Privacy Policy

Effective March 5, 2026

1. Overview

This Privacy Policy describes how PopUp Technologies ("FlowCheck", "we", "us") collects, uses, stores, and protects your information when you use our financial reconciliation API and dashboard.

2. Information We Collect

Account Information

When you sign up, we collect your name, email address, and Google account profile information through Google OAuth. We do not store your Google password.

Payment Processor Data (Stripe)

When you connect your Stripe account, we collect and store:

  • Payout records (amounts, dates, status, bank destination)
  • Balance information (available and pending amounts)
  • Your Stripe restricted API key (encrypted at rest with AES-256-GCM)

We only request read access to Payouts and Balance. We do not access your customer data, charges, or products through Stripe.

Banking Data (Plaid)

When you connect your bank account through Plaid, we collect and store:

  • Transaction history (amounts, dates, descriptions, merchant names, categories)
  • Account balances (current and available)
  • Institution name and account identifiers
  • Plaid access token (encrypted at rest with AES-256-GCM)

Banking data is retrieved via Plaid's transaction sync API. We only access transaction data. We do not access your account numbers, routing numbers, or login credentials.

Usage Data

We record API request metadata (endpoint, method, response status, latency) for billing, rate limiting, and service improvement. We do not log request or response bodies.

3. How We Use Your Data

  • Reconciliation: Matching Stripe payouts to bank deposits and detecting discrepancies
  • Dashboards and reporting: Displaying your financial data in the FlowCheck dashboard
  • API responses: Returning your financial data through authenticated API endpoints
  • Alerts: Generating webhook notifications for matched payouts, discrepancies, and threshold events
  • Billing: Tracking API usage for credit-based billing

We do not sell, rent, or share your financial data with third parties. We do not use your data for advertising or marketing purposes.

4. Data Storage and Security

  • All data is stored in PostgreSQL hosted on Neon, with encryption at rest
  • Sensitive credentials (Stripe keys, Plaid tokens, webhook secrets) are encrypted with AES-256-GCM before storage
  • API keys are stored as irreversible SHA-256 hashes. We cannot retrieve your API key after creation.
  • All data in transit is encrypted with TLS 1.2+
  • Multi-tenant isolation: every database query is scoped to your tenant ID, derived from your authenticated session or API key
  • Soft-deleted bank transactions retain a deletion timestamp for audit purposes

5. Data Retention

We retain your financial data for as long as your account is active. When you disconnect a service (Stripe or Plaid), we stop syncing new data but retain existing records for continued reconciliation access. If you delete your account, all data is permanently removed within 30 days.

6. Third-Party Services

We integrate with the following third-party services:

  • Stripe: Payment processing and payout data retrieval. Subject to Stripe's Privacy Policy.
  • Plaid: Bank account connection and transaction data. Subject to Plaid's Privacy Policy.
  • Google: Authentication only (OAuth). We receive your name, email, and profile image.
  • Vercel: Application hosting
  • Neon: Database hosting

7. Your Rights

You may at any time:

  • Disconnect your Stripe or Plaid accounts from the dashboard settings
  • Request a full export of your data
  • Request deletion of your account and all associated data
  • Revoke your API keys

To exercise these rights, contact us at privacy@usepopup.com.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or dashboard notification at least 14 days before they take effect.

9. Contact

For privacy-related questions, contact privacy@usepopup.com.