Larch handles a firm's client financial data: payroll runs, margins, the owner's worst quarter. This policy says plainly what we collect, where it is stored, who it is shared with, and the rights you have over it. It avoids vague reassurance.
Plain-language summary: we collect the account details needed to run your firm's workspace, and we process the client financial data you connect on your firm's behalf. Connections to accounting systems are read-only. We do not sell data, and we do not use your client data to train AI models. Data is hosted in Canada.
This policy applies to uselarch.com, the Larch manual, the Larch application, and related services (together, the Service). It covers two kinds of people: firm users (the accountants and advisors who operate Larch) and client stakeholders (the firm's clients who are given portal access). Larch is operated by FourX Partners, [full legal entity name] ("Larch", "we", "us").
For client financial data, your firm is the controller and Larch processes that data on the firm's instructions. Client stakeholders with questions about their own data should contact the firm they work with first; we will support the firm in responding.
Name, work email, firm, and role label, plus authentication records needed to sign you in and scope your access.
Trial balances, account activity, balances, budgets, and the chart of accounts, brought in from the accounting systems you connect (for example Xero) or that you upload. This data enters as a reviewable batch, is mapped to your reporting lines, and is committed to produce statements. It is processed on your firm's behalf.
Standard log data created when you use the Service: device and browser type, IP address, pages and actions, and timestamps. Used to operate, secure, and debug the Service.
Messages you send to us (for example to hello@uselarch.com or security@uselarch.com) and the records of support we provide.
Larch uses a language model inside the close cycle, and that deserves a precise answer. The AI can draft observations and a first pass of the working brief for a person to keep, edit, or discard. The AI cannot publish anything a client sees, modify the books, or train on your data. Every client-visible surface requires a named human sign-off at your firm. The same boundary is described on the Security page.
We do not sell personal or client data. We share data only with service providers who process it on our instructions to run the Service, and only as needed:
We may also disclose data where required by law, to enforce our terms, or to protect the rights and safety of users. A current list of subprocessors is available on request at hello@uselarch.com.
Client financial data is hosted in Canada (ca-central-1) and does not leave the Canadian region in normal operation. Some providers above may process limited account or technical data in other regions; where that happens, it is governed by appropriate safeguards. We retain data while your firm's engagement is active and for as long as needed to meet legal, audit, and accounting-record requirements, after which it is deleted or anonymized. The audit log is append-only by design.
TLS 1.2 or higher in transit and AES-256 at rest; firm-scoped isolation enforced at the database row level, so one firm's queries cannot return another firm's rows; role-based access per engagement; and a permanent audit log of state changes. More detail is on the Security page.
Subject to applicable Canadian privacy law (including PIPEDA and Alberta's Personal Information Protection Act), you may request access to the personal information we hold about you, ask us to correct it, ask us to delete it, or withdraw consent where processing relies on it. Client stakeholders should raise requests about client financial data with their firm, which controls that data; we will assist the firm. To make a request, contact us at hello@uselarch.com. You also have the right to contact the Office of the Privacy Commissioner of Canada.
The Service is a professional tool and is not directed to children. We do not knowingly collect personal information from anyone under the age of majority.
We may update this policy as the Service changes. When we do, we will revise the effective date above, and we will give notice of material changes through the Service or by email. Continued use after an update means you accept the revised policy.
Questions about this policy or your data can go to hello@uselarch.com, or by mail to FourX Partners, [mailing address].
Send it to hello@uselarch.com. A person who can read it answers it, usually within two business days.