Privacy Policy

Effective date: April 18, 2026 · Last updated: April 18, 2026

DRAFT, under legal review. This policy may be updated before general availability. Existing customers will be notified of material changes.

1. Who we are

StartOS (“StartOS,” “we,” “our,” “us”) provides a financial operations platform for startup and growth-stage companies. This Privacy Policy describes how we collect, use, share, and protect information when you use the StartOS platform and related services (the “Services”).

If you have questions, contact privacy@startos.io.

2. Information we collect

Account information. Name, email, authentication provider (email/password or Google), profile details you provide.

Organization data. Financial records, chart of accounts, transactions, contacts (customers and vendors), employees, invoices, bills, subscriptions, forecasts, and related documents you or your integrations upload to your workspace.

Integration data. When you connect a third-party service (Stripe, Plaid, QuickBooks, Xero, HubSpot, Salesforce, Gusto, etc.), we receive data from that service in accordance with the permissions you grant.

Usage data. Pages viewed, actions taken, features used, and error diagnostics. Collected via server logs and minimal client-side telemetry.

Analytics. We use Vercel Web Analytics and Speed Insights to measure aggregate site traffic and page performance. These are cookieless, do not track you across other websites, and do not collect personally identifiable information.

Cookies. Session cookies for authentication; no third-party advertising cookies and no analytics cookies.

3. How we use your information

We use your information to:

  • Provide, maintain, and improve the Services
  • Authenticate you and secure your workspace
  • Compute financial reports, metrics, and AI-generated insights within your workspace
  • Sync data with integrations you enable
  • Respond to support requests and platform alerts
  • Meet legal and regulatory obligations (tax records, audit logs, data retention)
  • Detect and prevent fraud or abuse

4. Aggregated and De-identified Use

We may produce aggregated and de-identified statistics that describe operational patterns across our customer base as a whole, such as median gross margins by stage and sector, or classification patterns for common vendor categories. These aggregates:

  • Are subject to a minimum cohort size of 10 organizations, enforced at the query layer. No aggregate statistic is generated from fewer than 10 peer organizations. We may apply additional noise and outlier suppression to further reduce re-identification risk.
  • Never expose an individual organization's data, identity, or financial position. Customer names, account IDs, employee lists, customer lists, contract terms, and any other non-aggregated data are never shared with or visible to other customers.
  • May be included in published benchmark reports, market intelligence products, our platform's built-in benchmark features, or disclosed to third parties (including consultancies, financial institutions, investors, and researchers) subject to the same anonymization guarantees.

Your organization's participation in aggregated statistics is controlled by the administrator of your workspace. You can review and change these preferences at any time in Settings → Privacy:

  • Actuals aggregation (historical financial data): enabled by default.
  • Forecast aggregation (forward-looking plans and forecasts): disabled by default; requires explicit opt-in.

When you disable a consent toggle, your organization is excluded from all future aggregate calculations of that type. Historical aggregates already computed using prior consent are not retroactively recomputed. You may request such re-computation by contacting privacy@startos.io.

5. Sharing with third parties

Service providers (sub-processors). We rely on a small number of infrastructure providers. A current list is available at privacy@startos.io and includes our hosting and analytics provider (Vercel), database provider (Supabase), email provider (Resend), AI model provider (Anthropic), and payment processors for our own billing (Stripe).

Integrations you enable. Data flows to and from services you connect through the Integrations page. Your use of those third-party services is governed by their own terms and privacy policies.

Legal. We may disclose information to comply with applicable law, enforce our terms, or protect the rights, property, or safety of StartOS, our customers, or the public.

Business transfers. If StartOS is acquired or merged, customer data may be transferred to the successor entity subject to this Privacy Policy.

No sale of personal data. We do not sell personal data. Aggregated and de-identified statistics (Section 4) are not personal data.

6. Data retention

We retain your organization's data for as long as your account is active. When you close an account, we retain data for 90 days to allow recovery and to comply with legal obligations, then delete or de-identify it. Aggregated statistics already derived from your data prior to account closure may be retained in perpetuity, as they do not identify you.

7. Security

We use industry-standard safeguards including encryption in transit and at rest, role-based access controls, and audit logging. Security controls and their status are documented in-platform at Settings → Security. No system is perfectly secure; we follow the principle of defense in depth and continuously improve our posture.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal data we hold about you. Contact privacy@startos.io to exercise these rights. We respond within 30 days.

9. International data transfers

StartOS operates infrastructure in the European Union (primary region: eu-west-3). Data transfers outside the customer's jurisdiction are governed by standard contractual clauses or equivalent legal mechanisms where applicable.

10. Children

The Services are not directed at children under 13 (or under 16 in jurisdictions that require it). We do not knowingly collect data from children.

11. Changes to this policy

We may update this Privacy Policy as the Services evolve. Material changes will be communicated in-product and via email at least 30 days before taking effect. Continued use of the Services after a change constitutes acceptance.

12. Contact

Questions, requests, or complaints: privacy@startos.io
Postal: StartOS, Inc. (address pending incorporation)