Privacy Impact Assessment
Last updated: April 2026
1. Overview
SuperCFO is an AI-powered financial analytics platform that processes uploaded financial documents (Excel, PDF, CSV, images) to generate interactive dashboards, reports, and analysis. This assessment documents how personal and financial data flows through the system, who has access, and what protections are in place.
2. Data Categories Collected
| Category | Examples | Lawful Basis |
|---|---|---|
| Account data | Email address, Google profile name | Contractual necessity |
| Uploaded documents | Financial statements, invoices, receipts, spreadsheets | Contractual necessity + consent |
| Extracted text | Parsed content from uploaded files (numbers, labels, tables) | Contractual necessity |
| Generated outputs | Dashboards, Excel files, presentations, reports | Contractual necessity |
| Usage data | API calls, token usage, credit transactions, timestamps | Legitimate interest |
| Payment data | Subscription tier, Stripe customer ID (card details held by Stripe) | Contractual necessity |
3. Data Flow
- Upload — User uploads a file via browser. File is transmitted over TLS to our server.
- Processing — File is parsed in memory. For PDFs/images, text is extracted via AI (Google Gemini via OpenRouter).
- Analysis — Extracted text is sent to AI models (Anthropic Claude, OpenAI GPT-4o) via OpenRouter for analysis/generation.
- Storage — Extracted text and generated outputs are stored in our PostgreSQL database on DigitalOcean.
- Delivery — Generated dashboards/files are served to the user's browser over TLS.
- Deletion — Users can delete individual items or request full account deletion via self-serve API.
4. Sub-Processors
| Provider | Purpose | Data Shared | Data Retention |
|---|---|---|---|
| Supabase | Authentication (Google OAuth) | Email, auth tokens | Until account deletion |
| OpenRouter | AI model routing (Claude, GPT-4o, Gemini) | Extracted text for analysis | Not retained (pass-through) |
| Anthropic | AI generation (Claude SDK with skills) | Extracted text for file generation | Not retained (API usage) |
| DigitalOcean | Hosting, managed PostgreSQL database | All stored data | Until deletion; backups for 7 days |
| Stripe | Payment processing | Email, subscription tier | Per Stripe's retention policy |
| Docker Hub | Container image registry | No user data | N/A |
5. Data Retention
- User account data — retained until the user deletes their account.
- Uploaded files — original files are not stored. Only extracted text is retained.
- Generated outputs (dashboards, Excel, PPTX) — retained until the user deletes them.
- API usage logs — retained for 12 months for billing and debugging purposes.
- Audit logs — retained for 24 months for compliance.
- Database backups — automated daily backups retained for 7 days (DigitalOcean managed).
6. Cross-Border Data Transfers
SuperCFO's primary infrastructure is hosted on DigitalOcean in the Singapore (SGP1) region. AI processing requests are routed to OpenRouter and Anthropic servers, which may process data in the United States. All transfers are encrypted in transit (TLS 1.3). AI providers do not retain user data after processing.
7. User Rights
Under PDPA (Malaysia) and GDPR (where applicable), users have the right to:
- Access — view all data associated with their account via the app.
- Rectification — update account information via settings.
- Erasure — delete individual items or request full account deletion (self-serve API available).
- Portability — download generated files (Excel, PDF, PPTX) at any time.
- Objection — contact support to opt out of non-essential data processing.
8. Security Measures
- TLS 1.3 encryption in transit with HSTS (2-year policy)
- SSL-enforced database connections with certificate validation
- Google OAuth authentication (no passwords stored)
- Role-based access control, with per-request verification that the requesting user owns the record being read, modified, or deleted
- File upload validation (MIME type, extension, size limits)
- Rate limiting on all API endpoints
- Security headers (CSP, X-Frame-Options, HSTS, Referrer-Policy)
- Non-root Docker containers with pinned base images
- 30-minute session timeout with secure cookie flags
- Parameterized SQL queries for all database access (mitigates SQL injection; no user input is concatenated into query text)
- Audit logging of key user actions
- Automated vulnerability scanning before every deployment
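The upload validation bullet above names three checks but not how they fit together. The following is an added illustration, not SuperCFO's own code: it treats the browser-declared MIME type as untrusted input and cross-checks it against an extension allowlist, a size cap, and the file's leading bytes, with an extra structural check for `.xlsx` (a ZIP container, so the `PK` magic alone only proves "some zip"). The allowlist, the 25 MB cap, and all function names are assumptions; the sample inputs in `run_samples()` are constructed, not real user files.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict

# Assumed cap; the page states only that size limits exist.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024

# Extension -> (accepted declared MIME types, magic-byte prefixes). Assumed allowlist
# covering the formats the overview names (Excel, PDF, CSV, images).
# Windows browsers commonly declare CSV as application/vnd.ms-excel, hence that entry.
ALLOWED = {
    ".pdf":  ({"application/pdf"}, (b"%PDF-",)),
    ".xlsx": ({"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
              (b"PK\x03\x04",)),
    ".csv":  ({"text/csv", "text/plain", "application/vnd.ms-excel"}, ()),
    ".png":  ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
    ".jpg":  ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    ".jpeg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def _extension(filename: str) -> str:
    """Last suffix of the final path component, lowercased ('a/b.pdf.exe' -> '.exe')."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def _is_xlsx_container(data: bytes) -> bool:
    """PK magic only proves 'some zip'; require the workbook part every .xlsx carries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "xl/workbook.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def _looks_like_csv(head: bytes) -> bool:
    """CSV has no magic; insist on NUL-free UTF-8 text whose first line has a delimiter."""
    if b"\x00" in head:
        return False
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    lines = text.splitlines()
    return bool(lines) and any(d in lines[0] for d in (",", ";", "\t"))


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Size cap, extension allowlist, declared-type consistency, then content sniffing."""
    if not data:
        return Verdict(False, "empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, f"exceeds {MAX_UPLOAD_BYTES} bytes")
    ext = _extension(filename)
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext or '(none)'} not allowed")
    mimes, magics = ALLOWED[ext]
    # Strip parameters such as '; charset=binary' before comparing the media type.
    if declared_mime.split(";", 1)[0].strip().lower() not in mimes:
        return Verdict(False, f"declared type {declared_mime!r} does not match {ext}")
    if magics and not any(data.startswith(m) for m in magics):
        return Verdict(False, f"content does not look like {ext}")
    if ext == ".xlsx" and not _is_xlsx_container(data):
        return Verdict(False, "zip container is not a workbook")
    if ext == ".csv" and not _looks_like_csv(data[:4096]):
        return Verdict(False, "content does not look like CSV text")
    return Verdict(True, "accepted")


def _zip_with(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def run_samples() -> Dict[str, Verdict]:
    """Constructed inputs (not real user files) exercising each check."""
    xlsx_mime = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    workbook = _zip_with({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})
    plain_zip = _zip_with({"payload.bin": b"\x00" * 8})
    return {
        "pdf_ok": validate_upload("q1.pdf", "application/pdf", b"%PDF-1.7\n1 0 obj<<>>"),
        "exe_as_pdf": validate_upload("q1.pdf", "application/pdf", b"MZ\x90\x00" + b"\x00" * 60),
        "double_ext": validate_upload("q1.pdf.exe", "application/pdf", b"%PDF-1.7\n"),
        "xlsx_ok": validate_upload("ledger.xlsx", xlsx_mime, workbook),
        "zip_as_xlsx": validate_upload("ledger.xlsx", xlsx_mime, plain_zip),
        "csv_ok": validate_upload("tx.csv", "text/csv", b"date,amount\n2026-01-01,10.50\n"),
        "binary_as_csv": validate_upload("tx.csv", "text/csv", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        "too_large": validate_upload("big.pdf", "application/pdf",
                                     b"%PDF-" + b"0" * (MAX_UPLOAD_BYTES - 4)),
    }


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:14s} ok={verdict.ok!s:5s} {verdict.reason}")
```

The order matters: the size check runs before anything touches the bytes, the extension check looks only at the last suffix of the last path component (so `report.pdf.exe` is rejected rather than matched on `.pdf`), and sniffing runs last so that a mismatch between what the client claimed and what it actually sent is reported before any parser sees the content.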
9. Contact
For privacy-related inquiries, data deletion requests, or to exercise your rights, contact us at support@supercfo.app.