Privacy Policy
Effective Date: 02/13/26
Last Updated: 04/24/26
CodeWright LLC ("CodeWright," "we," "us," or "our") operates the FiSTWorks platform (the "Service"). This Privacy Policy explains how we collect, use, store, protect, and delete your personal information when you use the Service. By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
When you create an account and use the Service, we collect:
| Category | Examples |
|---|---|
| Account information | Name, email address, display name |
| Organization information | Organization name, member roles |
| Banking information | Bank names, routing numbers, account numbers (for ACH file generation) |
| Recipient information | Recipient names, bank account details, identification numbers |
| ACH file data | Transaction amounts, types, effective dates, SEC codes |
| SFTP connection details | Hostnames, ports, usernames, passwords, SSH keys |
| Payment information | Billing details processed through Stripe (we do not store credit card numbers) |
1.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Authentication data — Identity tokens and session information from Clerk.
- Usage data — Features used, files generated, pages visited, and timestamps.
- Device and browser data — IP address, browser type, and operating system (collected by our hosting infrastructure).
- Log data — Server logs including request URLs, response codes, and error information.
- Anonymous validator rate-limit data — If you use the ACH file validator without creating an account, we briefly record your IP address (and set a short-lived cookie) so we can apply a monthly free-use limit. This data is used only to prevent abuse, is retained for 30 days, and is then automatically deleted. Legal basis under GDPR is our legitimate interest in preventing abuse of a free service (Article 6(1)(f)).
1.3 Information from Third Parties
If you connect third-party services, we receive:
- QuickBooks Online — Company name, vendor and customer names, email addresses, bill and invoice details. We do not receive bank account information from QuickBooks.
- Clerk — Your identity claims (name, email, unique identifier) used for authentication.
- Stripe — Subscription status and payment confirmations. We do not receive or store your full credit card number.
2. How We Use Your Information
We use your information only to provide and operate the Service:
| Purpose | Data used |
|---|---|
| Account management | Name, email, identity claims |
| ACH file generation | Recipient data, banking information, transaction details |
| SFTP file transmission | SFTP connection credentials, generated files |
| Billing | Subscription plan, payment status (via Stripe) |
| Security and fraud prevention | Authentication data, usage patterns, IP addresses |
| Anti-abuse rate limiting (anonymous validator) | Your IP address (retained 30 days) and a short-lived cookie, used to apply a free-use monthly limit on the anonymous ACH validator |
| Audit logging | User actions, timestamps, event details |
| Service improvement | Aggregated, anonymized usage statistics |
| Customer support | Account information, usage history |
We do not:
- Sell your personal information to third parties.
- Use your data for advertising or marketing purposes beyond our own service communications.
- Share your banking or financial data with anyone except as described in Section 4.
- Train AI models on your data.
2.1 Email Communications
We send two categories of email to your account email address:
Transactional emails — file notifications, password-reset codes, security alerts, billing receipts, invitation acceptances, and admin actions. These are necessary to operate your account and are always sent. You cannot opt out of transactional email while your account is active.
Non-transactional emails — product engagement communications including usage tips, feature announcements, and re-engagement messages for accounts that have been inactive. The legal basis under US CAN-SPAM is accurate-header commercial email with a functional opt-out mechanism; under GDPR it is our legitimate interest (Article 6(1)(f)) in helping you get value from a service you have signed up for. You can unsubscribe at any time via the one-click link in any non-transactional email or from your account profile settings. We honor opt-outs immediately (well within CAN-SPAM's ten-business-day requirement).
3. How We Protect Your Information
We implement multiple layers of security to protect your data:
3.1 Encryption
- In transit — All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- At rest — Sensitive fields including bank account numbers, SFTP credentials, and authentication tokens are encrypted in the database using column-level encryption. Encrypted data cannot be read by database administrators or in the event of a database breach.
3.2 Data Masking
- Recipient banking information is protected with data masking so that partial account details are never exposed in application logs, error messages, or support interactions.
3.3 Access Controls
- The Service uses a multi-tenant architecture where each organization's data is strictly isolated.
- User authentication is handled by Clerk with one-time verification codes (passwordless).
- Role-based access controls restrict administrative functions to organization administrators.
3.4 Infrastructure
- The Service is hosted on Microsoft Azure with data stored in Azure SQL Database.
- Our infrastructure benefits from Azure's SOC 1, SOC 2, and ISO 27001 certifications.
- Database backups are encrypted and retained per Azure's standard backup policies.
4. When We Share Your Information
We share your information only in these limited circumstances:
4.1 Service Providers
We use the following third-party services to operate the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Microsoft Azure | Cloud hosting and database | All service data (encrypted at rest) |
| Azure Communication Services | Email delivery (transactional and non-transactional) | Recipient email address, subject, body |
| Clerk | Authentication | Name, email, identity tokens |
| Stripe | Payment processing | Billing details, subscription status |
| Intuit (QuickBooks) | Accounting integration (optional) | OAuth tokens; we receive vendor/customer data |
These providers process data on our behalf under contractual obligations to protect it. Azure Communication Services operates under a service-provider agreement and does not sell or share email addresses for cross-context behavioral advertising.
4.2 Your SFTP Endpoints
When you transmit ACH files via SFTP, the generated file is delivered to the server you configure. We do not control or monitor your bank's SFTP server.
4.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If CodeWright LLC is acquired, merged, or sells substantially all its assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Retention
5.1 Active Accounts
We retain your data for as long as your account is active and your organization exists.
5.2 Account Closure
When you close your individual account, your profile is soft-deleted (removed from active views) and your organization memberships are revoked. See our Account Closure & Data Deletion page for details.
5.3 Organization Closure
When your organization is closed, all organization data enters a 30-day grace period, after which it is permanently and irreversibly deleted. This includes ACH files, recipient records, bank configurations, SFTP profiles, templates, scheduled transmissions, and audit logs. See our Account Closure & Data Deletion page for the complete list.
5.4 Billing Records
Subscription and payment records maintained by Stripe are retained independently by Stripe per their data retention policies and applicable tax and legal requirements.
5.5 Server Logs
Infrastructure and application logs are retained for up to 90 days for security and debugging purposes, after which they are automatically deleted.
5.6 Anonymous Validator Rate-Limit Data
If you use the ACH file validator without an account, the IP address you connect from is recorded briefly to enforce a monthly free-use limit (5 files per month). These records are automatically purged 30 days after they are created. No other information from your visit is retained from the anonymous validator — your uploaded ACH files themselves are validated in memory and are never stored, whether you use the validator anonymously or while signed in.
5.7 Email Campaign Send Records
For each non-transactional email we send you, we retain a send record (campaign identifier, date, delivery status) indefinitely as a suppression list so we can honor the "at most once per campaign per recipient" rule and so you do not receive repeat re-engagement messages. If you exercise a right to erasure under Section 6, your user identifier on these records is anonymized; the suppression record itself (hashed email, campaign, date) is retained under legitimate interest to continue honoring your opt-out preferences.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
6.1 Access
You can view your profile information, organization details, and data at any time through the Service.
6.2 Correction
You can update your display name through your Profile settings. To correct other account information, contact us via our Contact page.
6.3 Deletion
You can delete your account and/or organization at any time through the Service. See Account Closure & Data Deletion for the process and timeline.
6.4 Data Portability
You can export your ACH files by downloading them from the ACH Drafter before closing your account. We do not currently offer a bulk data export feature for all account data. If you need a copy of your data, contact us.
6.5 Opt-Out
You may disconnect third-party integrations (such as QuickBooks) at any time from your Organization settings. You may also opt out of non-transactional email at any time via the one-click unsubscribe link in any campaign message or via the Email Preferences card on your account profile settings; transactional email continues regardless of your choice (see Section 2.1).
6.6 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know — You may request details about the categories and specific pieces of personal information we have collected.
- Right to delete — You may request deletion of your personal information, subject to certain exceptions.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
- No sale of personal information — We do not sell personal information as defined by the CCPA.
To exercise any of these rights, contact us via our Contact page.
7. Cookies and Tracking
7.1 Essential Cookies
The Service uses only essential cookies required for the application to function. These cookies cannot be disabled without breaking core functionality.
| Cookie | Purpose | Retention |
|---|---|---|
| Authentication cookie (.cw-auth) | Maintains your signed-in session | Session (expires on browser close or after idle timeout) |
| Antiforgery token | Protects form submissions against cross-site request forgery | Session |
| Invitation verification | Verifies email ownership during team invitation acceptance | 24 hours |
| fw_anon_validator | Anti-abuse rate limit for the anonymous ACH validator (no account required). Tracks how many validations you have used in a rolling 30-day window. Not gated on cookie consent because it is strictly necessary to provide the free validator you have requested. | 30 days, rolling |
7.2 Browser Storage
The Service uses browser localStorage (not cookies) for user preferences. This data never leaves your browser and is not transmitted to our servers.
| Key | Purpose | Retention |
|---|---|---|
| fw-theme | Remembers your dark/light mode preference | Until cleared |
| cookieConsent | Records your cookie consent choice (all or essential) | Until cleared |
7.3 Advertising Cookies (Opt-In Only)
If you click "Accept All" on our cookie consent banner, we load Google Ads conversion tracking. This allows us to measure whether our ads lead to sign-ups. The following cookies may be set by Google:
| Cookie | Purpose | Retention |
|---|---|---|
| _gcl_au | Links ad clicks to conversions on our site | 90 days |
| _gac_* | Stores campaign information for Google Ads | 90 days |
What is shared with Google: An anonymous conversion signal indicating that a sign-up occurred. No personally identifiable information (name, email, financial data) is shared.
How to opt out: Click "Essential Only" on the cookie consent banner. If you previously accepted all cookies, clear your browser's localStorage for this site to reset your choice. You can also use your browser's built-in cookie controls to block third-party cookies from googletagmanager.com.
If you click "Essential Only" or have not yet made a choice, no Google scripts are loaded and no advertising cookies are set. All fonts and icons are self-hosted — no requests are made to external CDNs (Google Fonts, jsDelivr, etc.) that could track your IP address.
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.
9. International Data Transfers
The Service is hosted in the United States (Microsoft Azure, Central US region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
CodeWright LLC
PO Box 2264, Centennial, CO 80161
Website: Contact Us