Privacy Policy
This policy explains how Stonerose Treasury Limited (“we,” “us,” or “Stonerose”) collects, uses, and protects your data within the SLOS App environment.
1. What We Collect
- Account Information: Name, professional email address, job role, and company name provided during registration and admin approval.
- Treasury Data: Financial records, bank balances, and cash flow forecasts you upload via CSV or XLSX templates.
- AI Interaction Metadata: We log metadata from your conversations with Mala AI, including user ID, tenant ID, timestamps, and the specific report views queried.
- Usage Data: Diagnostic logs, including IP addresses and browser types, to monitor system health and prevent unauthorized access.
- Payment Metadata: When you subscribe, we collect billing identifiers. We do not see or store your raw credit card details, which are handled entirely by our payment processor, Stripe.
2. How We Use Your Data
- Service Delivery: To generate your daily cash visibility, 13-week forecasts, and long-term financial reports.
- AI Insights: Mala AI uses curated, aggregated slices of your data to provide natural language treasury insights. No raw transactional rows are ever sent to the Large Language Model (LLM).
- Security & Audit: To enforce strict tenant isolation via Row-Level Security (RLS) and maintain an audit trail of who accessed or exported specific reports.
- Compliance: To meet financial reporting standards and legal obligations.
4. Retention and Deletion
- Operational Records: Raw data uploads (CSV/XLSX) are automatically deleted under a 90-day lifecycle policy to minimize data footprint.
- Backups: Encrypted database backups are retained for 30–60 days for disaster recovery purposes.
- Account Deletion: You may request account deletion at any time. Upon off-boarding, we perform a "Verified Delete" job to purge your tenant-scoped data from our production environment.
5. Security Measures
- Identity Protection: We utilize email verification, TOTP 2FA, and feature-flagged Entra ID SSO.
- Encryption: Data is protected by industrial-grade encryption both in transit (TLS) and at rest (AES).
- Data Minimization: Our AI architecture strips sensitive identifiers like bank account numbers or IBANs before processing data for insights.
- Access Control: All data access is governed by Row-Level Security (RLS), ensuring users only see the specific rows mapped to their verified identity.