Privacy Policy

Just Cause Insurance Services, LLC, doing business as Camber ("Company", "we", "us", or "our"), operates the Spire Ledgers platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information you provide directly, including:

• Full name
• Email address
• Phone number
• Password (stored only in hashed form using industry-standard bcrypt hashing)
• Organization name, legal name, and business address
• Tax identification number (EIN/SSN), if provided
• Billing and payment information (processed and stored securely by our payment processor, Stripe)

1.1.1 Card Fingerprints (Trial-Fraud Prevention)

To prevent abuse of our 30-day free trial, we store an opaque card fingerprint — a one-way hash generated by Stripe — alongside each account. We do not store, process, or transmit your card number, CVV, or expiration date; those are handled exclusively by Stripe under PCI DSS. The fingerprint cannot be used to reconstruct your card number and is not shared with any third party. We use it solely to detect when the same physical card is used to open multiple free-trial accounts and to block trial-cycling fraud. You may request deletion of your fingerprint after subscription cancellation by emailing privacy@spireledgers.com.

1.2 Financial Data

In the course of using the Service, you may submit financial data including:

• Chart of accounts and general ledger entries
• Invoices, bills, and payment records
• Customer and vendor information
• Employee payroll information (names, compensation, tax withholding data)
• Bank account information for bank feed connections
• Inventory, asset, and expense records
• Tax-related calculations and data

This financial data is considered your proprietary data. We do not claim ownership of it and process it solely to provide the Service to you. See Section 3 regarding how this data is protected and shared.

1.3 Usage Data

We automatically collect certain information when you access or use the Service, including:

• IP address
• Browser type and version
• Operating system
• Pages visited and features used within the Service
• Date, time, and duration of your sessions
• Referring URL
• Device identifiers

1.4 Cookies and Similar Technologies

We use only essential cookies that are strictly necessary for the operation of the Service. These include:

• Session cookies: Used to maintain your authenticated session and remember your login state. These are httpOnly cookies that cannot be accessed by client-side scripts.
• Security cookies: Used to prevent cross-site request forgery (CSRF) and other security threats.
• Preference cookies: Used to remember your display preferences (e.g., organization selection, dashboard layout).

We do not use advertising cookies, tracking pixels, or any third-party analytics or advertising technologies. We do not engage in cross-site tracking or behavioral advertising.

Fleet Mileage Portal (spireledgers.com/mileage)

If your employer or organization uses our Fleet Mileage feature, you may sign in to a separate portal that collects:

• Your name and email address as enrolled by your organization's administrator.
• A bcrypt-hashed PIN issued by your administrator (we never store the plaintext PIN).
• Photos of your vehicle's odometer that you capture from your phone camera.
• Your device's GPS latitude and longitude at the moment each photo is taken — only if you grant location permission in the browser prompt.
• Your IP address, user-agent, and the timestamps of each capture and session.

Trip records are retained for seven (7) years to satisfy IRS Pub 463 substantiation requirements and SOX §302/404 audit-trail retention, then purged on the organization's next routine cleanup cycle. Session cookies expire after 30 days.

Your organization is the data controller for trip records; Spire Ledgers acts as the data processor. To request access, correction, or deletion of your fleet mileage data, contact your organization's administrator. You may also contact privacy@spireledgers.com with concerns.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Maintaining the Service

• Creating and managing your account
• Processing and storing your financial data
• Generating reports, calculations, and financial summaries
• Enabling features such as invoicing, payroll calculation, and bank reconciliation
• Providing customer support

2.2 Billing and Payment Processing

• Processing subscription payments through our payment processor (Stripe)
• Managing your subscription status, upgrades, and renewals
• Sending invoices and payment receipts

2.3 Improving the Service

• Analyzing usage patterns to improve features and user experience (using only aggregated, anonymized data)
• Identifying and fixing bugs, errors, and performance issues
• Developing new features and functionality

2.4 Communication

• Sending transactional emails (account verification, password resets, billing notifications)
• Sending service announcements, security alerts, and updates to our Terms of Service or Privacy Policy
• Sending marketing communications only if you have explicitly opted in (you may opt out at any time)

2.5 Security and Legal Compliance

• Detecting, preventing, and investigating security incidents, fraud, and abuse
• Maintaining audit logs as required for financial software integrity
• Complying with applicable laws, regulations, and legal processes

3. Data Sharing and Disclosure

We do not sell, rent, trade, or otherwise commercially transfer your personal information or financial data to third parties for their marketing or advertising purposes. We will never monetize your data.

We may share your information only in the following limited circumstances:

3.1 Payment Processor

We share billing information with Stripe, Inc., our payment processor, solely for the purpose of processing your subscription payments. Stripe's handling of your payment information is governed by their own privacy policy and PCI DSS compliance. We do not store your full credit card numbers on our servers.

3.2 Service Providers

We may engage trusted third-party service providers to perform functions on our behalf, such as cloud hosting (infrastructure), email delivery (transactional emails), and error monitoring. These service providers are contractually obligated to use your information only as necessary to provide services to us and are bound by confidentiality obligations. We select service providers that maintain appropriate security measures and data protection practices.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public
• Protect against legal liability

Where permitted by law, we will notify you of any legal request for your data before disclosing it, unless we are legally prohibited from doing so.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your personal information, as well as any choices you may have regarding your information.

3.5 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so, such as when you enable a third-party integration through our API.

3a. Subprocessors and AI Providers

We use a small set of named subprocessors to deliver the Service. Each is bound by a written data-processing agreement that limits use of your data to providing services to us. The current list:

• Stripe, Inc. (USA) Payment processing, subscription billing, customer-portal cancellation, and trial-fraud card fingerprinting. Stripe is PCI DSS Level 1 certified. Data shared: name, email, billing address, card token (we never see your full PAN).
• Plaid Inc. (USA) — optional Bank-feed aggregation when you choose to link a checking, savings, or credit-card account for automatic transaction import. Linking is opt-in per account; you can unlink at any time from Settings → Connected Banks. Data shared with Plaid: institution selection and the credentials you enter directly into Plaid Link (Spire never sees them). Data Plaid returns to us: account balances, transactions, and account/routing numbers for accounts you authorize.
• Anthropic, PBC (USA) — Gwen AI assistant Spire's in-app assistant ("Gwen") sends your typed prompts and minimal contextual snippets (e.g., the report you are currently viewing) to Anthropic's Claude API to generate responses. Per our agreement with Anthropic, prompts and responses are NOT used to train Anthropic's models and are retained by Anthropic only for the abuse-monitoring window required by their trust-and-safety policy. Sensitive identifiers (full SSNs, full bank account numbers, student IDs) are redacted client-side before transmission. You can disable Gwen entirely at the org level under Settings → AI Features.
• Cloud hosting and email delivery We use commercial cloud-infrastructure providers and a transactional-email vendor to host the Service and deliver receipts, password resets, and notifications. These vendors process data on our behalf under their standard data-processing terms; they are contractually prohibited from using your data for any other purpose.

We will update this list when we add or remove a subprocessor. Material changes (e.g., adding a new AI vendor) will be announced via in-app banner and email at least thirty (30) days before the change takes effect.

4. Data Security

We take the security of your data seriously and implement multiple layers of protection:

4.1 Encryption

• In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• At rest: All data stored in our databases and file storage systems is encrypted using AES-256 encryption.
• Passwords: User passwords are hashed using bcrypt with a work factor of 12 and are never stored in plaintext.

4.2 Access Controls

• Role-based access controls (RBAC) limit access to data based on user roles and permissions.
• Employee access to production systems is restricted to authorized personnel on a need-to-know basis.
• All access to user data by Company personnel is logged in our audit trail.

4.3 Infrastructure Security

• Our infrastructure is hosted in secure data centers located in the United States.
• Regular security assessments and vulnerability scanning are performed.
• Automated monitoring and alerting for suspicious activity.

4.4 Compliance

We are actively pursuing SOC 2 Type II compliance certification to provide independent assurance of our security, availability, and confidentiality controls. Information about our compliance status is available upon request by contacting privacy@spireledgers.com.

4.5 Incident Response

In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities in accordance with applicable data breach notification laws, including without limitation within seventy-two (72) hours of becoming aware of the breach where required by law.

5. Data Retention

5.1 Active Accounts

We retain your account information and User Data for as long as your account is active and your subscription is in good standing. Financial data, transaction records, and audit logs are retained for the duration of your account to support your ongoing accounting and compliance needs.

5.2 Cancelled Accounts

Upon cancellation or termination of your account, we will retain your User Data for ninety (90) days. During this period, you may reactivate your account and regain access to your data, or request a data export. After the 90-day retention period, your User Data will be permanently deleted from our active systems.

5.3 Backup Retention

After deletion from active systems, your data may persist in our encrypted backup systems for up to thirty (30) additional days as part of our routine backup cycle. After this period, all copies of your data will be permanently destroyed.

5.4 Legal Obligations

Notwithstanding the above, we may retain certain data for longer periods as required by applicable law, regulation, or legal process, or to establish, exercise, or defend legal claims.

6. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

6.1 Right to Access

You have the right to request a copy of the personal information we hold about you. You can access most of your information directly through your account settings and the Service's data export features.

6.2 Right to Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update most information directly through your account settings.

6.3 Right to Deletion

You have the right to request deletion of your personal information, subject to certain exceptions (such as data we are required to retain for legal or compliance purposes). To request deletion, contact us at privacy@spireledgers.com. Account deletion requests will be processed within thirty (30) days.

6.4 Right to Data Export (Portability)

You have the right to export your data from the Service in a structured, commonly used, machine-readable format. The Service provides built-in export functionality for your financial data in CSV, PDF, and other standard formats.

6.5 Right to Opt Out of Marketing

You may opt out of receiving marketing communications from us at any time by clicking the "unsubscribe" link in any marketing email, updating your email preferences in your account settings, or contacting us at privacy@spireledgers.com. Please note that even if you opt out of marketing communications, we will continue to send you transactional and service-related communications (such as billing notifications and security alerts).

6.6 Right to Restrict Processing

You may have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of your data or object to our processing.

To exercise any of these rights, please contact us at privacy@spireledgers.com. We will respond to your request within thirty (30) days, or as required by applicable law.

7. Cookies and Tracking Technologies

As described in Section 1.4, we use only essential cookies that are strictly necessary for the operation of the Service. We provide further detail here:

We do not use:

• Google Analytics or any third-party analytics services
• Advertising cookies or tracking pixels
• Social media tracking cookies
• Cross-site tracking technologies
• Browser fingerprinting

Because we only use essential cookies that are strictly necessary for the Service to function, a separate cookie consent banner is not required under most cookie consent laws. However, you can configure your browser to block or delete cookies; note that doing so may prevent you from using the Service, as the session cookie is required for authentication.

8. Children's Privacy

The Service is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to promptly delete such information from our systems.

In compliance with the Children's Online Privacy Protection Act ("COPPA"), we do not knowingly collect, use, or disclose personal information from children under the age of 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@spireledgers.com, and we will delete that information.

8a. K-12 Districts and FERPA

When a K-12 school district uses Spire Ledgers, the district is the data controller for any student-related records that flow through the platform (for example, student-activity-fund receipts and disbursements). Spire Ledgers acts as a "school official" with a legitimate educational interest under 34 CFR §99.31(a)(1)(i)(B), processing district data only on the district's documented instructions.

Students do not directly use Spire Ledgers. Where the platform incidentally stores personally identifiable information from education records, we treat that data with the same protections as the district's own systems. A district may request a Data Processing Addendum that restates these obligations in writing; see the FERPA DPA at /legal/ferpa-dpa.

8a. K-12 Districts and FERPA→

9. International Users

The Service is operated from and our servers are located in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

By using the Service, you consent to the transfer, storage, and processing of your information in the United States. We will take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

9-bis. Comprehensive Privacy Notice (Mexican Users)

If you reside in the United Mexican States, your personal data is processed in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares — "LFPDPPP"), its Regulations, and the Privacy Notice Guidelines. This Comprehensive Privacy Notice (Aviso de Privacidad Integral) describes the processing of your personal data in accordance with Article 16 of the LFPDPPP:

1. Identity and address of the data controller

The controller of your personal data is Just Cause Insurance Services LLC, doing business as Camber (the "Controller"), with its mailing address at 9987 Agena Ln, El Paso, TX 79924.

2. Purposes of processing

Primary purposes (necessary for the legal relationship): Provision of the accounting and financial-administration service, including creation and management of user accounts, billing and collection of the subscription, bank reconciliation, payroll management, calculations and reports for tax compliance, generation of audit logs, and customer support.

Secondary purposes (not necessary for the legal relationship): Product-usage analysis for statistical purposes, service improvements, and marketing communications regarding new features, plans, or promotions. You may object to processing for secondary purposes at any time by emailing privacy@spireledgers.com; your objection will not be grounds for denying you the primary contracted services.

3. Personal data collected

To fulfill the purposes above, we collect the following categories of personal data: name, email address, telephone number, mailing address, Federal Taxpayer Registry (RFC), bank data obtained through Plaid when you link an account, payment data processed by Stripe, and product-usage data (IP address, browser type, pages visited, session timestamps). We do not collect sensitive personal data within the meaning of Article 3.VI of the LFPDPPP.

4. Transfers of personal data

Your personal data may be transferred to the following third parties, each for the purpose and location indicated:

• Stripe, Inc. (United States of America) — payment processing and subscription billing.
• Plaid, Inc. (United States of America) — bank connection and transaction aggregation (only if you choose to link an account).
• Anthropic, PBC (United States of America) — Gwen artificial-intelligence assistant, when you use it.
• Amazon Web Services, Inc. (United States of America) — hosting and backup infrastructure, where applicable.

International transfers of data to the United States of America are necessary for the maintenance and performance of the legal relationship between you and the Controller, and therefore do not require your additional consent pursuant to Article 37, section III of the LFPDPPP. All third parties referenced above are contractually bound to process your personal data solely for the purposes described herein and to maintain security measures equivalent to those required by the LFPDPPP.

5. Mechanism for revoking consent and exercising ARCO rights

You have the right to know what personal data we hold about you, what we use it for, and the conditions of its use (Access); to request correction of your information if it is outdated, inaccurate, or incomplete (Rectification); to request that we delete it from our records or databases when you believe it is not being used in accordance with the principles, duties, and obligations established by law (Cancellation); and to object to the use of your personal data for specific purposes (Objection). You may also revoke at any time the consent you have granted us to process your personal data. To exercise any of these rights, or to revoke your consent, send your written request to privacy@spireledgers.com, attaching: (a) a copy of a valid official identification; (b) a clear and precise description of the personal data over which you are exercising the right; (c) any element or document that facilitates locating the data. We will respond to your request within a maximum of twenty (20) business days from receipt, in accordance with Article 32 of the LFPDPPP, and, if applicable, will give effect to the request within the fifteen (15) business days following the date of the response.

6. Notification of changes to this Privacy Notice

Any modification to this Comprehensive Privacy Notice will be notified to you by publication on this page, with the date of the last update indicated in the header. Material changes will also be announced by email to the address registered in your account and via an in-app banner at least thirty (30) days before they take effect.

The National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales — INAI) is the competent data-protection authority in Mexico. You may file a complaint with INAI if you believe your personal-data rights have been infringed.

10. California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with additional rights regarding your personal information:

10.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.

10.2 Right to Delete

You have the right to request that we delete your personal information, subject to certain exceptions provided by law.

10.3 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you.

10.4 Right to Opt Out of Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. Therefore, there is no need to opt out of the "sale" or "sharing" of your personal information as defined under the CCPA/CPRA.

10.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights.

10.6 How to Exercise Your Rights

To exercise your CCPA rights, you may contact us at privacy@spireledgers.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf, provided the agent has your written permission to do so.

10.7 Categories of Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information (as defined by the CCPA):

• Identifiers: Name, email address, phone number, IP address
• Commercial information: Subscription records, billing history, transaction data
• Financial information: Payment method details (processed by Stripe), financial records you input into the Service
• Internet or electronic network activity: Browser type, pages visited, session duration
• Professional or employment-related information: Business name, role within organization

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Provide at least thirty (30) days' prior notice via email to the address associated with your account
• Post a notice within the Service
• Update the "Last Updated" date at the top of this Privacy Policy

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and contact us to delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: