Privacy Policy
Effective · Last updated April 21, 2026
ClearCount ("ClearCount", "we", "us") takes your privacy seriously. This policy explains what information we collect when you use clearcount.ai and the app at app.clearcount.ai, why we collect it, who we share it with, and the rights you have over it. We've written this in plain English; legal definitions follow where they matter.
1. Who we are
ClearCount provides an AI-powered financial management platform for e-commerce operators. We act as the data controller for the information we collect directly from you (account details, usage data). For data we pull from your connected integrations (Shopify, your bank, your ad accounts, etc.) under your instruction, we act as a data processor on your behalf.
Contact for privacy matters: privacy@clearcount.ai.
2. Information we collect
2.1 Account information
When you register, we collect your name, email address, hashed password (or OAuth identifier if you sign in with a third party), workspace name, and role. We never see your plaintext password.
2.2 Integration data
When you connect an integration, we store the credentials you provide — OAuth access tokens, API keys, refresh tokens — encrypted at rest. Using those credentials (read-only scopes where offered), we then pull the data you've asked us to manage:
- Shopify: orders, refunds, payouts, products, inventory costs, store settings
- Banks (Mercury, Slash): account balances, transactions, payouts
- PayPal: balances, transactions
- Suppliers (Zendrop, DSers): invoices, supplier orders, COGS
- Ad platforms (Meta Ads, Google Ads): daily spend by campaign and ad set
- Google Analytics 4: sessions, conversion rate, traffic sources
This data is stored in our database so the dashboard, reports, and AI assistant can operate without repeatedly polling the source APIs. We never write back to these integrations.
2.3 Usage and technical data
We log basic technical information required to run the service: IP address, browser type, pages visited, and features used. We use this for security, debugging, and product analytics. We do not use behavioral advertising and do not sell data to third-party advertisers.
2.4 Cookies and similar technologies
We use strictly necessary cookies to keep you signed in (a session cookie set by NextAuth) and, optionally, functional cookies to remember your UI preferences (theme, sidebar state). We use Vercel's privacy-friendly Analytics for page-load metrics — it does not fingerprint or track individuals across sites.
3. How we use your information
- To provide the service you signed up for: syncing data, categorizing transactions, reconciling payouts, generating reports.
- To run the AI assistant: we pass relevant context from your workspace to third-party LLM providers (see Section 5) so Nova can answer your questions about your numbers.
- To authenticate you and keep your account secure.
- To send you transactional emails (sign-up confirmations, security alerts, sync failures).
- To monitor service health, debug issues, and improve the product.
- To comply with legal obligations (tax, fraud prevention, subpoena response).
4. Legal bases for processing (EU / UK residents — GDPR)
If you're in the EEA, UK, or Switzerland, we rely on the following lawful bases under Articles 6 and 9 of the GDPR:
- Contract (Art. 6(1)(b)) — to provide the service you've signed up for.
- Legitimate interests (Art. 6(1)(f)) — to secure, debug, and improve the service, and to prevent fraud. You can object to this at any time.
- Consent (Art. 6(1)(a)) — for any optional processing (e.g. product emails you've opted into). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requirements.
6. International data transfers
Our primary infrastructure is hosted in the United States. If you access the service from outside the US, your information will be transferred to and processed there. For transfers of EEA, UK, and Swiss personal data outside of those regions, we rely on the European Commission's Standard Contractual Clauses (2021/914) with our sub-processors, supplemented by additional security measures where appropriate.
7. Data retention
We retain account data for as long as your workspace is active, plus up to 90 days after deletion for backup rotation. Financial data synced from integrations is retained for the life of the workspace — you can delete it at any time from Settings → Data Management. Audit logs and security records are retained for up to 2 years to meet legal and forensic requirements.
8. Security
All data is encrypted in transit (TLS 1.2+). Integration credentials are encrypted at rest with a symmetric key held in a separate environment. Database connections use SSL. Access to production systems is restricted to on-call engineers and audited. No security program is perfect — if you believe you've found a vulnerability, please email security@clearcount.ai.
9. Your privacy rights
9.1 GDPR rights (EU, UK, Switzerland)
- Access a copy of the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") where no legal obligation requires us to keep it.
- Restrict processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your national supervisory authority. For reference: the Irish DPC acts as lead supervisory authority for many EU users.
9.2 California rights (CCPA / CPRA)
California residents have the right to:
- Know what categories of personal information we've collected and how we use it.
- Delete personal information we hold about you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share personal information in this sense.
- Limit the use of sensitive personal information. ClearCount does not use sensitive personal information for purposes beyond providing the service.
- Be free from retaliation for exercising any of these rights.
9.3 Other US states (VA, CO, CT, UT, TX, OR, etc.)
Residents of other US states with comprehensive privacy laws have rights substantially similar to the CCPA — access, deletion, correction, and opt-out from targeted advertising. To exercise any of these rights, email us at privacy@clearcount.ai from the email address on your account, or use the in-app data-management tools. We will respond within 45 days (or 30 days for GDPR requests).
10. Children's privacy
ClearCount is a business tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Third-party links
Our site may link to third-party sites (Shopify Partners, payment providers, etc.). We are not responsible for the privacy practices of those sites. Review their policies before providing information.
12. AI and automated decision-making
The Nova assistant uses large language models to answer your questions about your workspace's data. When you chat with Nova, the relevant context from your data is sent to the LLM provider (Anthropic or OpenAI) named in Section 5. Providers retain chat content per their published policies — typically retained for a short fraud-prevention window and not used to train their models. Nova does not make consequential automated decisions about you (no credit decisions, no eligibility decisions).
13. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email or an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the latest version.
14. Contact us
Questions, requests, or complaints: privacy@clearcount.ai.
Postal address for data-protection correspondence: [ClearCount legal entity name, registered address].