Privacy Policy
Effective Date: February 5, 2026 | Last Updated: February 5, 2026
At The Tributum Group ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Client Portal and related services.
1. Information We Collect
1.1 Information You Provide to Us
- Account Information: Name, email address, company name, business address, phone number
- Authentication Data: Password (encrypted), multi-factor authentication codes
- Business Information: Tax ID, business structure, number of locations, industry type
- Communication Data: Messages you send us, support requests, feedback
1.2 Financial Information via Plaid
When you connect your bank accounts through Plaid Link, we collect:
- Bank Account Details: Account numbers, routing numbers, account balances
- Transaction History: Transaction amounts, dates, merchant names, categories
- Institution Information: Bank name, account type (checking, savings, credit card)
Important: We use Plaid, a trusted third-party service, to securely connect to your financial institutions. You enter your bank login credentials directly with Plaid; Plaid does not share those credentials with us, and we never receive or store them. All financial data we do receive is encrypted at rest using industry-standard encryption.
1.3 Automatically Collected Information
- Usage Data: Pages viewed, features used, time spent, clicks
- Device Information: IP address, browser type, operating system, device identifiers
- Authentication Logs: Login times, failed login attempts, MFA verification events
- Performance Data: Page load times, errors, system performance metrics
2. How We Use Your Information
2.1 To Provide Our Services
- Display your financial data in personalized dashboards and reports
- Perform cash flow analysis and financial forecasting
- Generate financial insights and recommendations
- Provide CFO advisory and strategic planning services
- Sync and update your financial data from connected accounts
2.2 To Maintain Security
- Authenticate your identity using multi-factor authentication
- Detect and prevent fraud, unauthorized access, and security breaches
- Monitor system security and investigate suspicious activity
- Maintain audit logs for compliance and security purposes
2.3 To Improve Our Services
- Analyze usage patterns to enhance user experience
- Develop new features and functionality
- Troubleshoot technical issues
- Conduct research and analytics (using aggregated, anonymized data)
2.4 To Communicate With You
- Send account notifications and security alerts
- Respond to your inquiries and support requests
- Provide updates about our services
- Send marketing communications (with your consent, and you may opt out at any time)
2.5 For Legal and Compliance Purposes
- Comply with legal obligations and regulatory requirements
- Enforce our Terms of Service and other agreements
- Protect our rights, privacy, safety, and property
- Respond to legal requests and prevent illegal activity
3. How We Protect Your Information
3.1 Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using the TLS 1.3 protocol
- At Rest: Sensitive financial data (Plaid access tokens, account numbers, routing numbers) is encrypted at rest using XChaCha20-Poly1305 AEAD encryption before it is written to the database
- Database Layer: Supabase additionally encrypts all database storage at rest with AES-256
3.2 Access Controls
- Multi-Factor Authentication: Required for all Client Portal access, using TOTP (Time-based One-Time Passwords)
- Row Level Security: Database row-level security policies restrict every query to the rows belonging to the authenticated client, so you can only access your own data
- Principle of Least Privilege: Staff and systems have minimal access necessary to perform their functions
- Audit Logging: All access to sensitive data is logged for security monitoring
3.3 Infrastructure Security
- Hosting: Vercel cloud platform with automatic security updates and DDoS protection
- Database: Supabase PostgreSQL with enterprise-grade security and automatic backups
- Monitoring: 24/7 security monitoring and intrusion detection
- Vulnerability Management: Regular security scans and dependency updates
4. Information Sharing and Disclosure
4.1 Third-Party Service Providers
We share information with trusted service providers who help us operate our business:
- Plaid: Financial data aggregation and bank account connectivity
- Supabase: Database hosting and authentication services
- Vercel: Web hosting and content delivery
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Court orders, subpoenas, or other legal processes
- Government or regulatory requests
- Legal claims or investigations
- Circumstances involving potential threats to safety
4.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information for other purposes with your explicit consent.
5. Your Rights and Choices
5.1 Access and Portability
You have the right to:
- Access your personal information
- Request a copy of your data in a portable format
- View and export your financial data from your dashboard
5.2 Correction and Updates
You can update your account information at any time through your dashboard settings. Contact us if you need assistance updating your information.
5.3 Deletion
You have the right to request deletion of your personal information. You can:
- Disconnect individual bank accounts from your dashboard
- Request complete account deletion by contacting us
Note: Some information may be retained for legal or compliance purposes (e.g., audit logs for 7 years).
5.4 Opt-Out Rights
- Marketing Communications: Unsubscribe from marketing emails using the link in any message
- Data Collection: Disconnect your bank accounts to stop new data collection
5.5 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect and how we use it
- Right to delete your personal information (with certain exceptions)
- Right to opt-out of the sale of personal information (we do not sell your information)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@thetributumgroup.com.
5.6 European Residents (GDPR)
If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
6. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Until you delete your account
- Financial Data: Until you disconnect your bank accounts
- Transaction History: 7 years for tax and accounting compliance
- Audit Logs: 7 years for security and compliance purposes
- Authentication Logs: 1 year for security monitoring
After these periods, we securely delete or anonymize your information. Anonymized data may be retained indefinitely for analytics and research.
7. Cookies and Tracking Technologies
We use the following cookies and similar technologies:
- Essential Cookies: Required for authentication and security (cannot be disabled)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our services
You can control cookies through your browser settings, but disabling certain cookies may limit functionality.
8. Third-Party Links
Our services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
9. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect information from children. If we learn that we have collected information from a child, we will promptly delete it.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable laws.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification to your registered email address
- Prominent notice on our website or dashboard
- Updating the "Last Updated" date at the top of this policy
Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
12. Security Incident Notification
In the event of a data breach affecting your personal information, we will:
- Notify you within 72 hours of discovering the breach
- Provide details about what information was affected
- Explain steps we are taking to address the breach
- Offer guidance on protecting yourself
- Notify relevant regulatory authorities as required by law
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
The Tributum Group
Email: privacy@thetributumgroup.com
Support: support@thetributumgroup.com
Website: www.thetributumgroup.com
For data deletion requests, please use the subject line: "Data Deletion Request" and include your registered email address.
This Privacy Policy was last updated on February 5, 2026. Version 1.0