Privacy Policy

1. INTRODUCTION

MiTara Enterprises LLC, doing business as PomJuice (hereinafter referred to as "PomJuice," "we," "our," "us," or the "Company"), is committed to protecting the privacy and maintaining the confidentiality of information provided by its users. This Privacy Policy (the "Policy") governs the collection, use, disclosure, retention, protection, and other processing of your personal information, financial data, and other information when you use our AI-powered accounting assistant Tara and related services (collectively, the "Service").

This Policy constitutes a legally binding agreement between you and PomJuice. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this Policy. If you do not agree with any provision of this Policy, you must immediately discontinue your access to and use of the Service.

2. SCOPE AND APPLICATION

2.1 Covered Entities

This Policy applies to all interactions with PomJuice's Service by:

All end users of PomJuice AI services, whether authorized directly or indirectly;
Business clients and their duly authorized representatives, employees, contractors, and agents;
Integration partners and third-party service providers engaged in the provision, maintenance, or improvement of the Service;
Website visitors and prospective clients accessing PomJuice digital properties;
Mobile application users regardless of installation source or operating system; and
API consumers and services connecting through authorized integrations.

2.2 Excluded Activities

This Policy does not apply to:

Information collected by third parties who may link to or be accessible via our Service;
Information collected by third-party websites, platforms, or services that you may access through links available on our Service; or
Information collected through offline means unrelated to the Service.

3. DEFINITIONS

For purposes of this Policy, the following terms shall have the meanings ascribed to them below:

Aggregated Data: Data that has been combined with other data such that it does not identify or permit identification of any specific individual and cannot be linked back to an identifiable individual.
AI Processing: Automated analysis, categorization, interpretation, prediction, or other processing of data using artificial intelligence algorithms, machine learning techniques, natural language processing, or similar technologies.
Anonymized Data: Data that has been processed to permanently remove all identifiers such that the information does not identify, and cannot reasonably be used to identify, an individual person.
Authorized User: An individual who has been granted permission by a business client to access and use the Service on the client's behalf.
Business Client: The legal entity that has entered into a subscription agreement with PomJuice for the provision of the Service.
Data Controller: The entity that determines the purposes and means of processing personal information.
Data Processor: The entity that processes personal information on behalf of the Data Controller.
Financial Data: Any information related to financial transactions, accounts, balances, payment methods, invoices, payroll, taxes, or other business operations having monetary implications.
Integration Data: Information received from or transmitted to connected third-party services authorized by you or your organization.
Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular individual or household.
Sensitive Data: Special categories of Personal Information that warrant enhanced protection, including but not limited to government-issued identification numbers, financial account numbers, precise geolocation, biometric information, health information, or information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, or sexual orientation.
Service Data: Information generated through the use of the Service, including but not limited to usage statistics, feature adoption, performance metrics, and interaction patterns.
Third Party: A person or entity other than you, PomJuice, or an entity processing information on behalf of PomJuice.

4. INFORMATION WE COLLECT

PomJuice collects various categories of information in connection with the operation, provision, maintenance, and improvement of the Service. The specific information collected depends on the nature of your relationship with PomJuice and your use of the Service. We collect this information when you provide it directly, through automated means, and from third parties.

4.1 Account Information

Legal business name, type, and structure (e.g., corporation, LLC, partnership)
Employer Identification Number (EIN), tax identification numbers, and related government-issued identifiers
Authorized representatives' full name, job title, role, email, phone, and mailing address
User credentials, authentication tokens, and multi-factor authentication settings
Service preferences, settings, configurations, and operational parameters
Billing information, subscription details, payment history, and account status
Account creation date, modification history, and account activity timestamps

4.2 Financial Information

Bank account details, transaction data, and payment processing records
Accounting records, financial statements, and tax documents
Vendor and customer payment data
Payroll, compensation details, benefits, and deductions
Asset and liability information, including loan terms and depreciation schedules

4.3 Business Operations Data

Customer and vendor records, including contact details and transaction histories
Employee information, including performance metrics
Inventory and product data, including SKUs and movement histories
Contract and agreement details, including terms and signatory information
Business documents, including incorporation and operational records
Communication histories, including emails, chat logs, and call records
Service usage patterns and interaction metrics

4.4 Technical Data

Device identifiers, including MAC addresses, serial numbers, and unique IDs
IP addresses, VPN information, and geographical location data
Browser type, version, plugins, and configurations
Operating system details, including type, version, and update status
Mobile device specifications, including carrier and installed applications
Access timestamps, session duration, and feature usage
Error logs, crash reports, and performance metrics

4.5 AI Interaction Data

Chat histories, query patterns, and contextual indicators
Response accuracy measurements, correction rates, and confidence scores
User feedback, corrections, and clarifications
Learning patterns, preference indications, and personalization data
Custom rules and specialized processing instructions

5. DATA COLLECTION METHODS

5.1 Direct Collection

User inputs, form submissions, and manual data entry
Document uploads, file transfers, and content imports
Communications including emails, chat messages, support tickets, and feedback forms
Account creation, registration information, and service configuration
Survey responses, questionnaires, and explicit feedback mechanisms

5.2 Automated Collection

System logs, performance metrics, and operational records
Cookie data, web beacons, pixel tags, and similar tracking technologies
Analytics tracking, event monitoring, and usage statistics
API communications, data transfers, and system integrations
Integration synchronization, data imports, and automated workflows
Error reporting, crash analytics, and diagnostic information

5.3 Third-Party Sources

Connected accounting platforms and financial management systems
Banking institutions, financial service providers, and payment networks
Payment processors, gateways, and financial transaction facilitators
Business credit reports, credit bureaus, and financial information services
Public records, government databases, and regulatory filing systems
Integration partners, service providers, and authorized data suppliers

6. USE OF INFORMATION

PomJuice uses the information collected as described in Section 4 for the following purposes:

6.1 Core Service Operations

Account management, maintenance, authentication, and security;
Financial transaction processing, verification, reconciliation, and record-keeping;
Document generation, management, classification, and retrieval;
Report creation, analysis, visualization, and distribution;
Communication facilitation between users, systems, and service components;
Customer support provision, issue resolution, and service recovery;
Service optimization, performance monitoring, and enhancement.

6.2 AI and Machine Learning Operations

Model training, fine-tuning, validation, and algorithmic refinement;
Pattern recognition, trend analysis, and statistical modeling;
Predictive modeling, forecasting, and scenario analysis;
Anomaly detection, fraud prevention, and risk mitigation;
Natural language processing, semantic analysis, and linguistic interpretation;
Automated decision-making processes governed by configurable rules and parameters;
Performance optimization, efficiency improvements, and accuracy enhancements.

6.3 Security and Compliance

Identity verification, authentication, and access management;
Fraud detection, prevention, investigation, and remediation;
Risk assessment, management, mitigation, and reporting;
Regulatory compliance monitoring, documentation, and verification;
Audit trail maintenance, transaction logging, and accountability records;
Security incident investigation, resolution, and preventative measure implementation;
Access control, authorization management, and permission enforcement.

6.4 Service Improvement

Feature development, testing, deployment, and refinement;
User experience optimization, interface improvements, and workflow enhancements;
Performance monitoring, bottleneck identification, and capacity planning;
Bug fixing, error resolution, and quality assurance;
Service reliability enhancement, availability improvements, and redundancy planning;
Integration optimization, API performance tuning, and connectivity enhancements;
Documentation development, knowledge base expansion, and support material creation.

7. DATA PROCESSING AND AI SYSTEMS

7.1 AI Model Architecture and Data Handling

7.1.1 Model Infrastructure

OpenAI GPT-4 integration specifications, including API parameters, rate limits, and service level agreements;
Custom fine-tuning implementations, including domain-specific adaptations, specialized training routines, and optimization techniques;
Proprietary PomJuice AI enhancement layers, including financial domain knowledge graphs, accounting-specific processing modules, and custom logic components;
Distributed processing architecture, including load distribution, parallel processing capabilities, and resource allocation systems;
Real-time inference optimization, including caching strategies, prediction acceleration, and response time minimization;
Load balancing and failover systems, including redundancy mechanisms, automatic scaling, and resilience protocols.

7.1.2 Data Processing Standards

ISO 27001 compliant data processing throughout the entire information lifecycle;
AICPA SOC 2 Type II certification for security, availability, processing integrity, confidentiality, and privacy;
Automated data validation protocols, including format verification, consistency checks, and integrity monitoring;
Real-time data quality monitoring, including completeness assessment, accuracy validation, and error detection;
Continuous integration testing, including regression analysis, compatibility verification, and functional validation;
Performance benchmarking systems, including response time measurement, throughput analysis, and resource utilization monitoring.

7.1.3 Training Data Management

Deterministic anonymization protocols, including identifier removal, substitution mechanisms, and re-identification prevention;
Synthetic data generation methods, including simulation techniques, statistical modeling, and artificial sample creation;
Data augmentation techniques, including variation generation, contextualization, and diversity enhancement;
Privacy-preserving learning models, including federated learning, differential privacy implementation, and localized processing;
Federated learning implementations where applicable, allowing model improvement without centralized data collection;
Differential privacy standards implementation, including noise addition, query limitation, and statistical disclosure control.

7.1.4 Model Governance

Version control and change management for all AI models and components.
A/B testing protocols for model improvements, feature enhancements, and optimization initiatives.
Model performance metrics tracking, including accuracy, precision, recall, F1 scores, and domain-specific KPIs.
Bias detection and mitigation processes, including fairness assessments, demographic impact analysis, and corrective measures.
Ethical AI guidelines compliance, including transparency provisions, explainability requirements, and fairness principles.
Regular model audits and reviews, including drift detection, performance degradation assessment, and improvement opportunities.

7.1.5 Data Lifecycle Management

Training data selection criteria, including relevance assessment, quality evaluation, and representativeness verification.
Data freshness monitoring, including timestamp validation, update frequency, and currency verification.
Staleness detection and handling, including expiration policies, refresh triggers, and obsolescence management.
Historical data archiving, including retention scheduling, accessibility provisions, and retrieval mechanisms.
Training data rotation, including introduction of new samples, retirement of outdated examples, and diversity maintenance.
Regular retraining schedules, including incremental updates, model refreshes, and complete rebuild protocols.

7.2 Data Processing Procedures

Data cleaning and normalization, including duplicate removal, inconsistency resolution, and standardization.
Anonymization protocols, including identifier removal, pseudonymization techniques, and re-identification prevention.
Aggregation methodologies, including summation techniques, statistical combination, and individual record obscuration.
Error detection and correction, including validation rules, exception handling, and remediation procedures.
Quality control measures, including accuracy verification, completeness checks, and consistency validation.
Processing pipeline monitoring, including step verification, throughput measurement, and bottleneck identification.

7.3 AI Training Safeguards

Data selection criteria, including relevance assessment, quality standards, and bias prevention.
Privacy-preserving techniques, including anonymization, aggregation, and minimization.
Bias detection and mitigation, including fairness metrics, representation balancing, and outcome equity.
Model validation procedures, including cross-validation, independent testing, and performance verification.
Performance benchmarking, including baseline comparisons, competing model assessment, and objective metrics.
Regular auditing processes, including bias evaluation, drift detection, and alignment verification.

8. DATA SHARING AND DISCLOSURE

PomJuice may share your information with third parties in the following circumstances and subject to the following restrictions:

8.1 Service Providers

PomJuice may share your information with service providers who perform services on our behalf, including:

Cloud infrastructure providers hosting our applications and data;
Payment processing services facilitating financial transactions;
Authentication providers securing access to the Service;
Analytics services measuring performance and usage;
Customer support platforms enabling issue resolution;
Security services protecting our systems and data;
Professional services firms providing specialized expertise.

All service providers are contractually obligated to use the information solely as necessary to provide the contracted services to PomJuice and are prohibited from using or disclosing the information for any other purpose. All service providers are required to maintain appropriate security measures to protect the information from unauthorized access, use, or disclosure.

8.2 Integration Partners

With your explicit authorization, PomJuice may share your information with integration partners, including:

Accounting software providers such as QuickBooks, Xero, and FreshBooks;
Banking institutions and financial service providers;
Payment processors and transaction facilitators;
Tax preparation services and compliance solutions;
Payroll providers and workforce management systems;
Enterprise Resource Planning (ERP) systems;
Customer Relationship Management (CRM) platforms.

Such sharing is limited to the information necessary to facilitate the authorized integration and is subject to the privacy policies and security practices of the integration partners. You may revoke authorization for any integration at any time through your account settings.

8.3 Professional Services

With your explicit authorization, PomJuice may share your information with professional service providers you designate, including:

Certified Public Accountants (CPAs) and accounting professionals;
Tax professionals, preparers, and advisors;
Financial advisors, planners, and wealth management professionals;
Legal counsel, attorneys, and paralegals;
Auditors, examiners, and compliance reviewers;
Compliance consultants, regulatory advisors, and governance specialists.

Such sharing is limited to the information necessary to provide the professional services you have requested and is subject to the professional obligations, confidentiality requirements, and security practices of these service providers. You may revoke authorization for any professional service provider at any time through your account settings or by contacting our Privacy Office.

8.4 Legal and Regulatory

PomJuice may share your information as required by law or to protect our rights and interests, including:

In response to a court order, subpoena, or similar legal process;
In connection with regulatory investigations, examinations, or compliance verification;
In response to valid requests from law enforcement agencies with proper jurisdiction and legal authority;
To comply with legal obligations, regulatory requirements, or mandatory reporting;
In connection with a merger, acquisition, corporate restructuring, sale of assets, or bankruptcy;
To enforce our Terms of Service, detect fraud, or protect our legal rights;
To protect the safety, security, and integrity of our Service, systems, and users.

When legally permissible, we will make reasonable efforts to notify you of such disclosures before they occur.

9. DATA SECURITY

PomJuice implements and maintains reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your information.

9.1 Technical Security Measures and Financial Data Protection

9.1.1 Encryption Standards

End-to-end encryption utilizing AES-256 bit encryption for data at rest
Transport Layer Security (TLS) version 1.3 or higher for all data in transit
Hardware Security Module (HSM) integration for cryptographic key management
Quantum-resistant encryption algorithm preparation and implementation roadmap
Secure key management systems including key rotation, separation, and access controls
Certificate authority verification and certificate pinning where applicable
Regular encryption methodology review and cryptographic algorithm rotation

9.1.2 Authentication and Access Control

Mandatory multi-factor authentication (MFA) for all administrative access
Biometric authentication options including fingerprint and facial recognition where supported
Single Sign-On (SSO) integration with major identity providers and enterprise authentication systems
Role-based access control (RBAC) with granular permission management
Principle of least privilege enforcement across all systems and access levels
Session management including inactivity timeouts, forced re-authentication, and token expiration
IP whitelisting capabilities for enterprise clients requiring network-level restrictions
Device registration and verification for trusted endpoint management

9.1.3 Financial Data Security Standards

Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliance for payment processing
National Automated Clearing House Association (NACHA) compliance for ACH transactions
Society for Worldwide Interbank Financial Telecommunication (SWIFT) security compliance
Bank-grade security protocols including account verification and transaction authentication
Real-time transaction monitoring for anomaly and fraud detection
Automated fraud detection systems using behavioral analytics and pattern recognition
Secure payment processing channels with tokenization and credentialing
Financial data segregation from general operational systems

9.1.4 Network Security

Next-generation firewall protection with application-level filtering and deep packet inspection
Intrusion Detection Systems (IDS) with real-time monitoring and alert generation
Intrusion Prevention Systems (IPS) with automated threat neutralization capabilities
Distributed Denial of Service (DDoS) mitigation through advanced traffic filtering and absorption
Network segmentation separating critical systems, data storage, and processing environments
Zero-trust architecture requiring verification of all access requests regardless of source
Virtual Private Network (VPN) requirements for all remote administrative access
Regular network penetration testing conducted by qualified third-party security firms

9.1.5 Monitoring and Incident Response

24/7 Security Operations Center (SOC) with trained security analysts
Real-time security event monitoring, correlation, and analysis
Automated threat detection using machine learning and behavioral analytics
Comprehensive incident response procedures with defined roles and responsibilities
Digital forensic investigation capabilities for security incident analysis
Breach notification protocols compliant with applicable regulations
Business continuity and disaster recovery planning with regular testing

9.1.6 Compliance and Audit

SOC 1 Type II and SOC 2 Type II certifications
ISO 27001 certification for information security management
NIST Cybersecurity Framework implementation
Regular external security audits
Continuous compliance monitoring through automated scanning and verification
Annual comprehensive penetration testing
Quarterly vulnerability assessments and remediation programs

9.2 Organizational Security

Comprehensive security policies and procedures
Mandatory employee security training
Privileged access management protocols
Detailed incident response plans
Business continuity planning
Regular internal and external security audits
Background checks for employees with access to sensitive data

9.3 Data Storage Security

Encrypted data storage utilizing AES-256 bit encryption
Secure backup systems with encryption and access controls
Data center security compliant with ISO 27001 and SOC 2 Type II
Physical access controls including multi-factor authentication
Environmental controls for fire suppression, climate control, and redundancy
Regular backup verification and integrity checking

10. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.

10.1 Consumer Rights

Know what personal information is collected, used, shared, or sold;
Delete personal information held by businesses and their service providers;
Correct inaccurate personal information;
Obtain a copy of your personal information in a portable format;
Opt-out of the sale or sharing of your personal information;
Limit the use and disclosure of sensitive personal information;
Non-discrimination for exercising your privacy rights.

10.2 Business Requirements

Provides notice at collection regarding the categories of personal information collected and purposes of use;
Maintains a comprehensive privacy policy with all required disclosures;
Implements and maintains reasonable security procedures and practices;
Implements mechanisms for consumers to exercise their privacy rights;
Includes specific provisions in agreements with service providers, contractors, and third parties;
Provides training to all personnel responsible for handling consumer inquiries about privacy practices;
Maintains documentation of compliance with California privacy requirements;
Conducts annual cybersecurity audits and regular risk assessments.

10.3 Verification Procedures

Identity verification methods appropriate to the sensitivity of the request;
Request processing procedures that document verification steps and outcomes;
Response timelines in accordance with statutory requirements;
Documentation requirements for all requests and responses;
Appeal procedures for denied requests or incomplete resolutions.

To exercise your California privacy rights, please contact our Privacy Office using the information provided in Section 17.

11. Additional Privacy Regulations

11.1 GLBA Compliance

Financial privacy notice requirements with clear explanations of information practices.
Information sharing restrictions and limitations.
Safeguards rule compliance through comprehensive security program.
Customer verification procedures for access to financial information.
Opt-out rights for certain types of information sharing.

11.2 SOX Compliance

Financial data integrity measures through access controls and validation.
Audit trail requirements through comprehensive logging and monitoring.
Internal control documentation and testing procedures.
Record retention policies compliant with statutory requirements.
Security control testing and verification processes.

11.3 State Privacy Laws

State-specific requirements for Virginia, Colorado, Connecticut, Utah, and other jurisdictions.
Cross-border data transfer provisions and limitations.
Breach notification requirements with varying timelines and content.
Data protection obligations specific to each applicable jurisdiction.
Consumer rights variations across different state laws.

Data Retention and Deletion

12.1 Retention Periods

Active account data: Duration of service relationship plus 7 years.
Transaction records: Minimum of 7 years from transaction date.
Communication records: 3 years from date of communication.
Technical logs: 12 months for security and troubleshooting purposes.
Backup retention: 5 years with progressive archiving protocols.
Archived data: As required by applicable laws and regulations.

12.2 Deletion Procedures

User-initiated deletion through self-service tools where available.
Account termination process with clear information retention disclosures.
Data purge procedures including secure deletion and overwrite techniques.
Backup removal according to backup rotation and retention schedules.
Archive handling with appropriate deletion upon expiration of retention period.
Verification processes to confirm successful and complete deletion.

13. INTERNATIONAL DATA TRANSFERS

13.1 Transfer Mechanisms

When transferring personal information across international borders, PomJuice utilizes the following mechanisms to ensure adequate protection:

Standard contractual clauses approved by relevant regulatory authorities;
Adequacy decisions from regulatory authorities where applicable;
Binding corporate rules for intra-organizational transfers;
Privacy Shield compliance for applicable transfers;
Data transfer agreements with specific security and privacy provisions;
Implementation of additional safeguards as required by applicable laws.

13.2 Data Localization

PomJuice maintains the following data localization practices:

Primary data storage location in secure data centers within the United States;
Backup storage locations with appropriate security measures and legal compliance;
Processing locations limited to jurisdictions with adequate data protection laws;
Cross-border transfer routes secured with encryption and access controls;
Compliance with jurisdictional requirements for data residency where applicable.

14. SPECIAL CIRCUMSTANCES

14.1 Business Transactions

In the event of a business transaction affecting PomJuice, the following provisions apply:

Merger considerations including privacy impact assessments and data protection;
Acquisition procedures with data transfer protocols and security verification;
Asset sale provisions restricting information use to disclosed purposes;
Bankruptcy procedures protecting confidentiality of customer information;
Restructuring impacts with continuity of privacy protections;
Transition services maintaining security and privacy during organizational changes.

14.2 Emergency Situations

In emergency situations, PomJuice will take reasonable steps to maintain privacy and security, including:

Force majeure event protocols with emergency access procedures;
Security incident response with escalation procedures and containment measures;
System failure recovery procedures with data integrity verification;
Natural disaster contingency plans with geographic redundancy;
Service interruption communication protocols and restoration priorities;
Business continuity measures to maintain essential services and protections.

15. User Choices and Controls

15.1 Privacy Preferences

PomJuice provides the following user choices and controls regarding privacy:

Data sharing options through account settings and preference controls
Marketing preferences allowing opt-out from promotional communications
AI training participation controls allowing exclusion from model improvement
Integration permissions management for third-party connections
Communication preferences for service updates, security alerts, and announcements
Profile visibility settings controlling information accessibility

15.2 Access Controls

User permission levels with granular control over data access
Authentication methods including password complexity requirements and MFA
Session management including timeout controls and active session monitoring
Device authorization tools for managing trusted devices
Integration access controls for third-party service connections
API key management for programmatic access to the Service

16. Updates and Notifications

16.1 Policy Updates

Email notifications for material changes
Material change definition includes changes to information collection, use, sharing, or security
Update frequency based on service changes or regulatory requirements
User acknowledgment may be required for certain material changes
Version tracking with date stamps and change summary
Archive maintenance of previous policy versions for reference

16.2 Service Notifications

Security alerts for suspicious activities or potential threats
Privacy updates including policy changes and regulatory developments
Service changes affecting functionality or information practices
Maintenance notices for scheduled downtime or system updates
Compliance updates regarding regulatory changes affecting the Service
Feature announcements for new capabilities or enhancements

17. Contact Information

17.1 Privacy Office

Privacy Officer: Amir Khan
Email: info@pomjuice.app
Phone: +1 (415) 317-5549
Address: 6064 Kerry Rd, Rohnert Park, CA 94928

17.2 Support Channels

Support Email: info@pomjuice.app
Support Phone: +1 (415) 317-5549
Support Address: 6064 Kerry Rd, Rohnert Park, CA 94928
Online Support Portal: Available through your user account

18. Additional Resources

18.1 Documentation

Privacy guides explaining our practices in plain language
Security whitepapers detailing our security architecture and controls
Compliance certifications and attestation reports
User manuals covering all aspects of the Service
Integration guides for connecting third-party services
Best practices documentation for secure and effective use

18.2 Training Materials

Privacy awareness training for users and administrators
Security guidelines for securing your account and data
Compliance procedures for regulatory requirements
User tutorials for efficient Service utilization
Integration setup guides for third-party connections
Best practice documentation for optimal configuration

19. Effective Date and History

This Privacy Policy is effective as of March 25, 2025. A history of major revisions is maintained in our documentation system and is available upon request by contacting our Privacy Office.

By using our Service, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this Privacy Policy.