Legal
Privacy Policy
Last updated July 4, 2026
Kestro holds some of the most sensitive data a company has — its spend, bank connections, and general ledger. This policy explains, plainly, what we collect, why, who we share it with, and the control you keep over it.
01 Scope of this policy
This Privacy Policy explains how Kestro (“we,” “us”) handles personal data in connection with the Kestro service. For most Customer Data we act as a processor on behalf of your organization (the controller), which decides why the data is processed. For account administration and our own operations, we act as a controller. This policy covers both roles.
02 Information we collect
- Account information — name, work email, organization, role, and authentication identifiers from Firebase Authentication (we never see your password).
- Financial and transaction data — bank/card transactions and account metadata from providers you connect (via Plaid), receipts you upload, coding, approvals, reimbursements, and journal entries.
- Integration tokens — encrypted OAuth tokens for the accounting and banking systems you link. We never store full card numbers (PANs).
- Billing information — subscription and payment status; card details are handled by our payment processor, not stored by us.
- Usage and device data — logs, IP address, and basic telemetry used to operate, secure, and improve the Service.
03 How we use information
We use personal data to provide and secure the Service, process transactions and sync them to your accounting system, enforce your spend policies, communicate with you (including verification and notification emails and SMS), prevent fraud and abuse, comply with legal obligations, and improve the product. We do not sell personal data, and we do not use your Customer Data to train models for other customers.
04 Legal bases (EEA/UK)
Where GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service), legitimate interests (to secure and improve the Service and prevent fraud), legal obligation (for example, tax and accounting record-keeping), and consent where required. Where we act as a processor, our processing is governed by our agreement with your organization.
05 Sharing and subprocessors
We share data only with service providers who process it on our behalf under contract, and only as needed to run the Service:
- Google Cloud Platform — hosting, database, and AI processing of receipts;
- Firebase Authentication — sign-in and identity;
- Plaid — bank and card account connections;
- Intuit QuickBooks and Xero — accounting sync (only for organizations that connect them);
- Stripe — subscription billing and payment processing;
- Resend — transactional email; Twilio — SMS notifications.
06 International transfers
We and our subprocessors may process data in countries other than yours. Where required, we use appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses. Each record in Kestro carries a region tag — the foundation for keeping a customer’s data in a chosen region as we expand.
07 Data retention
We retain Customer Data for as long as your account is active and as needed to provide the Service. After termination, you may export your data for a reasonable period, after which it is deleted. We may retain limited records where required for legal, tax, or security reasons. Our audit log is append-only by design and retained to preserve its integrity.
08 Security
We protect data with tenant isolation at the database (Postgres row-level security), a least-privilege application role, TLS in transit, AES-256-GCM encryption of integration tokens at rest, a tamper-evident audit trail, and separation of internal support access. See our Security & Trust page for details. No system is perfectly secure, but we design for defense in depth.
09 Your rights
Depending on your location, you may have rights to access, correct, export, delete, or restrict processing of your personal data, and to object or withdraw consent. Kestro provides self-serve export and deletion of an organization’s data; deletion cascades across our systems. For personal data we control, contact us to exercise your rights. Where we act as a processor, please direct requests to your organization, and we will assist it.
10 Cookies
We use strictly necessary cookies to keep you signed in (a secure, HttpOnly session cookie) and to operate the Service. We do not use advertising cookies. Because our cookies are essential to the Service, disabling them will prevent sign-in.
11 Children
The Service is for organizations and their staff, and is not directed to children under 16. We do not knowingly collect data from children.
12 Changes and contact
We may update this policy from time to time and will notify you of material changes before they take effect. For privacy questions or to exercise your rights, contact privacy@trykestro.com.
Questions about this document? Email legal@trykestro.com. See also our Terms of Service, Privacy Policy, and Security & Trust page.