Version v1.3

Effective April 20, 2026

NOESIS CFO - Privacy Policy

Operator: Athena Core Technologies ("Athena", "we", "our")

Platform posture: Business-to-Business FinTech SaaS. The Platform is offered to business entities and their authorized users; it is not intended for consumer or household use.

This Privacy Policy describes how Athena Core Technologies collects, uses, and protects information in connection with the NOESIS CFO platform. It supplements the Terms of Service and the Data Handling Terms, which together govern how Customer Data (financial figures you upload) is processed.


1. Information We Collect

1.1 Account Information

When you register or request access, we collect:

Name, work email address, firm name, and role
Password (stored as a one-way cryptographic hash - never in plaintext)

1.2 Financial Data You Upload

When you use the Platform's financial intelligence features, you upload or input:

Financial statements (trial balances, P&L, balance sheet, cash flow data)
Property inputs (NOI, purchase price, operating expenses, debt terms)
Business acquisition inputs (revenue, EBITDA, growth rates)

This data is processed to generate your requested outputs and stored in your account. It is not used for any purpose other than delivering the services you requested.

1.3 Usage Data

We automatically collect limited technical data:

IP address (used for security logging, rate limiting, and geographic abuse detection)
Browser type and version (user-agent string)
Pages visited and features used (for product improvement)
API request logs (for security monitoring and debugging)

1.4 Payment Information

Payment is processed by Stripe, Inc. Athena does not store payment card numbers or bank account information. Stripe's privacy policy governs its handling of payment data.

1.5 Legal Acceptance Records

We record your acceptance of legal agreements including document version, timestamp, IP address, and context (e.g., signup, checkout).


2. How We Use Your Information

We use your information to:

Deliver and operate the Platform - process uploads, run analysis, generate reports
Authenticate and secure accounts - verify identity, detect fraud, enforce rate limits
Communicate with you - send access approvals, password resets, billing notifications
Comply with legal obligations - respond to lawful requests from courts or regulators
Improve the Platform - analyze aggregate, anonymized usage patterns

We do not:

Sell your personal data or financial data to third parties
Use your customer financial data to train or fine-tune machine learning or AI models
Share your data with advertisers
Build behavioral advertising profiles

3. Third-Party Services

We use a limited set of trusted third-party processors:

| Provider | Purpose | Data Shared |
|---|---|---|
| **Neon (PostgreSQL)** | Database hosting | All structured data |
| **Stripe** | Payment processing | Email, billing details |
| **Resend** | Transactional email | Email address, name |
| **Vercel** | Platform hosting and CDN | All web traffic |

Each provider operates under its own privacy policy and data processing agreements. We require all processors to maintain appropriate security and confidentiality standards.


4. Cookies and Tracking

The Platform uses a signed session cookie ("noesis_session") to maintain your authenticated session. This cookie:

Is HTTP-only (not accessible to JavaScript) and Secure
Is HMAC-signed to prevent tampering
Does not contain your password or financial data
Expires when you log out or your session expires

We do not use third-party tracking cookies, advertising pixels, or behavioral analytics on the authenticated platform. The public marketing pages may include limited analytics (e.g., page view counters).


5. Data Retention (No-Retention Posture)

NOESIS operates a no-retention posture: we do NOT retain your financial data beyond what is strictly necessary to serve you. Working data is temporarily stored to power the features you actively use and is purged on termination or on request.

| Data Category | Retention Period |
|---|---|
| Financial uploads, normalized line items, KPI snapshots, forecasts, insights, generated reports | Lifetime of active subscription; removable any time via **Settings → Profile → Purge my data** (clears within 24 hours, backups within 30 days) |
| Active account identity (email, name, hashed password, org name) | Lifetime of subscription; preserved after termination only as long as required by tax, accounting, or AML/KYC law (up to 7 years) |
| Payment records (Stripe invoices, charge IDs, subscription state) | 7 years or as required by Stripe, the IRS, and applicable financial regulation |
| Legal acceptance records (Terms, Privacy, Data Handling click-throughs) | 7 years (statute-of-limitations defense) |
| Security event logs (auth failures, admin actions, destructive-action audit) | 13 months rolling |
| Email delivery metadata (recipient, timestamp, delivery status) | 90 days, then purged |

Self-Serve Deletion. Any workspace owner may purge all content-level data (uploads, analyses, insights, forecasts, integration tokens) directly from Settings → Profile → Purge my data. The purge requires password step-up, typed email confirmation, and the literal string `PURGE`, and is irreversible.

Request-Based Deletion. To request account-level deletion (identity + billing + legal records, subject to legal holds), email support@noesiscfo-io.us. We acknowledge within 5 business days and complete within 10 business days unless a legal hold applies. We will tell you exactly what we are legally required to retain and for how long.

Backups. Encrypted backups are purged on a 30-day rolling cycle; data you delete from the live system is removed from backups within 30 days.


6. Your Rights

Depending on your jurisdiction, you may have rights to:

Access - request a copy of data we hold about you
Correction - request correction of inaccurate data
Deletion - request deletion of your account and data (subject to legal retention requirements)
Portability - request your data in a machine-readable format
Objection - object to certain types of processing

To exercise these rights, contact support@noesiscfo-io.us. We will respond within 30 days.


7. Security

We implement the following security measures:

TLS 1.2+ encryption for all data in transit
AES-256 encryption for sensitive data at rest (via Neon/Vercel infrastructure)
HMAC-signed session cookies
IP-based rate limiting on authentication endpoints
Security event logging for authentication failures and admin actions
Access controls limiting employee access to customer data

No security measure is perfect. In the event of a material data breach affecting your personal data, we will notify you as required by applicable law.


8. Children's Privacy

The Platform is designed for business use only and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has submitted information, contact us immediately.


9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date, and require re-acceptance from active users before they continue accessing protected features.


10. Contact

Athena Core Technologies

Email: support@noesiscfo-io.us

Subject: Privacy Inquiry

For data subject requests: Include your name, email address, and a description of your request.


*NOESIS CFO is powered by Athena Core Technologies. All rights reserved.*