Privacy Policy

Effective Date: March 17, 2026

Overview

Mello Inc. ("Mello," "we," "our," or "us") operates the accounting platform available at melloaccounting.com and related mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please discontinue use of the Service.

Because Mello connects to your financial accounts and processes sensitive financial data, we take privacy seriously. We do not sell your personal data or your financial data to third parties, and we never will.

Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information received from third-party services you connect.

Information You Provide

When you create an account or use the Service, you may provide: your name and email address; your business or company name; billing information processed through our payment provider (Stripe); profile preferences and settings; and any files or documents you upload (such as bank statements for the Bookkeeping Catch-Up feature).

Information Collected Automatically

When you use the Service, we automatically collect: log data (IP address, browser type, pages visited, time and date of visits, referring URLs); device information (hardware model, operating system, unique device identifiers); usage data (features used, actions taken, session duration); and authentication events (login timestamps, MFA verification events).

Information from Third-Party Services

If you connect your bank or financial accounts through Plaid (our bank connectivity provider), we receive financial data as described in the Financial Data & Plaid section below. If you sign in via OAuth (Manus authentication), we receive your name, email address, and a unique identifier from that provider.

Financial Data & Plaid

Mello uses Plaid Technologies, Inc. ("Plaid") to enable you to securely connect your bank and financial accounts to the Service. When you connect an account through Plaid, Plaid collects your financial institution credentials and provides Mello with access to your financial data on your behalf.

What Financial Data We Receive

Through Plaid, we may receive: account names, types, and identifiers; account balances (current and available); transaction history (date, amount, merchant name, category, description); institution names and routing/account number fragments (last four digits only); and for credit accounts, statement balances, minimum payments, and credit limits.

How We Store Financial Data

Financial data received from Plaid is stored in an encrypted database. We store only the data necessary to provide the Service — specifically, transaction records and account metadata needed to populate your ledger, reports, and reconciliation features. We do not store your full bank account numbers, login credentials, or passwords for your financial institutions; those are handled exclusively by Plaid.

Plaid's Privacy Policy

Your use of Plaid's services is also governed by Plaid's End User Privacy Policy. By connecting your financial accounts, you authorize Mello to receive your financial data through Plaid in accordance with both this policy and Plaid's policy.

Revoking Bank Access

You may disconnect any linked financial account at any time from the Bank Integrations section of your Settings. Upon disconnection, we will stop receiving new data from that account. You may also revoke Mello's access directly through your financial institution or through Plaid's data portal.

How We Use Your Information

We use the information we collect to:

  • Provide the Service — populate your ledger, generate financial reports, enable reconciliation, and power AI-assisted bookkeeping features.
  • Process payments — manage your subscription through Stripe, including billing, invoicing, and plan management.
  • Authenticate and secure your account — verify your identity, enforce multi-factor authentication, and detect unauthorized access.
  • Improve the Service — analyze usage patterns, diagnose technical issues, and develop new features. This analysis uses aggregated or de-identified data where possible.
  • Communicate with you — send transactional emails (receipts, password resets, subscription notices), and, with your consent, product updates and announcements.
  • Comply with legal obligations — respond to lawful requests from regulatory authorities and enforce our Terms of Service.

We do not use your financial data to train general-purpose AI models, sell it to data brokers, or share it with advertisers. AI features within Mello (such as transaction auto-coding) process your data solely to provide you with bookkeeping assistance within the Service.

Sharing & Disclosure

We do not sell, rent, or trade your personal or financial information. We share information only in the following limited circumstances:

Service Providers

We share information with trusted third-party vendors who help us operate the Service, including: Plaid (bank connectivity), Stripe (payment processing), cloud infrastructure providers (hosting, database, file storage), and analytics providers. These vendors are contractually bound to use your information only to provide services to Mello and may not use it for their own purposes.

Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process (such as a court order or subpoena), to protect the rights, property, or safety of Mello, our users, or the public, or to enforce our Terms of Service.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on the Service prior to any such transfer.

With Your Consent

We may share information with third parties when you have given us explicit consent to do so, such as when you invite a team member to access your Mello account.

Data Security

We implement industry-standard security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, enforced at the network edge via Cloudflare.
  • Encryption at rest — your data is stored in a managed cloud database with AES-256 encryption at rest. File attachments are stored in AWS S3 with server-side encryption (SSE-S3).
  • Multi-factor authentication — Mello supports TOTP-based two-factor authentication (compatible with Google Authenticator, Authy, and 1Password) to protect your account from unauthorized access.
  • Access controls — access to production systems and customer data is restricted to authorized personnel on a need-to-know basis.
  • Session security — sessions are signed with a secure JWT secret and expire automatically. MFA-pending sessions are isolated until verification is complete.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at [email protected].

Data Retention

We retain your personal and financial data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data — retained for the duration of your account and for up to 90 days after account deletion to allow for recovery.
  • Financial transaction data — retained for the duration of your account. After account deletion, transaction data is permanently deleted within 30 days.
  • Plaid connection tokens — revoked and deleted upon account disconnection or account deletion.
  • Billing records — retained for 7 years as required by applicable tax and accounting regulations.
  • Log data — retained for up to 90 days for security and debugging purposes.

You may request deletion of your account and associated data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.

Your Rights & Choices

Depending on your location, you may have the following rights with respect to your personal information:

Access & Portability

You may request a copy of the personal and financial data we hold about you. You can export your transaction data, reports, and journal entries directly from the Data Export section of your Settings at any time.

Correction

You may update or correct your account information directly within the Service via the Settings page, or by contacting us.

Deletion

You may request deletion of your account and all associated data. Please note that some data may be retained for legal compliance purposes (e.g., billing records) as described in the Data Retention section.

Opt-Out of Marketing Communications

You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by updating your notification preferences in Settings. Transactional emails (receipts, security alerts, subscription notices) cannot be opted out of while your account is active.

California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact us at [email protected].

EEA / UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. Our lawful basis for processing your data is the performance of a contract (providing the Service), compliance with legal obligations, and our legitimate interests in operating and improving the Service. To exercise your rights, contact us at [email protected].

Cookies & Tracking

Mello uses cookies and similar tracking technologies to operate and improve the Service.

Essential Cookies

We use session cookies to authenticate you and maintain your login state. These cookies are strictly necessary for the Service to function and cannot be disabled.

Analytics

We use privacy-respecting analytics to understand how users interact with the Service. Analytics data is aggregated and does not identify individual users. We do not use Google Analytics or third-party advertising trackers.

Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in to the Service. Most browsers allow you to refuse new cookies, delete existing cookies, and be notified when new cookies are set.

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information. If you believe we have inadvertently collected information from a child, please contact us at [email protected].

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a prominent notice on the Service at least 30 days before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

The date at the top of this page indicates when this policy was last updated. Previous versions of this policy are available upon request.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mello Inc.

Email: [email protected]

Website: melloaccounting.com

We will respond to all privacy-related inquiries within 30 days. For urgent security concerns, please include "URGENT" in the subject line of your email.
