Sign In Start Free Trial

Privacy Policy

Last Updated: February 11, 2026

Open Mind Archives LLC ("Company," "we," "us," or "our") operates the TransactionFlow product of Nalepa Labs™ platform ("Platform," "Service") accessible at omtransactionflow.com. This Privacy Policy describes how we collect, use, disclose, and protect your personal information and financial data when you use our Platform. By accessing or using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

We understand the sensitive nature of financial data and are committed to protecting your privacy. Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash; we never store your plaintext password)
  • Organization or team name
  • Business entity type and tax filing information you provide

1.2 Financial Data

The core function of our Platform is bookkeeping and financial management. In the course of providing our Service, we collect and process the following financial data:

  • Bank Statements: PDF documents of bank and credit card statements that you upload for parsing and transaction categorization.
  • Transactions: Individual financial transactions extracted from uploaded statements, including dates, amounts, descriptions, payees, and categories.
  • General Ledger Entries: Double-entry bookkeeping records created from your categorized transactions.
  • Chart of Accounts: Your accounting chart of accounts, including account names, numbers, types, and IRS Schedule C line mappings.
  • Tax Information: Business income, expense categories, depreciation schedules, vehicle usage logs, home office deduction data, estimated tax calculations, and other tax-related information you input or that we generate from your financial data.
  • Client Data: If you are an accountant or firm user, information about your bookkeeping clients including business names, entity types, fiscal year data, and associated financial records.

1.3 QuickBooks Online (QBO) Data

If you connect your QuickBooks Online account:

  • OAuth Tokens: Encrypted access and refresh tokens that authorize our Platform to communicate with your QBO account on your behalf.
  • Company Information: QBO company name, company ID, and related metadata.
  • Accounting Data: Chart of accounts, vendors, journal entries, profit and loss statements, balance sheets, trial balances, and general ledger data synced from your QBO account.

1.4 Plaid-Connected Bank Data

If you connect a bank account through Plaid:

  • Bank Account Metadata: Institution name, account name, account type, and masked account number.
  • Transaction Data: Transactions retrieved from your connected bank accounts, including dates, amounts, merchant names, and categories.
  • Important Note: Your bank login credentials are never transmitted to or stored by our Platform. Plaid handles all credential management directly. We receive only a secure access token from Plaid, which is encrypted at rest on our systems.

1.5 Payment Information

When you subscribe to our Service or purchase write-up packages, payment processing is handled entirely by Stripe, Inc. We do not collect, store, or have access to your full credit card number, debit card number, or bank account number for payment purposes. We receive from Stripe only:

  • Confirmation of payment status
  • Subscription plan details
  • Last four digits of your payment method (for your reference)
  • Billing email address

1.6 Uploaded Files and Media

Files you upload to the Platform (including bank statement PDFs, team logos, and other documents) are stored on our cloud storage infrastructure. These files are associated with your team account and are subject to the data retention policies described in Section 6.

1.7 Usage and Technical Data

We automatically collect certain information when you use the Platform:

  • Session Data: We use Django sessions stored in our PostgreSQL database to maintain your authenticated state.
  • Log Data: Server logs that may include your IP address, browser type, pages visited, and timestamps.
  • Usage Analytics: Basic usage patterns to help us improve the Service.

1.8 Voice and Chat Data

If you interact with our AI assistant ("Business Assistant"):

  • Voice Input: Audio recordings of your voice commands, which are transcribed and then processed.
  • Chat Messages: Text messages you send to the AI assistant.
  • Voice Output: Text generated for voice synthesis responses to you.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Operating the Service

  • Parsing and extracting transactions from uploaded bank statements
  • Categorizing transactions and posting to your general ledger
  • Generating financial reports (Profit & Loss, Balance Sheet, Trial Balance)
  • Generating IRS Schedule C, estimated tax calculations, and other tax forms
  • Syncing data with QuickBooks Online when you authorize a connection
  • Syncing transactions from your bank via Plaid when you authorize a connection
  • Running S-Corp compliance checks and generating corporate documents
  • Processing depreciation schedules and asset tracking
  • Providing AI-assisted bookkeeping guidance through the Business Assistant

2.2 Account Management

  • Creating and managing your account
  • Processing subscription payments and managing billing
  • Enforcing subscription-based feature access (entitlements)
  • Providing customer support

2.3 Communication

  • Sending transactional emails (account verification, password reset, subscription confirmations)
  • Sending service-related notifications
  • Responding to your inquiries and support requests

2.4 Improvement and Development

  • Analyzing usage patterns to improve the Platform
  • Identifying and fixing bugs and performance issues
  • Developing new features and services

2.5 Legal and Compliance

  • Complying with applicable laws and regulations
  • Enforcing our Terms of Service
  • Protecting our rights, privacy, safety, or property

3. Artificial Intelligence Data Processing

Our Platform uses artificial intelligence services to provide core functionality. We believe in full transparency about how your data is processed by AI systems. The following third-party AI services receive and process your data:

3.1 Anthropic (Claude API)

  • Data Sent: Bank statement PDF content (text extracted from uploaded statements) for automated transaction parsing and extraction; chat messages you send to the Business Assistant along with contextual information about your current page and onboarding progress.
  • Purpose: Automated bank statement parsing, transaction categorization assistance, and interactive AI bookkeeping guidance.
  • Retention by Anthropic: Subject to Anthropic's Privacy Policy. Under Anthropic's API Terms of Service, data submitted through their API is not used to train their models.

3.2 OpenAI (Whisper API)

  • Data Sent: Audio recordings of your voice when you use voice input with the Business Assistant.
  • Purpose: Speech-to-text transcription of voice commands.
  • Retention by OpenAI: Subject to OpenAI's Privacy Policy. Under OpenAI's API data usage policy, data submitted through the API is not used to train their models.

3.3 ElevenLabs (Text-to-Speech API)

  • Data Sent: Text content generated by the AI assistant for spoken responses to you.
  • Purpose: Converting text responses into natural-sounding voice audio.
  • Retention by ElevenLabs: Subject to ElevenLabs' Privacy Policy.

Important: We select AI providers that commit to not using API-submitted data for model training. However, we encourage you to review each provider's current privacy policy for the most up-to-date information on their data handling practices.

4. Third-Party Data Sharing and Processors

We share your information with third-party service providers only as necessary to operate the Platform. We do not sell your personal information or financial data to third parties. The following is a comprehensive list of third-party processors that may receive your data:

Service Provider Data Received Purpose
Anthropic Bank statement content (text), chat messages, page context AI-powered statement parsing and bookkeeping assistant
OpenAI Voice audio recordings Speech-to-text transcription (Whisper)
ElevenLabs Text content for voice responses Text-to-speech synthesis
Intuit / QuickBooks Online Accounting data (journal entries, chart of accounts, vendors, financial reports) via user-authorized OAuth connection Two-way accounting data synchronization
Plaid Bank credentials (handled directly by Plaid, not by us), bank account metadata Secure bank account linking and transaction retrieval
Stripe Billing email, payment method details, subscription selections Payment processing and subscription management
Cloudflare (R2 Storage) Uploaded files (bank statement PDFs, team logos, media) Secure cloud file storage
Railway.app All application data (hosted infrastructure) Cloud hosting, PostgreSQL database, Redis cache

4.1 User-Authorized Connections

Connections to Intuit/QuickBooks Online and Plaid are initiated only by you through explicit authorization flows (OAuth). You may disconnect these services at any time through the Platform. Disconnecting will stop future data syncing but will not automatically delete data already imported into the Platform. You may request deletion of imported data separately.

4.2 Legal Disclosures

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to:

  • Comply with a legal obligation, subpoena, court order, or government request
  • Protect and defend the rights or property of Open Mind Archives LLC
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

4.3 Business Transfers

If Open Mind Archives LLC is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data. Given the sensitive nature of financial information, we take the following precautions:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. We enforce HTTPS via SECURE_SSL_REDIRECT and HTTP Strict Transport Security (HSTS).
  • Field-Level Encryption at Rest: Sensitive data fields, including QBO OAuth tokens and other credentials, are encrypted at rest using dedicated encryption keys.
  • CSRF Protection: All form submissions are protected against Cross-Site Request Forgery attacks.
  • Secure Session Cookies: Session cookies are set with Secure and HttpOnly flags, preventing JavaScript access and ensuring transmission only over HTTPS.
  • Password Security: Passwords are stored as cryptographic hashes using Django's password hashing framework. We never store plaintext passwords.
  • Multi-Tenant Data Isolation: All data is scoped to your team. Strict team-based access controls ensure that no user can access another team's data.
  • No Credit Card Storage: We never store, process, or have access to your full payment card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.
  • Access Controls: Role-based access controls restrict data access based on user roles (Platform Admin, Accountant, Client Owner).

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention and Deletion

6.1 Active Subscribers

If you have an active paid subscription, your data is retained for as long as your subscription remains active. Upon cancellation, your data is retained for thirty (30) days to allow you to reactivate your subscription. After the 30-day retention period, your data is permanently deleted.

6.2 Trial Users

If you use our free trial and do not convert to a paid subscription, your data is retained for thirty (30) days after the trial period expires. After the 30-day retention period, your data is permanently and automatically deleted by our automated data purge system. During the trial period, certain features are restricted (limited number of accounts and a limited date range for statements).

6.3 Permanent Deletion

When data is permanently deleted, the following are removed:

  • Client records and all associated child records (transactions, GL entries, chart of accounts, tax data, depreciation assets, compliance data)
  • Categorization rules associated with deleted clients
  • Uploaded files associated with deleted records

We do not delete your team account, membership records, or subscription records as part of the data purge, as these are needed for account management purposes.

6.4 User-Requested Deletion

You may request deletion of your data at any time by contacting us at info@openmindarchive.org. We will process your request within thirty (30) days. Please note that certain data may be retained as required by law or for legitimate business purposes (e.g., transaction records for tax compliance or legal obligations).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

7.1 General Rights (All Users)

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete personal information.
  • Deletion: You may request that we delete your personal information, subject to legal retention requirements.
  • Portability: You may request your data in a commonly used, machine-readable format. Our Platform provides export functionality (including Excel export) for your financial data.
  • Objection: You may object to certain processing of your personal information.
  • Withdrawal of Consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at info@openmindarchive.org. We will respond to your request within thirty (30) days.

8. California Residents — CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

8.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information is collected, the business purpose for collecting your information, and the categories of third parties with whom we share your information.

8.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions provided by law.

8.3 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you.

8.4 Right to Opt-Out of Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of sale or sharing.

8.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you may receive a different price or level of quality for exercising your rights.

8.6 Categories of Personal Information Collected

Under the CCPA, we collect the following categories of personal information:

  • Identifiers: Name, email address, account name, IP address.
  • Commercial Information: Subscription records, purchasing history, financial data you upload or generate.
  • Financial Information: Bank statement data, transaction records, general ledger entries, tax-related data. (Note: Credit card numbers are processed by Stripe, not by us.)
  • Internet/Electronic Activity: Browsing history on our Platform, interaction with our Service, log data.
  • Audio Information: Voice recordings when using the Business Assistant.
  • Professional/Employment Information: Business entity type, industry information you provide.
  • Inferences: Financial categorizations and tax calculations derived from your data.

8.7 How to Submit a Request

To submit a request to exercise your CCPA/CPRA rights, please contact us at info@openmindarchive.org. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

9. European Economic Area (EEA) Residents — GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

9.1 Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide you the Service you have subscribed to (Article 6(1)(b) GDPR).
  • Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security (Article 6(1)(f) GDPR).
  • Consent: Where you have given explicit consent, such as connecting your QuickBooks Online or bank accounts, or using the AI voice assistant (Article 6(1)(a) GDPR).
  • Legal Obligation: Processing necessary to comply with legal obligations (Article 6(1)(c) GDPR).

9.2 Your GDPR Rights

In addition to the general rights listed in Section 7, you have the right to:

  • Restriction of Processing: Request that we restrict the processing of your personal data in certain circumstances.
  • Data Portability: Receive your personal data in a structured, commonly used, and machine-readable format.
  • Lodge a Complaint: File a complaint with your local data protection authority if you believe we have violated your data protection rights.

9.3 International Data Transfers

Our Service is hosted in the United States. If you access our Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated. The data protection laws of the United States may differ from those in your jurisdiction. By using our Service, you consent to the transfer of your information to the United States.

We rely on standard contractual clauses and other legally approved transfer mechanisms where applicable to ensure adequate protection of your personal data when transferred internationally.

9.4 Data Protection Officer

For GDPR-related inquiries, you may contact us at info@openmindarchive.org.

10. Cookies and Tracking Technologies

We use a limited number of cookies that are essential for the operation of our Service. For full details on the cookies we use, please see our Cookie Policy.

In summary, we use the following cookies:

  • Session Cookie (sessionid): Essential for maintaining your authenticated session. Expires when you close your browser or after the server-side session timeout.
  • CSRF Token (csrftoken): Essential for protecting against Cross-Site Request Forgery attacks on form submissions.
  • Language Preference (django_language): Stores your selected language preference.

We do not use advertising cookies, social media tracking cookies, or third-party behavioral analytics cookies.

11. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information. If you believe that a child under 18 has provided us with personal information, please contact us at info@openmindarchive.org.

12. Third-Party Links

Our Service may contain links to third-party websites or services that are not operated by us, including links to Intuit/QuickBooks Online, Plaid, and Stripe. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this document. For material changes, we will also send a notification to the email address associated with your account.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us:

For privacy-specific requests (data access, correction, deletion, or portability), please email info@openmindarchive.org with the subject line "Privacy Request" and include your account email address so we can verify your identity.

15. Governing Law

This Privacy Policy is governed by the laws of the State of Florida, United States, without regard to its conflict of laws provisions, except where superseded by applicable federal law or the mandatory data protection laws of your jurisdiction (such as the GDPR for EEA residents or the CCPA for California residents).