Legal

Privacy Policy

Your privacy matters deeply to us. This policy explains how Circlevine collects, uses, and safeguards your information.

Last updated:

1. Overview

Circlevine ("we", "our", "us") operates a cloud-based club management and financial reconciliation platform at circlevine.com. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit our website, register for an account, join our waitlist, or use any of our services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Account & Registration Data

When you create an account, we collect:

  • Email address (used as your unique login identifier)
  • First name and last name
  • Password (stored in a securely hashed format — we never store plain-text passwords)

2.2 Waitlist / Access Request Data

If you join our waitlist before full access is available, we collect:

  • Your name
  • Your email address
  • Your organization name

2.3 Organization & Member Data

When you set up an organization, you and your team may enter:

  • Organization name and invoicing details (bank account numbers, tax numbers, etc.)
  • Member information: names, email addresses, phone numbers, and custom fields you define
  • Customer information: names, email addresses, phone numbers, and custom fields you define
  • Team member invitations: email addresses, names, and assigned roles/permissions

2.4 Financial & Transactional Data

As a financial reconciliation tool, we process the following data that you upload or enter:

  • Bank statements (CSV/Excel files) containing transaction dates, descriptions, amounts, balances, and reference numbers
  • Account details: bank name, account number, and currency
  • Invoices: amounts, line items, due dates, and associated member/customer records
  • Ledger entries: charges, payments, adjustments, and waivers
  • Events & collections: event names, dates, expected contribution amounts
  • Categorization rules: pattern-matching conditions you create to automate transaction classification
  • Notes and reminders

Important: We do not have direct access to your bank account. All financial data is uploaded by you or your authorized team members. We never initiate, authorise, or process actual bank transactions on your behalf.

2.5 Inbound Email Data

If you use our inbound email feature to submit statements, we process the sender email address, the recipient address (to identify your organization), and any file attachments. We do not read or store the body text of the email beyond what is needed to process the attached statements.

2.6 Automatically Collected Data

When you interact with the Service, we may automatically collect:

  • IP address (used for security and reCAPTCHA verification)
  • Session data (via cookies, to keep you logged in)
  • Browser type and device information (via standard HTTP headers)

3. How We Use Your Data

We use collected information to:

🏗️ Provide the Service

Create and manage your account, organization, members, customers, and financial records.

🔄 Process Financial Data

Parse bank statements, reconcile transactions, generate invoices, and track ledger balances.

📧 Send Transactional Emails

Deliver invoices, team invitations, portal access links, import confirmations, and waitlist notifications.

📊 Generate Reports

Produce dashboards, analytics, monthly summaries, category reports, and PDF exports.

🤖 Automate Workflows

Apply categorization rules, smart-match transactions to members, and auto-settle invoices.

🛡️ Protect the Platform

Verify human users via reCAPTCHA, prevent spam, detect fraud, and enforce access permissions.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers who help us operate the Service:

Resend (Email Delivery)

We use Resend via SMTP to send transactional emails such as invoices, team invitations, and import confirmations. Resend processes the recipient email address and email content on our behalf.

Google reCAPTCHA v3 (Bot Protection)

Our waitlist form uses Google reCAPTCHA v3 to protect against automated submissions. This service may collect your IP address, browser characteristics, and interaction patterns. Google's use of this data is governed by their Privacy Policy and Terms of Service.

Render (Hosting Infrastructure)

Our application is hosted on Render. All data is stored on Render's secure infrastructure. Render acts as a data processor and processes data in accordance with their privacy policy.

Django Allauth (Authentication)

We use Django Allauth for secure authentication flows (sign-up, login, password management). This library operates within our infrastructure and does not share data with third parties independently.

We may also disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Retention

We retain your data according to the following principles:

  • Account data is retained for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, unless we are legally required to retain certain records.
  • Organization data (members, transactions, invoices, ledger entries, statements) is retained for the lifetime of the organization. The organization owner may export and request deletion of all organizational data.
  • Waitlist submissions are retained until processed (you are onboarded or you request removal).
  • Uploaded statement files are stored securely and can be deleted by authorized organization members at any time via the Files management interface.
  • Server logs containing IP addresses and request metadata are retained for up to 90 days for security and debugging purposes.

7. Security

We take the security of your data seriously and employ multiple layers of protection:

HTTPS encryption for all data in transit
Password hashing using industry-standard algorithms
CSRF protection on all forms and state-changing requests
Role-based access control (Owner, Admin, User, Reader)
Organization-scoped data isolation — users cannot access another organization's data
Granular permissions for transactions, members, events, reports, accounts, categories, and rules
Transaction deduplication using SHA-256 hashing to prevent double-imports
Clickjacking protection via X-Frame-Options middleware

While we implement reasonable safeguards, no method of electronic storage or transmission is 100% secure. We encourage you to use strong, unique passwords and report any suspicious activity promptly.

8. Cookies & Tracking

We use only essential cookies required for the Service to function:

Cookie Purpose Duration
sessionid Maintains your authenticated session Session (expires when you log out or close your browser)
csrftoken Protects against cross-site request forgery attacks 1 year
messages Stores temporary notification messages (e.g. "File uploaded successfully") Session

We do not use: advertising cookies, analytics trackers, social media pixels, or any third-party tracking technologies. Google reCAPTCHA may set its own cookies on the landing page — see Google's Privacy Policy for details.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access: Request a copy of the personal data we hold about you.
Right of Rectification: Request correction of inaccurate or incomplete data.
Right of Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability: Receive your data in a structured, machine-readable format (we support CSV and PDF exports).
Right to Restrict Processing: Request that we limit how we use your data.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at hello@circlevine.com. We will respond within 30 days.

10. International Data Transfers

Our hosting infrastructure and third-party service providers may process data outside of your country of residence. When transferring data internationally, we ensure appropriate safeguards are in place, including:

  • Contractual clauses with service providers requiring adequate data protection
  • Use of service providers that comply with recognized data protection frameworks
  • Encryption of data in transit and at rest where applicable

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at hello@circlevine.com and we will promptly delete the data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. For significant changes that affect how we use your personal data, we will make reasonable efforts to notify you via email or an in-app notification.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please reach out to us:

Circlevine

hello@circlevine.com

circlevine.com

© 2026 Circlevine. All rights reserved.