Privacy Policy
Last Updated: 2026-06-07
This Privacy Policy explains how Human Beyond LLC ("MainBook", "Company", "we", "us", "our"), a Florida limited liability company with its principal place of business at 1818 Hollywood Blvd, Hollywood, FL 33020, collects, uses, shares, and protects personal information in connection with the MainBook service available at mainbook.ai (the "Service").
This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service. If you do not agree with this Privacy Policy, you may not access or use the Service.
This Privacy Policy is supplemented by our Data Processing Agreement, AI Disclosure, Cookie Policy, and Sub-Processors list.
1. Who Is Responsible for Your Data
The data controller for personal information processed under this Privacy Policy is Human Beyond LLC, a Florida limited liability company, contactable at:
- Email: hello@human-beyond.ai
- Mail: Human Beyond LLC, 1818 Hollywood Blvd, Hollywood, FL 33020, United States
For data-protection inquiries, including requests under the General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), or other applicable privacy laws, please contact us at the email address above.
2. Whose Data Is This About
The Service processes several distinct categories of data. It is important to understand the distinction, particularly if you are a professional (bookkeeper, accountant, certified public accountant, tax preparer, or financial advisor) processing documents on behalf of clients.
2.1 Your personal data (you, the User). This includes your name, email address, account credentials, payment-related identifiers, IP address, device fingerprint, and usage data generated by your interaction with the Service. We are the data controller for this information.
2.2 Third-party personal data contained in documents you upload. When you upload a bank or credit card statement, that document may contain personal data of third parties — for example, the names, addresses, account numbers, transaction descriptions, and other identifying information of the account holder, employers, payees, vendors, customers, or others. If you are using the Service in a professional capacity for your clients, you are the data controller for this third-party data, and MainBook acts as a processor on your instructions. This relationship is governed by our Data Processing Agreement.
2.3 Aggregated and anonymized data. We may generate aggregated or anonymized statistics, performance metrics, and operational telemetry from the use of the Service. Such data, once anonymized so that no individual can reasonably be identified, is not personal data and may be used by us for any legitimate business purpose.
3. Your Representations as the Uploader
When you upload a document containing personal data of third parties, you represent and warrant that:
(a) you have all legal authority required to process such data through the Service, including any consent or notification required under applicable law;
(b) you have provided all required privacy notices to the data subjects whose data is contained in the document;
(c) you accept full responsibility as the data controller for such third-party data; and
(d) MainBook acts solely as your processor for such third-party data on your documented instructions.
If you are unable to make these representations, you must not upload the document.
4. Personal Data We Collect from You
4.1 Account data. Email address, password (stored in hashed form using industry-standard hashing algorithms), display name (if provided), and authentication-related identifiers (including identifiers from Google OAuth if you sign in via Google).
4.2 Onboarding data. If you complete the onboarding quiz, your responses (used to tailor the Service experience).
4.3 Profile and settings data. Any settings, preferences, dashboard layout choices, two-factor authentication configuration (including TOTP and backup codes, both stored hashed), and similar customization data you create or modify.
4.4 Content you upload. Bank statement and credit card statement PDFs, images, or other document files you submit for conversion.
4.4.1 Document unlock passwords. If a document you upload is password-protected (encrypted), we may ask you to enter that document's password so we can unlock it for conversion. We receive this password over an encrypted connection and use it one time, on our server, solely to decrypt that specific file. We do not store it in our database or our logs, do not use it for any other purpose, and discard it after the single decryption attempt.
4.5 Output data. Structured data generated by the Service from your uploaded documents (extracted transactions, balances, account metadata, and exported files in XLSX, CSV, or JSON format).
4.6 Payment-related data. When you purchase Credits, our payment processor (Stripe) collects your payment-method information directly. We receive a transaction identifier, the package code purchased, the amount paid, and a receipt URL. We do not receive or store your full payment-card number.
4.7 Communications data. If you contact us (for example, via the in-product help form or by email), we receive and retain the content of your communications, your email address, and any attachments you provide.
4.8 Technical and usage data. IP address, user agent (browser type, operating system version, device type), referral URL, timestamps of access, pages or features accessed, document processing metadata (file size, page count, processing duration, success or error status), and similar diagnostic information.
4.9 Device fingerprint. A device fingerprint generated from technical signals (used for anti-fraud and guest-tier abuse prevention).
4.10 Anti-fraud signals. Cloudflare Turnstile challenge results and similar anti-fraud telemetry generated during your interaction with the Service.
4.11 Error and crash telemetry. Diagnostic information about errors and crashes within the Service (collected via our error-tracking sub-processor, Sentry, configured to exclude personally identifiable information by default).
4.12 Analytics data. With your consent, we collect web-analytics data via Google Analytics 4 — the pages and features you view, events you trigger, approximate (region-level) location derived by Google from your IP address, device and browser metadata, and a Google Analytics client identifier. This data is not collected until you accept analytics cookies on our cookie-consent banner; before you consent (and if you decline), any measurement is cookieless and aggregated. See our Cookie Policy for the cookies involved and the consent mechanism.
4.13 Advertising and measurement data (Meta Pixel). With your consent, we use the Meta Pixel (Facebook Pixel) for advertising conversion measurement and audience building for our Meta (Facebook/Instagram) ad campaigns. When enabled, it collects online identifiers (the value of Meta's first-party _fbp browser-identifier cookie and, only if you arrived from a Meta ad link, the _fbc click-identifier cookie), the page URL and referrer, your IP address (used by Meta), and device and browser metadata, and sends them to Meta on a standard PageView event. We do not enable Meta's Advanced Matching feature — we do not send hashed email, phone number, or name to Meta — and we do not transmit your uploaded documents, the extracted data (Output), financial amounts, or your account credentials or passwords to Meta. This data is not collected until you accept advertising cookies on our cookie-consent banner; before you consent (and if you decline), the Meta Pixel is held with consent revoked and does not fire or set any cookie. See our Cookie Policy for the cookies involved and the consent mechanism.
5. How We Use Personal Data
We use personal data for the following purposes:
5.1 To provide the Service. Authenticating you, creating and managing your Account, processing documents you upload, generating Output, delivering exports, charging you for Credits, sending Service notifications, and providing customer support.
5.2 To secure the Service. Detecting and preventing fraud, abuse, unauthorized access, and security incidents; enforcing our Terms of Service and Acceptable Use Policy; and maintaining the integrity, availability, and confidentiality of the Service.
5.3 To comply with our obligations. Meeting our legal, regulatory, tax, accounting, audit, dispute resolution, and contractual obligations, including obligations imposed by our payment processor, financial-services partners, and other sub-processors.
5.4 To operate, analyze, and improve the Service. Generating aggregated and anonymized analytics, monitoring performance, identifying bugs and errors, improving the reliability and accuracy of the conversion pipeline, prioritizing engineering work, and similar internal operational purposes. This includes, with your consent, first-party web analytics collected via Google Analytics 4, and advertising conversion measurement and audience building for our Meta (Facebook/Instagram) ad campaigns collected via the Meta Pixel.
5.5 To communicate with you. Sending transactional and Service-related communications (including notifications about your Account, document processing status, billing, security, and material changes to our Terms or this Privacy Policy). With your separate opt-in consent, we may also send product updates, tips, or other non-transactional communications; you may withdraw such consent at any time using the unsubscribe link in those messages.
5.6 To enforce our rights. Establishing, exercising, or defending legal claims, and complying with valid legal process.
6. Lawful Basis for Processing (GDPR)
Where the GDPR or UK GDPR applies to our processing of your personal data, we rely on the following lawful bases under Article 6:
| Purpose | Lawful Basis |
|---|---|
| Providing the Service to you (Section 5.1) | Performance of a contract (Article 6(1)(b)) |
| Securing the Service, preventing fraud and abuse (Section 5.2) | Legitimate interests in protecting our business, our users, and our infrastructure (Article 6(1)(f)) |
| Complying with legal obligations (Section 5.3) | Legal obligation (Article 6(1)(c)) |
| Operating, analyzing, and improving the Service (Section 5.4) | Legitimate interests in operating, maintaining, and improving a useful product (Article 6(1)(f)) |
| Web analytics via Google Analytics (Section 4.12) | Consent (Article 6(1)(a)) — only when you accept analytics on our cookie banner |
| Advertising and conversion measurement via Meta Pixel (Section 4.13) | Consent (Article 6(1)(a)) — only when you accept cookies on our banner |
| Transactional communications (Section 5.5) | Performance of a contract (Article 6(1)(b)) |
| Non-transactional product updates (Section 5.5) | Consent (Article 6(1)(a)) — only when you have opted in |
| Defending legal claims (Section 5.6) | Legitimate interests, or where required, legal obligation |
You have the right to object to processing based on legitimate interests, as set out in Section 11.
7. We Do Not Sell Your Personal Data
We do not sell your personal data for monetary consideration. Except where you have consented to analytics and advertising cookies as described in our Cookie Policy, we do not engage in cross-context behavioral advertising, and we do not authorize our service providers to use your personal data for purposes other than providing services to us.
With your consent (given via our cookie-consent banner), we use Google Analytics and, for advertising measurement connected to our Google Ads campaigns, transmit online identifiers (such as a Google Analytics client identifier and cookie data) and usage data to Google; and we use the Meta Pixel (Facebook Pixel) for advertising conversion measurement connected to our Meta (Facebook/Instagram) ad campaigns, transmitting online identifiers (such as the Meta _fbp / _fbc cookie values) and usage data to Meta. Depending on your jurisdiction, either of these may be treated as "sharing" for cross-context behavioral advertising under the CCPA or other U.S. state privacy laws (the CCPA treats pixel-based ad sharing as "sharing"). You can decline at any time by choosing Reject on our banner or by changing your choice via the footer "Cookie settings" link, and we honor Global Privacy Control signals; that is our opt-out mechanism. We do not sell personal data for monetary consideration.
8. Whom We Share Your Data With
We share personal data only as described in this Section 8 and in our Sub-Processors list.
8.1 Service providers (sub-processors). We engage third-party service providers to perform functions necessary to operate the Service. Each sub-processor processes personal data only on our documented instructions and is contractually bound to confidentiality, security, and data-protection obligations. The current list, the category of data each processes, and their location is published at Sub-Processors. The list as of the effective date above includes:
- Mistral AI (France) — optical character recognition (OCR) of uploaded documents
- Google LLC (United States) — large-language-model structured extraction of transaction data via the Gemini API (accessed on a paid basis), authentication (Google OAuth, only if you sign in via Google), and audience analytics via Google Analytics 4 (only with your consent)
- Meta Platforms, Inc. (United States) — advertising conversion measurement and audience building via the Meta Pixel (Facebook Pixel), only with your consent
- Stripe, Inc. (United States) — payment processing
- Plus Five Five, Inc. d/b/a Resend (United States) — transactional email delivery
- DigitalOcean, LLC (United States) — application hosting and object storage (Spaces)
- Vercel, Inc. (United States) — front-end application hosting and content delivery
- Functional Software, Inc. d/b/a Sentry (United States) — error tracking
- Cloudflare, Inc. (United States) — anti-fraud challenges (Turnstile)
- Telegram (Telegram Messenger Inc.) — internal operator alerts only (we send ourselves a short notification, which for signup and payment events includes your email address; not a user-facing messaging feature)
8.2 Legal and protective disclosures. We may disclose personal data when we reasonably believe disclosure is required to: (a) comply with a valid legal obligation, subpoena, court order, or other legal process; (b) enforce our Terms or other policies; (c) protect our rights, property, safety, or those of our Users or others; or (d) detect, prevent, or address fraud, security, or technical issues.
8.3 Government access requests. If we receive a request from a governmental or public authority to disclose personal data, and unless we are legally prohibited from doing so or determine in good faith that an urgent risk of serious harm requires immediate disclosure, we will: (a) endeavor to redirect the requesting authority to obtain the data directly from you; (b) assess the request and challenge it where we determine it is unlawful, overly broad, or disproportionate; and (c) disclose only the minimum amount of personal data strictly required.
8.4 Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of all or part of our assets, or similar transaction, personal data may be transferred as part of that transaction, subject to the acquirer or successor honoring this Privacy Policy (or providing equivalent protections) as it applies to the transferred data.
8.5 With your consent. We may share personal data with other parties when you have given us your consent to do so.
9. International Data Transfers
9.1 Cross-border processing. The Service is operated from the United States. Most of our sub-processors are located in the United States or the European Union. Your personal data may be transferred to, stored in, and processed in countries other than the country in which you reside. These countries may have data-protection laws that differ from those of your country.
9.2 EU/UK to U.S. transfers. Where personal data subject to the GDPR or UK GDPR is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission or equivalent body, we rely on the Standard Contractual Clauses ("SCCs") approved by the European Commission (Module 2: controller-to-processor; or Module 3: processor-to-processor, as applicable), the UK International Data Transfer Addendum to the EU SCCs, or another lawful transfer mechanism, as applicable. A copy of the relevant transfer mechanism is available on request to hello@human-beyond.ai.
9.3 Supplementary measures. Where required, we apply supplementary technical and organizational measures (such as encryption in transit and at rest, access controls, and contractual restrictions on government-access requests) to protect transferred personal data.
10. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected and as set out below. After the applicable retention period, we delete or anonymize the data, except where we are required to retain it for a longer period to comply with a legal obligation, defend or assert legal claims, or for similar legitimate purposes.
| Category of data | Retention period |
|---|---|
| Uploaded documents (your Content) | Ninety (90) days from the date of upload, after which the files are automatically deleted. We retain this period to support customer-dispute windows, re-download convenience, support investigations, and security-incident response. |
| Output (extracted transactions, exports) | The same retention period as the underlying uploaded document. |
| Account data (email, hashed password, settings, two-factor configuration) | For the duration of your Account, plus a short reasonable period after Account closure for backup integrity and dispute resolution. |
| Payment, billing, and tax records | Up to seven (7) years from the date of the transaction, as required by U.S. federal and state tax and bookkeeping laws (including IRS recordkeeping requirements). |
| Audit logs, security logs, and incident records | Up to seven (7) years from the date of the event, for security, fraud-prevention, dispute resolution, and legal-defense purposes. |
| Anti-fraud signals (device fingerprint, Turnstile results) | For as long as reasonably required to prevent abuse, typically the lifetime of the Account plus a short reasonable period. |
| Error and crash telemetry (Sentry) | Up to ninety (90) days by default, subject to Sentry's retention configuration. |
| Communications you send to us | For the duration of your Account, plus a reasonable period thereafter for record-keeping and dispute resolution. |
| Anonymized or aggregated data | Indefinitely, as it is no longer personal data. |
If you delete your Account, we will delete or anonymize your personal data within a reasonable period (typically thirty (30) days), except for data we are required to retain under the schedule above or by applicable law. Account deletion permanently anonymizes (rather than deletes) records that we must retain for tax, audit, or legal-defense purposes (payments, audit logs, transaction records), in accordance with our Terms of Service and applicable laws including IRS recordkeeping rules and the GDPR Article 17(3)(b) exception (retention for the establishment, exercise, or defense of legal claims).
11. Your Privacy Rights
Depending on where you reside, you may have certain statutory rights in relation to your personal data. We will respect and honor these rights to the extent required by applicable law.
11.1 Rights you may have. Subject to applicable law, you may have the right to:
(a) access personal data we hold about you;
(b) rectify personal data that is inaccurate or incomplete;
(c) erase ("right to be forgotten") personal data, subject to applicable retention obligations;
(d) restrict processing of your personal data in certain circumstances;
(e) object to processing based on legitimate interests;
(f) data portability — receive your personal data in a structured, commonly used, machine-readable format;
(g) withdraw consent at any time where we rely on your consent (this does not affect the lawfulness of processing carried out before withdrawal);
(h) lodge a complaint with your local data-protection authority (in the EU/EEA, the supervisory authority of your member state; in the UK, the Information Commissioner's Office);
(i) not be subject to automated decisions producing legal or similarly significant effects without human review (we do not currently make such automated decisions about you).
11.2 California residents (CCPA / CPRA). Subject to the CCPA and related California laws, California residents have the rights to (a) know what personal data we collect, use, disclose, and (where applicable) sell or share; (b) request deletion of their personal data; (c) correct inaccurate personal data; (d) limit the use and disclosure of "sensitive personal information"; and (e) not be discriminated against for exercising any privacy right. We do not sell your personal data for monetary consideration. We "share" personal data for cross-context behavioral advertising only where you have consented to analytics and advertising cookies — specifically, the consent-based use of Google Analytics and the Meta Pixel (Facebook Pixel) described in Section 7 and our Cookie Policy; note that the CCPA treats pixel-based ad sharing as "sharing." You may opt out at any time via the "Reject" option, the footer "Cookie settings" link, or a Global Privacy Control signal.
11.3 How to exercise your rights. To exercise any of these rights, contact us at hello@human-beyond.ai. We will respond within the time period required by applicable law (generally within 30 days under the GDPR; within 45 days under the CCPA, with a possible 45-day extension where allowed). We will require you to verify your identity before fulfilling your request. Verifiable requests are free of charge. We may charge a reasonable fee or decline to act on a request that is manifestly unfounded or excessive (for example, repetitive requests), as permitted by applicable law (GDPR Article 12(5)).
11.4 Authorized agents (California). California residents may designate an authorized agent to make a request on their behalf. We may require the agent to provide proof of authorization and may require you to verify your own identity directly with us.
11.5 Limits. We may decline a request or partially comply where required or permitted by law, including where we cannot verify your identity, where compliance would adversely affect the rights of others, or where we are required to retain the data under another legal obligation.
12. Security
We implement commercially reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures currently include encryption of data in transit (using TLS 1.2 or higher), encryption of data at rest where supported by our hosting and storage providers, role-based access controls within our internal systems, password hashing using industry-standard algorithms, two-factor authentication for sensitive operations, error monitoring with PII filtering (including redaction of any document unlock password described in Section 4.4.1, so that it is not retained in our error-monitoring records), anti-fraud challenge mechanisms, and routine security review.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially reasonable efforts to protect your personal data, we cannot guarantee absolute security.
In the event of a personal data breach affecting your personal data, we will notify you without undue delay following our discovery of the breach. For incidents affecting personal data subject to the GDPR or UK GDPR, we will notify affected Users or, where applicable, the data controller, no later than forty-eight (48) hours after we become aware of the breach. Notification will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take in response, consistent with GDPR Article 33(3). Any such notification will not be deemed an acknowledgment of fault or liability on our part.
13. AI and Machine Learning
The Service uses optical character recognition and large-language-model technology provided by third-party AI sub-processors. We do not use your uploaded documents, the extracted data, or your Output to train or improve our own AI models. We engage AI sub-processors that, in accordance with their published terms applicable to commercial or API customers, are configured for no-training defaults or are contractually committed not to use Customer data to train their models, in each case where such configuration or commitment is available. For full disclosure of our current AI sub-processors and their specific data-use commitments, please see our AI Disclosure, which we update as our sub-processor mix changes.
14. Cookies and Local Storage
We use a small number of strictly necessary cookies and local-storage items required to operate the Service (including authentication tokens, CSRF tokens, anti-fraud signals, and limited UI preferences) and, only with your consent, Google Analytics 4 analytics cookies and Meta Pixel (Facebook Pixel) advertising cookies (_fbp / _fbc). No analytics or advertising cookies are set until you accept them on our cookie-consent banner. Full details and the consent mechanism are in our Cookie Policy.
15. Children
The Service is not directed to, and we do not knowingly collect personal data from, children under the age of eighteen (18). If we become aware that we have collected personal data from a person under eighteen (18), we will delete that data as soon as reasonably practicable. If you believe we may have collected personal data from a person under eighteen (18), please contact us at hello@human-beyond.ai.
16. Third-Party Links and Services
The Service may link to or integrate with third-party websites or services that we do not control. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of any third party. Please review the privacy policies of those third parties before providing them with your personal data.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this Privacy Policy reflects the date of the most recent change. If we make a material change, we will provide at least thirty (30) days' advance notice by email to the address associated with your Account or by prominent notice within the Service. Material changes take effect at the end of the notice period; your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
Non-material changes (such as formatting, typographical corrections, or clarifications that do not adversely affect your rights) take effect immediately upon posting.
18. Contact
For privacy questions, complaints, or to exercise your rights:
Human Beyond LLC Attn: Privacy 1818 Hollywood Blvd Hollywood, FL 33020 United States Email: hello@human-beyond.ai
EU and UK data subjects: if you are not satisfied with our response, you may lodge a complaint with your local data-protection authority. We are based in the United States; if you require a U.S.-based point of contact for your privacy inquiry, the email address above is our designated contact.