1.Who we are

Y Assurance PLLC (the “Firm,” “we,” “us,” or “our”) is a CPA firm licensed by the Texas State Board of Public Accountancy. The Firm owns and operates Chiaro, the platform available at chiarohq.com (the “Platform”).

This policy covers information collected through chiarohq.com and the Platform. Information collected in the course of an audit or advisory engagement is additionally governed by the engagement letter between you and the Firm, and by professional standards.

Contact: privacy@chiarohq.com.

2.What we collect

In plain terms: Account details, billing status (not card numbers), the evidence you choose to submit, connection and signature records, and standard logs. Never your system credentials.

Account and profile data. When you sign up we collect your name, work email, password (stored hashed), company name and website, your title, team size, and the name, title, and email of the person your organization designates to oversee services.

Billing data. Payments are processed by Stripe. We receive subscription status, plan, and invoice records. We do not store your card number.

Evidence and workspace content. The records your organization chooses to submit to the Platform: answers, documents, system output, and related notes. These may incidentally contain personal data about your personnel or users; you control what is submitted.

Connection and signature records. When you connect an AI tool we record the connection, the tool’s name, and hashed access tokens. When you sign an agreement in the portal we record the signer’s name, title, account email, timestamp, and IP address as the signature record.

Usage telemetry and website logs. Platform activity, timestamps, request metadata, and error logs; standard server logs (IP address, user agent, referrer, pages visited) when you browse chiarohq.com.

We never collect your system credentials. When your AI tool runs commands, they run on your machines. Only the output you choose to submit reaches us.

3.How we use information

We do not sell your data. We do not use your data for third-party advertising.

4.AI processing

In plain terms: During readiness, our platform stores evidence; it does not send your evidence to AI models. Where we do use AI providers, they are configured not to train on your content.

The Platform’s readiness features are storage and methodology: your evidence is not sent to AI models by the Platform during readiness. The AI tool you connect is your own, runs under your control, and is governed by your agreement with its vendor.

Where the Firm uses AI providers in operating the Platform (for example, generating a short product description from your public website during setup) or in performing engagement services under an engagement letter, providers are accessed through APIs configured so that your content is not used to train their models, consistent with the Firm’s AI-use policy.

5.Where data lives, and who has access

Data is stored on infrastructure operated by our service providers, located in the United States. Access is restricted to Firm personnel with a legitimate operational need and to the subprocessors listed in Schedule A of our Data Processing Addendum (currently: Anthropic, Supabase, Railway, Vercel, GitHub, Apple, Microsoft, Stripe, Resend, GoDaddy, and DocuSign), each bound by data-processing terms. We notify active customers of material subprocessor changes within 30 days.

We do not share your data with advertisers, data brokers, or unrelated third parties. We disclose information where required by law and, as a licensed CPA firm, our engagement records may be inspected by peer reviewers and regulators under their own confidentiality obligations.

6.How long we keep data

In plain terms: Platform data lives while your account does, plus a short export window. Engagement workpapers are different: professional standards require the Firm to keep them at least five years.

Account records, workspace content, and telemetry are retained while your account is active. After termination, you have a 30-day export window, after which we delete or de-identify Platform data on a routine schedule.

Records maintained as part of an audit or advisory engagement (workpapers) are the Firm’s property and are retained for a minimum of five years, as required by AICPA professional standards and Texas Administrative Code §501.76. Signed agreements and signature records are retained for the life of the relationship plus applicable limitation periods. These retention requirements override deletion requests for the records they cover.

7.Your rights

Depending on your jurisdiction (for example California, the European Union, or the United Kingdom), you may have the right to access, correct, delete, or port data we hold about you, and to object to certain processing. Email privacy@chiarohq.com and we will respond within 30 days. Deletion is subject to the retention obligations described in Section 6.

If your personal data appears inside another organization’s evidence (for example, you are an employee of a Chiaro customer), we act on that organization’s instructions; please direct requests to them and we will assist.

8.Security, and incident notification

In plain terms: Encryption, MFA, least-privilege access. If an incident affects your data, we aim to notify you within 72 hours of confirming it.

We protect data with technical and organizational measures including encryption in transit and at rest, multi-factor authentication for Firm access, tenant isolation, least-privilege access controls, hashed access tokens, and logging and monitoring. If we confirm a security incident affecting your data, we will notify you without undue delay, with a target of 72 hours from confirmation, and share what we know as the investigation progresses.

9.Cookies

chiarohq.com and the portal use only cookies required for functionality, such as keeping you signed in. We do not use advertising cookies and we do not embed third-party trackers.

10.International users

If you access the Platform from outside the United States, your information is transferred to and processed in the United States. By using the Platform, you consent to this transfer.

11.Children

The Platform is a business service and is not directed at children under 16; account holders must be at least 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@chiarohq.com and we will delete it.

12.Changes and contact

We may update this policy; the effective date above reflects the most recent version, and material changes will be communicated by email or notice on the Platform. Questions: privacy@chiarohq.com.