1.Who we are
Y Assurance PLLC (the “Firm,” “we,” “us,” or “our”) is a CPA firm licensed by the Texas State Board of Public Accountancy. The Firm owns and operates Chiaro, the platform available at chiarohq.com (the “Platform”).
This policy covers information collected through chiarohq.com and the Platform. Information collected in the course of an audit or advisory engagement is additionally governed by the engagement letter between you and the Firm, and by professional standards.
Contact: privacy@chiarohq.com.
2.What we collect
Account and profile data. When you sign up we collect your name, work email, password (stored hashed), company name and website, your title, team size, and the name, title, and email of the person your organization designates to oversee services.
Billing data. Payments are processed by Stripe. We receive subscription status, plan, and invoice records. We do not store your card number.
Evidence and workspace content. The records your organization chooses to submit to the Platform: answers, documents, system output, and related notes. These may incidentally contain personal data about your personnel or users; you control what is submitted.
Connection and signature records. When you connect an AI tool we record the connection, the tool’s name, and hashed access tokens. When you sign an agreement in the portal we record the signer’s name, title, account email, timestamp, and IP address as the signature record.
Usage telemetry and website logs. Platform activity, timestamps, request metadata, and error logs; standard server logs (IP address, user agent, referrer, pages visited) when you browse chiarohq.com.
We never collect your system credentials. When your AI tool runs commands, they run on your machines. Only the output you choose to submit reaches us.
3.How we use information
- To provide, secure, and support the Platform and your subscription
- To process payments and manage billing
- To execute and retain agreements you sign in the portal
- To communicate with you about your account and, where you opt in, about the product
- To monitor performance, fix bugs, and improve the Platform (using aggregated, de-identified data where possible)
- To meet our legal and professional obligations as a licensed CPA firm
We do not sell your data. We do not use your data for third-party advertising.
4.AI processing
The Platform’s readiness features are storage and methodology: your evidence is not sent to AI models by the Platform during readiness. The AI tool you connect is your own, runs under your control, and is governed by your agreement with its vendor.
Where the Firm uses AI providers in operating the Platform (for example, generating a short product description from your public website during setup) or in performing engagement services under an engagement letter, providers are accessed through APIs configured so that your content is not used to train their models, consistent with the Firm’s AI-use policy.
5.Where data lives, and who has access
Data is stored on infrastructure operated by our service providers, located in the United States. Access is restricted to Firm personnel with a legitimate operational need and to the subprocessors listed in Schedule A of our Data Processing Addendum (currently: Anthropic, Supabase, Railway, Vercel, GitHub, Apple, Microsoft, Stripe, Resend, GoDaddy, and DocuSign), each bound by data-processing terms. We notify active customers of material subprocessor changes within 30 days.
We do not share your data with advertisers, data brokers, or unrelated third parties. We disclose information where required by law and, as a licensed CPA firm, our engagement records may be inspected by peer reviewers and regulators under their own confidentiality obligations.
6.How long we keep data
Account records, workspace content, and telemetry are retained while your account is active. After termination, you have a 30-day export window, after which we delete or de-identify Platform data on a routine schedule.
Records maintained as part of an audit or advisory engagement (workpapers) are the Firm’s property and are retained for a minimum of five years, as required by AICPA professional standards and Texas Administrative Code §501.76. Signed agreements and signature records are retained for the life of the relationship plus applicable limitation periods. These retention requirements override deletion requests for the records they cover.
7.Your rights
Depending on your jurisdiction (for example California, the European Union, or the United Kingdom), you may have the right to access, correct, delete, or port data we hold about you, and to object to certain processing. Email privacy@chiarohq.com and we will respond within 30 days. Deletion is subject to the retention obligations described in Section 6.
If your personal data appears inside another organization’s evidence (for example, you are an employee of a Chiaro customer), we act on that organization’s instructions; please direct requests to them and we will assist.
8.Security, and incident notification
We protect data with technical and organizational measures including encryption in transit and at rest, multi-factor authentication for Firm access, tenant isolation, least-privilege access controls, hashed access tokens, and logging and monitoring. If we confirm a security incident affecting your data, we will notify you without undue delay, with a target of 72 hours from confirmation, and share what we know as the investigation progresses.
9.Cookies
chiarohq.com and the portal use only cookies required for functionality, such as keeping you signed in. We do not use advertising cookies and we do not embed third-party trackers.
10.International users
If you access the Platform from outside the United States, your information is transferred to and processed in the United States. By using the Platform, you consent to this transfer.
11.Children
The Platform is a business service and is not directed at children under 16; account holders must be at least 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@chiarohq.com and we will delete it.
12.Changes and contact
We may update this policy; the effective date above reflects the most recent version, and material changes will be communicated by email or notice on the Platform. Questions: privacy@chiarohq.com.