Part II — Privacy Policy

1. Introduction

1.1 Purpose of This Policy

This Privacy Policy explains how the company, doing business as Capital Workbench, collects, uses, discloses, retains, and protects personal information when you use the Service.

This Policy applies to our website, web application, dashboards, AI-assisted features, integrations, subscription services, support channels, communications, and other services that link to this Policy.

1.2 Roles and Organization Accounts

In some circumstances, we act as an independent controller or business for personal information, such as account registration, billing, security, website analytics, and direct communications. In other circumstances, we may process personal information on behalf of an organization customer, such as when the organization controls a workspace and determines how personal information is used within that workspace.

If you use the Service through an organization account, your organization may control certain information and settings. You may need to contact your organization to exercise certain rights relating to workspace content.

1.3 Summary

We collect information needed to operate Capital Workbench, provide accounts and subscriptions, secure the Service, process payments, support users, power analytics and AI-assisted workflows, connect integrations you choose, and comply with law.

We do not intend to sell personal information or share it for cross-context behavioral advertising. If our practices change, or if our analytics or advertising practices trigger legal opt-out rights, we will update this Policy and provide required choices.

2. Personal Information We Collect

2.1 Account and Profile Information

We may collect account and profile information, such as name, email address, username, password hash or authentication credentials, company or organization name, role, title, workspace membership, permissions, account preferences, and communication settings.

2.2 Subscription and Billing Information

We may collect subscription and billing information, such as plan type, subscription status, billing frequency, invoice history, payment processor customer ID, transaction ID, billing address, tax location, refund status, cancellation status, and limited payment metadata provided by our payment processor.

We do not intend to store full payment card numbers or card verification codes.

2.3 User Content and Workspace Data

We may process content that you or your authorized users submit to or generate through the Service, including uploaded files, financial data, company lists, saved analyses, dashboards, chart configurations, notes, comments, prompts, generated outputs, reports, exports, workspace settings, and other project materials.

2.4 AI Prompts, Context, and Outputs

If you use AI-assisted features, we may process prompts, instructions, contextual information selected or retrieved from your workspace, uploaded content, connected data, generated outputs, feedback, safety metadata, and troubleshooting logs.

AI features may involve third-party AI providers. Before publication, this policy should identify the applicable categories of AI providers and state whether prompts, context, and outputs are retained, used for training, or subject to enterprise-specific controls.

2.5 Integration Information

If you connect a third-party service, we may collect provider name, linked account identifier, authorization tokens, scopes, permissions, imported files or metadata, synchronization status, logs, error messages, and information sent to or from the integration at your direction.

2.6 Usage, Device, and Log Information

We may automatically collect information such as IP address, device type, browser type, operating system, referring URLs, pages viewed, features used, timestamps, session activity, approximate location derived from IP address, crash reports, error logs, authentication events, and security logs.

2.7 Cookies and Similar Technologies

We may use cookies, pixels, local storage, SDKs, and similar technologies to keep you signed in, remember preferences, secure the Service, detect fraud, measure usage, improve performance, and support analytics or marketing where permitted.

2.8 Support and Communications

We may collect information you provide when you contact us, including support tickets, emails, chat messages, call notes, bug reports, feedback, attachments, screenshots, and other communications.

2.9 Public and Third-Party Source Information

We may collect information from public filings, SEC datasets, company websites, public databases, APIs, RSS feeds, data providers, and other third-party sources to provide financial analysis, research, and related product features. Some of this information may not be personal information. If it includes personal information, we process it as described in this Policy.

3. Sources of Personal Information

3.1 Information You Provide

We collect information directly from you when you create an account, subscribe, upload content, enter prompts, configure dashboards, connect integrations, contact support, respond to surveys, or otherwise use the Service.

3.2 Information Collected Automatically

We collect information automatically from your browser, device, and interactions with the Service, including usage, device, log, cookie, and security information.

3.3 Information From Third Parties

We may receive information from organization administrators, payment processors, identity providers, integration providers, analytics providers, security vendors, support tools, public sources, and other third parties that support the Service.

4. How We Use Personal Information

4.1 Providing and Operating the Service

We use personal information to create and manage accounts, authenticate users, provide dashboards and analyses, generate reports and exports, operate workspaces, process user content, enable collaboration, connect integrations, and deliver requested features.

4.2 Billing and Account Administration

We use personal information to process subscriptions, payments, invoices, taxes, renewals, cancellations, refunds, plan changes, and account communications.

4.3 AI-Assisted Features

We use prompts, context, user content, generated outputs, feedback, and related metadata to provide AI-assisted features, generate requested outputs, monitor abuse, troubleshoot issues, maintain security, and improve the Service as permitted by law and applicable agreements.

4.4 Security and Abuse Prevention

We use personal information to protect accounts, detect unauthorized access, prevent fraud, monitor abuse, enforce our Terms, investigate suspicious activity, maintain logs, and protect the Service, users, and third parties.

4.5 Product Improvement and Analytics

We use usage, device, log, support, and feedback information to understand how the Service is used, diagnose issues, improve features, develop new features, and measure performance.

4.6 Communications

We use personal information to send service messages, account notices, billing notices, security alerts, support responses, product updates, marketing communications where permitted, and other communications.

4.7 Legal and Compliance Purposes

We use personal information to comply with legal obligations, respond to lawful requests, maintain records, resolve disputes, enforce agreements, protect rights, and support audits, tax, accounting, and regulatory obligations.

5. Legal Bases for Processing

5.1 Contract

Where applicable, we process personal information as necessary to provide the Service, manage accounts, process subscriptions, deliver requested features, provide support, and perform our contractual obligations.

5.2 Legitimate Interests

We may process personal information for legitimate interests, such as securing the Service, preventing fraud, improving products, communicating with users, enforcing terms, and protecting rights, where those interests are not overridden by individual rights.

5.3 Consent

We may process personal information based on consent, such as for certain cookies, optional marketing communications, or other activities where consent is required. You may withdraw consent where applicable.

5.4 Legal Obligations

We may process personal information to comply with legal obligations, including tax, accounting, billing, privacy, consumer protection, security, and regulatory obligations.

6. How We Disclose Personal Information

6.1 Service Providers and Processors

We may disclose personal information to vendors and service providers that perform services on our behalf, such as hosting, storage, databases, payment processing, authentication, analytics, AI model services, support, email delivery, security monitoring, logging, diagnostics, error tracking, tax, accounting, and professional services.

6.2 AI Providers

If you use AI-assisted features, we may disclose prompts, context, user content, outputs, and related metadata to AI providers as necessary to provide the requested feature, maintain security, troubleshoot issues, and prevent abuse. We will update this language before publication to reflect actual provider commitments regarding retention and training.

6.3 Payment Processors

Payment processors collect and process payment information. We may receive limited billing metadata, such as subscription status, transaction IDs, invoice details, card brand, and last four digits.

6.4 Integrations You Choose

If you enable an integration, we may disclose information to the third-party service as necessary to provide the integration or as directed by you.

6.5 Organization Administrators

If you use an organization-managed workspace, we may disclose account, usage, workspace, support, and content information to authorized administrators of that organization.

6.6 Legal and Safety Disclosures

We may disclose information if we believe disclosure is reasonably necessary to comply with law, legal process, or government requests; enforce our Terms; detect or prevent fraud, security, or technical issues; protect rights, property, or safety; investigate violations; or respond to disputes or claims.

6.7 Business Transactions

We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction.

6.8 Aggregated or De-Identified Information

We may use and disclose aggregated, anonymized, or de-identified information for analytics, benchmarking, research, product improvement, marketing, or other lawful purposes, provided it does not identify you.

7. Sale, Sharing, and Targeted Advertising

7.1 No Sale or Sharing by Default

We do not intend to sell personal information or share personal information for cross-context behavioral advertising. We also do not intend to use sensitive personal information for purposes that would require a right to limit under California law, except as permitted by law.

7.2 If Practices Change

If our practices change, or if our use of analytics, advertising, or tracking technologies constitutes a sale, sharing, targeted advertising, or similar activity under applicable law, we will update this Policy and provide required notices and choices.

7.3 Opt-Out Preference Signals

Where required by law, we will honor valid opt-out preference signals, such as Global Privacy Control, in accordance with applicable requirements.

8. Cookies and Tracking Choices

8.1 Types of Cookies

We may use essential cookies that are necessary to provide the Service, preference cookies that remember settings, analytics cookies that help us understand usage, and marketing cookies if we enable marketing or advertising features.

8.2 Managing Cookies

You may manage cookies through your browser settings and, where available, through our cookie settings tool. Disabling some cookies may affect Service functionality.

8.3 Non-Essential Cookies

Where required by law, we will obtain consent before using non-essential cookies or similar technologies. We should ensure that any cookie banner, preference center, and tracking configuration match the statements in this Policy.

9. Data Retention

9.1 Retention Principles

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, prevent fraud, support backups, and operate legitimate business records.

9.2 Retention by Category

Subject to applicable law, product configuration, workspace settings, and legal requirements, our retention practices are expected to follow these principles:

• Account and profile information is generally retained while the account is active and for a reasonable period after closure as needed for security, legal, tax, support, and dispute purposes.
• Subscription, invoice, and payment metadata is retained for tax, accounting, audit, chargeback, fraud-prevention, and legal compliance periods.
• User content and workspace data is generally retained while the account or workspace is active, subject to user deletion, administrator controls, backup cycles, and legal holds.
• AI prompts, AI context, and AI outputs are retained according to product settings, provider terms, abuse-monitoring needs, troubleshooting needs, and any enterprise-specific controls.
• Security logs, authentication logs, and audit logs may be retained for a period reasonably necessary to protect the Service, investigate incidents, prevent fraud, and comply with legal obligations.
• Support communications may be retained for support quality, training, dispute resolution, and operational recordkeeping.
• Privacy request records may be retained as necessary to document compliance with privacy obligations.

9.3 Deletion and Backups

When personal information is no longer needed, we will delete, de-identify, or aggregate it according to our retention practices. Deletion from active systems may not immediately remove information from backups, logs, or legally required records.

9.4 Legal Holds and Compliance Exceptions

We may retain information longer where necessary to comply with law, preserve evidence, resolve disputes, enforce agreements, protect the Service, investigate abuse, respond to legal process, or maintain tax, accounting, security, or compliance records.

10. Security

10.1 Security Measures

We use administrative, technical, and organizational measures designed to protect personal information, such as access controls, authentication, encryption where appropriate, monitoring, logging, vendor controls, and security review processes.

10.2 No Absolute Security

No method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for keeping credentials secure, configuring workspace permissions appropriately, and promptly notifying us of suspected unauthorized access.

11. International Data Transfers

11.1 Processing Locations

We may process personal information in the United States and other countries where we or our service providers operate. These countries may have data protection laws different from those in your jurisdiction.

11.2 Transfer Safeguards

Where required by law, we use appropriate safeguards for cross-border transfers, such as adequacy decisions, standard contractual clauses, data processing agreements, or comparable legal mechanisms.

12. Your Privacy Rights and Choices

12.1 Rights Available to You

Depending on your location and applicable law, you may have the right to access personal information, obtain a copy or export, correct inaccurate information, delete information, object to or restrict processing, withdraw consent, opt out of marketing, opt out of sale or sharing where applicable, limit certain uses of sensitive personal information where applicable, appeal a denied request where required, and not be discriminated against for exercising privacy rights.

12.2 How to Submit Requests

You may submit privacy requests through the feedback page or by email (contact@capital-workbench.com). We may need to verify your identity before fulfilling a request.

12.3 Verification and Response Timing

We will respond to privacy requests within the time required by applicable law. We may ask for information reasonably necessary to verify your identity, confirm your authority to act on behalf of another person, locate relevant records, or clarify the scope of your request.

12.4 Organization-Managed Accounts

If your account is managed by an organization, we may direct certain requests to that organization or ask the organization to respond, particularly where the organization controls the relevant workspace content.

12.5 Appeals

Where applicable law provides a right to appeal a denied privacy request, you may appeal by following the instructions provided in our response or by contacting contact@capital-workbench.com.

12.6 Marketing Choices

You may opt out of marketing emails by using the unsubscribe link or contacting us. Even if you opt out of marketing, we may still send transactional or service-related communications, such as account, billing, security, legal, and support messages.

13. California Privacy Notice

13.1 Scope

This Section applies to California residents to the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to us.

13.2 Categories of Personal Information

In the preceding 12 months, we may have collected the following categories of personal information: identifiers; customer records; commercial information; internet or electronic network activity; approximate geolocation information; professional or employment-related information; audio, electronic, or visual information if provided in support interactions; inferences; and sensitive personal information if you choose to provide it or if needed for account security, billing, or compliance.

13.3 Purposes of Collection and Use

We collect and use these categories for the purposes described in this Policy, including operating the Service, billing, support, security, analytics, AI-assisted features, integrations, communications, compliance, and product improvement.

13.4 Categories of Recipients

We may disclose these categories to service providers, processors, payment processors, AI providers, integration providers, organization administrators, professional advisors, authorities where required, and parties to business transactions.

13.5 California Rights

California residents may have the right to know, access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising CCPA rights.

Requests may be submitted through the Feedback page or by email to contact@capital-workbench.com. Authorized agents may submit requests as permitted by law. We may require proof of authorization and identity verification.

13.6 Sensitive Personal Information

We do not intend to use or disclose sensitive personal information for purposes that require a right to limit, except as permitted by law. If our practices change, we will provide required notices and choices.

14. European, UK, and Swiss Privacy Rights

14.1 Rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you may have rights under applicable data protection laws, including the right to access, correct, delete, restrict processing, object to processing, data portability, withdraw consent, complain to a supervisory authority, and receive information about cross-border transfer safeguards.

14.2 Controller and Processor Roles

Where we process personal data on behalf of an organization customer, we may act as a processor and the organization may act as controller. In that case, we may direct requests to the organization unless otherwise required by law.

14.3 Supervisory Authority Complaints

Where applicable, you may have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to address your concern.

15. Children’s Privacy

15.1 Age Limits

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Users must be at least 16 years old unless we revise this policy.

15.2 Deletion of Children’s Information

If we learn that we collected personal information from a child without required authorization, we will delete it as required by law.

16. Security Incidents

16.1 Incident Response

If we discover a security incident involving personal information, we will investigate and take steps appropriate to the nature of the incident. Where required by law, we will notify affected individuals, customers, regulators, or other parties.

17. Third-Party Links and Services

17.1 Third-Party Responsibility

The Service may contain links to third-party websites, data sources, applications, or services. This Policy does not apply to third-party services that we do not control. You should review the privacy policies of those third parties.

18. Changes to This Privacy Policy

18.1 Updates

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice, such as by email, in-product notice, or posting an updated version.

The updated Policy will be effective as of the date stated at the top unless otherwise specified.

19. Contact Us

19.1 Privacy Contact

For questions or requests, contact: contact@capital-workbench.com