Advisorist LLC ("Advisorist," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, share, and protect Personal Information when you visit our website at advisorist.net, use the Advisorist platform and related services, or otherwise interact with us.

Advisorist provides a cloud-hosted software platform that enables business owners and their professional teams (including bookkeepers, CPAs, CFOs, family-office staff, and similar advisors) to aggregate financial information, organize tasks and deadlines, and collaborate on financial operations. Advisorist is headquartered in Lubbock, Texas and the Services are currently offered only to users located in the United States.

If you have questions, contact us at privacy@advisorist.net.

1. Scope and Controller/Processor Roles

Where Advisorist is the Controller

We act as the controller of Personal Information collected about website visitors, account holders, billing contacts, prospects, and others who interact with us directly. This Policy governs our processing of that information.

Where Advisorist is a Processor

When business customers — such as RIAs, CPA firms, family offices, and other advisory firms (each, a "Customer") — use the Services, the Customer decides what data to upload, connect, or generate. That information is "Customer Data." Advisorist processes Customer Data on behalf of, and at the direction of, the Customer. Our processing of Customer Data is governed by our Platform Agreement, not this Privacy Policy. Queries about Customer Data should be directed to the Customer.

2. Personal Information We Collect

2.1 Information You Provide Directly

Account Information. Name, work email, phone number (optional), role/title, employer name, billing details, and authentication credentials.

Communications. When you contact us via support, sales, or website forms — your name, email, message contents, and any other information you share.

Marketing. If you subscribe to a newsletter or register for an event — your name, email, firm, and role.

2.2 Information Collected Automatically

Log Data. IP address, browser type, operating system, referring/exit pages, and request timestamps.

Usage Data. Feature usage, session frequency and duration, AI feature query volume, performance metrics, and error logs.

Device Information. Device name, identifiers, operating system, and browser.

Cookies & Similar Technologies. See Section 12.

2.3 Information from Third Parties

Financial Data Sources. When a Customer connects a financial institution or accounting system (via Plaid, Finicity, MX, or direct integrations), we receive account data and transactions at the Customer's direction — typically processed as Customer Data.

Authentication Providers. If you sign in via Google or Microsoft, we receive basic profile info (name, email, profile image).

Payment Processors. Confirmation of transactions and limited card metadata (last four digits, expiration). We do not store full card numbers.

Marketing Partners. Information from marketing vendors and analytics providers to help us identify and reach business prospects.

2.4 Information We Do Not Intentionally Collect

The Services must not receive: (i) biometric or genetic data, (ii) Protected Health Information under HIPAA, (iii) full payment card numbers, or (iv) classified government information. If such information is submitted, we may delete it and require its removal.

3. How We Use Personal Information

We use Personal Information (as controller) for the following purposes:

  • Providing, operating, maintaining, and supporting the Services and website;
  • Authenticating users, managing accounts, and maintaining security and audit logs;
  • Billing, payment processing, refunds, and financial records;
  • Developing, improving, testing, and optimizing the Services, including training and evaluating our own internal AI models;
  • Communicating about your account, service updates, security notices, and policy changes;
  • Marketing our Services to you and to business prospects, subject to your opt-out rights;
  • Preventing fraud, abuse, security incidents, and misuse;
  • Complying with legal obligations and enforcing our Terms;
  • Generating aggregated, de-identified data for product improvement and benchmarking; and
  • Conducting corporate transactions or reorganizations.

We do not use Customer Data to train any third-party or publicly available AI model. We may train our own internal models used to provide the Services, consistent with our Platform Agreement.

4. How We Share Personal Information

We share Personal Information only as described below. We do not sell Personal Information to third parties for monetary payment.

4.1 Affiliates

With our corporate affiliates for IT, security, customer support, and business operations consistent with this Policy.

4.2 Service Providers and Subprocessors

With vendors who perform services on our behalf under written contracts that restrict their use, including:

  • Cloud hosting and infrastructure providers (e.g., Amazon Web Services);
  • Financial data aggregators (e.g., Plaid, Finicity, MX);
  • Accounting-software integrations (e.g., QuickBooks, Xero);
  • Payment processors and billing platforms;
  • Email, messaging, support, and communication vendors;
  • Analytics, error-monitoring, and product-telemetry providers;
  • AI model and inference providers powering AI Features;
  • Identity, authentication, and security vendors; and
  • Legal, accounting, and professional advisors.

A current list of material subprocessors is available at advisorist.net/legal/subprocessors.

4.3 With Your Organization

If you access the Services through an employer-provisioned account, we may share account and usage information with that organization.

4.4 Legal and Safety Disclosures

We may disclose Personal Information to comply with law, court orders, or government requests; enforce our Terms; detect or prevent fraud or illegal activity; or protect the rights, property, or safety of Advisorist, our users, or others.

4.5 Business Transfers

In connection with a merger, acquisition, financing, or sale of assets, Personal Information may be disclosed to counterparties and transferred to a successor. We will notify affected individuals as required by law.

4.6 With Your Consent

We may share Personal Information with your consent or at your direction, such as when you authorize a third-party integration.

5. Financial Information and the Gramm-Leach-Bliley Act (GLBA)

Advisorist is not itself a "financial institution" under GLBA. However, our Customers include financial institutions, registered investment advisers, CPA firms, and family offices subject to GLBA and similar laws. When we process nonpublic personal information ("NPI") on behalf of such a Customer, we act as the Customer's service provider and process NPI only for purposes set forth in our Platform Agreement, consistent with GLBA reuse-and-redisclosure limitations and the SEC's Regulation S-P where applicable.

We do not disclose NPI to unaffiliated third parties except as needed to provide the Services, as directed by the Customer, or as permitted by an applicable GLBA exception. We maintain administrative, technical, and physical safeguards designed to protect NPI consistent with the FTC Safeguards Rule and Regulation S-P.

Customers that are financial institutions are responsible for delivering their own privacy notices to their consumers under GLBA, Regulation S-P, and state analogs.

6. Data Retention

We retain Personal Information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. General guidelines:

  • Account Information: for the life of the account plus a reasonable period for records, tax, audit, and legal purposes (generally up to seven years);
  • Customer Data: retained during the subscription term; securely deleted within 30 days of termination, subject to backup cycles and legal hold;
  • Log and Usage Data: typically up to 24 months, longer for security-relevant records;
  • Marketing and Communications: until you unsubscribe or the data is no longer needed; and
  • Aggregated or De-Identified Data: may be retained indefinitely.

7. Data Security

We maintain an information-security program designed to be consistent with the AICPA's SOC 2 Trust Services Criteria. Current controls include encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, vulnerability monitoring, audit logging, and incident-response procedures.

SOC 2 Status. As of the Effective Date, Advisorist has undertaken a SOC 2 readiness program and is pursuing a formal SOC 2 Type II examination. Advisorist has not yet completed a formal SOC 2 Type II audit and is not currently SOC 2 certified. We will update this Policy when certification is obtained.

No information system is impenetrable. You are responsible for protecting your account credentials, devices, and networks, and for promptly notifying us of any suspected unauthorized access.

8. Your Choices and Privacy Rights

8.1 Account Controls

You can review, update, and delete certain Personal Information through your account settings or by contacting privacy@advisorist.net. Certain information may be retained as described in Section 6.

8.2 Marketing Opt-Out

You can opt out of marketing emails by clicking "unsubscribe" in any marketing email or by contacting privacy@advisorist.net. You will continue to receive transactional and service-related communications.

8.3 Cookies and Tracking

You can manage cookies through your browser settings and, where available, our cookie preferences center. See Section 12.

8.4 Do Not Track

Our website does not currently respond to "Do Not Track" browser signals. We do honor Global Privacy Control signals where legally required.

9. California Privacy Rights (CCPA / CPRA)

This section supplements the rest of this Policy for California residents and applies to Personal Information we collect as a business under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").

9.1 Sensitive Personal Information

We collect account-login credentials, which are "sensitive personal information" under CCPA. We use this information only for purposes permitted under CCPA § 1798.121, including providing the Services, authenticating users, and preventing security incidents. We do not use sensitive personal information to infer characteristics about you.

9.2 Sales and Sharing

We do not sell Personal Information for money. We do not engage in "sharing" of Personal Information for cross-context behavioral advertising. If we use advertising cookies that constitute "sharing" under CCPA, we will provide a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control signals.

9.3 California Rights

California residents have the following rights, subject to exceptions under CCPA:

  • Right to know the categories and specific pieces of Personal Information we have collected;
  • Right to delete Personal Information we have collected;
  • Right to correct inaccurate Personal Information;
  • Right to opt out of sale or sharing (we do not sell or share for targeted advertising);
  • Right to limit the use of sensitive personal information;
  • Right to non-discrimination for exercising your rights; and
  • Right to appeal a denial of a request.

To exercise your rights, email privacy@advisorist.net or submit a request at advisorist.net/privacy. We will respond within the time required by law.

10. Texas, Other State, and Federal Privacy Rights

Residents of Texas, Virginia, Colorado, Connecticut, Utah, Oregon, Montana, and other states with comprehensive consumer privacy laws may have rights similar to those in Section 9, including rights of access, correction, deletion, portability, opt-out of targeted advertising, and appeal. To exercise these rights, contact privacy@advisorist.net.

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) provides rights similar to those described above. We respond to TDPSA requests in accordance with the statute.

11. Children's Privacy

The Services are intended for professionals and businesses and are not directed to anyone under 18. We do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information to us, contact privacy@advisorist.net and we will delete it.

12. Cookies and Tracking Technologies

We use cookies, pixels, local storage, and similar technologies ("Cookies") to operate our website and Services, remember preferences, authenticate users, measure usage, and improve performance. Cookie categories:

  • Strictly Necessary: Required for authentication, session management, security, and basic functionality. These cannot be disabled.
  • Functional: Remember preferences such as language and display settings.
  • Analytics and Performance: Help us understand how the Services are used so we can improve them (e.g., Google Analytics).
  • Marketing: Used on our marketing website to measure campaign effectiveness. Marketing cookies are not used inside the authenticated Services.

You can manage Cookie preferences through your browser and, where available, our cookie banner. A separate Cookie Policy, when published, will provide additional detail.

13. Third-Party Data Sources and Links

The Services integrate with third-party financial institutions, accounting systems, and other providers at Customer direction (e.g., Plaid, Finicity, MX, QuickBooks, Xero). These third parties are not controlled by Advisorist. Their collection and use of information is governed by their own privacy policies. We encourage you to review those policies before connecting an account.

Our website and Services may contain links to third-party websites. We are not responsible for the privacy practices of those sites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify Customers and account holders by email or in-product notice, and we will update the "Last Updated" date at the top. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.

15. Contact Us

If you have questions about this Policy, wish to exercise a privacy right, or wish to file a complaint: