Data Privacy & AI Governance Policy

Last updated: March 22, 2026

1. Introduction & Scope

This Privacy Policy explains how PipeLedger AI (“PipeLedger,” “we,” “us”) collects, uses, and processes information through our financial orchestration platform (the “Service”). We define “Personal Information” as any data that identifies or could reasonably be linked to an individual. PipeLedger acts as a secure data transformation and enrichment layer; we do not provide accounting, audit, or tax advice.

2. Data Acquisition & Scoped Access

PipeLedger connects to third-party Enterprise Resource Planning (ERP) systems, specifically Intuit QuickBooks Online and Oracle NetSuite.

  • Minimum Permissions. We request read-only permissions for extracting your Chart of Accounts, General Ledger (GL) movements, and entity-level metadata, and no broader scopes than those reads require. Where enrichment is enabled, we additionally request limited write access used solely to attach metadata and custom taxonomy labels to records; PipeLedger never modifies original ERP source columns or financial transaction values.
  • Operational Metadata. To maintain site performance and security, we automatically collect log and analytics data, such as IP addresses and browser types, through server logs and cookies.

3. Privacy Command Center & Governance Controls

We provide granular tools to ensure that sensitive financial data is governed before it enters any secondary processing layer or AI environment:

  • Free-Text Masking. Administrators can toggle masking to redact transactional memos and descriptions at ingestion, before the text is stored or handed to any downstream processing.
  • Column-Level Suppression. You may explicitly disable or mask entire data columns, such as specific PII fields, at the schema level.
  • Egress Filtering. Our delivery tools for the Model Context Protocol (MCP) and the REST API let you strip Row-Level Security (RLS) tags and structural identifiers such as project_id, customer_id, or vendor_id from records before they leave the platform.
  • Row-Level Security (RLS). We enforce RLS so that data visibility within your organization is limited to authorized users, according to the Access Control Rules you define.

4. Data Processing & AI Safeguards

PipeLedger utilizes deterministic logic to transform raw ERP data into structured financial intelligence:

  • Deterministic Transformation. Core functions like account taxonomy (UAC) and multi-entity consolidation are performed via standardized SQL logic; no Large Language Models (LLMs) are used for these primary classifications.
  • AI Sub-Processors. Where LLMs are used for secondary data enrichment, they are accessed under enterprise-tier API agreements that prohibit use of your financial data to train foundation models.
  • Data Minimization. No personally identifiable information (PII) is shared with AI sub-processors unless masking has been explicitly disabled by an authorized Administrator.

5. Security & Encryption Standards

PipeLedger is built with a “Privacy-by-Design” framework aligned with modern security standards:

  • Encryption. All data is encrypted using AES-256 at rest and TLS 1.3 in transit.
  • Audit Integrity. Every significant configuration change, including reclassifications and security rule updates, is stored in an immutable, append-only audit trail.

6. Data Ownership & Portability

You maintain full ownership of your financial data at all times:

  • Disconnection. You may revoke PipeLedger’s authorization to your ERP source, or revoke its API keys, at any time.
  • Purge Requests. Upon request, PipeLedger will permanently delete cached transactional records and associated metadata from our production environment.

7. Data Privacy & Administrative Responsibility

PipeLedger acts strictly as a Data Processor. All financial records, metadata, and transformed datasets remain the exclusive property and responsibility of the subscribing Organization (“Client”).

  • Administrative Governance. The Client’s designated Administrator is solely responsible for managing user access, defining Row-Level Security (RLS) rules, and configuring Free-Text Masking to redact sensitive personal identifiers at the source.
  • Redaction by Design. PipeLedger’s architecture is designed to avoid ingesting or storing personally identifiable information (PII) belonging to our clients’ customers. Where Free-Text Masking and Column-Level Suppression are enabled, that data is redacted before it enters the processing environment, so PipeLedger cannot identify, locate, or delete individual consumer records.
  • No Data Monetization. PipeLedger does not “sell” user or enterprise data, nor do we use client financial information to train foundation models.

For organizational data sovereignty or privacy matters, please contact alexander@pipeledger.ai.