Privacy Policy

Last updated May 12, 2026

Who we are

PCI (Profit & Control Index) is a product of White Sports Ventures LLC (“WSV”, “we”, “us”). This policy describes how we collect, use, and protect data when you use PCI at pci.whitesportsventures.com.

What we collect

  • Account data: name, email address, hashed password (via Neon Auth).
  • Financial data: profit & loss statements, accounts receivable aging, revenue by business line, either connected live from QuickBooks or uploaded as CSV/JSON.
  • Diagnostic data: your PCI interrogation responses, risk flags, confidence metrics, and business-line classifications.
  • Payment data: processed by Stripe. We store your Stripe customer ID and subscription status but never your card number.
  • Usage data: agent run history, alert history, chat messages with AI agents.
  • Technical data: IP address, browser type, reCAPTCHA score (used only for spam prevention).

How we use your data

  • To run your PCI diagnostic and produce your PCI score and deliverables.
  • To power your 9 AI monitoring agents (margin, collections, concentration, cash flow, deal prep, lead qualifier, benchmark, PCI assessment, owned-channel intelligence).
  • To send transactional emails (welcome, payment receipts, payment failure alerts, agent notifications).
  • To send a summary of new intake and interrogation submissions to authorized WSV personnel for service follow-up (the summary contains your contact details, segment, decision, and headline metrics).
  • To process your subscription payments via Stripe.
  • To improve our product (aggregate, anonymized usage patterns only).

You can submit a PCI interrogation before creating an account. If you later register for a PCI account using the same email address, your prior interrogation responses are automatically associated with your account so they appear in your dashboard and are covered by your account's export and deletion rights. Lead-intake form entries (the short qualification form on our website) are stored separately in our lead-management database and are not automatically associated with later accounts or included in the in-product export and deletion flows; email us at the address below to have those entries amended or deleted. If you never register, interrogation responses remain unassociated and are handled under the retention rules below.

Third-party services

Your data is processed by these services under their respective privacy policies:

  • Stripe: payment processing and subscription billing.
  • Neon: PostgreSQL database hosting (account data, subscriptions, diagnostics).
  • Supabase: PostgreSQL hosting for the public lead-intake form.
  • Cloudflare: AI agent worker hosting and execution.
  • Anthropic (Claude): AI model powering agent analysis. Your financial data is sent to Claude API calls for analysis. Anthropic does not train on API inputs.
  • OpenAI: AI model used for the adversarial-debate step in PCI report generation. Your financial summary is sent to OpenAI API calls for that step. OpenAI does not train on API inputs.
  • Resend: transactional email delivery.
  • Brave Search: web search used by select agents for market context (no financial data is sent to Brave).
  • Intuit (QuickBooks): if you connect QuickBooks, we access your financial data via OAuth. You can revoke access at any time in Settings.
  • Google reCAPTCHA v3: invisible spam prevention on registration.
  • Vercel: web application hosting.

B2B customers can find our full sub-processor list, international-transfer mechanisms, and processor terms in our Data Processing Addendum.

Data retention

Your account and financial data are retained while your subscription is active. If you request account deletion (Account → Delete my account), your data is marked for deletion and permanently purged after a 30-day grace period. During the grace period you can cancel the deletion from your account page. Stripe retains payment and invoice records in anonymized form for 7 years to comply with US and EU tax requirements.

Cookies

We use a session cookie (better-auth.session_token) for authentication and Google reCAPTCHA v3 for spam prevention. We do not use advertising cookies or third-party tracking.

Your rights

  • Access & export. Visit Account → Export my data to generate a ZIP archive of every record we hold for your account: profile, intakes, interrogations, agent runs and alerts, uploaded files, and generated PDF reports. You’ll receive an email with a signed download link (expires in 48 hours) — typically within 1–5 minutes of requesting. This satisfies the right of access under GDPR Article 15 and the right to know under CCPA §1798.100.
  • Deletion. Visit Account → Delete my account to mark your account for deletion. Your subscription is cancelled immediately and your data is locked; all records are permanently purged after a 30-day grace period. You can cancel the deletion from your account page during the grace window. This satisfies the right to erasure under GDPR Article 17 and the right to delete under CCPA §1798.105.
  • Correction. Update your profile in Account settings, or email us for corrections to records you cannot edit yourself.
  • Revoke QuickBooks or Xero access. Disconnect in Settings at any time.

Security

Financial data at rest is stored in Neon PostgreSQL and (for the public intake form) Supabase, both of which apply storage-layer encryption to all data. OAuth tokens (QuickBooks, Xero) receive an additional layer of application-level encryption using AES-256-GCM with per-subscriber keys before being written to Cloudflare Durable Object storage. All connections use TLS. We do not store card numbers (Stripe handles this).

Contact

For privacy questions or data requests: jeremiah@whitesportventures.com