Privacy Policy

Last updated April 1, 2026. Your privacy matters to us. This policy explains how Theorem collects, uses, and protects your data.

1. Introduction

Theorem Inc. ("Theorem," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-native financial operating system, APIs, dashboards, and related services (the "Services"). By using our Services, you consent to the practices described in this policy.

2. Information We Collect

We collect information you provide directly to us, including: account registration data (name, email, organization), financial data you submit for processing (transactions, invoices, payroll data, tax information), API credentials and integration configurations, and communications you send to us. We also automatically collect usage data including IP addresses, browser type, device information, pages visited, and feature usage patterns.

3. How We Use Your Information

We use your information to: provide, maintain, and improve the Services; process financial transactions and run AI agents on your behalf; send service notifications and security alerts; analyze usage patterns to improve our platform; comply with legal obligations and enforce our Terms of Service; and provide customer support. We do not use your financial data to train our AI models without your explicit consent.

4. Data Processing & AI Agents

Our AI agents process your financial data solely to provide the Services you have requested. Agent processing includes transaction categorization, reconciliation, compliance checks, and automated reporting. All agent actions are logged with full audit trails. You maintain ownership of all data processed by our agents, and we act as a data processor on your behalf.

5. Data Sharing & Disclosure

We do not sell your personal information. We may share your information with: service providers who assist in delivering the Services (subject to confidentiality agreements); financial institutions and payment processors as necessary to complete transactions; law enforcement or regulatory bodies when required by law; and parties involved in a merger, acquisition, or sale of assets (with advance notice to you).

6. Data Security

We implement comprehensive security measures including: AES-256 encryption for data at rest; TLS 1.3 encryption for data in transit; SOC 2 Type II certified infrastructure; regular penetration testing and vulnerability assessments; role-based access controls with multi-factor authentication; 24/7 security monitoring and incident response; and geographically distributed data centers with redundancy.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Financial transaction data is retained in accordance with applicable regulatory requirements (typically 7 years). Upon account termination, you may request data export within 30 days. After the export period, data is securely deleted from our systems within 90 days, except where retention is required by law.

8. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate or incomplete data; delete your personal data (subject to legal retention requirements); restrict or object to certain processing activities; receive your data in a portable format; and withdraw consent where processing is based on consent. To exercise these rights, contact privacy@theorem.co.

9. GDPR Compliance

For users in the European Economic Area (EEA), we process personal data under the following legal bases: contract performance (to provide the Services), legitimate interests (to improve and secure the Services), legal obligations (regulatory compliance), and consent (where specifically requested). We have appointed a Data Protection Officer and maintain records of processing activities as required by the GDPR.

10. CCPA Compliance

For California residents, we comply with the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale of personal information (we do not sell personal information), and receive equal service regardless of exercising your privacy rights.

11. Cookies & Tracking

We use essential cookies for authentication, security, and session management. We use analytics cookies to understand how users interact with our Services. You can control cookie preferences through your browser settings. We do not use third-party advertising cookies or cross-site tracking.

12. International Data Transfers

Your data may be processed in data centers located in the United States and other jurisdictions. For transfers from the EEA, we rely on Standard Contractual Clauses approved by the European Commission. We ensure that all international transfers provide an adequate level of data protection consistent with this Privacy Policy.

13. Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' advance notice via email or in-product notification. The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact our privacy team at privacy@theorem.co. For data protection inquiries in the EEA, you may also contact our Data Protection Officer at dpo@theorem.co.