Privacy Policy
Last Updated: March 2026
CairnTrail Software LLC ("CairnTrail," "we," "us," or "our"), an Ohio limited liability company, operates the Cairn suite of accounting tools (the "Service"). This Privacy Policy explains how we collect, use, store, and protect information when you use the Service.
1. Information We Collect
1.1. Account Information
When you create an account or are invited to a Firm, we collect:
- Name and email address
- Firm name and affiliation
- Role assignment (user, admin)
Account authentication is handled through Auth0. We store your Auth0 user identifier and email locally; passwords are managed entirely by Auth0 and are never stored by CairnTrail.
1.2. Firm Data
Data uploaded, entered, or generated through the Service by your Firm and its authorized users, including:
- Bank statement PDFs and extracted transaction data
- QuickBooks chart of accounts, vendor lists, and transaction records
- Client information and engagement records
- Tax return tracking data (household, individual, and business entity information)
- Documents uploaded through Cairn Docs
- AI categorization patterns and per-client instructions
- Activity logs and usage metrics
1.3. Payment Information
Payment processing is handled by Stripe. CairnTrail does not store credit card numbers, bank account details, or other payment credentials. We receive from Stripe: subscription status, invoice history, and billing contact information.
1.4. Usage Data
We collect information about how the Service is used, including:
- Feature usage and interaction patterns (e.g., number of statements processed, active users)
- Error logs and performance metrics
- Browser type, device information, and IP address
1.5. Waitlist Information
If you join our waitlist, we collect your name, email address, and optionally your firm name. This information is used solely to contact you about Service availability.
2. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate users and manage access permissions
- Process bank statements and financial documents using AI-powered extraction and categorization
- Sync data with QuickBooks and other integrated services at your direction
- Process payments and manage subscriptions
- Send transactional communications (account invitations, billing notifications, service updates)
- Monitor and improve Service performance, reliability, and security
- Comply with legal obligations
We do NOT use Firm Data to:
- Train AI or machine learning models (third-party or our own)
- Sell or share with third parties for their own purposes
- Target advertising
- Profile users across Firms
3. AI Data Processing
The Service uses third-party AI services for bank statement extraction and transaction categorization. When AI features are used:
- Document content is transmitted to third-party AI providers for processing
- We use AI provider APIs with data processing terms that prohibit providers from using your data to train their models
- AI processing results are returned to and stored within your Firm's dedicated database
- Per-client AI instructions and learned categorization patterns remain within your Firm's data and are not shared with other Firms
- We log AI inputs and outputs locally for quality assurance, debugging, and cost tracking
4. Data Isolation and Storage
4.1. Database Isolation
Each Firm's data is stored in a dedicated PostgreSQL database, separate from all other Firms. This is not row-level filtering within a shared database — each Firm has a physically separate database that can be independently backed up, restored, or deleted.
4.2. Cloud Storage
Uploaded files (bank statement PDFs, documents) are stored in Amazon S3 with firm-specific path prefixes. Files are encrypted at rest using AWS server-side encryption (AES-256).
4.3. Infrastructure
The Service is hosted on DigitalOcean (application servers) and DigitalOcean Managed PostgreSQL (databases). All data is stored in the United States.
4.4. Access Controls
Access to Firm Data is restricted by authentication (Auth0), role-based permissions, and database-level isolation. Only authenticated users with appropriate Firm membership and role can access data within their Firm's database.
5. Data Sharing
We share information only in these circumstances:
5.1. Third-Party Service Providers
We use the following third-party services to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Auth0 | Authentication and identity management | Email, name, firm membership |
| Stripe | Payment processing | Billing contact, subscription details |
| Anthropic | AI document extraction and categorization | Document content for processing |
| Amazon Web Services (S3) | File storage | Uploaded documents |
| DigitalOcean | Application and database hosting | All Service data (hosted infrastructure) |
| Resend | Transactional email | Email addresses, notification content |
5.2. QuickBooks (at Your Direction)
When you enable QuickBooks integration, we access and sync data between the Service and your QuickBooks account as directed by you. This includes reading your chart of accounts and vendor lists, and writing approved transactions.
5.3. Legal Requirements
We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4. Business Transfer
In the event of a merger, acquisition, or sale of assets, Firm Data may be transferred as part of the transaction. We will notify affected Firms before any such transfer.
We do NOT sell personal information or Firm Data to third parties.
6. Data Retention
- Active Subscriptions: Firm Data is retained for the duration of the subscription.
- After Cancellation: Firm Data is retained for 30 days to allow for export, then permanently deleted, including dedicated databases and cloud storage files.
- Account Information: Basic account records (name, email, firm affiliation) may be retained for up to 12 months after termination for legal and accounting purposes.
- Usage Data: Aggregated, anonymized usage data may be retained indefinitely for service improvement.
- Waitlist Data: Retained until you are onboarded or request removal.
7. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your information, including:
- Encryption in transit (TLS/HTTPS for all communications)
- Encryption at rest (AES-256 for stored files)
- Database-level isolation per Firm
- Role-based access controls
- Secure authentication via Auth0 (supporting multi-factor authentication)
- Regular security updates and dependency patching
No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your personal information (subject to data retention requirements)
- Export your Firm Data through the Service's available export features
- Withdraw consent for optional data processing
To exercise these rights, contact us at privacy@cairntrail.com. We will respond within 30 days.
9. QuickBooks-Specific Disclosures
In connection with our integration with Intuit QuickBooks:
- We access QuickBooks data only with your explicit authorization via OAuth 2.0
- We request only the permissions necessary to provide the Service (reading chart of accounts, vendor lists, and writing approved transactions)
- You may revoke our access to your QuickBooks account at any time through your Intuit account settings or through the Cairn Statements interface
- QuickBooks data accessed through the integration is stored within your Firm's dedicated database and is subject to the same data isolation and security measures described in this policy
- We do not use QuickBooks data for any purpose other than providing the Service to your Firm
10. Children's Privacy
The Service is designed for use by accounting professionals and is not directed at individuals under the age of 18. We do not knowingly collect information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to Firm administrators at least 30 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.
12. Contact
For questions about this Privacy Policy or our data practices:
CairnTrail Software LLC
Ohio, United States
Email: privacy@cairntrail.com
For data protection inquiries specifically: privacy@cairntrail.com