1. Introduction

Shadu Labs LLC ("we," "us," or "our") operates the CollisionSuite platform, a shop management application designed for automotive collision repair businesses. This Privacy Policy describes how we collect, use, store, and protect information — including financial data obtained through our integration with Plaid Inc. ("Plaid") — in connection with our services provided at collisionsuite.com and shadulabs.com.

By using CollisionSuite or authorizing a connection to your financial accounts through Plaid, you consent to the practices described in this Privacy Policy.

2. Information We Collect via Plaid

We use Plaid to securely connect to your business credit card accounts. Through this integration, we access the following data:

  • Transaction data: Date, amount, merchant name, and card identifier for each transaction
  • Account balances: Current balance information for connected credit card accounts

We do not access:

  • Bank account numbers or routing numbers
  • Funds transfer or payment initiation capabilities
  • Identity verification or personal identification data
  • Account credentials (these are handled exclusively by Plaid)

Plaid acts as a data intermediary and processor, securely retrieving financial data from your financial institution on our behalf. Your account credentials are never transmitted to or stored by Shadu Labs. For more information on how Plaid handles your data, please review Plaid's End User Privacy Policy.

3. Purpose of Data Collection

We collect financial data through Plaid exclusively for the following business purposes within CollisionSuite:

  • Employee expense tracking: Associating credit card transactions with individual cardholders for accountability
  • General ledger (GL) coding: Categorizing transactions to appropriate expense accounts
  • Manager approval workflows: Routing coded transactions through a review and approval process
  • QuickBooks export: Exporting approved and coded transactions to QuickBooks Online for accounting purposes

4. Data Access and Role-Based Controls

Access to financial data within CollisionSuite is governed by a role-based access control system with five permission tiers:

  • Owner: Full access to all data and system configuration
  • Admin: Full access to all financial data and user management
  • Manager: Access to transaction data for review and approval workflows
  • Employee: Access limited to their own assigned card transactions
  • Read-only: View-only access as configured by an administrator

User onboarding is invitation-only — there is no self-registration. All user accounts require Google OAuth authentication with multi-factor authentication (MFA) enabled.

5. Data Security

We implement the following security measures to protect your financial data:

  • Encryption in transit: All data transmission is encrypted using TLS 1.2 or higher, enforced via Nginx with certificates from Let's Encrypt
  • Encryption at rest: Financial data is stored in PostgreSQL with encrypted storage
  • Authentication: Google OAuth with multi-factor authentication required for all users
  • Access controls: Role-based permissions limiting data access to authorized personnel only
  • Audit logging: All data changes are logged for accountability and incident response
  • Application security: Django framework protections against CSRF, XSS, and SQL injection attacks
  • Error monitoring: Automated error reporting for rapid incident detection and response

6. Data Retention and Deletion

We retain financial transaction data for as long as necessary to fulfill the purposes described in this Privacy Policy, including compliance with legal and accounting obligations. Specifically:

  • Transaction data is retained for the duration of the business relationship and as required for accounting and tax purposes
  • Plaid access tokens are stored securely and can be revoked at any time upon request
  • Upon termination of service or upon request, we will delete or de-identify financial data within 30 days, except where retention is required by law

7. Third-Party Data Sharing

We do not sell, rent, or trade your financial data. We share financial data only with the following third parties, and only as necessary to provide our services:

  • Plaid Inc.: Acts as a data intermediary to securely retrieve financial data from your financial institution
  • Intuit QuickBooks Online: Receives approved and coded transaction data for accounting export, as initiated by authorized users

We may also disclose data if required by law, regulation, legal process, or governmental request.

8. Consumer Rights

You have the following rights regarding your financial data:

  • Right to access: You may request a copy of the financial data we have collected about you
  • Right to deletion: You may request that we delete your financial data, subject to legal retention requirements
  • Right to opt out: You may disconnect your financial accounts from CollisionSuite at any time by contacting us or revoking access through your financial institution
  • Right to know: You may request information about what data we collect, how we use it, and with whom we share it
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights

To exercise any of these rights, please contact us at dustin@shadulabs.com. We will respond to verified requests within 30 days.

9. GLBA Compliance

To the extent that the Gramm-Leach-Bliley Act (GLBA) applies to the financial data we process, we comply with its requirements as follows:

  • We provide this Privacy Policy as our required privacy notice describing our data collection, sharing, and protection practices
  • We implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of nonpublic personal information
  • We restrict access to nonpublic personal information to authorized personnel who need it to perform their job functions
  • We do not disclose nonpublic personal information to nonaffiliated third parties except as permitted by law or as described in this policy
  • We maintain an information security program designed to protect against anticipated threats or hazards to the security of financial information

10. CCPA Compliance

For California residents, the California Consumer Privacy Act (CCPA) provides additional rights regarding personal information:

  • Right to know: You have the right to know what personal information we collect, use, disclose, and sell
  • Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to opt out of sale: We do not sell personal information. No opt-out is necessary
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of personal information collected: Financial information (credit card transaction data and account balances) as described in Section 2 of this policy.

Business purpose for collection: Expense tracking, GL coding, approval workflows, and accounting export as described in Section 3 of this policy.

To submit a CCPA request, please contact us at dustin@shadulabs.com. We will verify your identity before processing any request and respond within 45 days.

11. Plaid's Role and Privacy Policy

Plaid Inc. acts as a data processor and intermediary, facilitating the secure connection between your financial institution and CollisionSuite. Plaid's handling of your data is governed by its own privacy policy.

We encourage you to review Plaid's End User Privacy Policy to understand how Plaid collects, uses, and protects your information.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this Privacy Policy periodically.

13. Contact Information

If you have questions about this Privacy Policy, your financial data, or wish to exercise any of your rights described above, please contact us: