Privacy Policy
Effective Date: 02/13/26
Last Updated: 02/13/26
CodeWright LLC ("CodeWright," "we," "us," or "our") operates the FISTWorks platform (the "Service"). This Privacy Policy explains how we collect, use, store, protect, and delete your personal information when you use the Service. By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
When you create an account and use the Service, we collect:
| Category | Examples |
|---|---|
| Account information | Name, email address, display name |
| Organization information | Organization name, member roles |
| Banking information | Bank names, routing numbers, account numbers (for ACH file generation) |
| Recipient information | Recipient names, bank account details, identification numbers |
| ACH file data | Transaction amounts, types, effective dates, SEC codes |
| SFTP connection details | Hostnames, ports, usernames, passwords, SSH keys |
| Payment information | Billing details processed through Stripe (we do not store credit card numbers) |
1.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Authentication data — Identity tokens and session information from Microsoft Entra ID.
- Usage data — Features used, files generated, pages visited, and timestamps.
- Device and browser data — IP address, browser type, and operating system (collected by our hosting infrastructure).
- Log data — Server logs including request URLs, response codes, and error information.
1.3 Information from Third Parties
If you connect third-party services, we receive:
- QuickBooks Online — Company name, vendor and customer names, email addresses, bill and invoice details. We do not receive bank account information from QuickBooks.
- Microsoft Entra ID — Your identity claims (name, email, unique identifier) used for authentication.
- Stripe — Subscription status and payment confirmations. We do not receive or store your full credit card number.
2. How We Use Your Information
We use your information only to provide and operate the Service:
| Purpose | Data used |
|---|---|
| Account management | Name, email, identity claims |
| ACH file generation | Recipient data, banking information, transaction details |
| SFTP file transmission | SFTP connection credentials, generated files |
| Billing | Subscription plan, payment status (via Stripe) |
| Security and fraud prevention | Authentication data, usage patterns, IP addresses |
| Audit logging | User actions, timestamps, event details |
| Service improvement | Aggregated, anonymized usage statistics |
| Customer support | Account information, usage history |
We do not:
- Sell your personal information to third parties.
- Use your data for advertising or marketing purposes beyond our own service communications.
- Share your banking or financial data with anyone except as described in Section 4.
- Train AI models on your data.
3. How We Protect Your Information
We implement multiple layers of security to protect your data:
3.1 Encryption
- In transit — All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- At rest — Sensitive fields, including bank account numbers, SFTP credentials, and authentication tokens, are encrypted in the database using column-level encryption. Encrypted data cannot be read by database administrators and remains unreadable in the event of a database breach.
3.2 Data Masking
- Recipient banking information is protected with data masking so that partial account details are never exposed in application logs, error messages, or support interactions.
3.3 Access Controls
- The Service uses a multi-tenant architecture where each organization's data is strictly isolated.
- User authentication is handled by Microsoft Entra ID with one-time verification codes (passwordless).
- Role-based access controls restrict administrative functions to organization administrators.
3.4 Infrastructure
- The Service is hosted on Microsoft Azure with data stored in Azure SQL Database.
- Our infrastructure benefits from Azure's SOC 1, SOC 2, and ISO 27001 certifications.
- Database backups are encrypted and retained per Azure's standard backup policies.
4. When We Share Your Information
We share your information only in these limited circumstances:
4.1 Service Providers
We use the following third-party services to operate the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Microsoft Azure | Cloud hosting and database | All service data (encrypted at rest) |
| Microsoft Entra ID | Authentication | Name, email, identity tokens |
| Stripe | Payment processing | Billing details, subscription status |
| Intuit (QuickBooks) | Accounting integration (optional) | OAuth tokens; we receive vendor/customer data |
These providers process data on our behalf under contractual obligations to protect it.
4.2 Your SFTP Endpoints
When you transmit ACH files via SFTP, the generated file is delivered to the server you configure. We do not control or monitor your bank's SFTP server.
4.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If CodeWright LLC is acquired, merged, or sells substantially all its assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Retention
5.1 Active Accounts
We retain your data for as long as your account is active and your organization exists.
5.2 Account Closure
When you close your individual account, your profile is soft-deleted (removed from active views) and your organization memberships are revoked. See our Account Closure & Data Deletion page for details.
5.3 Organization Closure
When your organization is closed, all organization data enters a 30-day grace period, after which it is permanently and irreversibly deleted. This includes ACH files, recipient records, bank configurations, SFTP profiles, templates, scheduled transmissions, and audit logs. See our Account Closure & Data Deletion page for the complete list.
5.4 Billing Records
Subscription and payment records maintained by Stripe are retained independently by Stripe per their data retention policies and applicable tax and legal requirements.
5.5 Server Logs
Infrastructure and application logs are retained for up to 90 days for security and debugging purposes, after which they are automatically deleted.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
6.1 Access
You can view your profile information, organization details, and data at any time through the Service.
6.2 Correction
You can update your display name through your Profile settings. To correct other account information, contact us via our Contact page.
6.3 Deletion
You can delete your account and/or organization at any time through the Service. See Account Closure & Data Deletion for the process and timeline.
6.4 Data Portability
You can export your ACH files by downloading them from the ACH Drafter before closing your account. We do not currently offer a bulk data export feature for all account data. If you need a copy of your data, contact us.
6.5 Opt-Out
You may disconnect third-party integrations (such as QuickBooks) at any time from your Organization settings.
6.6 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know — You may request details about the categories and specific pieces of personal information we have collected.
- Right to delete — You may request deletion of your personal information, subject to certain exceptions.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
- No sale of personal information — We do not sell personal information as defined by the CCPA.
To exercise any of these rights, contact us via our Contact page.
7. Cookies and Tracking
7.1 Essential Cookies
The Service uses essential cookies for authentication and session management. These cookies are required for the Service to function and cannot be disabled.
| Cookie | Purpose |
|---|---|
| Authentication cookie | Maintains your signed-in session |
| Antiforgery cookie | Protects against cross-site request forgery |
7.2 No Tracking Cookies
We do not use analytics cookies, advertising cookies, or third-party tracking pixels. We do not track your activity across other websites.
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.
9. International Data Transfers
The Service is hosted in the United States (Microsoft Azure, Central US region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
CodeWright LLC
Website: Contact Us