To the extent that Customer Data originates from or includes personal data of individuals located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with transfer restrictions, such data will only be transferred to recipients that provide adequate safeguards as required by applicable data protection law (including, where applicable, through Standard Contractual Clauses or other approved transfer mechanisms). Customers with cross-border transfer compliance requirements should contact [email protected] to discuss their specific needs.

8. COOKIES AND TRACKING TECHNOLOGIES

CFO Engine uses cookies and similar tracking technologies in connection with the Service for the following purposes:

  • Session management and authentication (required for Service functionality);
  • Security and fraud detection;
  • Service performance monitoring and error logging;
  • User preference storage (e.g., display settings).

We do not use cookies for cross-site behavioral advertising or to track Users across third-party websites. Users may configure their browser settings to decline cookies, but doing so may affect Service functionality. We do not currently respond to "Do Not Track" signals.

9. CHILDREN'S PRIVACY

The Service is designed for enterprise business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from an individual under 18, we will take prompt steps to delete such information.

10. CHANGES TO THIS POLICY

CFO Engine may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will provide notice of material changes by: (a) posting the updated Policy on our website with an updated effective date; and (b) delivering written notice to the primary Customer contact on file at least thirty (30) days prior to the effective date of material changes. Customer's continued use of the Service following the effective date of any updated Policy constitutes acceptance of the revised terms.

The version history of this Policy is available upon request.

11. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or CFO Engine's data practices, please contact:

For privacy-related inquiries, including requests to exercise data subject rights or to escalate a data protection concern, please contact us at [email protected].