1. Who We Are
IOLTAWatch is a product of Verona Strategic LLC ("Company," "we," "us," or "our"), a Florida limited liability company. This policy applies to the IOLTAWatch web application and all related services accessible at ioltawatch.com.
For privacy inquiries: privacy@ioltawatch.com
2. Data We Collect
| Category | What we collect | Why |
|---|---|---|
| Account data | Name or firm name, email address, state, password (hashed — never stored in plain text) | To create and manage your account |
| Bank data (via Plaid) | Read-only access to your IOLTA trust account balance and transaction history. We store an encrypted Plaid access token. We do not store your bank login credentials. | To run nightly reconciliation and retrieve live bank balance |
| Ledger data | Client matter IDs, client names, and ledger balances you upload via CSV | To perform three-way reconciliation against your bank balance |
| Reconciliation records | Results of each nightly reconciliation run: bank balance, ledger total, sub-ledger sum, status, discrepancy amount, timestamp | To provide your reconciliation history and generate PDF reports |
| Billing data | Subscription status. Payment card details are processed and stored exclusively by Stripe — we do not store card numbers. | To manage your subscription |
| Usage data | Standard web server logs (IP address, browser type, pages visited, timestamps) | To operate and improve the Service |
3. How We Use Your Data
We use the data we collect solely to:
- Provide, operate, and maintain the Service;
- Run nightly reconciliation and send alert emails;
- Generate reconciliation worksheets and PDF reports;
- Process your subscription and communicate with you about your account;
- Respond to support requests;
- Comply with legal obligations.
We do not use your data to train AI models, to target advertising, or for any purpose other than providing the Service.
4. Subprocessors
We rely on the following third-party services to operate IOLTAWatch. Each is bound by its own privacy and security policies.
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Plaid Technologies, Inc. | Bank account connection and balance retrieval (read-only) | Bank account data, encrypted access token |
| Supabase, Inc. | Database, authentication, and row-level data storage | All application data (account, ledger, reconciliation records) |
| Stripe, Inc. | Payment processing and subscription management | Billing information, subscription status |
| Twilio SendGrid | Transactional email delivery (alerts, welcome email) | Your email address and alert content |
| Railway Corp. | Application hosting and infrastructure | All data processed by the application |
5. Data Security
We implement the following security measures:
- Encryption in transit: All connections use TLS 1.2 or higher.
- Encryption at rest: Plaid access tokens are encrypted with AES-256 at the application layer before they are written to the database. Supabase additionally encrypts all stored data at rest.
- Access controls: Row-level security (RLS) policies in our database enforce tenant isolation, so each firm's data is inaccessible to users of any other firm.
- Least-privilege access: Bank account connections are read-only. IOLTAWatch can never initiate transactions on your behalf.
- Session security: Authentication cookies are HTTP-only, secure, and scoped to the application domain.
No IOLTAWatch employee can access your firm's data in the normal course of business. Access to customer data requires written authorization from Company leadership and is logged. In the event of a legally binding subpoena, court order, or other compulsory legal process, the Company will comply with the requirement and will notify you to the extent permitted by law.
6. Data Retention
Active subscription: We retain your reconciliation records, ledger data, and account data for the duration of your active subscription.
On cancellation: Upon cancellation of your subscription, your account access is disabled at the end of the paid billing period. Your reconciliation records are retained indefinitely following cancellation, unless you request deletion, to support your ongoing bar compliance obligations. You may export all reconciliation PDFs at any time by logging in or by contacting support@ioltawatch.com. To request permanent deletion of your data, contact privacy@ioltawatch.com; deletion requests are fulfilled within 30 days, subject to any legal retention obligations. We strongly recommend exporting all reconciliation PDFs before cancelling.
Your obligation: Your state bar's rules may require you to retain trust account reconciliation records for a specific period (typically five to seven years). It is your responsibility to export and retain those records. IOLTAWatch's retention practices do not substitute for your professional recordkeeping obligations.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you;
- Correction: Request correction of inaccurate data;
- Deletion: Request deletion of your data (subject to our retention policy and any legal obligations);
- Export: Download your reconciliation reports at any time from your dashboard.
To exercise these rights, email privacy@ioltawatch.com. We will respond within 30 days.
8. Cookies
We use a single session cookie ("sb_token") to maintain your authenticated session. This cookie is HTTP-only, secure, and expires after seven days. We do not use tracking cookies, analytics cookies, or advertising cookies.
9. Children's Privacy
The Service is intended for licensed attorneys and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
Privacy questions or requests: privacy@ioltawatch.com
Verona Strategic LLC · Boca Raton, FL