Privacy Policy
Effective date: February 2026
1. Introduction
Persu ("we", "us", or "our") is an AI-powered financial assistant that helps small businesses understand their finances. This Privacy Policy explains how we collect, use, store, and protect your information when you use our application at app.persu.io and our website at persu.io (together, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
Account Information
When you create an account, we collect your email address, password (stored as a secure hash), display name, and business details including business name, industry, and preferred currency.
Financial Data from Integrations
When you connect a third-party financial data provider (such as Xero, QuickBooks, FreeAgent, Sage, or other accounting platforms), we access and store financial data from your account. This may include transactions, chart of accounts, profit and loss reports, balance sheets, and transaction categories. We only access data that is necessary to provide you with financial insights.
Open Banking Data
If you connect a bank account through an open banking service, we may access account balances, transaction history, and other financial data made available through regulated open banking APIs. This data is used solely to provide you with financial insights and is handled in accordance with applicable open banking regulations.
Chat and AI Interaction Data
When you use our AI chat feature, we store your messages, the AI's responses, and any chat memories (saved notes) you choose to create. This data is used to provide contextual, personalised financial insights.
Usage and Device Data
We collect information about how you interact with the Service, including device trust tokens (used to remember trusted devices for up to 30 days), browser type, and general usage patterns. This data helps us improve the Service and maintain security.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Sync and analyse your financial data to deliver AI-powered insights
- Respond to your questions about your business finances via our chat interface
- Authenticate your identity and secure your account
- Remember your trusted devices to streamline the login process
- Send you important service-related communications (such as verification emails)
- Detect, prevent, and address technical issues or security threats
We do not sell your personal data or financial information to third parties. We do not use your financial data for advertising purposes.
4. Third-Party Services
We rely on the following third-party services to operate the Service. Each has its own privacy policy governing how it handles data:
Supabase
We use Supabase for authentication, database hosting, and serverless functions. Your account data, financial data, and chat data are stored in Supabase's infrastructure with row-level security policies enforced.
Anthropic (Claude AI)
Our AI chat feature is powered by Anthropic's Claude. When you ask a question, relevant portions of your financial data and chat history may be sent to Anthropic's API to generate a response. Anthropic does not use this data to train its models.
Accounting and Financial Data Providers
When you connect an accounting platform (such as Xero, QuickBooks, FreeAgent, or Sage), we use OAuth to securely access your data. We store OAuth tokens encrypted at rest. You can disconnect your account at any time, which revokes our access to new data from that provider.
Open Banking Providers
If you connect a bank account through an open banking service, we access your data through regulated APIs in compliance with applicable financial regulations. You can revoke access at any time through the Service or directly with your bank.
Hosting and Infrastructure
Our marketing site and web application are hosted on Vercel. Vercel may process standard web server logs including IP addresses and request metadata.
5. Data Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption at rest: OAuth tokens and sensitive credentials are encrypted using AES-256-GCM before being stored in our database.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Row-level security: Our database enforces row-level security (RLS) policies, ensuring you can only access your own data.
- Authentication: We support email/password authentication with email-based OTP verification. Trusted device tokens are securely generated and expire after 30 days.
- Access controls: Internal access to production data is strictly limited and audited.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to following industry best practices.
6. Data Retention and Deletion
We retain your data for as long as your account is active or as needed to provide you with the Service. Specifically:
- Account data: Retained until you delete your account.
- Financial data: Retained until you disconnect the relevant integration or delete your account.
- Chat data: Retained until you delete individual conversations or your account.
- Device trust tokens: Automatically expire after 30 days.
When you delete your account, we will delete or anonymise all of your personal data within 30 days, except where we are required by law to retain certain information.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update or correct inaccurate personal data through your account settings.
- Deletion: You can request deletion of your account and all associated data.
- Portability: You can request an export of your data in a structured, commonly used format.
- Objection: You can object to certain processing of your personal data where applicable.
- Withdrawal of consent: Where processing is based on consent, you can withdraw that consent at any time.
To exercise any of these rights, please contact us at hello@persu.io. We will respond to your request within 30 days.
8. Cookies and Local Storage
Persu uses browser local storage and session storage to maintain your authentication state and preferences. We do not use third-party tracking cookies or advertising cookies.
Specifically, we store authentication tokens and session data in your browser's local storage to keep you signed in and to remember your trusted device status. This data remains on your device and is not shared with third parties.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective date" at the top of this page and, where appropriate, by sending you an email notification.
We encourage you to review this policy periodically to stay informed about how we are protecting your data.
10. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: