— what we do with your data
privacy policy.
last updated · may 18, 2026
we collect only what we need to run the product. we don't sell your data. we don't train ai models on it. we delete it when you ask us to. full details below.
— what we collect
three buckets of data, each used for a specific purpose:
- account data — your name, email, billing address, plan. used to identify you, bill you, and contact you about the service.
- business data — clients, agreements, invoices, payment records, messages sent or received through accountable, attachments you upload. used to run the product.
- usage data — events like “invoice sent” or “reminder opened”, error logs, performance metrics. used to improve the product.
we do not collect: the contents of your inbox outside of threads you forward to accountable. browsing history. location beyond country-level. anything from third-party trackers (because we don't run them — see “cookies”).
— why we collect it
each category maps to a clear purpose:
- to provide the product (deliver invoices, send reminders, hold your records)
- to bill you (process subscription payments)
- to keep things working (debug, scale, prevent fraud)
- to improve the product (anonymized usage analytics, never personal content)
- to comply with law (tax, anti-money-laundering, lawful requests)
— who sees it
only the people and services strictly required to deliver accountable:
- stripe — for subscription billing and client payment processing.
- postmark — for transactional email delivery (invoices, reminders, magic links).
- aws — for hosting and storage (us-east region).
- openai & anthropic — for agreement extraction and reminder drafting. no training rights granted; data not retained past the request.
each vendor is contracted with a data-processing agreement that mirrors these commitments. we share with no one else — no advertisers, no data brokers, no resellers. ever.
— ai & training
accountable uses ai to read agreements, draft reminders, and answer questions about your business records. when we send your data to an ai vendor:
- we use zero-retention endpoints where available.
- we send only the minimum content required to complete the task — not your whole archive.
- we have explicit contractual prohibitions against the vendor using your data to train models.
we don't train our own models on your data either. if we ever choose to, it will be opt-in, clearly described, and reversible.
— your rights
regardless of where you live, you can:
- access — request a full export of your data within 7 days.
- correct — fix anything inaccurate, directly in-app or by email.
- delete — close your account and we delete within 30 days (financial records retained 7 years per law).
- port — receive your data in a machine-readable format (csv / json).
- object — opt out of marketing emails at any time (transactional emails continue while you have an account).
email privacy@accountable.work to exercise any right. we respond within 5 business days.
— cookies
we use a single session cookie to keep you logged in, and one preferences cookie for things like light/dark theme. we run no third-party analytics, advertising, or tracking pixels. that's the whole list.
— security
data is encrypted in transit (tls 1.3) and at rest (aes-256). access to production systems is gated by hardware-key mfa and limited to engineering on-call. we run quarterly penetration tests and, for any incident materially affecting customer data, publish a post-mortem within 72 hours.
— contact
privacy questions, data requests, or a security report:
privacy@accountable.work · pgp key on request
data controller: accountable, inc · brooklyn, ny · two humans, currently.