Growth Line LLC — Privacy Policy
Last Updated: April 21, 2026
Growth Line LLC ("Growth Line," "Company," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Growth Line software platform, including all related websites, applications, and services (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use our Services.
Please also review our End User License Agreement (EULA) and Terms of Service, which govern your use of the Services.
1. Information We Collect
1.1 Account Information
When you create an account, we collect: your name, business name, email address, phone number, and login credentials. Passwords are cryptographically hashed using bcrypt with per-user salts. We never store plaintext passwords.
1.2 Financial Data
Depending on which features you use and which accounts you connect, we may collect and process:
- Transaction records imported from accounting software (such as QuickBooks Online), including invoices, bills, payments, journal entries, and other transaction types
- Transaction records imported from connected bank accounts and credit cards via Plaid or similar aggregation services
- Chart of accounts and general ledger mappings
- Vendor names, addresses, and payment terms
- Invoice and receipt documents (PDFs and images uploaded by you)
- Product and inventory data imported from point-of-sale systems
- Department and category classifications
- Payroll summary data imported from payroll providers or uploaded reports
- Personal financial transaction data (for personal finance tracking features)
1.3 Platform Usage Data
We collect data about how you use the Services, including:
- Audit logs of actions within the platform (logins, data changes, exports, system events)
- Conversations with the AI bookkeeping assistant
- Learned business rules generated from your interactions with the AI assistant
- Session metadata (timestamps, device information for session security)
1.4 Information We Do NOT Collect or Store
- Credit card numbers or payment card data (payment processing is handled by third-party processors)
- Social Security numbers
- Bank login credentials (when you connect bank accounts via Plaid or similar services, authentication is handled entirely by the aggregation service — we store only access tokens, never your bank username or password)
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Services
- Process and categorize your financial transactions
- Generate reports, dashboards, and financial summaries
- Power the AI bookkeeping assistant's responses and recommendations
- Improve and develop new features for the Services
- Communicate with you about your account, updates, and support
- Detect and prevent fraud, security incidents, and technical issues
- Comply with legal obligations
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
3. AI Data Processing
The Services use artificial intelligence, including large language model APIs provided by Anthropic (Claude API), to power features such as transaction categorization, document parsing, conversational assistance, and report generation.
How your data is used in AI processing:
- Financial data included in AI queries — such as transaction details, vendor names, amounts, and your questions — is sent to Anthropic's Claude API for processing.
- As of the effective date of this policy, Growth Line uses Anthropic's commercial API under terms that prohibit the use of your data for AI model training. Your financial data is processed for the sole purpose of generating responses within the Growth Line platform and is not retained by Anthropic beyond the duration of the API request.
- Growth Line will monitor any changes to Anthropic's data usage terms and update this policy accordingly.
- Growth Line may change AI service providers in the future. Any replacement provider will be subject to equivalent or stronger data protection terms, and this policy will be updated to reflect the change.
4. How We Protect Your Data
4.1 Encryption in Transit
All data transmitted between your browser and Growth Line is encrypted using HTTPS (TLS 1.2 or higher). We enforce HTTPS on all connections with no fallback to unencrypted HTTP.
4.2 Encryption at Rest
- Integration credentials (such as QuickBooks Online OAuth tokens) are encrypted using AES-256 symmetric encryption (Fernet) before storage. Encryption keys are stored separately from the database in secured environment variables.
- Database hosting is provided by Railway, which encrypts storage volumes at rest.
- Uploaded files (invoices, receipts, documents) are stored in Cloudflare R2 with server-side encryption enabled. Files are never accessible via public URLs; access requires authenticated, time-limited pre-signed URLs that expire after 15 minutes.
4.3 Multi-Tenant Data Isolation
Growth Line is a multi-tenant platform. Every database query is scoped to your organization's unique identifier. Your data is logically isolated from all other users at the application layer. No user can access, view, or modify another user's data.
4.4 Authentication and Session Security
- Passwords are hashed using bcrypt with per-user salts
- Sessions enforce secure cookie flags (Secure, HttpOnly, SameSite)
- Sessions expire after 30 minutes of inactivity with an absolute timeout of 8 hours
- Device fingerprinting provides additional session binding
4.5 Access Controls
Growth Line implements role-based access control with defined permission levels. Each role has specific capabilities, and permissions can be customized on a per-user basis. Access to administrative functions is restricted to authorized roles.
4.6 Audit Logging
All significant actions within the platform are recorded in an audit log, including logins, data modifications, exports, and system events. Sensitive field values are redacted from error logs and system tracebacks.
4.7 Infrastructure Security
All application secrets (API keys, encryption keys, database credentials) are stored in environment variables, never in source code or database tables. The production environment runs with debug mode disabled.
5. Third-Party Service Providers
Growth Line uses the following third-party services to operate the platform. Each processes certain data as described:
| Service | What They Process | Purpose |
|---|---|---|
| Railway | All platform data (database and application hosting) | Infrastructure provider |
| Cloudflare R2 | Uploaded files (invoices, receipts, documents) | Encrypted file storage |
| Anthropic (Claude API) | Financial data included in AI assistant queries — transaction details, vendor names, amounts, and user questions | AI-powered bookkeeping assistant and document parsing |
| Intuit (QuickBooks Online) | Financial transactions, chart of accounts, vendor data — via authenticated OAuth connection | Two-way accounting data synchronization |
| Plaid (when active) | Bank account connection tokens — authentication handled entirely by Plaid | Bank and credit card feed integration |
We may use additional third-party services in the future, including point-of-sale system providers, payroll service providers, and payment processors. This policy will be updated to reflect any material changes to our third-party service providers.
We are not responsible for the privacy practices, terms of service, or data handling of any third-party service. We encourage you to review the privacy policies of any third-party services you connect to through Growth Line.
6. Bank Account Connectivity (Plaid)
If you connect bank accounts, credit cards, or other financial accounts through Plaid or similar aggregation services:
- Growth Line receives read-only transaction data from connected accounts. We do not have access to your bank login credentials. Authentication is handled entirely by the aggregation service.
- By connecting your accounts, you authorize Growth Line and the aggregation service to access, retrieve, and process your account information and transaction data for the purpose of providing the Services.
- You may disconnect any linked account at any time through your account settings. When you disconnect, we revoke the access token and cease retrieving new data from that account.
- Your use of Plaid is also subject to Plaid's own privacy policy, available at https://plaid.com/legal.
- Growth Line requests only the data categories necessary to provide the Services (account balances and transaction history). We do not request identity verification, income verification, or asset data unless a specific feature requires it and you have been informed.
7. Data Retention
7.1 During Your Account
We retain your data for the duration of your account and maintain commercially reasonable backup and recovery procedures.
7.2 After Account Closure
Upon account closure, we retain your data for ninety (90) days, during which you may request a data export. After ninety (90) days, we may permanently delete your data from active systems, with the following exceptions:
- Financial transaction data and supporting documents: We may retain these for up to seven (7) years after account closure to comply with IRS record retention requirements for financial data.
- Audit logs: We may retain audit logs for up to seven (7) years for compliance and legal purposes.
- AI conversation history and learned rules: Deleted within ninety (90) days of account closure upon request.
- Account credentials: Deleted immediately upon account closure.
- Integration tokens (OAuth, Plaid): Revoked and deleted immediately upon account closure or disconnection.
7.3 Deletion vs. Retention Conflicts
Where a deletion request conflicts with a legal retention requirement, we will: (a) delete or anonymize all data not subject to the legal requirement; (b) retain only the minimum data required by law; (c) restrict access to retained data to authorized personnel only; (d) delete retained data as soon as the legal retention period expires; and (e) notify you of what was deleted and what was retained, and why.
8. Your Privacy Rights
8.1 All Users
Regardless of where you are located, you have the right to:
- Access your data through the platform's export features
- Correct inaccurate data by editing it within the platform or contacting us
- Delete your account and request deletion of your data, subject to the retention provisions in Section 7
- Export your data in standard machine-readable formats (such as CSV)
- Disconnect any linked third-party account at any time
8.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request that we disclose the categories of personal information we collect, the sources from which it is collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions including legal retention requirements.
- Right to Opt Out of Sale: Growth Line does not sell personal information to third parties for monetary or other valuable consideration. We do not share personal information with third parties for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. You will receive the same service and pricing regardless of whether you exercise these rights.
- Right to Correct: You may request correction of inaccurate personal information.
To exercise any of these rights, contact us at michael@growthlineworks.com. We will respond to verifiable requests within 45 days, as required by law.
8.3 Oregon Residents
If you are an Oregon resident, you may have additional rights under the Oregon Consumer Privacy Act, including the right to access, correct, delete, and obtain a copy of your personal data. To exercise these rights, contact us at the email address above.
9. Data Security Incidents
In the event of a confirmed security breach affecting your data, we will: (a) notify you within seventy-two (72) hours of discovery; (b) provide a description of the nature of the breach and the types of data affected; (c) describe the steps we are taking to address the breach; and (d) cooperate in any investigation or regulatory notification required by applicable law.
10. Children's Privacy
The Services are not directed to anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately.
11. Cookies and Tracking
The Services use session cookies that are essential to the operation of the platform (authentication, session management, security). We do not use advertising cookies, third-party tracking cookies, or cross-site tracking technologies. We do not serve advertisements within the Services.
12. International Data
The Services are hosted in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States. By using the Services, you consent to this transfer.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page and notify you by email or through the Services. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.
We will not materially reduce your privacy protections without providing you with notice and, where required by law, obtaining your consent.
14. Contact
For questions, concerns, or requests related to this Privacy Policy or your data, contact:
Growth Line LLC
Email: michael@growthlineworks.com
Website: https://growthlineworks.com