Privacy Policy

Effective Date: April 6, 2026
Version: 2.0

This Privacy Policy explains how BrightCube Software LLC (“we,” “us,” or “our”) collects, uses, and protects your information when you use MarathonBooks™ and related services (the “Service”).

What We Collect

Account Information

  • Email address and authentication credentials
  • Phone number (if you enable SMS capture or multi-factor authentication)
  • Google account information (if you sign in with Google)

Business Information

  • Business name, industry, description, and settings
  • Fiscal year, default currency, and country
  • Team members and their roles and permissions

Financial Data

  • Transactions, journal entries, account balances, and financial records
  • Invoices, invoice line items, and payment records
  • Drafts, captured events, notes, and categorization data
  • Recurring entry templates and execution history
  • Asset records (vehicles, equipment, property) including acquisition details and depreciation

Bank Account Data

If you connect a bank account, we collect the following through our bank data provider, Plaid:

  • Account name, type, and last four digits of account number
  • Account balances
  • Transaction history (amounts, dates, merchant names, categories)
  • Connection status and sync metadata

Your bank login credentials are entered directly into Plaid's secure interface and are never transmitted to or stored on our servers.

Customer Data

If you use invoicing or customer communication features, we store information about your customers:

  • Customer names, email addresses, and phone numbers
  • Mailing addresses
  • Invoice and payment history
  • Communication history across all channels

Messages and Communications

If you or your customers interact with MarathonBooks through messaging channels (SMS, Instagram DM, WhatsApp, web chat, or email), we collect:

  • Message content and attachments
  • Sender and recipient identifiers (phone numbers, Instagram handles, email addresses)
  • Conversation history and metadata
  • AI-generated responses sent on your behalf

Documents and Attachments

  • Receipts, photos, and files you upload
  • Documents stored in the document vault
  • Text extracted from uploaded images and documents (via optical character recognition)

Usage and Operational Data

  • AI interaction logs (intents detected, confidence scores, processing duration)
  • API request logs (route, method, status code, duration — used for performance monitoring)
  • How you interact with the app to improve functionality

SMS Messaging

If you opt in to our SMS service, we collect your phone number to send and receive text messages related to your bookkeeping. This includes transaction confirmations, balance inquiries, invoice notifications, expense categorization, and support responses.

  • Opt-In: You opt in by adding your phone number in your account Settings and consenting to receive SMS messages.
  • Opt-Out: You can opt out at any time by replying STOP to any message. You can re-subscribe by replying START.
  • Help: Reply HELP to any message for support, or email support@brightcube.app.
  • Message Frequency: Message frequency varies based on your usage of the SMS feature.
  • Rates: Message and data rates may apply. Check with your carrier for details.

We do not share your phone number or SMS opt-in/opt-out information with third parties for their marketing purposes.

How We Use Your Data

We use your data to provide and improve the Service:

  • Core Features: Process transactions, generate reports, manage invoicing, track assets, and run your bookkeeping
  • AI Assistance: Analyze transactions to suggest categorizations, draft journal entries, and generate responses to messages
  • Bank Feeds: Sync and categorize transactions from connected bank accounts
  • Communications: Send and receive messages on your behalf across enabled channels
  • Payments: Process invoice payments and manage subscriptions
  • Account Management: Authenticate you, manage your businesses, and support multi-user access
  • Notifications: Send transactional emails (invitations, exports, invoice delivery, payment reminders)
  • Product Improvements: Understand how features are used to make the Service better
  • Support: Help you when you contact us with questions or issues

We do not sell your data. Your financial information is never shared with third parties for marketing or advertising purposes.

Data Isolation and Privacy

  • Each business's data is logically isolated and private
  • Users can only access businesses they are members of
  • Row-level security policies enforce data isolation at the database level
  • Your business data is not visible to other users or businesses

AI and Your Data

We use artificial intelligence to analyze your transactions, categorize expenses, draft journal entries, and generate responses to messages.

  • AI suggestions are advisory only and require your review before being posted to your official ledger
  • AI processing is performed by third-party AI providers (see “Third-Party Services” below)
  • Data sent to AI providers includes transaction descriptions, message content, receipt images, and business context necessary to generate accurate suggestions
  • We do not use your data to train custom AI models
  • Third-party AI providers may process your data according to their own data handling policies, which we require to include protections against using your data for model training
  • All AI output should be reviewed by you or a qualified bookkeeper

Data Storage and Security

  • Your data is stored securely using industry-standard encryption in transit and at rest
  • We use Supabase (a trusted cloud database provider) for data storage and authentication
  • Sensitive credentials (bank access tokens, third-party API keys) are encrypted at rest using AES-256 encryption
  • Access to your data is protected by authentication and authorization controls
  • Receipts, documents, and attachments are stored in private cloud storage buckets accessible only to authorized business members
  • API keys are stored as one-way hashes and cannot be retrieved after creation

Cookies

We use a limited number of cookies:

  • Authentication cookies: Required to keep you signed in (essential)
  • Locale cookie: Stores your language preference (essential)
  • Cookie consent cookie: Remembers your cookie preference (essential)

We do not use advertising cookies, tracking pixels, or third-party analytics services such as Google Analytics, Segment, or Mixpanel.

Third-Party Services

We use the following third-party services to operate the Service. Each processes only the data necessary for its function:

Infrastructure & Storage

  • Supabase: Database hosting, authentication, and file storage. All user data is stored in Supabase's cloud infrastructure.
  • Vercel: Application hosting and deployment.

Payments

  • Stripe: Payment processing for invoice payments and subscriptions. Stripe receives your email, payment information, and invoice details. Stripe may also process data related to businesses using Stripe Connect for accepting payments from their customers.

Banking

  • Plaid: Bank account connectivity. Plaid receives your bank login credentials (entered directly in Plaid's interface), account details, and transaction data. Plaid's use of your data is governed by the Plaid End User Privacy Policy.

Communications

  • Twilio: SMS messaging and phone number verification. Twilio receives phone numbers and message content.
  • Resend: Transactional email delivery. Resend receives recipient email addresses, names, and email content (including invoice details and ledger exports when you use those features).
  • Meta (Instagram): Instagram DM integration. Meta receives and transmits message content, sender identifiers, and media attachments for businesses that enable Instagram messaging.

AI Processing

  • OpenAI: Transaction categorization, receipt text extraction (OCR), intent classification, and message generation. OpenAI receives transaction descriptions, receipt images, message content, and business context.
  • Groq: Alternative AI processing provider for the same categories of data as above.

Authentication

  • Google: OAuth sign-in (if you choose to sign in with Google). Google receives standard OAuth authentication data. If you use the Google Sheets export feature, Google also receives your exported ledger data.

These services have their own privacy policies and are contractually required to protect your data. We encourage you to review their policies.

Your Rights

You have the following rights regarding your data:

Access and Export

You can export your financial data at any time through the app's export features, including CSV and Google Sheets export.

Correction

You can update your account information, business details, and financial records at any time through the app.

Delete Your Account

You can delete your account and associated business data at any time through the Settings page. When you delete your account:

  • Your user account will be permanently removed
  • All associated business data will be deleted (if you are the business owner)
  • Attachments, receipts, and documents will be removed from storage
  • Connected bank feeds will be disconnected
  • This action cannot be undone

To delete your account, go to Settings → Delete Account in the app.

Disconnect Bank Accounts

You can disconnect a linked bank account at any time through the Bank Feeds settings. This revokes our access to new transaction data from that account.

Revoke Channel Access

You can disconnect Instagram or other messaging integrations at any time through the app's integration settings.

California and International Users

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of your personal information (we do not sell personal information)
  • Not be discriminated against for exercising your privacy rights

To exercise these rights, contact us at support@brightcube.app or use the in-app account deletion feature.

European Users (GDPR)

If you are located in the European Economic Area, you have additional rights including:

  • The right to access, rectify, or erase your personal data
  • The right to restrict or object to processing
  • The right to data portability
  • The right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority

Our legal basis for processing your data is the performance of the contract (providing the Service), your consent (for optional features like SMS and bank feeds), and our legitimate interests (improving the Service and preventing fraud).

Data Retention

  • Active account data is retained as long as your account is active
  • Deleted data is permanently removed from our primary systems within 30 days
  • Backups may retain deleted data for up to 90 days for disaster recovery purposes
  • Operational logs (API request logs, AI interaction logs) are retained for up to 12 months for performance monitoring and debugging, then automatically purged
  • Verification codes and expired invitations are automatically deleted after expiration

Data Collected from Non-Users

If you are a customer of a business that uses MarathonBooks (for example, you received an invoice or messaged a business through Instagram, SMS, or web chat), we may collect:

  • Your name, email address, phone number, or social media handle as provided by you or by the business
  • Message content you send to the business
  • Payment information processed through Stripe when you pay an invoice

This data is collected on behalf of and controlled by the business you are interacting with. To exercise your privacy rights regarding this data, please contact the business directly. You may also contact us at support@brightcube.app.

Children's Privacy

Our Service is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the “Effective Date” and version number at the top of this policy
  • Significant changes will be communicated via email or in-app notification
  • Continued use of the Service after changes constitutes acceptance of the updated policy

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: support@brightcube.app
Entity: BrightCube Software LLC
United States

Summary

We collect the financial, business, banking, and communication data necessary to provide the MarathonBooks service. We use AI (via third-party providers) to assist with categorization and messaging, but you remain in control of all final decisions. We do not sell your data or use advertising trackers. You can export or delete your data at any time.

Back to login