Introduction
Welcome to CFOTechStack, operated by Steeled Inc., a Delaware Corporation. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our Platform. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and all applicable data protection laws.
Data Controller
Steeled Inc.
Email: cfotechstack@polsia.app
Information We Collect
1. Account Information
Name, email address, phone number, company name, job title, hashed and encrypted password, billing address, and account preferences.
2. Business and Submission Data
Uploaded documents, text and data inputs, business metrics, communications with us, and feedback you provide.
3. Payment Information
Billing name, billing address, email address, and payment method. We do not store credit card data. All payment card data is handled by Stripe (PCI DSS compliant). See stripe.com/privacy for details.
4. Usage and Technical Data
IP address, device information, pages visited, session data, and error logs.
5. AI Interaction Data
Prompts you submit, outputs generated, interaction patterns, corrections you make, and feedback you provide on AI outputs.
6. Cookies and Tracking Technologies
Essential cookies (always active), analytics cookies (Google Analytics), and marketing cookies (Meta). A cookie consent banner is displayed on first visit.
7. Third-Party Data
Data received from Stripe, Google Analytics, Meta, and social login providers.
How We Use Your Information
- Service Delivery and Account Management — To create and manage your account, deliver platform features, and provide customer support.
- Service Improvement and Development — To improve the Platform, develop new features, and fix issues.
- AI Model Improvement — Using aggregated, anonymized data only. No personal or sensitive data is used for AI training without your explicit consent.
- Payment Processing — To process transactions via Stripe.
- Legal Compliance — To comply with applicable laws and regulations.
- Marketing and Communication — To send you updates and promotional communications, with consent where required by law.
- Security and Fraud Prevention — To protect the Platform and our users.
AI Training Data
AI-generated outputs on CFOTechStack are based on training data with a knowledge cutoff date and may not reflect current conditions. Verify time-sensitive information against current sources. We use only aggregated and anonymized data for AI model improvement — your personal or company data is not used to train AI models without explicit consent.
Legal Basis for Processing (GDPR)
- Contract Performance (Art. 6(1)(b)) — Processing necessary to perform our contract with you.
- Legitimate Interests (Art. 6(1)(f)) — Processing for our legitimate business interests where not overridden by your rights.
- Consent (Art. 6(1)(a)) — Where you have given explicit consent (e.g., marketing communications).
- Legal Obligation (Art. 6(1)(c)) — Processing required to comply with applicable law.
Data Sharing and Disclosure
We share data only in the following circumstances:
- Service Providers — Polsia (infrastructure), Stripe (payments), Google Analytics (analytics), Meta (advertising), AWS (cloud hosting), SendGrid (email) — all operating under data processing agreements.
- Legal Requirements — When required by law or valid legal process.
- Business Transfers — In connection with a merger, acquisition, or sale of assets.
- With Your Consent — For any other purpose with your explicit consent.
- Aggregated/Anonymized Data — Data that cannot reasonably be used to identify you.
We do NOT sell your personal information for monetary compensation. Note: sharing data with Meta for targeted advertising may constitute a "sale" or "share" of personal information under CCPA. California residents may opt out as described in the California Disclosures section below.
International Data Transfers
Your data is processed primarily in the United States. For transfers of personal data from the European Union, we use Standard Contractual Clauses as required by GDPR Article 46.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | While the account is active, plus 12 months after deletion |
| AI outputs | Deleted within 30 days of account deletion |
| Payment/transaction records | 7 years (tax and accounting compliance) |
| Anonymized/aggregated data | Indefinitely |
| Cookies | 12–26 months |
| Support records | 3 years |
| Log data | 90 days |
Privacy Rights
GDPR Rights (EU)
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restrict Processing (Art. 18)
- Data Portability (Art. 20)
- Object (Art. 21)
- Withdraw Consent
- Lodge Complaint with DPA
CCPA Rights (California)
- Right to Know (§1798.100)
- Right to Delete (§1798.105)
- Right to Opt-Out (§1798.120)
- Right to Non-Discrimination (§1798.125)
Virginia, Colorado, Connecticut, and Utah residents have similar privacy rights under their respective state laws.
To exercise any privacy right, contact us at cfotechstack@polsia.app. We will respond within 45 days (extendable by an additional 45 days for complex requests).
Cookies
- Essential Cookies — Always active. Required for the Platform to function.
- Analytics Cookies — Google Analytics. You may opt out via the cookie consent banner.
- Marketing Cookies — Meta. You may opt out via the cookie consent banner or Meta Ad Preferences.
A cookie consent banner is displayed to all new visitors on their first visit.
Children's Privacy
The Platform is not directed at children under 13 years of age. We comply with the Children's Online Privacy Protection Act (COPPA). Users under 16 in the European Union require verifiable parental consent. If you believe a child has provided personal data to us, contact us immediately at cfotechstack@polsia.app.
Security
We implement commercially reasonable technical and organizational security measures, including:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- bcrypt password hashing
- Multi-factor authentication for administrative access
- Role-based access control
- Firewalls and intrusion detection
- Regular penetration testing
- Employee security training
- Documented incident response plan
California-Specific Disclosures (CCPA)
Categories of Personal Information Collected
- Identifiers (name, email, IP address)
- Commercial information (subscription and purchase history)
- Internet or other electronic network activity (usage logs, interactions)
- Geolocation data (IP-based)
- Professional or employment-related information
- Inferences drawn from the above
- Sensitive Personal Information: payment method (not stored by us — handled by Stripe)
Do Not Sell or Share My Personal Information
To opt out of the sharing of your personal information with Meta for targeted advertising purposes, email cfotechstack@polsia.app or use the cookie consent banner on the Platform.
Changes to This Policy
We will provide 30 days' notice for material changes to this Privacy Policy. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
Dispute Resolution
Any disputes arising under this Privacy Policy are governed by California law. The exclusive legal venue for any proceedings is San Diego County, California.
Contact
Steeled Inc.
Email: cfotechstack@polsia.app