Legal

Privacy Policy

Last updated: 2026-05-22

EverCFO is operated by Celeste Business Advisors LLP (“EverCFO”, “we”, “our”, or “us”). This Privacy Policy explains what personal and business information we collect when you use EverCFO, how we use it, who we share it with, and the rights you have over it.

EverCFO is a financial analytics platform for small and medium-sized businesses. We read data from the accounting, commerce, and banking platforms you choose to connect, and surface insights and recommendations inside your own EverCFO workspace. We are a B2B product; we do not sell to or knowingly collect data from individuals under 18.

1. Information we collect

1.1 Information you provide directly

  • Account information. Name, email address, organization name, and password (stored hashed). Optional profile fields you fill in (job title, photo, time zone).
  • Onboarding answers. Information you provide during onboarding about your business model, revenue range, industry, sales channels, fulfillment model, and financial goals.
  • Custom instructions and memory. Any notes, preferences, or instructions you explicitly save to EverCFO for the AI to remember across future conversations.
  • Communications. Messages you send our support team and any feedback you submit through the product.

1.2 Information from connected integrations

When you connect a third-party service (e.g. Shopify, QuickBooks Online, Xero), we read business data through that provider’s authorized API:

  • Accounting platforms (QuickBooks Online, Xero): invoices, bills, customers, vendors, accounts, items, payments, journal entries, and account balances.
  • Commerce platforms (Shopify): orders, customers (name, email, billing/shipping city + postal code, order history), products, inventory, refunds, transactions.
  • Connection metadata. Store domain, organization identifier, last sync timestamp, and OAuth token state. We do not store the raw OAuth tokens ourselves — tokens are held and rotated by our authentication broker (Nango).

We do not read or store payment instrument details (card numbers, bank account numbers), employee government IDs, Shopify customer phone numbers, Shopify customer IP addresses, Shopify client/session fingerprint data (browser, user agent, session hash, browser dimensions), or end-customer browsing behavior. Our Shopify sync layer recursively scrubs these fields from raw payloads before they reach our database, and the canonical customer transform drops phone for Shopify-sourced rows. For QuickBooks Online and Xero connections, we do read phone numbers from the merchant’s customer + vendor contact records because phone is a standard B2B contact field for accounting data and is required for those analytics; see section 8 for the Shopify-specific scope statement.

1.3 Information collected automatically

  • Usage analytics. Pages you visit inside EverCFO, features you use, errors you encounter. Collected via PostHog for product improvement.
  • Session and security logs. Sign-in events, IP address at sign-in, device + browser type, and timestamps, used to detect suspicious activity.
  • AI interaction logs. The prompts you send to the AI, the responses you receive, and the data sources the AI consulted for each response. Used to ground responses, to improve recall, and to audit accuracy on your request.

2. How we use your information

  • To provide and operate the EverCFO product.
  • To compute financial KPIs, generate reports and deliverables, and surface AI-driven insights inside your workspace.
  • To send service-related notifications (e.g. integration failures, security alerts, billing receipts).
  • To improve the product and diagnose technical issues. We aggregate and anonymize usage data wherever possible.
  • To comply with legal, regulatory, and tax obligations.

We do not sell your data, share it with advertisers, or use it to train general-purpose AI models on behalf of third parties.

3. Sub-processors and data sharing

We rely on the following sub-processors to operate EverCFO. Each is bound by a data processing agreement and may access only the data needed to perform its function:

  • Supabase. Primary database (PostgreSQL with row-level security), authentication, and file storage. Data is tenant-isolated; queries are scoped to your organization identifier at the database level.
  • Vercel. Hosting for the EverCFO web application (Next.js front-end).
  • Railway. Hosting for the EverCFO back-end services (FastAPI).
  • Cloudflare. DNS resolution and web-application-firewall routing for evercfo.ai, plus inbound mail routing for our privacy@, security@, billing@, and legal@ inboxes via Cloudflare Email Routing.
  • Nango. OAuth and webhook broker for connected third-party integrations. Stores and rotates the OAuth tokens that authorize EverCFO to read your accounting and commerce data. For Shopify connections, EverCFO's Nango sync code scrubs Protected Customer Data fields (Shopify customer phone, browser IP, and client/session fingerprint) from every record before Nango stores it, so Nango never persists the fields EverCFO does not request access for. Identical scrubbing runs again in EverCFO's backend before raw data lands in our database.
  • Hookdeck. Inbound webhook routing — receives webhooks from providers (Shopify, QuickBooks, Xero, Nango) and forwards them to EverCFO's backend with retry and signature-verification guarantees.
  • OpenRouter. Routing layer that brokers requests to large-language-model providers (Anthropic, Google). Configured with data_collection: deny so prompts and responses are not retained by OpenRouter beyond what is necessary to fulfill the request.
  • Anthropic. Large-language-model provider used to generate chat responses, deliverables, and classifications. We configure routing through OpenRouter to Anthropic's paid API tier, whose terms exclude using customer prompts and responses to train Anthropic models.
  • Google. Large-language-model provider used for pre-pass classification (intent detection). We configure routing through OpenRouter to Google's paid API tier, whose terms exclude using customer prompts and responses to train Google models. We do not use unpaid Google AI Studio quota or any tier whose terms permit training on submitted content for any customer data.
  • OpenAI. Text-embedding model used to power semantic search across your past conversations with EverCFO. We use the paid API tier, whose terms do not use API content to train OpenAI's public models by default.
  • Langfuse. Observability for AI prompts and responses. Receives the system prompt, the user message, the AI-generated assistant output, and tool-call payloads from EverCFO's AI orchestrator so we can debug accuracy regressions and compare prompt versions across model swaps. Hosted on Langfuse's US cloud (us.cloud.langfuse.com); the Langfuse company entity is in the EU.
  • PostHog. Product analytics, session replay, and error tracking.
  • BetterStack. Uptime monitoring and incident response.
  • Trigger.dev. Background job scheduling and execution — runs daily reconciliation jobs, integration syncs, and other scheduled work against your tenant data.
  • Infisical. Secret management for the infrastructure listed above.
  • Resend. Transactional email delivery.
  • Paddle. Subscription billing and payment processing (handles payment-card data; we do not see or store it).
  • Plaid. Bank account aggregation. When you connect a bank account via Plaid Link, Plaid acts as the data controller for the connection-consent flow itself, and EverCFO becomes the data controller for the analytical layer that uses the aggregated balances, transactions, and the institution-and-masked-account-number mapping to compute cash analytics, AR/AP reconciliation, and runway projection. EverCFO does not request or store full bank account numbers or routing numbers — those are Plaid Auth-product data used for money movement, which is not part of EverCFO's bank-integration scope. Plaid's Transactions endpoint refreshes one or more times per day, not in real time (per plaid.com/docs/transactions/); bank data surfaced inside EverCFO is stamped with the source provider and as-of timestamp per our LOCK-030 grounding contract. Bank integration is offered as a forthcoming feature on the EverCFO roadmap — tenants who do not connect a bank account never share data with Plaid.

We may also disclose information when required by law (e.g. response to a valid subpoena), to enforce our terms, or to protect the rights, property, or safety of EverCFO, our users, or third parties. We will notify you of any such request unless prohibited by law.

4. Where your data lives

Your business data is stored in Supabase, hosted on AWS infrastructure. Your data is logically isolated from other EverCFO customers using row-level security keyed to your organization identifier. Cross-tenant access is blocked at the database layer, not just the application layer.

Customer data stored in Supabase is encrypted at rest with AES-256 and transmitted between our services over TLS. Our hosting providers and sub-processors use industry-standard encryption controls; we do not contractually guarantee a single TLS version across every sub-processor. Sub-processors located outside your country may process your data; standard contractual clauses or equivalent safeguards apply where required by law (e.g. GDPR Chapter V), and you can request a copy of the relevant safeguards by emailing privacy@evercfo.ai.

4a. Legal bases and transparency details (GDPR / UK GDPR)

For users in the European Economic Area or the United Kingdom, this section provides the specific transparency information required by Articles 13 and 14 of the GDPR and the UK GDPR. EverCFO is the data controller for account-identifying information and the data processor for Customer Data we process on a merchant’s instructions (e.g. Shopify customer + order records).

Lawful bases by processing purpose

  • Account, sign-in, and security log data — necessary for performing our contract with you (Article 6(1)(b)) and our legitimate interest in product security (Article 6(1)(f)).
  • Subscription billing data — necessary for performing our contract with you (Article 6(1)(b)) and compliance with tax and accounting law (Article 6(1)(c)).
  • Connected accounting and commerce records — processed on the merchant’s instructions to provide the Service (Article 6(1)(b) for the merchant who instructed the processing, Article 6(1)(f) as a processor acting on the controller’s lawful basis for the end-customer data the merchant has lawfully collected).
  • AI interaction logs and durable memory — necessary for performing our contract with you (Article 6(1)(b)) and our legitimate interest in product improvement (Article 6(1)(f)).
  • Product usage analytics — our legitimate interest in product improvement (Article 6(1)(f)); you can opt out in your account settings without losing access to the Service.
  • Service-related notifications (email) — necessary for performing our contract with you (Article 6(1)(b)).

Sources of personal data we did not collect from you directly

When you connect a third-party service, EverCFO processes personal data that the merchant’s end customers originally provided to the merchant, not to EverCFO. Article 14 disclosures:

  • Source: the merchant’s connected Shopify, QuickBooks Online, or Xero account; brokered to EverCFO via Nango under the merchant’s authorization.
  • Categories: name, email, billing/shipping city + postal code, order details (for Shopify); name, email, billing address, invoice/bill records (for QuickBooks Online and Xero).
  • Recipients: EverCFO sub-processors listed in section 3.
  • Where to direct rights requests: primary rights handler is the merchant who connected the data source; EverCFO assists merchants in fulfilling rights requests under our data processing terms. Section 7 covers rights you can exercise directly with EverCFO.

International data transfers

Some sub-processors listed in section 3 are located outside the European Economic Area, the United Kingdom, or Canada (notably US-based providers such as Vercel, Railway, Supabase, OpenAI, Anthropic, Google, PostHog, Resend, Hookdeck, BetterStack, and Paddle). Where transfers of personal data occur to a country without an adequacy decision, we rely on the European Commission’s standard contractual clauses (or the equivalent UK International Data Transfer Agreement and Canada/Quebec safeguards), supplemented by the encryption, access-control, and tenant-isolation measures described elsewhere in this Policy. Copies of the applicable safeguards are available on request to privacy@evercfo.ai.

Automated processing

EverCFO uses AI to compute analyses, surface insights, and draft documents. EverCFO does not use personal data to make decisions producing legal or similarly significant effects on individuals based solely on automated processing. AI outputs are decision support; a human at the merchant’s organization is the decision-maker. Our Terms of Service require human review for any consequential action and prohibit using the Service to make legally-significant decisions about individuals without independent human review.

5. How long we keep your data

We retain your business data for the duration of your account and for up to seven (7) years after account closure, consistent with the record-keeping period required for business financial records in the United States and Canada. Account-identifying information (email, name) is retained for the same period to satisfy tax and audit requirements.

You can request earlier deletion of specific records (subject to limited legal exceptions for fraud, tax, and accounting obligations). See section 7 below.

6. AI and your data

EverCFO uses AI to compute analyses and answer questions about your books. Three things you should know:

  • Grounding. When the AI cites a number, that number must come from a tool call that read your actual data during that turn. The AI is instructed to never fabricate numbers and to clearly disclose when data is missing or stale.
  • Memory. The AI maintains a memory of facts you have explicitly asked it to remember and a queue of candidate facts that have not yet been promoted to memory. Candidate facts are never used in prompts until you approve them in your settings.
  • No training on your data. We do not train any EverCFO-owned models on Customer Data. We configure model routing to use paid Anthropic, paid Google, and paid OpenAI API tiers whose terms do not use customer prompts and responses to train provider models. We do not use free-tier Google AI Studio or any other LLM tier whose terms permit training on submitted content for any customer data. See section 3 for the full sub-processor list.

7. Your rights

Depending on your jurisdiction, you may have the following rights over your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to fix inaccurate information.
  • Deletion. Ask us to delete personal information we no longer need.
  • Portability. Receive an export of your data in a structured, commonly used machine-readable format.
  • Objection. Object to certain uses of your data (e.g. analytics).
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at privacy@evercfo.ai. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

If you are located in the European Economic Area, the United Kingdom, Quebec, or California, you have additional rights under GDPR, UK GDPR, Quebec Law 25, or CCPA respectively. You also have the right to lodge a complaint with your local data protection authority.

For users in Quebec (Loi 25 / Quebec Law 25)

EverCFO is operated by Celeste Business Advisors LLP, a Quebec-based enterprise, and complies with the Quebec Act respecting the protection of personal information in the private sector (P-39.1, as amended by Law 25).

  • Person responsible for protection of personal information. Jobin Ebanezer, Co-founder, serves as the person responsible for protection of personal information at EverCFO. You can reach the person responsible at privacy@evercfo.ai or at Celeste Business Advisors LLP, Montreal, Quebec.
  • Confidentiality incident posture. If we become aware of a confidentiality incident (as defined by Loi 25) that presents a risk of serious injury, we will notify the Commission d’accès à l’information du Québec and the affected individuals without delay, in accordance with our confidentiality incident response procedure. We maintain a confidentiality incident register that documents every incident, its circumstances, the categories of personal information affected, the measures taken, and notifications made.
  • Governance. EverCFO maintains internal policies and practices covering the protection of personal information, including roles and responsibilities for personnel, training, retention and destruction, the processing of access and rectification requests, and handling of confidentiality incidents. A summary is available on request to the person responsible above.
  • Automated decisions. EverCFO does not use personal information to render decisions about individuals based exclusively on automated processing. AI outputs are decision support reviewed by a human at the merchant’s organization before any consequential action. If this changes, we will notify affected individuals as required by Article 12.1 of P-39.1.
  • Rights. You have rights of access, rectification, withdrawal of consent, portability (where applicable), and the right to cease dissemination or to de-index personal information in certain circumstances. Exercise any of these rights by contacting the person responsible above.
  • Complaints. If you are not satisfied with our response, you have the right to file a complaint with the Commission d’accès à l’information du Québec.

For users elsewhere in Canada (PIPEDA)

EverCFO complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial private-sector privacy laws. The Quebec contact above is the accountable individual for personal information under PIPEDA Principle 1. You have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been infringed.

For users in California (CCPA / CPRA)

EverCFO is a small B2B SaaS and is not currently subject to the California Consumer Privacy Act (as amended by the California Privacy Rights Act) because it does not meet any of the statutory thresholds (annual revenue, volume of personal information processed, or revenue from sale of personal information). EverCFO does not sell or share personal information for cross-context behavioural advertising, does not knowingly process sensitive personal information beyond what is described in this Policy, and extends the access and deletion rights described in section 7 to California residents as a matter of policy. If our circumstances change so that we become subject to the CCPA / CPRA, we will publish a California-specific rights notice covering categories of information collected, sources, purposes, disclosures, and the request methods required by the CCPA / CPRA, and update this Policy accordingly.

8. Shopify Protected Customer Data

When you connect a Shopify store, EverCFO reads customer name, email, billing/shipping city + postal code, and order details to compute analytics such as repeat-customer rate, AR aging, and top customers. We do not read or store Shopify customer phone numbers, IP addresses, browsing behavior, or any Level 2 sensitive data.

Shopify’s required compliance webhooks (customers/data_request, customers/redact, shop/redact) are authenticated against our backend with constant-time HMAC verification on every request. When a valid webhook is received, our operations team is alerted and we complete the requested data export or deletion within Shopify’s 30-day requirement. Receipt, fulfillment, and completion are tracked in our internal records system. If you are a Shopify merchant or end customer and want to confirm receipt of a specific request, contact us at privacy@evercfo.ai and reference the Shopify request identifier.

9. Cookies and similar technologies

EverCFO uses first-party cookies and similar technologies to keep you signed in, remember your preferences, and measure product usage. We use PostHog for analytics; you may opt out of analytics tracking in your account settings. Disabling authentication cookies will prevent you from signing in.

10. Connected bank accounts (Plaid)

Bank-account aggregation is offered as a forthcoming feature on the EverCFO roadmap. When you choose to connect a bank account via Plaid Link, EverCFO reads account-holder identity, account balances, the institution name with the masked account number (last four digits), and (when you authorize the Transactions scope) account transactions. We use that data to compute cash analytics, AR/AP reconciliation, and runway projection. EverCFO does not request or store full bank account numbers or routing numbers — those are Plaid Auth-product fields used for money movement, which is not part of EverCFO’s bank-integration scope. Plaid is the data controller for the consent flow inside Plaid Link itself; EverCFO is the data controller for the analytical layer that uses the aggregated balances and transactions inside your workspace. Bank values surfaced inside EverCFO are stamped with the source provider and the as-of timestamp per our grounding contract; Plaid’s Transactions endpoint refreshes one or more times per day rather than in real time, so the UI surfaces staleness when applicable. Tenants who do not connect a bank account never share data with Plaid.

Your right to disconnect. You may disconnect a Plaid-aggregated bank account at any time from your Integrations page. Disconnecting revokes the Plaid access token, and EverCFO removes the raw bank rows from active production stores within thirty (30) days of disconnect. This thirty-day window is the deletion of active production data only and remains subject to the retention exceptions described in section 5 above — specifically backups, security and fraud logs, billing and tax records, and other financial records EverCFO is required to retain under applicable US and Canadian record-keeping obligations. See section 7 for the full data subject rights process, and contact privacy@evercfo.ai for any bank-data-specific request.

11. Children

EverCFO is a B2B product. We do not target, market to, or knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to the account owner at least 30 days before they take effect. The “Last updated” date at the top of this page always reflects the current version. Continued use of EverCFO after the effective date constitutes acceptance of the revised policy.

13. Contact us

EverCFO is operated by Celeste Business Advisors LLP. For any privacy-related question, request, or concern, contact: