Residual Genius

Privacy policy

Residual Genius · Residual Genius LLC · 101 N J St, Suite 2, Lake Worth Beach, FL

Last updated June 21, 2026

Overview

This Privacy policy describes how Residual Genius LLC ("we") collects, uses, and protects information when you use Residual Genius (the "Service"). We are incorporated in Florida with our principal place of business at 101 N J St, Suite 2, Lake Worth Beach, FL.

Information we collect

  • Account data: name, email, organization name, role, authentication identifiers (via Supabase Auth).
  • Financial and operational data you upload: residual reports, Schedule A documents, merchant identifiers, reconciliation results, and related metadata.
  • Payment data: billing status and subscription identifiers processed by Stripe. We do not store full payment card numbers.
  • Usage data: logs, device and browser type, IP address, and product analytics (when enabled). See Analytics below.

How we use information

  • Provide, secure, and improve the Service, including AI-assisted parsing and reconciliation.
  • Authenticate users and enforce organization-level access controls.
  • Process payments and manage subscriptions.
  • Communicate about audits, account status, mediation cases, and support.
  • Comply with law and protect against fraud or abuse.
  • Create de-identified and aggregated data as described in the De-identified and Aggregated Data section.

Organization isolation

Customer Data is isolated per organization ("tenant"). Users within your organization see only data tied to your org_id unless you are a platform administrator with explicit cross-org access. We use organization-scoped queries, role-based permissions, and database row-level security on configured tables so one customer cannot access another customer's uploads, reconciliation rows, or Schedule A materials. We do not use your identifiable organization data to train general-purpose models offered to other customers. We may use de-identified and aggregated data to improve our own products and services as described below.

De-identified and aggregated data

We may create de-identified and aggregated data derived from information processed through the Service. De-identified data has all direct identifiers removed, including business names, merchant identifiers, account numbers, and any information that identifies you, your organization, or your merchants. Aggregated data combines information across many sources so that no individual organization, agent, or merchant can be identified.

We may use de-identified and aggregated data for our own commercial purposes, including to operate, improve, and develop our products and services; to produce industry benchmarks, market analyses, and statistical insights; and to create data products and reporting. Because this data does not identify you, your organization, or your merchants, our use of it is not limited by this Privacy policy, and we may retain and use it after your account closes.

We do not sell, license, or share your identifiable financial data, residual reports, Schedule A materials, or merchant-level records with third parties for their own marketing or commercial purposes. Our use of data for commercial purposes is limited to the de-identified and aggregated form described above.

AI processing

Residual and Schedule A files may be sent to third-party AI providers (for example, Anthropic) to extract structure and reconcile line items. We configure processing to minimize unnecessary data retention by providers per their enterprise or API terms. Do not upload data you are not authorized to share with subprocessors.

Storage and subprocessors

Primary infrastructure includes:

  • Supabase: authentication, PostgreSQL database, and file storage for uploads (United States).
  • Vercel: application hosting and serverless functions.
  • Anthropic: optional AI-assisted parsing and reconciliation when enabled.
  • Stripe: payment processing for subscriptions and usage billing.
  • Resend: transactional email notifications when enabled.

A current subprocessor list and data processing addendum is available on request at info@cardsmart.io.

Retention

We retain Customer Data while your account is active and as needed to provide the Service. You may request deletion subject to legal and backup constraints. Backup copies may persist for a limited period after deletion requests while systems rotate.

Account and organization deletion

You may request deletion of your organization and associated Customer Data by emailing info@cardsmart.io. After we verify your identity, a platform administrator runs our deletion workflow for your organization only. Regular agents cannot delete another organization's data.

When deletion completes, we remove:

  • Residual uploads and stored files for your organization
  • Reconciliation results, uploads, merchants, portfolios, and Schedule A materials
  • Mediation cases, agreements, and related communications
  • Learning signals, intelligence feedback, and org-scoped analytics tied to your account
  • De-identified fact rows in our internal data_intelligence layer that are keyed to your organization pseudonym
  • Your organization record and member login accounts

We may retain the following after deletion:

  • Backup copies: encrypted database and storage backups until rotation (typically up to 35 days on Supabase-managed infrastructure).
  • Legal and billing records: Stripe subscription and invoice history where law or payment-network rules require retention (not your residual file contents).
  • Security audit trail: platform audit_log entries are anonymized (org_id removed) with a final deletion record, not erased.
  • Cross-org aggregates: k-anonymized statistics in data_intelligence that cannot be attributed to a single organization once aggregated.

Analytics

We may collect privacy-respecting product events (for example, signup completed, audit submitted) without embedding personally identifiable information in event payloads. Analytics are flag-gated and disabled by default until configured. We do not use third-party advertising cookies in the product today.

Your rights

Depending on jurisdiction, you may have rights to access, correct, delete, or export personal information. Contact info@cardsmart.io. We respond to access, correction, deletion, and portability requests per applicable law.

Changes

We may update this policy. Material changes will be posted with an updated date. Continued use after changes constitutes acceptance where permitted by law.

Contact

Residual Genius LLC, 101 N J St, Suite 2, Lake Worth Beach, FL
info@cardsmart.io · 610-731-4637