Hammock Privacy Policy
Effective date: April 15, 2026 Last updated: April 15, 2026
This Privacy Policy explains how PXA LLC, a New York limited liability company doing business as Hammock ("Hammock," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with our websites, applications, and services — including the Atlas web and mobile applications, the Eirene AI assistant, the Hammock Connect integrations, and our bookkeeping, financial-controls, and advisory services (collectively, the "Services").
This Policy is incorporated into and subject to our Terms of Service / EULA.
1. Who this Policy covers and our role
Hammock serves businesses ("Customers"). Within the Services we handle two broad categories of information, and our legal role differs for each:
· Account & Marketing Data — Hammock acts as a controller. Information we collect to create accounts, bill Customers, provide support, secure the Services, and market to prospects. We decide how and why this data is processed.
· Customer Data — Hammock acts as a processor / service provider. Financial records, transactions, receipts, documents, and personal information about a Customer's employees, vendors, contractors, or clients that a Customer submits to or generates within the Services. We process this data on the Customer's behalf and under their instructions, as governed by our Terms and any applicable Data Processing Addendum ("DPA").
If you are an individual whose information appears in a Customer's account (for example, an employee submitting an expense, or a vendor on an invoice), the Customer — not Hammock — is the controller of that data. Please direct privacy requests to the Customer; we will support them in responding.
This Policy does not apply to the third-party services you connect to Hammock (e.g., QuickBooks Online, Shopify, Centerbase, banks, or card networks), which are governed by their own privacy policies.
2. Information we collect
2.1 Information you provide
· Account & identity data: name, business name, email, phone, role/title, password or authentication identifiers, and profile details.
· Customer & engagement data: organization details, billing contacts, the services you engage us for, and information you share with our team.
· Financial & accounting data ("Customer Data"): expenses, receipts and uploaded documents, invoices and bills, ledger and chart-of-accounts data, budgets, approvals, timesheets, engagement workbooks, and related records — which may include personal information about your employees, contractors, vendors, or clients.
· Communications: messages, support requests, and content you submit to Hammock staff or to the Eirene assistant.
2.2 Information from connected accounts and integrations
When you connect a third-party account, we receive data from it per the scopes you authorize, including:
· Accounting / ERP: QuickBooks Online, Centerbase, and similar systems (ledgers, accounts, transactions).
· Commerce: Shopify (orders, payouts, fees).
· Banking & cards: financial-institution and card-network feeds you import or connect (transactions, balances, statement data).
· Identity / productivity: Google sign-in and related profile data.
2.3 Information collected automatically
· Usage & log data: pages and features used, actions taken, timestamps, referring URLs, and diagnostic logs.
· Device & connection data: IP address, browser/OS, device identifiers, and app version.
· Cookies & similar technologies: used for authentication, preferences, security, and analytics. See Section 9 (Cookies).
2.4 Information from other sources
Business contact data from our service providers and partners, fraud-prevention and identity signals, and publicly available information used to provision, secure, or support accounts.
We do not intentionally collect special categories of data (e.g., health, biometric, precise geolocation) and ask that you not submit them through the Services.
3. How we use information
We use information to:
1. Provide and operate the Services — authenticate users, deliver Atlas, Solon-supported workflows, Eirene, integrations, and our bookkeeping/advisory work.
2. Power AI features — generate categorizations, summaries, document extraction (OCR), insights, and assistant responses (see Section 4).
3. Support and communicate — respond to requests, send service/transaction notices, and provide updates.
4. Bill and administer — process subscriptions, fees, and taxes.
5. Secure and protect — detect, prevent, and investigate fraud, abuse, and security incidents.
6. Improve and develop — analyze usage and train and improve Hammock's own models, features, and Services using de-identified, aggregated, or anonymized data (see Section 4.4).
7. Comply and enforce — meet legal obligations and enforce our agreements.
8. Market (Account & Marketing Data only) — promote Hammock to prospects and Customers, consistent with applicable law and your preferences.
Legal bases (where GDPR/UK GDPR applies): performance of a contract; legitimate interests (operating, securing, and improving the Services); consent (where required, e.g., certain cookies and marketing); and compliance with legal obligations.
4. Artificial intelligence and automated processing
Hammock is an AI-forward platform. The Atlas app, the Solon staff tooling, and the Eirene assistant use machine learning and large language models to read documents, categorize transactions, draft content, surface insights, and answer questions.
4.1 AI sub-processors
To provide these features we send relevant inputs to vetted AI sub-processors, which may include:
Provider
Purpose
Anthropic (Claude)
Generative AI, summarization, assistant responses, classification
OpenAI
Generative AI and embeddings
Google Cloud (Document AI / Vision)
Optical character recognition and document extraction
A current list is maintained in Section 7 (Sub-processors).
4.2 No third-party model training on your data
We contractually require our AI sub-processors not to use Customer Data to train or improve their own foundation models, and to process such data on a limited-retention basis sufficient only to return results and meet security and abuse-monitoring obligations.
4.3 Human-in-the-loop and accuracy
AI outputs may be incomplete or incorrect. Material accounting, bookkeeping, and advisory work is subject to human review by Hammock personnel before it is relied upon as a deliverable. AI outputs are not professional accounting, tax, audit, legal, or financial advice, and you are responsible for reviewing them before relying on them. See the Terms for the full disclaimer.
4.4 Model training, benchmarking, and product improvement
We may use Customer Data that has been de-identified, aggregated, or anonymized so that it no longer reasonably identifies any individual or business, to:
· train, fine-tune, evaluate, and improve Hammock's own models, features, and Services; and
· generate aggregated analytics and benchmarks — for example, anonymized industry, peer, or cohort comparisons surfaced to Customers as insights.
We apply commercially reasonable measures to prevent re-identification and do not attempt to re-identify de-identified data except as permitted by law to test those measures. Aggregated and benchmarking outputs are presented so that they do not identify any individual Customer or person.
Because these uses go beyond core service delivery, where required we obtain affirmative acknowledgment of them — see Section 4.5 and the Technology & Data Use Addendum.
4.5 Affirmative acknowledgment, enterprise controls, and opt-out
The data uses described in Section 4.4 are addressed in our Technology & Data Use Addendum, which Customers affirmatively acknowledge at sign-up or on engagement. Eligible Customers may, under an enterprise agreement, DPA, or that Addendum, disable certain AI features and/or opt out of having their de-identified data used for Hammock model training or benchmarking, and may request terms addressing data residency and retention. Contact privacy@gethammock.com to discuss.
4.6 Automated decision-making
We do not use solely automated processing that produces legal or similarly significant effects about individuals without human involvement. AI-assisted suggestions are reviewable and reversible.
5. How we share information
We share information only as described here. We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.
· Service providers & sub-processors — cloud hosting, storage, AI providers, analytics, email and notifications, payment processing, and support tooling, bound to protect the data and use it only to provide services to us (see Section 7).
· Connected third parties — services you direct us to integrate with (QBO, Shopify, Centerbase, banks/cards), to the extent you authorize.
· Within your organization — other authorized users in your Customer account, per your configured roles and permissions.
· Hammock professional team — our bookkeeping, controls, and advisory staff who perform the Services you engage us for.
· Legal & safety — to comply with law, respond to lawful requests, enforce our agreements, or protect the rights, property, or safety of Hammock, our Customers, or others.
· Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
· With your consent — for any other purpose disclosed at the time.
6. Payments
Subscription payments for our SaaS products are processed by Stripe. Bill-payment and certain transactions for managed-service clients are processed through Bill.com. These processors handle payment information under their own privacy terms and applicable PCI-DSS obligations. Hammock does not store full payment-card numbers.
7. Sub-processors
We engage the following sub-processors to provide the Services:
Sub-processor
Function
Region
Google Cloud Platform / Firebase
Hosting, database, storage, authentication, OCR
United States
Anthropic
Generative AI
United States
OpenAI
Generative AI / embeddings
United States
Stripe
SaaS subscription payment processing
United States
Bill.com
Bill payment and transactions for managed-service clients
United States
We may engage additional sub-processors for transactional email, push notifications, and product analytics. A current, maintained list is published at our Sub-processors page, and Customers under a DPA receive advance notice of changes.
8. Data retention
We retain Customer Data for the duration of your engagement and, thereafter, for up to seven (7) years to meet financial-recordkeeping, tax, and audit obligations, unless a longer period is required by law or a different period is agreed in writing. Account and marketing data is retained while your account is active and as needed for legitimate business and legal purposes. De-identified and aggregated data may be retained and used as described in Section 4.4. On request after termination, we will export or delete Customer Data as provided in the Terms and any DPA, subject to these retention requirements.
9. Cookies and tracking technologies
We use cookies and similar technologies for authentication, security, preferences, and analytics. You can control non-essential cookies through your browser settings or, where available, our in-product cookie controls. Some features require essential cookies to function.
10. Security
We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, least-privilege practices, and monitoring. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Report security concerns to support@gethammock.com.
11. International data transfers
We are based in the United States and process data in the U.S. and other countries where our sub-processors operate. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the Standard Contractual Clauses.
12. Your privacy rights
Depending on where you live and our role, you may have rights to access, correct, delete, or receive a copy of your personal data, to restrict or object to certain processing, and to withdraw consent.
· If your data is in a Customer's account, contact that Customer (the controller). We will assist them.
· For data where Hammock is the controller, submit a request to privacy@gethammock.com. We will verify your identity and respond within the timeframes required by law.
12.1 U.S. state privacy rights (California, and similar states)
California residents and residents of other states with comprehensive privacy laws may request to know/access, delete, correct, and obtain a portable copy of their personal information, and to opt out of sale or sharing for cross-context behavioral advertising. Hammock does not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information (which, for our Services, includes financial account information) beyond the purposes permitted under applicable law. We will not discriminate against you for exercising your rights. You may use an authorized agent to submit requests.
The categories of personal information we collect, the sources, purposes, and recipients are described in Sections 2, 3, and 5.
12.2 EEA / UK rights
The Services are directed to businesses in the United States. If you are located in the EEA or UK and believe we process your personal data, you may contact us at privacy@gethammock.com, and you may lodge a complaint with your local supervisory authority.
13. Children's privacy
The Services are intended for businesses and users 18 and older. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
14. Third-party links and services
The Services may link to or integrate with third-party sites and services that we do not control. Their privacy practices are governed by their own policies.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (e.g., email or in-product). Your continued use of the Services after the effective date constitutes acceptance.
16. Contact us
PXA LLC d/b/a Hammock 64 Beaver Street, Unit 514, New York, NY 10004 Email: privacy@gethammock.com (privacy) · support@gethammock.com (general)
For data-protection inquiries, mark your message "Privacy Request."