Privacy Policy
Effective date: July 28, 2025
Company: Firebrain LLC ("Company," "we," "us," or "our")
Website/Service: trydocu.com and the TryDocu applications, APIs, and related services (collectively, the "Service")
Contact: david@firebrain.co
TryDocu provides tools to upload bank statements and similar documents, extract transactions, categorize income and NSF events, generate summaries and risk flags (including manipulation signals), and export results (CSV/XLSX). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Service and describes your rights and choices. If you are a business customer, this Policy should be read together with your agreement with us (e.g., Terms of Service, Data Processing Addendum).
1) Scope & Roles
Direct use (Controller): When individuals or businesses sign up and use the Service directly, we generally act as an independent controller of personal information.
Enterprise use (Processor/Service Provider): When we process documents and data on behalf of a business customer (e.g., lender, landlord, loan broker, mortgage processor), we act as that customer's processor/service provider (e.g., under GDPR/UK GDPR, CPRA/CCPA, and, where applicable, GLBA Safeguards). In such cases, the customer's privacy notice governs, and we process personal information per our agreement with the customer.
2) Information We Collect
A. Account & Contact Information
Name, company, role, email, phone (optional), password or auth credentials (stored using industry-standard hashing), and account preferences.
B. Payment Information
Billing contact details and transaction metadata from our payment processor. We do not store full payment card numbers.
C. Uploaded Content & Derived Data (Core Processing)
- Documents you upload (e.g., PDF/image bank statements, CSV files) and metadata (file name, size, page count).
- Extracted data (e.g., transaction dates, descriptions, amounts; balances; fees; NSF events).
- Classifications & summaries (e.g., income categories, recurring transactions, merchant/category tags, income/NSF summaries).
- Manipulation detection signals (e.g., mismatched totals/page counts, layout/metadata anomalies).
- Templates & configuration (e.g., mortgage/tenant screening templates you apply).
D. Usage & Device Data
IP address, timestamps, user agent, referrer, device identifiers, feature usage, error reports, performance metrics, and cookie data.
E. Support Interactions
Support tickets, chat transcripts, emails, feedback, and—if applicable—call recordings.
F. Public/Third-Party Sources
Limited business contact info or lead data where permitted by law.
Sensitive data note: Bank statements may contain financial information and other sensitive personal information. We process such data only to provide and secure the Service, perform integrity checks, improve accuracy, support users, and comply with law.
3) How We Use Information
We use personal information to:
- Provide & maintain the Service: account creation, authentication, document ingestion, OCR (optional), extraction, categorization, summaries, risk flags, and exports.
- Detect manipulation & reduce fraud: identify inconsistencies and integrity issues.
- Improve & develop: measure accuracy; tune extraction heuristics; develop features; fix bugs; conduct analytics.
- Security & compliance: monitoring, auditing, preventing abuse, enforcing terms, responding to lawful requests.
- Communications: service notices, support responses, and (where permitted) product updates; you may opt out of non-essential marketing.
- Billing & account management: subscriptions, invoicing, refunds, and collections.
No ads using your uploads: We do not use uploaded documents or extracted financial data for interest-based advertising, and we do not sell/share such data for cross-context behavioral advertising.
4) Legal Bases (EEA/UK/Switzerland)
Where GDPR/UK GDPR applies, we rely on:
- Contract performance: necessary to provide the Service you've requested.
- Legitimate interests: improving the Service, security, fraud prevention, aggregated analytics (balanced against your rights).
- Legal obligation: retaining data to comply with laws, responding to lawful requests.
- Consent: where required, such as for marketing emails, optional features, or cookies (where law requires).
5) Sharing & Disclosures
We share personal information only as follows:
- Service providers/sub-processors: cloud hosting, storage, OCR engines, authentication, billing, analytics, support, and security vendors who act on our behalf under contract.
- Enterprise customers: if you upload documents on behalf of an employer/client, or if a business customer uploads documents related to you (e.g., your bank statement), the enterprise customer controls that data and we act as their processor.
- Legal & compliance: to comply with law, court orders, subpoenas, government requests; to protect rights, safety, or property; to enforce terms.
- Business transfers: in connection with a merger, acquisition, asset sale, or bankruptcy (with notice where feasible).
- With consent: if you direct or authorize us to share.
No sale/behavioral ads: We do not sell personal information or share it for cross-context behavioral advertising.
6) Data Retention
- Uploaded documents: retained for 90 days by default (unless deleted sooner), or as specified in your plan. Enterprise customers may set retention.
- Account data: retained while your account is active and for a reasonable period thereafter for legal/accounting purposes.
- Derived data: de-identified, aggregated metrics may be retained for analytics.
- Backups: deleted data may persist in backups for up to 90 days.
7) Security
We implement appropriate technical and organizational safeguards, including:
- Encryption in transit (TLS) and at rest.
- Access controls, logging, and monitoring.
- Regular security assessments.
- Employee training and confidentiality agreements.
No system is 100% secure—please protect your credentials and notify us of suspected breaches at david@firebrain.co.
8) Cookies & Analytics
- Necessary cookies: for authentication, security, and preferences.
- Analytics cookies: to understand usage patterns (e.g., Google Analytics); only with consent or where law permits.
- Your choices: adjust browser settings; use opt-out tools; for analytics, use Google's opt-out browser add-on.
9) Automated Processing & Risk Flags
The Service uses automated processing to extract, categorize, and flag potential risks/anomalies. Outputs are assistive and intended for human review. In jurisdictions where you have a right not to be subject to purely automated decision-making with legal/significant effects, note that the Service outputs are not final decisions—they require human interpretation. If you believe an output is incorrect, contact david@firebrain.co to request human review or contest an output.
10) Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we learn we have done so, we will delete it.
11) International Data Transfers
We are based in the U.S. and use service providers globally. If you are outside the U.S., your data may be transferred to and processed in the U.S. or other countries. We use appropriate safeguards, such as:
- Data Processing Addenda with Standard Contractual Clauses (SCCs) or UK Addendum where required.
- Adequacy decisions where applicable.
- Other lawful mechanisms under applicable law.
12) Your Rights & Choices
Depending on your location and our role (controller vs. processor), you may have rights to:
- Access: request a copy of your personal information.
- Deletion/erasure: request deletion, subject to exceptions.
- Correction/rectification: update inaccurate data.
- Portability: receive your data in a structured format.
- Restriction: limit processing in certain circumstances.
- Object/opt-out: object to processing based on legitimate interests or opt out of marketing.
- Withdraw consent: where processing is based on consent.
- Non-discrimination: (California residents) not receive discriminatory treatment for exercising rights.
How to exercise: Contact david@firebrain.co with your request. We may verify your identity. For enterprise use where we are a processor, contact the enterprise customer.
Complaints: You may lodge a complaint with your data protection authority (e.g., ICO in the UK, or your EU member state authority).
13) California Privacy Rights (CPRA/CCPA)
This section applies to California residents. For the "Information We Collect," "How We Use," and "Sharing" sections above, here is the CPRA category mapping:
- Identifiers: name, email, IP address (Sections 2A, 2D).
- Customer records: name, email, billing info, uploaded documents (Sections 2A, 2B, 2C).
- Commercial information: subscription, usage data (Section 2D).
- Internet/electronic activity: usage data, cookies (Section 2D).
- Geolocation: approximate location from IP.
- Professional information: company, role (Section 2A).
- Inferences: risk flags, categorizations (Section 2C).
- Sensitive personal information: financial account data within uploaded statements (Section 2C); we use/disclose this only to provide the Service, detect security incidents, and resist fraud.
No sale/sharing for behavioral ads: We do not sell or share personal information for cross-context behavioral advertising.
Retention: See Section 6.
Rights: California residents have the rights to know, to delete, to correct, to data portability, to opt out (though not applicable as we don't sell/share), and to limit use of sensitive personal information (we already limit use). Contact david@firebrain.co or use the webform at trydocu.com/privacy-request. We will verify your request and respond within 45 days.
Authorized agent: You may designate an agent to submit requests; we may require proof of authorization.
Shine the Light: We do not disclose personal information to third parties for their direct marketing.
14) U.S. State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to those described in Section 13. Contact david@firebrain.co to exercise your rights.
15) GLBA (U.S. Financial Services Customers)
If you are a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) and we process nonpublic personal information on your behalf, we will:
- Maintain appropriate safeguards per the Safeguards Rule.
- Use such information only to provide the agreed services.
- Not disclose except as directed by you or as required by law.
16) Business Customers & DPA
If you are a business customer and we process personal data on your behalf as a processor/service provider, our data processing terms are in your agreement with us or a separately executed Data Processing Addendum (DPA). This Privacy Policy describes our practices when we are a controller; when we are your processor, your privacy notice governs.
17) Third-Party Links & Services
The Service may contain links to third-party websites or services not operated by us. We are not responsible for their privacy practices.
18) Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by posting the new Policy and updating the "Effective date." Continued use after changes means acceptance.
19) Contact Us
For questions, requests, or complaints:
Email: david@firebrain.co
Company: Firebrain LLC
© 2025 Firebrain LLC. All rights reserved.