Privacy Policy
Effective date: April 14, 2026
This Privacy Policy explains how Fireworks Effect AI, LLC ("Fireworks", "we", "us") collects, uses, and shares information when you use Fireworks for Square and the websites at fireworkseffect.com and app.fireworkseffect.com.
What we collect
- Account data: Square merchant identifier, business name, email address, and encrypted Square OAuth tokens.
- Usage events: Product analytics events (pageviews, clicks, feature usage) — see our events documentation for the full taxonomy.
- Session recordings: We record a sample of app sessions for debugging and product-quality purposes. All input fields are masked; we never capture what you type.
- IP address and device data: Standard web request metadata — IP, user agent, timezone, referrer.
- Cookies: Used for analytics stitching across subdomains. Consent-gated on the marketing site.
- Content you upload: Vendor invoices, images, and CSV files you submit. These are stored in our AWS infrastructure and processed by our AI extraction pipeline.
Who we share with
We share data only with the service providers that run Fireworks:
- Amazon Web Services (AWS) — hosting, storage (S3), compute (Lambda), database (DynamoDB), email (SES). Data stays in us-east-1.
- PostHog — product analytics and session recording. Hosted in the United States.
- Stripe — subscription billing and payment processing. We never store your full card number; Stripe tokenizes it.
- Anthropic — vendor document extraction via the Claude API. Uploaded document contents are sent to Anthropic for extraction but are not used to train their models.
- Square — we exchange data with Square's Catalog, Inventory, and Orders APIs on your behalf, using the OAuth scopes you granted.
We do not sell your data. We do not share it with advertisers.
Data retention
- Active accounts: data is retained for as long as your account is active.
- Cancelled accounts: data is retained for 180 days after cancellation, then deleted.
- Feedback submissions: retained for 90 days.
- Session recordings: retained for 30 days.
- You can request earlier deletion at any time by emailing privacy@fireworkseffect.com.
Cookies
The marketing site at fireworkseffect.com shows a cookie-consent banner on your first visit. Analytics cookies are only set if you click Accept. Cookies are scoped to .fireworkseffect.com so we can stitch your marketing-site visit to your in-app activity with a consistent analytics ID.
Inside the app at app.fireworkseffect.com, analytics are on by default for authenticated merchants as part of the Service. You can opt out from Settings.
Email tracking
Transactional and notification emails sent via AWS SES include open and click tracking for product-improvement purposes (for example, to confirm that order-confirmation emails are reaching you). Unsubscribe links are included where applicable.
Security
Square OAuth tokens are encrypted at rest using AWS KMS. Data in transit is encrypted via TLS. Access to production systems is restricted to the Fireworks engineering team and logged.
Your rights
You can request access to, correction of, or deletion of your personal data at any time by emailing privacy@fireworkseffect.com. California residents: you have the rights described in the CCPA/CPRA. EU/UK residents: you have the rights described in the GDPR/UK GDPR.
Changes
We may update this policy from time to time. Material changes will be announced by email or in-app notice before they take effect.
Contact
Fireworks Effect AI, LLC
privacy@fireworkseffect.com