Privacy Policy
Last updated: 12/7/2025
This Privacy Policy describes how InsightPilot ("we", "us") collects, uses, and protects personal information when you visit insightpilot.com, use our AI-powered FX trade confirmation reconciliation platform, or request a demo of our services.
Who We Are & Contact
InsightPilot provides AI-powered FX trade confirmation reconciliation for mid-market treasury teams. We help treasury managers automatically match FX trades against bank confirmations, flag discrepancies, and generate audit-ready reports.
Privacy inquiries: [email protected]
Security reports: [email protected] — see our Vulnerability Disclosure Policy and security.txt.
Personal Information We Collect
Account Information
Name, work email, company, role, and profile details if you create or are provisioned an account.
Financial Data (FX Reconciliation)
| Data Type | Description |
|---|---|
| SWIFT Messages | MT300/MT304/MT940 trade confirmations containing trade dates, value dates, currency pairs, amounts, rates, and counterparty references |
| Bank Confirmations | PDF confirmations from your banking partners (e.g., BNP Paribas, Société Générale, Crédit Agricole, HSBC) |
| FX Trade Data | Trade tickets, deal references, settlement instructions, and Standard Settlement Instructions (SSI) from your ERP/TMS |
| Reconciliation Results | Match status, break explanations, exception flags, and audit narratives generated by the platform |
| Bank Account Identifiers | Account references used for PSD2-compliant bank connectivity (we do NOT store banking credentials) |
ERP/TMS Integration Data
Trade records imported from connected systems (Sage X3, SAP Business One, Microsoft Dynamics 365, NetSuite) for matching purposes.
User Content
Inputs, documents, notes, uploads, and feedback you submit to our forms or app (including demo intake details).
Communications
Emails and messages you send us (e.g., demo confirmations, scheduling, support).
Log & Usage Data
IP address, user agent, time zone, pages/features used, timestamps, and basic interaction events.
How We Process Financial Data
Lawful Bases (GDPR Article 6):
| Basis | Application |
|---|---|
| Contract Performance | Processing FX data to deliver reconciliation services you've requested |
| Legitimate Interests | Service improvement, security monitoring, and fraud prevention |
| Legal Obligation | Compliance with financial regulations, audit requirements, and law enforcement requests |
Data Minimization: We only process FX data fields necessary for reconciliation. We do not request or store data beyond what is required for the matching and reporting functions you use.
Retention: Reconciliation records are retained for 7 years to support audit trail requirements and regulatory compliance. You may request earlier deletion subject to our legal retention obligations.
No Training on Confidential Data: Your FX trade data, bank confirmations, and reconciliation results are NOT used to train AI models that benefit other customers. See our Terms of Service for details.
AI/ML Processing
We use AI/ML algorithms for:
- Document parsing (extracting structured data from SWIFT messages and PDFs)
- Fuzzy matching (comparing trades with configurable tolerance bands)
- Anomaly detection (flagging unusual patterns for human review)
- Natural language generation (creating human-readable break explanations)
These processes are automated but human-reviewable. You can request human review of any automated decision. We do NOT use your confidential data to train models shared with other customers.
Bank Connectivity (PSD2)
We use PSD2-compliant open banking providers (such as Powens or Tink) to securely retrieve bank statements for reconciliation. We do NOT store your banking credentials. Authentication is handled directly by your bank via secure redirect. Open banking providers act as processors under our instructions and are bound by data processing agreements.
How We Use Personal Information
- Service delivery & account management (contract/pre-contract)
- Communications (transactional updates; limited B2B marketing where permitted)
- Customer support & security (legitimate interests)
- Improvement & analytics (legitimate interests, privacy-respecting metrics)
- Legal compliance (legal obligation)
- Aggregated/Anonymized reporting that does not identify you
Service Providers (Subprocessors)
We engage the following categories of subprocessors under data processing agreements:
| Category | Purpose |
|---|---|
| Cloud Hosting | EU-region infrastructure providers for data storage and processing |
| Open Banking Aggregators | PSD2-compliant providers for secure bank statement retrieval |
| Email Delivery | Transactional email services for notifications and reports |
| Analytics | Privacy-friendly analytics for service improvement (no cross-site tracking) |
| Security Tooling | DDoS protection, vulnerability scanning, and monitoring services |
A list of specific subprocessors is available upon request to enterprise customers.
Sharing & Disclosures
- Service providers (processors): hosting/CDN, email delivery, analytics, and security tooling—under contracts limiting their use to our instructions.
- Business transfers: in an acquisition, merger, or similar transaction, your data may transfer as part of the business assets.
- Legal requests & safety: to comply with law, protect rights, investigate fraud/abuse, or ensure safety.
- Affiliates: if applicable, under this Policy's protections.
- With your consent: where we ask and you agree.
International Transfers
When data moves across borders, we use appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Adequacy decisions for transfers to countries with equivalent data protection
Your financial data is primarily processed within the European Economic Area (EEA).
Lawful Bases (EU/UK)
Contract/pre-contract; legitimate interests (security, service improvement, B2B communications); consent (where needed); and legal obligation.
Security
We use administrative, technical, and organizational measures to protect data. No system is perfect; please avoid sending sensitive data via email and report issues to [email protected].
Retention
We keep personal data only as long as needed for the purposes above (e.g., leads up to 24 months after last interaction), to comply with law, or to resolve disputes, then delete or anonymize it. Reconciliation data is retained for 7 years to support audit requirements.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data, to restrict or object to processing, and to data portability. To exercise these rights, email [email protected]. EU residents can lodge complaints with their supervisory authority (e.g., CNIL in France).
Verification, Authorized Agents & Appeals (US/EU)
We may verify your identity before fulfilling a request. You may use an authorized agent where law permits (we may request proof of authorization and identity). If we deny a request, you may appeal by replying to our decision; we'll review in line with applicable law.
US State Disclosures
We do not "sell" personal information, nor do we "share" it for cross-context behavioral advertising. We don't use sensitive personal information to infer characteristics.
Children
Our services target business users and aren't directed to children.
Third-Party Links
Linked sites have their own policies. We're not responsible for their practices—please review their terms and privacy notices.
Changes
We may update this Policy; new versions will be posted here with a revised "Last updated" date.
Contact
Privacy: [email protected]
General: [email protected]