Stonemont Data

Privacy Policy

This Privacy Policy explains what information Stonemont Data LLC (Stonemont Data, we, us, our) collects when you use our products, how we use that information, who we share it with, and what choices you have.

Last updated: 2026-05-29


Who we are

Stonemont Data LLC is a Texas-based software company that operates two products: Slaughterhouse Operations Manager (at slops.stonemontdata.com) and Signage (at signage.stonemontdata.com). This Privacy Policy applies to both products and to our corporate site at stonemontdata.com.

Our customers are businesses (tenants). Most data we hold belongs to a tenant and is operated on by users that tenant has authorized. We are the processor of that data on the tenant’s behalf.

Information we collect

Account information

When a tenant operator account is created, we collect the email address, display name, role assignment, and a one-way hash of the chosen password. We do not store passwords in plaintext.

Tenant business profile

Business name, mailing address, contact email and phone number, timezone, optional uploaded logo, and any settings the tenant configures (category mappings, default sync schedules, recipient lists for emailed reports, and similar).

Bank and financial data

With the tenant’s explicit authorization, we collect bank transaction data either through Plaid (when the tenant links their financial institution) or through CSV upload (when the tenant uploads a statement export). The data we ingest includes posted date, amount, description, account identifier, merchant, and category metadata.

When Plaid is used, Stonemont Data stores the Plaid-issued access token for that institution. Access tokens are encrypted at the application layer (AES-256-GCM) on top of the underlying database encryption.

Operations data

Tenants record wholesale invoices, retail orders, animal inventory events (intake, sale, mortality), and bookkeeping categorizations. This data is what the application is for and is retained for the life of the tenant account.

Audit logs

We log sensitive actions taken by tenant administrators — user creation, role changes, password rotation, bank account changes, sync runs, and similar — for security and compliance purposes.

Report recipients

Email addresses configured by tenant administrators as recipients for weekly P&L reports and similar emails.

Standard server logs

IP address, user agent, request timestamps, and similar diagnostic information that any web service collects. We retain these logs for operational troubleshooting and security investigations.

How we use information

  • To provide the operations and bookkeeping features the tenant signed up for — P&L reports, dashboards, inventory tracking, AI-assisted transaction categorization, weekly emails, and similar.
  • To run AI-assisted transaction categorization. Anonymized transaction descriptions are sent to Azure OpenAI (Microsoft) under the standard Microsoft data processing terms. We do not send account numbers, customer names, or other directly identifying details to the model — only the redacted description and amount the model needs to suggest a category.
  • To send operational emails — account-related notifications and weekly reports — via Azure Communication Services.
  • To investigate and respond to security events, prevent abuse, and meet our legal obligations.
  • To improve the product. Where we use any data for product improvement, we use aggregate or anonymized information only; we do not profile individual users for marketing.

We do not use tenant data for advertising, do not run any third-party advertising or analytics SDKs in our products, and do not sell any personal information to data brokers or anyone else.

Third parties and sub-processors

We rely on a small set of sub-processors to operate the service. Each is bound by the relevant data-processing agreement and processes data only on our instructions.

  • Plaid Inc. — bank account linking and transaction retrieval, on the tenant’s explicit authorization. Plaid’s privacy practices are described at https://plaid.com/legal/.
  • Microsoft Azure — application hosting, database (Azure SQL), object storage (Blob Storage), email delivery (Azure Communication Services), and AI inference (Azure OpenAI). Microsoft acts as a sub-processor under the Microsoft Online Services Data Protection Addendum.
  • Domain registrar and DNS provider — used for the operation of our domains. They have no access to tenant data.

We do not use third-party advertising networks, analytics SDKs, session-replay tools, or data brokers.

Data retention

  • Bank transactions — retained for the lifetime of the tenant account so historical reporting remains accurate.
  • AI usage logs — retained indefinitely for billing audit and cost attribution.
  • Sync staging tables (RawImportRecord, ImportIssue) — 3 days after the run completes, then purged automatically.
  • Sync run history (SyncRun) — 90 days.
  • Audit logs — retained indefinitely.
  • Generated reports (HTML and PDF P&L) — retained indefinitely so the tenant can re-download a prior period’s report.
  • Database backups — 7 days point-in-time restore via Azure SQL short-term retention.

When a tenant terminates their account, we delete tenant data within 30 days, except where we are legally required to retain specific records or where retention is needed to resolve a dispute or enforce our agreements.

How we protect your information

  • Encryption in transit — TLS 1.2 or higher on every endpoint that handles tenant data.
  • Encryption at rest — AES-256 Transparent Data Encryption on Azure SQL; AES-256 server-side encryption on Azure Blob Storage.
  • Application-layer encryption — Plaid access tokens are additionally encrypted with AES-256-GCM at the application layer before storage.
  • Authentication safeguards — rate limiting on login attempts, account lockout after repeated failures, and password rotation enforcement for newly-provisioned accounts.
  • Multi-factor authentication (TOTP) — committed on our roadmap; not yet generally available.
  • Audit logging on user-management and other sensitive administrative actions.
  • Multi-tenant isolation — every query that reads or writes tenant data is scoped to that tenant’s identifier; isolation is enforced at the data-access layer, not relied on from the UI.

No system is perfectly secure. If we become aware of a security incident that affects your information, we will notify affected tenants without undue delay.

Your rights and choices

Access and correction

Tenant operators can view and edit most of their data directly in the application. For data that is not user-editable in the UI, email us at info@stonemontdata.com and we will respond.

Deletion

To request deletion of personal information, email us at info@stonemontdata.com. We commit to completing the deletion within 30 days of a verified request, except where retention is required by law or by another tenant’s legal or compliance obligations (for example, when a deletion would compromise the integrity of an audit log that documents activity affecting that other tenant).

California residents (CCPA)

California residents have the right to know what personal information we collect, to request deletion, and to be free from discrimination for exercising these rights. The same rights described above apply. We do not sell personal information, so a “Do Not Sell My Personal Information” link does not apply.

EU/UK residents (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, you have the rights of access, rectification, erasure, restriction, portability, and objection. You also have the right to lodge a complaint with your local supervisory authority. The legal basis for our processing is the performance of our contract with the tenant and our legitimate interest in operating and securing the service.

Children’s privacy

The service is not directed to children under 13 (or 16 where GDPR/UK GDPR applies). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page always reflects the most recent revision. For material changes, we will notify account administrators by email.

Contact us

Questions, requests, or complaints about this Privacy Policy can be sent to info@stonemontdata.com.

Stonemont Data LLC · Texas, USA.