Privacy Policy
CNSVCS is a fractional CFO and financial operations firm based in Brooklyn, New York. We provide financial operations services, back-office systems, reporting infrastructure, and strategic advisory to startups and scaling businesses. Our client portal ("Portal") allows authorized clients to access their financial data and documents and to communicate with our team.
Account & Identity Information
- Full name, business email address, and company name
- Hashed password (we never store plaintext passwords)
- Account role and access level
Financial Data
- QuickBooks-synced data including transactions, income, expenses, accounts receivable, accounts payable, cash position, and profit & loss figures
- Financial projections and budget plans entered into the Portal
- KPI snapshots generated from your accounting data
- Invoices and financial documents you upload or that we prepare
Communication Data
- Messages sent between you and the CNSVCS team through the Portal
- Requests for information and advisor responses
- Contact form submissions from our public website
Technical & Usage Data
- IP address, browser type, and device information (for security purposes)
- Session tokens stored in secure, HTTP-only cookies
- Application logs for security and debugging
We use your information solely to deliver and improve our services:
- To provide fractional CFO and financial operations services under your engagement agreement
- To operate, maintain, and secure your Portal account
- To sync, display, and analyze your financial data from QuickBooks
- To generate reports, KPI dashboards, and financial summaries
- To power the AI CFO Assistant (see Section 7)
- To communicate with you regarding your account, deliverables, and updates
- To detect fraud, unauthorized access, and security incidents
- To comply with applicable legal, regulatory, and professional obligations
We do not sell, rent, or trade your personal or financial information to any third party for marketing or commercial purposes. Ever.
With your explicit authorization, we connect to your QuickBooks Online account via Intuit's OAuth 2.0 API to sync financial data. The following applies:
- We access only the data necessary to deliver your contracted services
- QuickBooks access tokens are stored encrypted and refreshed automatically
- You may revoke QuickBooks access at any time from within your QuickBooks account settings or by contacting us
- Synced data is stored in your isolated account in our database and is never shared with other clients
- Intuit's Privacy Policy governs data held within your QuickBooks account
We implement industry-standard security measures appropriate for financial data:
- Encryption in transit: All data is encrypted via TLS/HTTPS
- Authentication: Short-lived JWT access tokens (15-minute expiry) with rotating refresh tokens in secure HTTP-only cookies
- Password security: Passwords are hashed using bcrypt with a work factor of 12 — never stored in plaintext
- Access isolation: Role-based access controls ensure each client can only access their own data
- Rate limiting: Login attempts are rate-limited; accounts are temporarily locked after repeated failures
- Audit logging: Significant account actions are logged for security review
No system is impenetrable. In the event of a data breach affecting your information, we will notify you as required by applicable law and take immediate remediation steps.
We use a minimal set of trusted providers. Each processes your data only as necessary for its specific function:
- Render (render.com): Cloud hosting and database infrastructure, located in the United States
- Intuit / QuickBooks Online: Accounting data integration, governed by Intuit's Privacy Policy
- Groq, Inc.: Powers the AI CFO Assistant. Financial context is transmitted via encrypted API calls. Groq does not use API data to train models per their API terms of service.
- SMTP Email Provider: Delivers account notifications and advisor communications
We do not use Google Analytics, Meta Pixel, advertising networks, or any behavioral tracking tools on the client Portal.
The Portal includes an AI-powered CFO Assistant. When you send a message, the following context is transmitted to Groq's API to generate a response:
- Your name and company name
- Current KPI snapshot (cash position, revenue, burn rate, runway, etc.)
- Up to 15 recent QuickBooks transactions
- Your budget projections and upcoming calendar events
- Recent document names and statuses
Conversation history exists only within your active browser session and is not stored on our servers. You may opt out by simply not using the chat feature — all other Portal functions remain unaffected.
AI-generated responses are informational only and do not constitute licensed financial, legal, tax, or investment advice. See our Terms of Service for full disclaimers.
We use strictly necessary cookies only — no advertising or analytics cookies:
- Refresh token cookie: An HTTP-only, Secure, SameSite=Strict cookie that maintains your authenticated session. It expires after 7 days of inactivity.
- Access tokens: Stored in memory only — not in localStorage or cookies — and expire after 15 minutes.
Because we use only strictly necessary cookies, no cookie consent banner is required. You may clear cookies at any time via your browser settings, which will log you out of the Portal.
- Active client data is retained for the duration of your engagement plus 7 years, consistent with financial record-keeping standards
- Upon account cancellation, your data is retained for 90 days before permanent deletion, allowing time to request an export
- Security and audit logs may be retained for up to 3 years
- You may request a data export or deletion at any time by contacting us (subject to legal retention requirements)
You have the following rights regarding your personal data:
- Access: Request a copy of your data
- Correction: Request correction of inaccurate information
- Deletion: Request deletion (subject to legal retention requirements)
- Portability: Request your financial data in a portable format
- Objection: Object to certain processing activities
To exercise any right, contact us using the information below. We will respond within 30 days.
Our services are intended for business professionals and are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has submitted information to us, please contact us immediately for removal.
We may update this Privacy Policy to reflect changes in our services, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date and notify active clients via the Portal or email. Continued use of our services after such changes constitutes acceptance of the updated policy.
CNSVCS
Brooklyn, New York
For privacy inquiries, data requests, or security concerns, contact us via our contact page or at hello@cnsvcs.com.
This Privacy Policy is governed by the laws of the State of New York.