Privacy Policy
Effective date: March 27, 2026
1. Introduction
Steward ("the Service") is operated by Paul Mason ("we," "us," or "our"). This Privacy Policy describes how we collect, use, and protect your information when you use the Service.
2. Information We Collect
We collect the following types of information:
Account Information: When you sign up, we collect your name, email address, and organization details through our authentication provider (PropelAuth).
Financial Data: The Service processes financial information including vendor details, payment amounts, bank account numbers, invoice data, and check records. This data is provided by you or synced from connected third-party services.
Integration Data: When you connect third-party services (QuickBooks Online, DocuSign, Lob), we store OAuth tokens and connection metadata necessary to maintain those integrations. We access only the data required to provide the Service's functionality.
Usage Data: We collect server logs including IP addresses, request timestamps, and error information for operational and security purposes.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Process payment requests, approvals, and check issuance
- Synchronize data with connected third-party services
- Send transactional notifications related to your account
- Monitor and improve the Service's performance and security
- Comply with legal obligations
4. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on infrastructure we control. We implement the following security measures:
- All connections are encrypted via TLS/SSL
- Sensitive fields (such as bank account numbers) are encrypted at rest using AES-256 when an encryption key is configured
- OAuth tokens for third-party integrations are stored securely and refreshed automatically
- Access to the Service requires authentication via PropelAuth
5. Third-Party Services
The Service integrates with the following third-party providers. Each has its own privacy policy governing the data they process:
- QuickBooks Online (Intuit): Vendor data, chart of accounts, and financial transactions. Intuit Privacy Policy
- DocuSign: Document signing and approval workflows. DocuSign Privacy Policy
- Lob: Physical check printing and mailing. Lob Privacy Policy
- PropelAuth: User authentication and session management. PropelAuth Privacy Policy
- Amazon Web Services: Webhook relay infrastructure. AWS Privacy Policy
6. Data Sharing
We do not sell your personal information. We share data only in the following circumstances:
- With third-party services you have explicitly connected (as described above)
- When required by law, regulation, or legal process
- To protect the rights, property, or safety of our users or the public
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Financial records are retained in accordance with applicable record-keeping requirements. You may request deletion of your account and associated data by contacting us.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Withdraw consent for data processing
To exercise these rights, contact us at dev@paulmason.me.
9. Cookies
The Service uses essential cookies for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy, please contact us at dev@paulmason.me.