Privacy Policy
Last updated: April 9, 2026
1. Introduction
James Analytics LLC (“James Analytics,” “we,” “our,” or “us”) is committed to protecting your privacy and the security of your personal and financial information. This Privacy Policy describes how we collect, use, store, share, and protect your information when you use our website, platform, APIs, and related services (collectively, the “Service”).
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you should not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, password (hashed), company name, and industry
- Financial data: Transaction records, financial statements, budgets, and other financial data you upload or sync via integrations
- Payment information: Billing details processed securely through Stripe. We do not store credit card numbers on our servers
- Communications: Messages you send to us via support channels or feedback forms
- AI interactions: Queries you submit to our AI analysis features (“Ask James”)
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, clicks, session duration, and interaction patterns
- Device information: Browser type, operating system, device type, and screen resolution
- Network information: IP address, approximate geographic location (city/region level)
- Cookies and similar technologies: Session cookies, authentication tokens, and analytics identifiers
- Audit logs: Authentication events, data access patterns, and security-relevant actions for compliance purposes
2.3 Information from Third Parties
- Accounting integrations: If you connect QuickBooks, Xero, or other accounting platforms, we receive transaction data, chart of accounts, and related financial information you authorize
- Google SSO: If you sign in with Google, we receive your name and email address from your Google profile
- Payment processor: Stripe provides us with subscription status and billing events (not full card details)
3. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Generate financial statements, dashboards, forecasts, budgets, AI insights, and reports
- Account management: Create and manage your account, authenticate sessions, and process payments
- Communications: Send transactional emails (password resets, payment confirmations, subscription updates), service announcements, and optional newsletter content
- Security and compliance: Detect and prevent fraud, enforce acceptable use, maintain audit logs, and comply with legal obligations
- Improvement: Analyze usage patterns to improve Service functionality, performance, and user experience
- Support: Respond to your inquiries and resolve issues
We do not sell your personal information. We do not use your financial data for advertising or profiling purposes.
4. AI Processing
Our Service uses AI technology powered by Anthropic's Claude to analyze your financial data and generate insights. Important details about our AI processing:
- No model training: Your financial data is never used to train, fine-tune, or improve AI models. Data is processed in real time for analysis and is not retained by the AI provider
- Data minimization: We send only the data necessary to generate the requested analysis to the AI provider
- Secure transmission: All data sent to AI providers is encrypted in transit via TLS 1.3
- Informational only: AI-generated outputs are not financial advice and may contain errors. See our Terms of Service for full disclaimers
5. Data Security
We maintain a security program aligned with the SOC 2 Trust Services Criteria framework. Our security measures include:
- Encryption: All data is encrypted at rest using AES-256 and in transit using TLS 1.3
- Authentication: Bcrypt password hashing, JWT-based session management with server-side token revocation, and optional two-factor authentication (TOTP)
- Access controls: Role-based permissions (viewer, editor, admin, owner), tier-based feature gating, and company-level data isolation
- Rate limiting: Protection against brute-force attacks and abuse on authentication, upload, and API endpoints
- Audit logging: Structured logging of authentication events, subscription changes, data exports, and other security-relevant actions
- Infrastructure: Hosted on Vercel (frontend), Railway (backend), and Supabase (database) with automatic backups, redundancy, and uptime monitoring
- Payment security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified service provider. We never store or process credit card numbers directly
- Regular audits: We conduct internal security assessments aligned with SOC 2 criteria to continuously identify and remediate vulnerabilities
While we implement commercially reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
6. Data Sharing and Disclosure
We may share your information in the following circumstances:
- Service providers: Trusted third parties who assist in operating the Service, including Stripe (payments), Anthropic (AI processing), Supabase (database), Resend (email delivery), and Vercel/Railway (hosting). Each provider is bound by its own privacy policies and data processing agreements
- Legal compliance: When required by law, subpoena, court order, or government regulation
- Safety and rights: To protect the rights, property, or safety of James Analytics, our users, or the public
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity
- With your consent: For any other purpose with your explicit consent
We do not sell, rent, or trade your personal information or financial data to third parties for marketing or advertising purposes.
7. Data Retention
We retain your data for as long as your account is active or as reasonably needed to provide the Service. Specific retention periods:
- Account data: Retained while your account is active and for up to 30 days after account deletion to allow for recovery
- Financial data: Retained while your account is active. Deleted upon account closure after the retention period
- Audit logs: Retained for 90 days for security and compliance purposes
- Revoked authentication tokens: Retained until their natural expiry date, then automatically purged
- Backup data: May persist in encrypted backups for up to 30 days after deletion from production systems
You may request deletion of your data at any time by contacting us. We will process deletion requests within 30 days, subject to legal retention requirements.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Portability: Export your financial data in standard formats (CSV, Excel, PDF)
- Objection: Object to certain processing activities
- Restriction: Request that we limit processing of your data in certain circumstances
- Marketing opt-out: Unsubscribe from marketing communications at any time via the link in any email or by contacting us
To exercise any of these rights, contact us at support@jamesanalytics.com. We will respond within 30 days.
9. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Essential cookies: Required for authentication, session management, and security. Cannot be disabled
- Functional cookies: Remember your preferences and settings (e.g., dark mode, selected company)
- Analytics: We use Meta Pixel for conversion tracking on our marketing site. This helps us understand how users find and interact with our website. You can opt out via your browser's cookie settings or a tracking blocker
We do not use cookies for behavioral advertising. You can control cookie settings through your browser. Disabling essential cookies may prevent you from using the Service.
10. International Data Transfers
James Analytics is based in the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have data protection laws that differ from those of your jurisdiction.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child, we will take steps to delete that information promptly.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at support@jamesanalytics.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will also notify you via email or in-app notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
James Analytics LLC
Email: support@jamesanalytics.com
Website: www.jamesanalytics.com
We aim to respond to all privacy inquiries within 30 days.