Privacy Policy — Trailing Paper

Effective Date: April 24, 2026 | Last Updated: April 24, 2026

1. Introduction

Trailing Paper ("Trailing Paper," "we," "us," or "our") operates a B2B SaaS platform that enables small businesses to create invoices, send estimates, collect card payments from clients, and manage business finances. We are committed to protecting the privacy of the individuals and businesses that use our platform. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have with respect to your data.

Please read this Privacy Policy carefully. By registering for an account, accessing the Service, or interacting with any Trailing Paper client-facing page (such as an invoice or estimate link), you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Service.

This Privacy Policy does not constitute legal advice. If you have questions about your specific legal obligations or rights, consult qualified legal counsel.

2. Who This Policy Applies To

This Privacy Policy applies to two distinct groups of individuals who interact with Trailing Paper:

Merchants — businesses and individuals who register for a Trailing Paper account to create invoices, send estimates, accept payments, and manage their business finances. Merchants undergo a full account registration and, where applicable, KYC onboarding through Finix. The majority of this Privacy Policy addresses data collected from and about Merchants.
Clients — third parties (the customers of Merchants) who receive invoices or estimates via unique URLs and may interact with those pages to view charges, approve estimates, or submit payment. Clients are not required to create a Trailing Paper account. The data Trailing Paper directly collects from Clients is limited and is described separately below.

If you are a Client visiting an invoice or estimate page, your primary data relationship for payment processing is with Finix Payments, Inc., not with Trailing Paper. Please review Finix's privacy policy for information on how your payment card data is handled.

3. Information We Collect

3.1 Merchant Account Information

When you register for a Trailing Paper account, we collect:

Full name and email address
Password (stored in irreversibly hashed form — we do not store your plaintext password)
Profile data you choose to add (such as business name or phone number during account setup)
If you authenticate via Google Sign-In: your name, email address, and Google profile ID (see Section 8)

3.2 KYC and Identity Verification Data

To enable payment acceptance through Finix, Trailing Paper is required by federal law — including the Bank Secrecy Act (BSA) and applicable Anti-Money Laundering (AML) regulations — to collect Know Your Customer (KYC) information. This data is collected through our onboarding flow and transmitted to Finix for merchant underwriting. KYC data we collect includes:

Legal business name and business type (e.g., sole proprietorship, LLC, corporation)
Employer Identification Number (EIN) or, for sole proprietors, Social Security Number (SSN)
Business address and business phone number
Owner's legal name, date of birth (DOB), SSN, and home address
Ownership percentage (for multi-owner entities)

Collection of this data is not optional for Merchants who wish to accept card payments. See Section 5 for details on how KYC data is handled and protected.

3.3 Bank Account Information

To receive settlement funds from card payments, you must link a business bank account. Bank account linking is facilitated through Plaid Inc. (see Section 7). Through the Plaid connection process, we receive your bank account routing number and account number solely for the purpose of configuring your settlement destination with Finix. We do not use your bank account credentials for any other purpose.

3.4 Business and Transaction Data

In the course of your use of the Service, we collect and store the business data you create or input, including:

Invoices and line items (descriptions, quantities, amounts, due dates)
Estimates and associated approval records
Client records (client names, email addresses, and contact information you add to your account)
Payment history and transaction records associated with invoices
Notes and custom fields you create within the platform

3.5 Subscription and Billing Data

If you subscribe to a paid Trailing Paper plan, we collect information related to your subscription, including your chosen plan tier, billing cycle, and payment method metadata (such as the last four digits of your card and card type). Trailing Paper does not receive, store, or process your full card number, CVV, or expiration date for subscription billing — that data is handled by our billing processor in compliance with PCI-DSS standards.

3.6 Usage and Technical Data

We automatically collect certain technical data when you use the Service, including:

IP address and approximate geographic location
Browser type and version, device type, and operating system
Session data including pages viewed, features used, and time spent
Referral URL and click-path data within the platform
Log data including error reports and diagnostic information

This data is used to operate, maintain, secure, and improve the Service. It is not used to build advertising profiles or shared with advertising networks.

3.7 Data Collected from Client-Facing Pages

Clients who visit invoice or estimate pages shared by Merchants interact with pages hosted by Trailing Paper. The data we directly collect from Clients on those pages is limited to:

IP address and browser/device information for security and fraud prevention purposes
Page view and interaction events (e.g., when an invoice was viewed or when an estimate was approved)

Trailing Paper does not collect or store payment card numbers, CVV codes, or card expiration dates from Clients. Card payment data submitted on invoice pay pages is transmitted directly to Finix's PCI-DSS-compliant infrastructure. If Finix collects a Client's name or email address for receipt delivery, that information is governed by Finix's own privacy policy. Trailing Paper may receive limited transaction confirmation metadata from Finix (such as a transaction ID and status) but not raw cardholder data.

4. How We Use Information

We use the information we collect for the following purposes:

Provide and operate the Service. To create and maintain your account, enable invoicing and payment functionality, process your subscription, and deliver the features of the Trailing Paper platform.
Payment processing and merchant onboarding. To transmit KYC data to Finix for merchant underwriting, configure your settlement bank account through Plaid, and facilitate card payment acceptance on your behalf.
Compliance with legal obligations. To fulfill requirements under applicable federal and state law, including BSA/AML requirements, financial recordkeeping obligations, and responding to lawful requests from governmental authorities.
Fraud prevention and security. To detect, investigate, and prevent fraudulent transactions, unauthorized account access, abuse of the Service, and other harmful or illegal activity.
Customer support. To respond to your inquiries, troubleshoot issues, and provide assistance with your account.
Service improvement. To analyze usage patterns, diagnose technical problems, develop new features, and improve the overall quality and reliability of the Service.
Communications. To send you important notices about your account, subscription, changes to the Service, or this Privacy Policy. We may also send you product updates or newsletters if you have opted in; you may opt out at any time.
Legal defense and enforcement. To enforce our Terms of Service, protect our rights, and defend against legal claims.

We do not use your personal information to serve you third-party advertising, build advertising profiles, or engage in behavioral targeting across other websites or platforms.

5. KYC Data — Special Handling

KYC data — including SSN, DOB, EIN, and home address — is among the most sensitive personal information we collect. We treat it accordingly with the following protections and limitations:

Legal basis for collection. Collection of KYC data is required by federal law, specifically the Bank Secrecy Act and FinCEN's Customer Due Diligence (CDD) rule, as a condition of enabling payment processing through Finix. We do not collect KYC data beyond what is required for this purpose.
Encryption. KYC data is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 or equivalent encryption) on our systems.
Access controls. Access to KYC data within Trailing Paper is strictly limited to personnel and systems that require it for onboarding operations. Access is logged and audited.
Transmission to Finix. KYC data is transmitted to Finix Payments, Inc. for the purpose of merchant underwriting and identity verification. Once transmitted, the handling of that data within Finix's systems is governed by Finix's privacy policy and applicable regulatory requirements.
No sale or rent. We do not sell, rent, license, or otherwise commercially exploit KYC data. We do not share KYC data with any party other than Finix (for onboarding purposes) and governmental authorities when required by law.
Retention. We retain KYC data for the period required by law or by Finix's merchant program requirements, which is generally a minimum of five (5) years following the termination of your merchant relationship, consistent with BSA recordkeeping requirements.

6. Payment Card Data

Trailing Paper does not receive, store, process, or transmit payment card numbers, CVV codes, or card expiration dates. All payment card data submitted through Trailing Paper invoice payment pages is collected exclusively by Finix Payments, Inc. and processed within Finix's PCI-DSS-certified infrastructure. Trailing Paper is not in scope for PCI-DSS cardholder data environment requirements with respect to card numbers.

When a Client submits a card payment on an invoice page, the card data is transmitted directly from the Client's browser to Finix using Finix's tokenization libraries or hosted payment fields. Trailing Paper receives only non-sensitive confirmation data from Finix after a transaction is processed, such as a transaction ID, payment status, and the last four digits of the card used. This confirmation metadata is stored by Trailing Paper solely to update the invoice payment status in your account.

For information about how Finix handles payment card data, please review Finix's Privacy Policy at finix.com/privacy-policy.

7. Bank Account Linking — Plaid

Trailing Paper uses Plaid Inc. ("Plaid") to facilitate secure bank account linking for settlement purposes. When you connect your bank account through Trailing Paper, you will be redirected to or presented with a Plaid-hosted authentication interface. Plaid acts as an intermediary between you and your financial institution using an OAuth-based flow.

Through the Plaid connection, Trailing Paper receives your bank account routing number and account number in order to configure your settlement account with Finix. Trailing Paper does not receive your online banking username or password. Trailing Paper does not use your linked bank account data for any purpose other than configuring payment settlement.

Your use of Plaid's services is also governed by Plaid's Privacy Policy, which you are encouraged to review. You may disconnect your linked bank account at any time through your Trailing Paper account settings, subject to any pending settlement activity. Disconnecting your bank account will not delete previously transmitted routing and account information already on file with Finix.

8. Google Sign-In Data

If you choose to register or log in to Trailing Paper using Google Sign-In, Google shares the following information with us: your full name, email address, and Google profile ID. We use this information exclusively for the purpose of authenticating your identity and associating your Trailing Paper account with your Google account.

Trailing Paper does not receive your Google account password. We do not use Google Sign-In data for advertising purposes, and we do not share the data obtained through Google Sign-In with any third party except as otherwise described in this Privacy Policy (e.g., for account-level communications or legal compliance). We do not access any Google services, contacts, Drive files, or other Google account data beyond the profile fields described above.

Your use of Google Sign-In is also subject to Google's Privacy Policy and Google's Terms of Service. You may disconnect Google Sign-In from your Trailing Paper account through your account settings, provided you have configured an alternative authentication method (such as an email and password) first.

9. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following circumstances:

Service providers. We share information with third-party vendors and service providers who assist us in operating the Service, such as cloud hosting providers, database infrastructure providers, email delivery services, and customer support tools. These providers are contractually obligated to use your information only as directed by Trailing Paper and to maintain appropriate security measures.
Finix Payments, Inc. We share KYC data, bank account information, and transaction-related data with Finix as required to provide payment processing services, comply with financial regulations, and fulfill our obligations under the Finix sub-merchant program. Finix's use of this data is governed by its own privacy policy and applicable law.
Plaid Inc. We share information necessary to initiate and complete bank account linking through Plaid's platform. Plaid's use of information obtained during this process is governed by Plaid's Privacy Policy.
Legal requirements. We may disclose your information when required by applicable law, regulation, court order, subpoena, or other valid legal process, including requests from tax authorities, financial regulators, or law enforcement agencies. Where permitted by law, we will attempt to notify you of such requests before disclosing your information.
Protection of rights. We may disclose information if we believe in good faith that disclosure is necessary to prevent fraud, protect the security of the Service, enforce our Terms of Service, or protect the rights, property, or safety of Trailing Paper, our users, or the public.
Business transfers. In the event of a merger, acquisition, asset sale, reorganization, or other business transfer involving Trailing Paper, your information may be transferred to the acquiring entity as part of that transaction. We will notify you via email or in-app notice if your information becomes subject to a materially different privacy policy as a result of such a transaction.
With your consent. We may share your information for any other purpose with your explicit consent.

10. Data Security

We implement technical and organizational security measures designed to protect your information from unauthorized access, loss, misuse, alteration, or destruction. These measures include:

Encryption of data in transit using TLS 1.2 or higher for all communications between your browser and our servers
Encryption of sensitive data at rest, including KYC data and account credentials, using industry-standard algorithms
Role-based access controls limiting employee and system access to personal data on a need-to-know basis
Regular review of security practices and infrastructure
Password hashing using modern, computationally resistant hashing algorithms (plaintext passwords are never stored)

No method of data transmission or storage is completely secure. While we take reasonable and appropriate steps to protect your information, we cannot guarantee the absolute security of data transmitted to or stored on our systems. You use the Service at your own risk. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

11. Cookies and Tracking Technologies

Trailing Paper uses cookies and similar technologies to operate the Service effectively. We use the following categories of cookies:

Strictly necessary cookies. These cookies are required for the Service to function. They include session authentication tokens that keep you logged in, CSRF protection tokens, and cookies that remember your security preferences. You cannot opt out of these cookies while using the Service.
Preference cookies. These cookies remember your settings and preferences within the platform (such as display preferences or saved filter states) so that you do not need to reconfigure them each session.
Analytics cookies. We may use first-party analytics tools to understand how the Service is used, identify areas for improvement, and measure feature adoption. This data is aggregated and not used to identify individual users for advertising purposes.

Trailing Paper does not use third-party advertising cookies, does not participate in cross-site behavioral advertising networks, and does not share cookie-derived data with advertising platforms. You can control cookies through your browser settings, but disabling strictly necessary cookies may impair your ability to use the Service.

12. Data Retention

We retain different categories of data for different periods based on legal requirements, operational necessity, and your instructions:

KYC data. Retained for the period required by applicable law and Finix's program requirements — generally a minimum of five (5) years after termination of the merchant relationship, consistent with BSA recordkeeping obligations.
Financial records (invoices, estimates, payment history). Retained for up to seven (7) years following the date of the record, consistent with common business recordkeeping and tax compliance requirements.
Account information. Retained for the duration of your account, plus a reasonable period thereafter to facilitate reactivation, comply with legal obligations, and resolve disputes. Upon confirmed account deletion, identifying account data is deleted or anonymized within 90 days, subject to the exceptions below.
Usage logs and technical data. Retained for 30 to 180 days depending on the type of log and its purpose (security logs are retained longer than routine usage logs).
Backup copies. Data may exist in encrypted backup copies for 30 to 90 days on a rolling basis following deletion from primary systems.

Notwithstanding any deletion request, we may retain data that we are legally required to retain, that is necessary to resolve pending disputes, to enforce our agreements, or that has been de-identified or aggregated such that it can no longer be associated with you.

13. Your Rights and Choices

Subject to applicable law, you may have the following rights with respect to your personal information:

Access. You may request a copy of the personal information we hold about you.
Correction. You may request that we correct inaccurate or incomplete personal information about you. Many fields can be corrected directly within your account settings.
Deletion. You may request that we delete your personal information. We will honor deletion requests to the extent permitted by law and subject to our legal retention obligations (including BSA/AML requirements for KYC data and financial recordkeeping requirements for transaction records).
Data portability. You may request an export of certain data associated with your account in a machine-readable format, where technically feasible.
Withdrawal of consent. Where our processing of your data is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.
Account deletion. You may request deletion of your Trailing Paper account by contacting us at support@trailingpaper.com. Account deletion will result in the cessation of the Service for your account and will be processed subject to our data retention obligations.

To exercise any of these rights, please contact us at support@trailingpaper.com with "Privacy Request" in the subject line. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. This section supplements the rest of this Privacy Policy and applies to California residents only.

Categories of personal information collected. In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address), commercial information (invoices, payment history, subscription data), financial information (bank account data, KYC data), internet or other electronic network activity information (usage logs, session data), and geolocation data (approximate location derived from IP address). We have not collected biometric information, audio/visual data, or inferences drawn from personal information to create consumer profiles for advertising purposes.

Right to Know. You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete. You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (including legal retention obligations).

Right to Correct. You have the right to request correction of inaccurate personal information we maintain about you.

Right to Opt Out of Sale or Sharing. Trailing Paper does not sell your personal information and does not share your personal information with third parties for cross-context behavioral advertising purposes. You therefore do not need to submit an opt-out request for these purposes, but if you believe we have done so in error, please contact us at support@trailingpaper.com.

Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights. We will not deny you the Service, charge you different prices, or provide you with a lower quality of service because you exercised your privacy rights.

How to submit a request. California residents may submit a request by emailing support@trailingpaper.com with "Privacy Request" in the subject line, or by submitting a request through the account settings page. We will respond within 45 days. We may extend this period by an additional 45 days where reasonably necessary, with notice.

15. Children's Privacy

The Service is designed for use by businesses and is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If you are under 18, you are not permitted to register for or use the Service.

If we become aware that we have inadvertently collected personal information from a minor under 18 without appropriate consent, we will take prompt steps to delete that information from our records. If you believe that we may have collected information from a minor, please contact us immediately at support@trailingpaper.com.

16. International Users

Trailing Paper is operated in and from the United States. If you access or use the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country or jurisdiction.

By using the Service or providing information to us, you consent to the transfer of your information to the United States and to the processing of your data in the United States in accordance with this Privacy Policy. If you are located in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, please be aware that we do not currently offer a separate data processing agreement or EU Standard Contractual Clauses. The Service is primarily intended for U.S.-based businesses.

17. Third-Party Links and Services

The Service integrates with and may contain links to third-party services and websites, including but not limited to Finix Payments, Inc., Plaid Inc., and Google. These third parties operate independently and have their own privacy policies, which govern their collection and use of your information. Trailing Paper is not responsible for the privacy practices or content of any third-party services.

We encourage you to review the privacy policies of these services before sharing information with them:

Finix Payments, Inc. — finix.com/privacy-policy
Plaid Inc. — plaid.com/legal/privacy-policy
Google LLC — policies.google.com/privacy

The inclusion of any link or integration does not imply endorsement by Trailing Paper of the linked service, and your use of third-party services is entirely at your own risk and subject to their respective terms.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will notify you by sending an email to the address associated with your account and/or by displaying a prominent notice within the Service at or before the time the changes take effect. The updated Privacy Policy will be posted at trailingpaper.com/privacy-policy with a revised "Last Updated" date.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised policy. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account as described in Section 13. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

19. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Email: support@trailingpaper.com
Subject line for privacy requests: "Privacy Request"
Privacy Policy URL: trailingpaper.com/privacy-policy
Terms of Service: trailingpaper.com/terms-condition

We will make reasonable efforts to respond to all legitimate privacy inquiries within 30 days. For legal notices or formal requests, please include "Privacy Request" in your email subject line so that your message is routed to the appropriate team.