Privacy Policy

Last updated March 20, 2026

1. Information We Collect

Cornerstone collects information you provide directly — including account credentials, entity data, financial records, contacts, and documents you import or create within the platform. We also collect usage data (page views, feature interactions) to improve the product, and technical data (IP address, browser type, session identifiers) for security and operations.

2. How We Use Your Information

  • Provide, operate, and maintain the Cornerstone platform
  • Authenticate your identity and enforce role-based access controls
  • Generate audit logs and approval trails for your estate records
  • Send transactional notifications you have opted into
  • Diagnose bugs and improve platform reliability

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Data Storage & Security

All data is stored in Supabase (PostgreSQL) with encryption at rest and in transit (TLS 1.2+). Access is governed by row-level security and role-based permissions enforced at every API endpoint. Backups are taken daily with a 30-day retention window.

4. Data Retention

Your data is retained for as long as your account is active. Upon account deletion, personal data is purged within 30 days, with the exception of audit log entries required for legal or compliance purposes, which are retained for 7 years.

5. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at the address below. We will respond within 30 days.

6. Cookies

We use session cookies strictly necessary for authentication. We do not use tracking or advertising cookies.

7. Artificial Intelligence

Cornerstone uses AI to power assisted features within the platform. We integrate with two providers — Anthropic (Claude) and OpenAI — and use the private enterprise API tier for both. Under these arrangements:

  • Data submitted to Anthropic's API is not used to train or improve Anthropic's models. This is contractually enforced via Anthropic's Data Processing Agreement.
  • Data submitted to OpenAI's API is not used to train or improve OpenAI's models. This is enforced via OpenAI's enterprise data processing terms.

Your data remains yours and is processed solely to generate responses within your session. We do not use your data — including any financial records, entity information, or documents — to train, fine-tune, or contribute to any AI or machine learning model, whether operated by Anthropic, OpenAI, or any other third party.

8. Xero Integration

If you connect Cornerstone to Xero, we access your Xero data via Xero's authorised OAuth 2.0 API. We comply fully with the Xero Developer Platform Terms (effective March 2, 2026), including the following commitments:

  • Data obtained from Xero's API is never used to train or contribute to any AI or machine learning model.
  • Xero data is stored securely with encryption at rest and in transit (TLS 1.2+), consistent with Xero's security requirements for developer partners.
  • Access to Xero data is governed by Cornerstone's role-based access controls — only authorised users within your organisation can view or interact with connected Xero data.
  • In the event of a security breach involving Xero data, we will notify Xero at api@xero.com and affected users promptly.
  • You may revoke Cornerstone's access to your Xero account at any time via your Xero account settings. Upon revocation, we will cease accessing your Xero data.

9. Changes to This Policy

We may update this policy from time to time. We will notify active users of material changes via email or an in-app notification before the changes take effect.

10. Contact

Questions about this policy? Sign in and reach us through the Support page.