Effective April 7, 2026

Privacy Policy

DayZero Payments, Inc. (“DayZero,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the DayZero platform, website, APIs, and related services (collectively, the “Service”). Please read this policy carefully.

1. Information We Collect

Account information

When you create an account, we collect information through our authentication provider (Clerk), including:

  • Email address
  • First and last name
  • Profile photo (if provided)
  • Authentication identifiers

Business & onboarding information

When you set up a business or advisory firm, we collect:

  • Business name and type
  • Employer Identification Number (EIN)
  • Business address
  • Business logo
  • Email mailbox address
  • Currency and fiscal year preferences
  • For advisory firms: firm name, accountant count, and current tool usage

Financial data

Through your use of the Service and enabled integrations, we process:

  • Banking data: Bank account names, masks, balances, and transaction history (via Plaid).
  • Payment data: Payment transactions, invoices, and payout information (via Stripe, Square, Ramp).
  • E-commerce data: Orders, products, customer data, and financial summaries (via Shopify, Square).
  • Payroll data: Payroll transactions and employee payment data (via Finch, connecting 250+ payroll providers).
  • Accounting records: Journal entries, ledger accounts, invoices, bills, credit memos, reconciliations, budgets, and fixed assets.
  • Inventory data: Products, locations, orders, transfers, production recipes, shipments, and adjustments.

Customer and vendor data

When you manage customers and vendors in the Service, we store:

  • Names, email addresses, phone numbers
  • Mailing and billing addresses
  • Tax identification numbers
  • Payment terms and credit limits
  • Contact persons and their roles

Communications

We collect communications data including:

  • Emails processed through DayZero mailboxes (sender, recipient, subject, body, attachments)
  • Client-advisor messages exchanged through the Service
  • Internal team comments and thread discussions
  • Business notes
  • Inbox messages and notifications

AI interaction data

When you use our AI features, we collect:

  • Conversation history and messages
  • AI preferences and configuration settings
  • Contextual memories generated from your interactions (to improve response quality)
  • Saved scripts and custom workflows
  • Feedback and ratings on AI outputs
  • Usage metrics (request counts, token usage)

Files and uploads

Files you upload to the Service (documents, spreadsheets, images, PDFs) are stored securely in cloud storage. We store file metadata including name, type, size, and upload date.

Usage and device data

We automatically collect:

  • Pages visited within the Service (stored locally in your browser for navigation shortcuts, not sent to our servers for marketing analytics)
  • Error and crash reports (via Sentry, when enabled) which may include browser type, operating system, and session replay data for troubleshooting
  • Audit log entries recording actions taken within the Service (timestamp, user, action type, affected entity)

API access data

If you use our API, we log: token identifiers, request timestamps, and last-used dates. We do not log full API request or response bodies.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Process financial data, generate reports, sync integrations, and deliver AI features.
  • Maintain your account: Authenticate your identity, manage permissions, and enforce access controls.
  • Communicate with you: Send transactional emails (welcome messages, invoice notifications, scheduled reports, client messages), and respond to support inquiries.
  • Improve the Service: Analyze usage patterns to improve features, fix bugs, and develop new functionality. AI interaction data may be used to improve AI response quality for your account.
  • Ensure security: Detect fraud, prevent unauthorized access, and maintain audit trails.
  • Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.

We do not:

  • Sell your personal information or financial data to third parties.
  • Use your financial data for advertising or marketing purposes.
  • Share your data with third parties for their independent marketing purposes.

3. How We Share Your Information

We share your information only in the following circumstances:

  • With your authorized users: Other users in your organization or Advisory Firm who have been granted access to your Business.
  • With service providers: Third-party vendors who process data on our behalf to provide the Service (see Section 4).
  • With your integrations: Third-party services you connect through the Service (Plaid, Stripe, Shopify, etc.) to enable data synchronization.
  • For legal compliance: When required by law, subpoena, court order, or to protect our rights or safety.
  • In a business transfer: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

4. Third-Party Services

We use the following categories of third-party services to operate the Service. Each processes data on our behalf under appropriate agreements:

Authentication

  • Clerk — User authentication, session management, and multi-factor authentication. Processes: email, name, profile photo, session data.

Financial data providers

  • Plaid — Bank account linking and transaction retrieval. Processes: bank credentials (via Plaid Link), account information, transaction data. Governed by Plaid's End User Privacy Policy.
  • Teal — Accounting engine for general ledger, chart of accounts, and financial statement generation. Processes: journal entries, account balances, transaction data.

Payment processing

  • Stripe — Payment processing and subscription billing. Processes: payment method details, billing information, transaction data. Governed by Stripe's Privacy Policy.

Integrations

  • Shopify — E-commerce data. Processes: orders, products, customer information, payouts.
  • Square — POS data. Processes: payments, refunds, payouts.
  • Ramp — Corporate expenses. Processes: transactions, receipts, card holder details.
  • Finch — Unified payroll/HRIS (250+ providers). Processes: payroll transactions, employee payment data.
  • HubSpot — CRM sync. Processes: contact and company information.
  • Slack — Notifications only. Processes: message content for notifications you configure.

AI & machine learning

  • OpenAI and Anthropic — AI features. Processes: queries and contextual financial data necessary to generate responses. We do not send your full financial database to AI providers — only the data relevant to your specific query.

Infrastructure

  • Amazon Web Services (AWS) — Cloud hosting, file storage (S3), and email delivery (SES). All data is stored in the United States.
  • Sentry — Error monitoring and optional session replay for debugging. Processes: error reports, browser metadata, and (when enabled) session replay data.
  • ClickHouse — Audit log storage. Processes: action logs, timestamps, entity metadata.
  • Temporal — Background workflow orchestration. Processes: workflow state and execution metadata.

5. AI Features & Data

Our AI features require special attention regarding data handling:

  • Conversation data is stored to maintain chat history and allow you to reference previous interactions. You may delete individual conversations.
  • AI memories are contextual notes the AI retains to improve future responses for your account. These can be viewed and deleted through the Service or by contacting us.
  • Semantic cache stores anonymized query patterns to improve response speed. This data does not contain raw financial figures.
  • AI usage metrics (request counts, token counts, model usage) are aggregated at the business level for billing and monitoring.
  • Financial data sent to AI providers (OpenAI, Anthropic) is sent via their API and is subject to their data processing agreements. We use API endpoints that do not use your data to train their models.

6. Data Retention

We retain your information as follows:

  • Account data: Retained for as long as your account is active. Upon account deletion, core account data is removed; some records may be retained in anonymized form for audit purposes.
  • Financial data: Retained for as long as your account is active. Many records use “soft deletion” (marked as deleted but recoverable) to maintain data integrity and audit trails.
  • AI data: Conversation history and memories are retained until you delete them or close your account. Usage metrics are retained in aggregated form.
  • Audit logs: Retained for compliance purposes per applicable recordkeeping requirements.
  • Application logs: Retained for 7 days in development and 30 days in production.
  • Backups: Retained for 7 days in development and 30 days in production.

After account termination, we retain User Data for 30 days to allow for data export. After this period, data may be permanently deleted.

7. Data Security

We implement industry-standard security measures to protect your information, including:

  • Encryption of data in transit (TLS) and at rest (AES-256).
  • Field-level encryption for sensitive integration tokens and credentials.
  • Hashed storage of API tokens (SHA-256); we do not store raw API tokens after issuance.
  • Role-based access controls enforced at the API level.
  • Multi-factor authentication support through Clerk.
  • Rate limiting on API endpoints.
  • Regular security scanning in our development pipeline.
  • Comprehensive audit logging of all data-modifying actions.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Export/Portability: Request your data in a portable format. The Service provides built-in export features for financial data.
  • Restriction: Request that we limit processing of your personal information in certain circumstances.
  • Objection: Object to certain types of processing of your personal information.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at legal@ondayzero.com. We will respond to verified requests within 30 days (or sooner if required by applicable law).

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties we share it with.
  • Right to delete: You may request deletion of your personal information, subject to exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is no need to opt out.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected (per CCPA categories): Identifiers (name, email), financial information (bank and payment data), commercial information (transaction records), internet activity (usage data, error logs), and professional information (business and firm details).

To submit a request, email legal@ondayzero.com with the subject line “CCPA Request.” We will verify your identity before processing.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, the following applies:

Legal bases for processing

  • Contract: Processing necessary to provide the Service you have requested.
  • Legitimate interest: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement), balanced against your rights.
  • Consent: Processing based on your explicit consent (e.g., optional AI features, Sentry session replay).
  • Legal obligation: Processing required to comply with applicable laws.

Your GDPR rights

In addition to the rights listed in Section 8, you have the right to:

  • Lodge a complaint with your local data protection authority.
  • Request restriction of processing while we verify the accuracy of your data or the legitimacy of our processing.

Data transfers

Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for cross-border data transfers.

Data Protection Officer

For GDPR inquiries, contact us at legal@ondayzero.com with the subject line “GDPR Request.”

11. Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you with rights regarding your personal information:

  • You have the right to access your personal information held by us and to challenge its accuracy.
  • We collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
  • We obtain meaningful consent for the collection, use, and disclosure of your personal information.
  • You may withdraw consent at any time, subject to legal or contractual restrictions.
  • You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have violated your privacy rights.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at legal@ondayzero.com.

13. International Data Transfers

DayZero Payments, Inc. is based in the United States. Our primary data infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your jurisdiction.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy and changing the “Effective” date at the top. For material changes, we will also send an email notification at least 30 days before the changes take effect.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

DayZero Payments, Inc.
legal@ondayzero.com

This Privacy Policy was last updated on April 7, 2026. We recommend that you review this policy periodically for any changes.