Privacy Policy

1. What Data We Collect

• Merchant data: business name, business location, merchant bank statement PDFs, and transaction-level data extracted from those PDFs (dates, amounts, memos, running balances).
• Broker account data: name, email address, organization affiliation, authentication session metadata, and feature-usage telemetry.
• Payment data: processed by Stripe. Full card numbers are never transmitted to or stored on ScrublyIQ servers.
• Support communications: emails, in-app messages, and related metadata when you contact us.

2. How We Use It

• To generate Deal Cards — fundability score, tier, DSCR, and narrative.
• To run fraud and anomaly detection on uploaded statements (balance reconciliation, PDF forensics, duplicate-period detection, and related checks).
• To match merchant profiles against the funder qualification criteria stored in the platform.
• To run third-party verification services (OFAC, Middesk, TIN, address, Google Places) when a broker triggers them.
• To meter credit usage, compute billing, and provide receipts.
• To send transactional account emails and security notifications.
• To maintain the security, availability, and integrity of the Service.

3. How We Store It

• Uploaded PDFs are stored in Supabase encrypted object storage and automatically deleted 3 days after upload.
• Analysis results are retained for up to 90 days by default; plans or legal holds may extend this.
• Merchant-identifying fields (business name, location, and related PII) are encrypted at rest using AES-256-GCM at the application layer before being written to the database.
• All data in transit is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age and preload.
• The primary database is hosted on Supabase PostgreSQL with row-level security enabled.
• Encrypted nightly database backups are retained for 90 days and purged on a rolling cycle.

4. Subprocessors and Third-Party Services

All vendors above are contractually bound to process data on ScrublyIQ's behalf only. We do not sell merchant data. ScrublyIQ maintains Zero Data Retention agreements with AI vendors where technically feasible. This list was last updated 2026-04-23 and may change as services are added or removed.

5. AI Processing Disclosure

Bank statement text extracted from your uploads is processed by Anthropic’s API. Anthropic does not use API inputs to train models. ScrublyIQ has requested Zero Data Retention entitlement from Anthropic — this will be updated when confirmed. Until then, requests are subject to Anthropic’s standard 30-day retention for abuse monitoring only. No other AI vendor is used to process bank statement content.

6. Data Sharing

• We do not sell merchant data. Ever.
• We share data with subprocessors listed in the table above only as necessary to provide the Service, and only under contractual privacy and security obligations.
• Third-party verification services run only when the broker explicitly triggers them within the platform.
• We do not transmit merchant data to funders. Any submission of merchant information to a funder is initiated and controlled by the broker outside the Service.
• We may disclose data when legally compelled (subpoena, court order, regulatory demand) and will push back on overbroad requests when appropriate.

7. Broker Responsibilities

For the purposes of applicable data-protection law, brokers are the data controllers for their merchant relationships and ScrublyIQ acts as a data processor on the broker’s behalf. Brokers are responsible for obtaining merchant consent and any underlying legal basis before uploading merchant financial documents, and for responding to merchant requests regarding access, correction, or deletion of their data. ScrublyIQ will assist with such requests when asked by the broker of record.

8. Data Retention and Deletion

• Uploaded PDFs are auto-deleted 3 days after upload by a scheduled retention job.
• Analysis results are deleted when a broker closes their account or on explicit request.
• Brokers may request deletion of specific analyses, their entire account, or any broker-level data at any time by emailing support@scrublyiq.com.
• Encrypted nightly backups are purged on the 90-day rolling cycle. A deletion request is reflected in backups within that window.
• Audit logs (authentication, admin actions, security events) are retained longer for security and compliance purposes and are kept separate from merchant financial data.

9. Security

• AES-256-GCM encryption for merchant PII at rest at the application layer.
• TLS 1.2+ for all data in transit; HSTS enforced.
• Authentication handled by Clerk (SOC 2 Type II certified) with multi-factor authentication available.
• Rate limiting on every API endpoint via Upstash Redis.
• Row-level security on database tables; all access scoped to the authenticated user or organization.
• Comprehensive audit logging for authentication, admin actions, and data access.
• Regular internal security reviews. Vulnerability reports may be sent to security@scrublyiq.com; we acknowledge within 48 hours.

10. GLBA Compliance

ScrublyIQ operates as a financial-services technology platform and treats merchant financial data as "nonpublic personal information" under the Gramm-Leach-Bliley Act (GLBA). Our written information security program aligns with the GLBA Safeguards Rule (16 CFR Part 314), including risk assessment, access controls, encryption at rest and in transit, secure development practices, vendor-management review of subprocessors, incident-response procedures, and an annual review of the program. A designated qualified individual oversees the program. Suspected security incidents are triaged under that program and disclosed to affected brokers as required.