Privacy Policy

This policy covers how Elevate Small Business and its affiliate UpliftProcure (collectively referred to as “Elevate Small Business,” “we,” “us,” or “our”) treat data and information collected and received through our websites (“Sites”) and products and services (“Services”) (the Sites and Services are sometimes collectively referred to as “Online Services”).

This Privacy Policy is part of our Terms of Service, End-User License Agreement, and Data Processing Agreement.

Scope of this Policy

This policy applies to information collected and received by us through access and use of the Online Services, including data obtained from third-party services you connect to the Platform (“Connected Services”). It does not apply to any other information collected by us through other means.

It is your responsibility to read and understand this policy. By using our Online Services, you are agreeing and consenting to the practices described in this policy. If you do not agree to all of this policy and do not wish to be bound by it, you should not use our Online Services.

What Information Does Elevate Small Business Collect?

Via our website and platform, Elevate Small Business collects from you:

• Certain personally identifiable (i.e. non-business) information
• Certain business information
• Financial data from Connected Services (when you authorize a connection)
• Technical and other information

Personally Identifiable Information

When you browse the non-password protected portions of our site, we collect information on you, which includes when you engage in the following activities:

• Request information
• Participate in a survey
• Interact with our social media pages
• Apply for procurement contracts, financing, or advisory services
• Subscribe to one of our newsletters
• Post content where permitted on the Site

This information consists of your name, email address, your usage data, location information, interests, and page views.

Business Information

At the time you become a registered user of Elevate Small Business or you register as a buyer, capital provider, or business on the site, we request that you provide us with certain business information (including your business name, Federal Employer ID Number, address, web domain, business operations capabilities, and financial and insurance information regarding your business).

Financial Data from Connected Services

When you connect a third-party accounting or financial platform (“Connected Service”) to Elevate Small Business, we collect financial and business data from that service on your behalf. The specific data collected depends on the Connected Service and the permissions you authorize. See the Connected Services and Third-Party Integrations section below for details on each supported service.

Technical and Other Information

Elevate Small Business uses commonly-used automated information gathering tools. While you are browsing our site, we automatically log your IP address (a number assigned to your computer when you use the Internet that provides general location information), general data (including your domain name, and the name of the web page from which you entered our site, and your activity while using our site).

How Do We Collect Information from You?

We collect, retain and use personally identifiable and business information from you on this site (i) by expressly requesting it from you (a) when you request information from us via email and (b) at the time you become a registered user of Elevate Small Business or you register on the site and (ii) when you provide us with such information in connection with the various services offered by Elevate Small Business or when you contact us via email.

We also collect information when you authorize a connection to a third-party service through our integration features. In this case, data is retrieved directly from the Connected Service's API using secure, server-side authentication on your behalf.

In order to personalize and enhance your experience on our site, we and our third-party advertising partners may also collect information through “cookies.” Cookies are small strings of text that are sent by our site to your browser and then stored by your browser on your computer's hard drive.

Connected Services and Third-Party Integrations

The Platform allows you to connect third-party accounting, financial, and business platforms (“Connected Services”) to enable automated data synchronization and analysis. When you connect a Connected Service, you authorize us to access, retrieve, store, and process data from that service in accordance with this Privacy Policy and our End-User License Agreement.

General Principles for All Connected Services

• User-Initiated: We only access Connected Services when you explicitly authorize a connection through our Platform. We never access your third-party accounts without your consent.
• Server-Side Only: All API calls to Connected Services are made from our servers. Your authorization credentials (OAuth tokens) are never exposed to browser-side code or transmitted to your device.
• Purpose Limitation: Data from Connected Services is used solely to provide the features and analysis you have requested through the Platform.
• Dual Terms Apply: When you connect a third-party service, your data is subject to both this Privacy Policy and the privacy policy of the Connected Service provider. We encourage you to review the provider's privacy practices.

QuickBooks Online (Intuit)

When you connect your QuickBooks Online account, you authorize us to access the following data using Intuit's OAuth 2.0 authorization framework with the com.intuit.quickbooks.accounting permission scope:

• Financial Reports: Profit & Loss statements, Balance Sheet reports, and Cash Flow summaries
• Chart of Accounts: Account names, types, subtypes, and hierarchical structure
• Transaction Data: Individual transaction records including dates, amounts, descriptions, and associated accounts
• Customer and Vendor Lists: Contact names, company names, email addresses, phone numbers, and billing addresses

Sync Frequency: After initial connection, data is synchronized automatically on a weekly basis. Data may also be refreshed on-demand when authorized users access financial analysis features, or manually triggered by you at any time.

How We Use This Data: QuickBooks data is used to generate financial reports and analytics, support capital application processes, enable AI-assisted account categorization, and create point-in-time financial snapshots for advisory review or loan applications.

Intuit's Privacy Practices: Your QuickBooks Online account is also governed by Intuit's Privacy Statement . We encourage you to review Intuit's privacy practices before connecting your account.

Authorization Token Security

When you connect a Connected Service, we receive authorization tokens (OAuth credentials) that allow us to access your data on your behalf. These tokens are:

• Encrypted at Rest: All OAuth tokens are encrypted using AES-256-GCM encryption before being stored in our database. Tokens are unreadable even in the event of direct database access.
• Server-Side Only: Tokens are stored and used exclusively on our servers. They are never transmitted to your browser, included in client-side code, or logged in application logs.
• Automatically Refreshed: Access tokens are refreshed proactively before expiration to maintain your connection without requiring manual reauthorization.
• Revocable: When you disconnect a Connected Service, we revoke our authorization tokens with the provider where technically supported and securely delete the encrypted tokens from our database.

How is Your Information Used?

We collect, retain, and use the information we collect via our site for legitimate business purposes only as described herein. Information collected is used to:

• Perform normal business operations including billing, collection and management
• Provide users with the services contracted for and as otherwise requested
• Correspond and provide information to users regarding our site and/or services
• Generate financial reports, analytics, and business intelligence using data from your Connected Services
• Provide AI-assisted analysis, account categorization, and data-driven insights
• Support capital application processes, due diligence, and procurement matching
• Personalize the Elevate Small Business website
• Monitor site visitor traffic patterns and site usage
• Comply with applicable laws
• Enforce our Terms of Service
• Protect the rights, property, or safety of Elevate Small Business, our users and others

Artificial Intelligence and Automated Processing

We use artificial intelligence (AI) and machine learning models to provide certain features of the Platform, including account categorization, financial analysis, business plan generation, and data-driven insights. When processing your data with AI models:

• Data is transmitted securely to our AI providers (Google Gemini, Anthropic Claude) via encrypted connections
• We minimize the amount of personally identifiable information sent to AI models, focusing on financial and business data needed for the specific analysis
• Our AI providers do not use your data to train their general models
• AI-generated outputs are informational only and should not be relied upon as financial, tax, or legal advice

How Do We Disclose the Information We Receive?

We only share or distribute information with Service Providers as provided in this Privacy Policy. We share your personally identifiable information with our affiliates and subsidiaries in order to provide you with our services. In addition, we may share in aggregate, statistical form non-personal information regarding the visitors to our site, traffic patterns and site usage with our partners or affiliates.

We may share data with the following categories of service providers to deliver the Platform:

• Infrastructure Providers: Supabase (database hosting), Vercel (application hosting) — to operate the Platform
• AI Providers: Google (Gemini), Anthropic (Claude) — to provide AI-assisted analysis features
• Connected Service Providers: Intuit (QuickBooks Online) and other services you connect — data flows bidirectionally as needed for synchronization

We will disclose information we maintain, including personally identifiable information, when required to do so by law or regulation, or in response to a request from a law enforcement or governmental agency or authority.

For a complete list of sub-processors, see our Data Processing Agreement.

Multi-Tenant Data Isolation

Elevate Small Business is a multi-tenant platform serving multiple businesses and organizations. We implement strict data isolation measures to ensure your data remains private and separate:

• Entity-Level Separation: All data is associated with a specific business entity and isolated at the database level using Row Level Security (RLS) policies
• Access Controls: Users can only access data for entities they have been explicitly authorized to view. Role-based access controls (admin, member, advisor, capital provider) restrict actions based on your relationship to each entity
• No Cross-Entity Access: Connected Service data (including OAuth tokens) is stored per entity. There is no mechanism for one entity's users to access another entity's financial data or credentials

Retention of Information

We retain different categories of data for different periods based on their nature and applicable legal requirements:

Account and Profile Data

User-identifiable information and business profiles are retained for as long as you remain an active user of Elevate Small Business. Upon account closure, we will delete or anonymize your account data within 30 days, except where retention is required by law.

Financial Data from Connected Services

• Sync Data: We maintain the current synchronization plus two prior versions (rolling retention). When new data is synced, the oldest version beyond the retention window is automatically removed.
• Capital Application Snapshots: Point-in-time financial snapshots created for capital applications are retained indefinitely, as they serve as the “reported as of” reference for due diligence and lending decisions.
• Legal and Tax Compliance: Financial records relevant to tax or legal obligations may be retained for up to 7 years in accordance with applicable regulations, even after account closure or disconnection of a Connected Service.

Technical and Usage Data

Audit logs, sync history, and error logs are retained for up to 2 years for security monitoring and service improvement purposes. Personally identifiable information is excluded from application logs.

Disconnecting Connected Services

You may disconnect any Connected Service at any time through the Platform's integration settings. When you disconnect a Connected Service:

• We immediately cease retrieving new data from that service
• We revoke our authorization tokens with the provider (where technically supported) and securely delete the encrypted tokens from our database
• Previously synchronized data is retained according to the retention schedules described above
• You may request deletion of previously synchronized data by contacting us at support@elevatesb.com. Deletion will be completed within 30 days, except for data subject to legal retention requirements

Modifications to Your Information

We strive to maintain the accuracy of any personally identifiable or business information that may be collected from you, and will use our commercially reasonable efforts to respond promptly to update our database when you tell us the information in our database is not accurate. If you wish to make any changes to any personally identifiable or business information you have provided to us, you may do so at any time by contacting us at support@elevatesb.com.

Opt Out

You may opt out of receiving targeted advertisements and marketing communications from us and our partners/affiliates or opt out of providing personally identifiable information by following the opt-out link provided in any email received from us or by emailing us at support@elevatesb.com.

Third Party Websites

Elevate Small Business may reference or provide links to third party websites. We are not responsible for the third party websites, and you should review the privacy policies posted on such sites. This privacy policy applies only to the Elevate Small Business platform and websites and not to other websites accessible from our platform, including the websites of Connected Service providers.

Protecting Your Information

Elevate Small Business employs industry-standard safeguards to protect the information we receive from you from unauthorized access, disclosure, alteration, and destruction:

• Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher (HTTPS). All communications with third-party APIs and Connected Services use encrypted connections.
• Encryption at Rest: Sensitive data, including OAuth tokens and credentials, is encrypted using AES-256-GCM before storage. Our database provider also implements encryption-at-rest for all stored data.
• Access Controls: Database access is restricted through Row Level Security policies, ensuring users can only access data for entities they are authorized to view.
• Authentication: User accounts are protected through OAuth 2.0 (Google, Microsoft) or email/password with industry-standard password hashing. We recommend using single sign-on (SSO) providers for enhanced security.
• Audit Logging: Significant actions — including data connections, disconnections, synchronization events, and access changes — are logged for security monitoring and compliance purposes. Personally identifiable information is excluded from application logs.
• Server-Side Processing: All third-party API calls and credential handling occurs server-side. Sensitive data is never exposed to client-side code or browser environments.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. We encourage you to use strong, unique passwords and to enable single sign-on where available.

Elevate Small Business's websites do not process any credit card or personal payment information directly.

Security Incident and Breach Notification

In the event of a security incident involving unauthorized access to, or disclosure of, your personal or financial data, we will:

• Investigate Promptly: We will immediately investigate the scope and impact of any suspected breach
• Notify Affected Users: We will notify affected users without undue delay when a breach poses a high risk to their rights or freedoms, providing details about the nature of the breach, the data affected, and the steps we are taking
• Notify Supervisory Authorities (GDPR): Where required by the EU General Data Protection Regulation, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, including: the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken to mitigate the impact
• Notify per State Law (CCPA/US): Where required by the California Consumer Privacy Act or other applicable US state breach notification laws, we will notify affected individuals and relevant authorities within the timeframes required by law
• Document and Remediate: We will document all security incidents, including their effects and the remedial actions taken, and implement measures to prevent recurrence

To report a security concern or suspected breach, contact us at security@elevatesb.com.

Transfer of Data

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

If you are located outside United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to United States and process it there. Where required by applicable data protection laws, we implement appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) and supplementary technical measures.

Children's Privacy

Our Service does not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us.

Your California Consumer Privacy Rights

If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides you with specific rights regarding your personal information.

Categories of Personal Information Collected

We collect the following categories of personal information:

• Identifiers: Name, email address, phone number, IP address
• Business Information: Business name, Federal Employer ID Number (FEIN), NAICS codes, business certifications, business address
• Financial Information: Financial statements, transaction records, account balances, invoices, and payment records obtained from Connected Services (not payment card numbers)
• Customer and Vendor Contact Data: Names, email addresses, phone numbers, and billing addresses of your customers and vendors as synchronized from Connected Services
• Internet/Network Activity: Browsing history on our platform, page views, usage patterns, IP addresses
• Inferences: AI-generated categorizations, financial analysis, and business insights derived from the data above

Your CCPA Rights

You have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share your information
• Delete: Request deletion of your personal information, subject to certain exceptions (such as legal retention requirements for financial records)
• Opt-Out of Sale/Sharing: We do not sell your personal information. We share data with service providers (infrastructure, AI, Connected Services) solely to provide the Platform. You may opt out of any sharing by disconnecting Connected Services and contacting us
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, submit a request to support@elevatesb.com. We will verify your identity before processing your request and respond within 45 days.

Users in the European Economic Area (EEA), Switzerland, and UK

If you are a resident of the EEA, Switzerland, or the UK, you are entitled to the rights under the EU General Data Protection Regulation (GDPR) and applicable local implementations with respect to the processing of your personal data.

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract Performance: Processing necessary to provide the Services you have requested (account management, financial analysis, integration with Connected Services)
• Consent: Where you have explicitly authorized processing, such as connecting a third-party service or opting into specific features
• Legitimate Interests: Processing necessary for our legitimate business interests (security monitoring, service improvement, fraud prevention), balanced against your rights
• Legal Obligation: Processing necessary to comply with applicable laws and regulations

Your GDPR Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data where there is no compelling reason for continued processing. Deletion requests will be completed within 30 days, except for data subject to legal retention requirements (e.g., financial records retained for up to 7 years for tax compliance)
• Data Portability: Request your personal data in a structured, commonly used, machine-readable format (CSV or JSON) for transfer to another provider
• Restriction of Processing: Request that we limit processing of your personal data in certain circumstances
• Objection: Object to processing based on legitimate interests or for direct marketing purposes
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time (including by disconnecting Connected Services)

To exercise these rights, contact us at support@elevatesb.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

For details on our data processing practices, sub-processors, and international transfer safeguards, see our Data Processing Agreement.

Acceptance and Modifications to this Policy

This Privacy Policy is effective as of February 2026. We reserve the right, at any time, to modify, alter, or update this policy, and any such modifications, alterations, or updates will be effective upon posting. Material changes will be communicated through the Platform or via email to registered users.

Questions?

Elevate Small Business will happily address any concerns about our Privacy Policy.

Contact Information

General inquiries: Contact form
Security concerns: security@elevatesb.com

Mailing address:
Shikari Development Group, LLC
386 Western Avenue
Boston, MA 02135