Privacy Policy
Last updated: May 19, 2026
Flush is a cash flow intelligence platform for founders, fractional executives, and consultants. This policy explains what information we collect, why we collect it, who we share it with, and the choices you have. Plain language, no dark patterns.
1. Who we are
Flush is a product of Halo, LLC, a Wisconsin limited liability company with its principal place of business in Wisconsin, United States. References in this policy to "Flush", "we", "us", and "our" mean Halo, LLC operating the Flush service at flush.cash. For questions about this policy or to exercise your privacy rights, contact jason@halo.ceo.
2. Information we collect
Account information you provide
- Email address (for sign-in via magic link or Google OAuth)
- Name and company name, when you provide them
- Profile preferences (default currency, tax rate, etc.)
Financial data from connected accounts
When you connect a bank, credit card, or investment account through our Plaid integration, we receive the following from Plaid:
- Account names, masked account numbers, and account types
- Current and available balances
- Transaction history (date, description, merchant, amount, category)
- Account holder name and basic identity information returned by your institution
We never see your bank login credentials. You enter those into Plaid's interface; Plaid handles authentication with your institution and returns the data above to us under your authorization.
Data you enter directly
- Invoices, clients, line items, and notes
- Sales pipeline deals, probabilities, and expected close dates
- Equity grants (options, RSUs) and investments (SAFEs, LP interests)
- Tax estimates and quarterly payment records
- Any files you upload (e.g., imported cap-table CSVs)
Payment information
Subscription payments are processed by Stripe. We do not see or store your card number, CVC, or expiration date — those go directly to Stripe. We retain a Stripe customer identifier and subscription status so we know whether your account is active.
Technical and usage information
- IP address, browser type, operating system, and device information
- Pages viewed, features used, and timestamps
- Error reports and performance metrics
- Authentication tokens stored in your browser (used to keep you signed in)
3. How we use your information
- Provide the service — cash flow forecasting, invoicing, reports, alerts
- Generate tax reserve recommendations and pipeline-weighted forecasts
- Process subscription payments and send receipts
- Send transactional emails (sign-in links, invoice notifications, alerts you opt into)
- Diagnose bugs and improve product reliability
- Detect fraud, abuse, or violations of our Terms of Service
- Comply with legal obligations
We do not sell your personal information. We do not use your financial data to train AI models for third parties.
4. AI features
Some features (categorization suggestions, summary text, draft alerts) use the Anthropic Claude API. When we use these features:
- We send only the minimum data necessary for the specific feature
- We do not send bank credentials or full transaction histories without your action
- Anthropic does not use our API traffic to train their models per their API terms
5. Who we share data with
We share data only with the service providers required to operate Flush:
| Provider | Purpose | What they receive |
|---|---|---|
| Plaid | Bank connectivity | Your authorization, our request for account/transaction data |
| Stripe | Subscription billing and invoice payments | Email, customer ID, payment metadata |
| Supabase | Database, authentication, file storage | All data stored in Flush (as our processor) |
| Vercel | Hosting and content delivery | Request metadata and logs |
| Resend | Transactional email delivery | Your email address and message contents |
| Anthropic | AI-powered features | Minimum prompts/data necessary for each feature |
| Optional sign-in (if you choose Google OAuth) | Your Google profile email; nothing else |
We may also disclose information when required by law, valid legal process, or to protect the rights, safety, or property of Flush, our users, or the public.
6. Security
Our security approach is described in detail at flush.cash/security. Highlights:
- All traffic uses TLS 1.2 or higher
- Data is encrypted at rest in our database
- Row-level security (RLS) isolates every user's data at the database layer
- Plaid access tokens are stored server-side only and are never sent to your browser
- Stripe handles card data; we never see or store it
7. Your rights and choices
You can:
- Access the data we hold about you
- Export your invoices, transactions, equity records, and other content
- Correct inaccurate information by editing it in-app or emailing us
- Delete your account and associated data
- Disconnect any linked bank account at any time
- Opt out of non-essential email by following the unsubscribe link
To exercise any of these rights, email jason@halo.ceo. We will respond within 30 days.
If you're in California (CCPA / CPRA)
California residents have additional rights including the right to know what categories of personal information we collect, the right to delete, and the right to opt out of any "sale" of personal information. We do not sell personal information.
If you're in the EEA / UK (GDPR / UK GDPR)
You have the right to access, rectify, port, and erase your personal data, to restrict or object to processing, and to lodge a complaint with your local supervisory authority. Our lawful bases for processing are contract performance (operating the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent (for optional features and marketing email).
8. Cookies and tracking
We use a small number of essential cookies and similar technologies to keep you signed in and to remember your preferences. We do not use third-party advertising cookies or cross-site trackers on the application. If we use any analytics on the marketing site (flush.cash), it is configured to be privacy-respecting (no PII, IP truncation).
9. Data retention
- Account data: retained while your account is active
- After account deletion: removed from active systems within 30 days; encrypted backups expire within 90 days
- Transaction history: retained for as long as the linked account is connected, plus a reasonable period to support audit and accounting needs
- Billing records: retained for the period required by tax and accounting law (typically 7 years)
10. International data transfers
Flush is operated by Halo, LLC from Wisconsin, United States. If you access Flush from outside the US, your information will be processed in the US. Our subprocessors (listed in Section 5) may process data in the US and other jurisdictions where they operate. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
11. Children
Flush is not directed to anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to this policy
We may update this policy as Flush evolves. If we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of Flush after notice constitutes acceptance of the revised policy.