Privacy Policy

Effective Date: April 10, 2026

Last Updated: April 10, 2026

At Cincofi, we believe small business owners deserve clarity — not complexity. This Privacy Policy explains in plain terms what data we collect, why we collect it, and how we protect it. We are committed to handling your information responsibly and transparently.

This Privacy Policy ("Policy") describes how Cincofi Inc., a Delaware corporation, and its wholly owned subsidiary Cinco Insurance Agency LLC (collectively, "Cinco," "we," "us," or "our") collect, use, disclose, and safeguard personal information in connection with the Cinco platform, website (cincofi.com), mobile applications, and all related services (collectively, the "Platform").

This Policy applies to all users of the Platform, including business owners, administrators, and any individuals whose information is processed through our payroll or insurance services. By accessing or using the Platform, you agree to the practices described in this Policy.

If you are a California resident, please see Section 12 (California Privacy Rights – CCPA). If you are a Delaware resident or your business is incorporated in Delaware, please see Section 13 (Delaware Privacy Rights).

1. Information We Collect

We collect information in several ways: directly from you, automatically through your use of the Platform, and from third-party sources.

1.1 Information You Provide Directly

When you register for an account, use our Services, or communicate with us, we may collect:

Business Account Information: legal business name, entity type, state of incorporation, Federal Employer Identification Number (EIN), physical address, and business license information
Personal Identification Information: name, date of birth, Social Security number or taxpayer identification number for authorized representatives, owners, and principals (required for identity verification and regulatory compliance)
Contact Information: email address, phone number, and mailing address
Financial Information: bank account numbers and routing numbers, payment card details, and billing information
Payroll Data: employee and contractor names, addresses, Social Security numbers, compensation details, tax withholding elections, direct deposit information, and related employment records
Insurance Information: business type, industry classification, number of employees, prior insurance history, loss runs, and other information required to obtain insurance quotes or bind coverage
Communications: messages, inquiries, and other content you submit to our support team or through the Platform

1.2 Information Collected Automatically

When you access or use the Platform, we automatically collect certain technical and usage information, including:

Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and hardware model
Usage Data: pages visited, features accessed, actions taken within the Platform, session duration, clickstream data, and error logs
Analytics Data: we use analytics tools, including Google Analytics, to understand how users interact with our website and Platform. These tools may use cookies and similar tracking technologies to collect aggregated usage statistics

1.3 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar technologies on our website and Platform. These fall into the following categories:

You may manage cookie preferences at any time through our cookie consent manager (accessible via the "Cookie Preferences" link in the site footer) or through your browser settings. Disabling strictly necessary cookies will impair Platform functionality. Disabling analytics or marketing cookies will limit our ability to measure and personalize your experience but will not prevent access to the Services.

We do not currently respond to browser-level "Do Not Track" signals; however, you may opt out of Google Analytics tracking at any time by visiting tools.google.com/dlpage/gaoptout. For interest-based advertising opt-outs, you may visit optout.aboutads.info or optout.networkadvertising.org.

Strictly Necessary Cookies: essential for the Platform to function, including authentication, session management, and security. These cannot be disabled without affecting core functionality.
Analytics Cookies: help us understand how visitors interact with our website and Platform — including pages visited, session duration, and feature usage. We use tools such as Google Analytics for this purpose. Google Analytics data is aggregated and used to improve Platform performance.
Marketing and Advertising Cookies: used to deliver relevant advertisements, measure ad campaign effectiveness, and track user interactions with our marketing content across third-party sites and platforms. These cookies may be set by us or by our advertising partners and may track your activity across websites over time.

1.4 Information from Third Parties

We may receive information about you from third-party sources, including:

Identity Verification Providers: third-party KYC and AML vendors used to verify your identity and comply with regulatory requirements
Insurance Carriers: underwriting information, policy data, and claims status from licensed insurance carriers through whom coverage is placed
Payroll and Tax Authorities: tax agency responses, filing confirmations, and compliance data from federal and state authorities
Financial Institutions: bank account verification data and payment confirmation information

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Operating the Platform

Creating and managing your Account
Processing payroll, calculating and remitting payroll taxes, and issuing related tax forms (W-2s, 1099s)
Facilitating insurance quoting, placement, and policy administration through Cinco Insurance Agency LLC
Processing payments and managing billing
Providing customer support and responding to your inquiries

2.2 Legal and Regulatory Compliance

Verifying your identity in accordance with KYC and AML requirements under the Bank Secrecy Act and FinCEN regulations
Complying with OFAC sanctions screening obligations
Meeting federal and state payroll tax reporting and withholding obligations
Complying with state insurance licensing and regulatory requirements applicable to Cinco Insurance Agency LLC
Responding to lawful requests from government authorities, courts, or law enforcement

2.3 Security and Fraud Prevention

Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other security incidents
Monitoring platform activity for anomalous usage patterns
Protecting the rights, property, and safety of Cinco, its users, and the public

2.4 Improving the Platform

Analyzing usage patterns to improve Platform features, design, and performance
Conducting internal research and analytics to develop new products and services
Diagnosing technical issues and resolving bugs

2.5 Communications

Sending transactional communications: account confirmations, payroll processing notifications, and policy updates
Sending operational notices: material changes to Terms of Service or this Policy, security alerts, and maintenance notifications
Sending product updates and informational content about Cinco's Services, where you have not opted out

3. Legal Basis for Processing

Cinco processes personal information on the following legal bases:

Contractual Necessity: processing required to perform the Services you have contracted for, including payroll processing, insurance placement, and Account management
Legal Obligation: processing required to comply with applicable federal and state laws, including tax, financial, and insurance regulations
Legitimate Interests: processing for fraud prevention, platform security, analytics, and product improvement, where these interests do not override your rights
Consent: where you have provided specific consent, such as for certain marketing communications or optional features (you may withdraw consent at any time)

5. Financial Privacy – Gramm-Leach-Bliley Act (GLBA)

Because Cinco provides financial services, including payroll processing and facilitating insurance products, certain information we collect may be subject to the Gramm-Leach-Bliley Act ("GLBA") and its implementing regulations, including the FTC's Safeguards Rule.

5.1 Non-Public Personal Information

Under the GLBA, "Non-Public Personal Information" ("NPI") includes financial and personally identifiable information collected in connection with financial products or services. We collect and use NPI to process payroll, facilitate insurance placement, and maintain compliance with applicable law.

5.2 Sharing Limitations

We do not share NPI with non-affiliated third parties for marketing purposes. We share NPI only as permitted under the GLBA, including with service providers performing functions on our behalf, with financial institutions processing transactions, and as required by law.

5.3 Safeguards

Cinco maintains a comprehensive information security program in accordance with the FTC's Safeguards Rule. This program includes:

Designation of a qualified individual responsible for overseeing information security
Risk assessments to identify and address vulnerabilities to NPI
Implementation of technical, administrative, and physical safeguards
Vendor oversight and contractual data protection requirements
Incident response planning and breach notification procedures
Annual review and testing of security controls

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including to provide Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

When personal information is no longer required, we securely delete or anonymize it in accordance with our data retention schedule.

Account and identity data: retained for the duration of your Account and for a minimum of five (5) years following termination, as required by KYC/AML regulations
Payroll records and tax data: retained for a minimum of seven (7) years to comply with IRS and state tax requirements
Insurance-related records: retained in accordance with applicable state insurance record-keeping requirements, generally three (3) to seven (7) years depending on the state
Usage and analytics data: retained in aggregated or anonymized form for up to three (3) years

7. Data Security

We implement commercially reasonable and industry-standard technical, administrative, and physical security measures to protect your personal information from unauthorized access, use, disclosure, alteration, and destruction. Our security practices include:

No security system is impenetrable. In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities as required by applicable law.

Encryption of data in transit (TLS) and at rest
Role-based access controls and principle of least privilege
Multi-factor authentication for Platform access
Regular third-party penetration testing and vulnerability assessments
Continuous security monitoring and anomaly detection
Documented incident response and breach notification procedures

8. Your Rights and Choices

Subject to applicable law, you have the following rights with respect to your personal information:

8.1 Access and Correction

You may access and update your Account information directly through the Platform. If you need assistance correcting inaccurate information, please contact us at privacy@cincofi.com.

8.2 Deletion

You may request deletion of your personal information by contacting us at privacy@cincofi.com. Note that we may be required to retain certain information as described in Section 6 (Data Retention), and deletion requests are subject to applicable legal retention obligations.

8.3 Opt-Out of Marketing Communications

You may opt out of receiving marketing or promotional emails from us at any time by clicking the unsubscribe link in any such email or by contacting us at privacy@cincofi.com. You will continue to receive transactional and operational communications necessary for the Services.

8.4 Cookie Preferences

You may manage cookie preferences through your browser settings. Disabling analytics cookies will limit our ability to understand Platform usage but will not affect your ability to use core Services.

8.5 Data Portability

Upon request, we will provide a copy of your personal information in a structured, machine-readable format where technically feasible and required by applicable law.

9. Employee and Contractor Data

As a business using Cinco's payroll services, you submit personal information about your employees and contractors to the Platform. With respect to such data:

You are the data controller and are solely responsible for obtaining all necessary consents and providing required notices to your employees and contractors
Cinco acts as a data processor or service provider, processing this data only on your instruction and as necessary to provide payroll and related Services
You are responsible for ensuring compliance with all applicable privacy laws regarding the collection and submission of employee data to the Platform
Cinco will handle employee and contractor data in accordance with the data processor obligations described in our Data Processing Agreement, available upon request at privacy@cincofi.com

10. Third-Party Links and Services

The Platform may contain links to third-party websites, or you may choose to connect third-party applications to your Account. Cinco is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform. This Policy applies only to information collected by Cinco.

11. Children's Privacy

The Platform is intended for use by business professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly. If you believe we have collected information from a minor, please contact us immediately at privacy@cincofi.com.

12. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Policy. It is provided pursuant to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA).

12.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information from California residents:

Identifiers: name, email address, phone number, IP address, EIN, Social Security number (for payroll and KYC purposes)
Financial Information: bank account numbers, payment card data, payroll compensation details
Commercial Information: subscription records, transaction history, insurance policy information
Internet or Network Activity: usage data, browsing history on the Platform, analytics data
Professional or Employment-Related Information: employee records, job titles, compensation, tax withholding information
Sensitive Personal Information: Social Security numbers, financial account information, precise geolocation (if enabled), and information about employees submitted for payroll purposes

12.2 Purposes for Collection

We collect the above categories for the purposes described in Section 2 of this Policy, including providing payroll and insurance services, legal compliance, security, and Platform improvement.

12.3 Do We Sell or Share Personal Information?

Cinco does not sell personal information as defined under the CCPA. We do not share personal information with third parties for cross-context behavioral advertising.

12.4 Your California Rights

California residents have the following rights:

Right to Know: the right to request disclosure of the categories and specific pieces of personal information we have collected about you, and our collection, use, and disclosure practices
Right to Delete: the right to request deletion of personal information we have collected, subject to legal exceptions
Right to Correct: the right to request correction of inaccurate personal information
Right to Opt-Out of Sale or Sharing: as noted above, we do not sell or share personal information; no opt-out action is required
Right to Limit Use of Sensitive Personal Information: you have the right to limit our use of sensitive personal information to purposes expressly permitted under the CPRA
Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights

12.5 How to Submit a Request

To exercise your California rights, please submit a verifiable consumer request by:

We will respond to verified requests within forty-five (45) days. In some cases, we may extend this period by an additional forty-five (45) days, with notice. We may require verification of your identity before processing a request.

Email: privacy@cincofi.com with subject line "California Privacy Request"
Website: cincofi.com/privacy-request

12.6 Authorized Agent

You may designate an authorized agent to submit CCPA requests on your behalf. Authorized agents must provide written authorization from the consumer and may be required to verify their own identity.

13. Delaware Privacy Rights (DOPPA)

This section applies to residents of Delaware and is provided pursuant to the Delaware Online Privacy and Protection Act (DOPPA) and related Delaware privacy requirements applicable to Cinco as a Delaware-incorporated entity.

13.1 Applicability

Cinco Inc. is incorporated in the State of Delaware and conducts business with Delaware residents. To the extent Delaware law imposes privacy obligations on our data practices, we comply with those requirements as described in this section and throughout this Policy.

13.2 Transparency of Data Practices

Consistent with Delaware's online privacy requirements, this Policy discloses: (i) the categories of personal information we collect; (ii) how we use that information; (iii) the categories of third parties with whom we share information; and (iv) how Delaware residents may contact us to exercise applicable rights. These disclosures appear in Sections 1 through 4 of this Policy.

13.3 Minors' Privacy

Cinco complies with Delaware's child privacy requirements. The Platform is not directed to minors under the age of 18, and we do not knowingly collect personal information from minors. We do not knowingly market to minors or use information collected from minors for targeted advertising.

13.4 Marketing Cookies and Targeted Advertising

As disclosed in Section 1.3, we use marketing and advertising cookies on our website. Delaware residents may opt out of interest-based advertising by using the cookie preference controls described in Section 1.3 or by contacting us at privacy@cincofi.com. We do not sell personal information of Delaware residents.

13.5 Your Delaware Rights

Delaware residents may have rights under applicable state law including the right to:

To exercise these rights, please contact us at privacy@cincofi.com with the subject line "Delaware Privacy Request." We will respond within a reasonable time as required by applicable law.

Know what personal information we have collected about you and how it is used
Request correction of inaccurate personal information
Request deletion of personal information, subject to applicable legal retention obligations
Opt out of the use of personal information for targeted advertising purposes
Non-discrimination for exercising any of the above rights

13.6 Other Applicable State Laws

Cinco monitors evolving state privacy legislation and updates its practices as new laws take effect. Users in states with comprehensive consumer privacy laws (including but not limited to Virginia, Colorado, Connecticut, Texas, and Florida) may have additional rights. Please contact privacy@cincofi.com to inquire about rights applicable in your state.

14. Cinco Insurance Agency LLC — Additional Privacy Disclosures

Cinco Insurance Agency LLC is a licensed insurance agency and wholly owned subsidiary of Cincofi Inc. The following disclosures supplement this Policy with respect to insurance-specific data practices.

14.1 State Insurance Privacy Laws

The collection, use, and disclosure of personal information in connection with insurance products is subject to applicable state insurance privacy regulations, which may provide additional rights beyond those described in this Policy. Where state insurance privacy law conflicts with this Policy, state law controls.

14.2 Insurance Information Collected

In connection with insurance quoting, placement, and administration, Cinco Insurance Agency LLC may collect:

Business information: industry, revenue, number of employees, years in operation, prior claims history
Personal information about business owners and principals: name, address, date of birth, ownership percentage
Prior insurance information: prior carriers, policy terms, loss runs, and cancellation history

14.3 Sharing with Carriers

To obtain quotes and bind coverage, Cinco Insurance Agency LLC shares insurance application data with licensed carriers and wholesale brokers. These disclosures are necessary for the performance of insurance services and are made with your authorization at the time of application.

14.4 Adverse Underwriting Decisions

If you are denied insurance coverage or are subject to adverse underwriting action, you have the right to request the specific reasons for that decision, to the extent required by applicable state insurance regulations. Please contact us at insurance@cincofi.com for assistance.

14.5 Insurance Regulatory Compliance

Cinco Insurance Agency LLC complies with applicable state insurance privacy laws, including those modeled on the NAIC Insurance Information and Privacy Protection Model Act. Disclosures required by state insurance regulators are available upon request.

15. Changes to This Privacy Policy

We reserve the right to update this Policy at any time. When we make material changes, we will notify you by:

We will provide at least thirty (30) days' notice before material changes take effect. The updated Policy will be posted at cincofi.com/legal/privacy with a revised "Last Updated" date. Your continued use of the Platform after the effective date constitutes your acceptance of the updated Policy.

Sending an email notice to your registered email address
Posting a prominent notice within the Platform

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy team

Cincofi Inc. — Privacy Team

privacy@cincofi.com

cincofi.com/legal/privacy

Cincofi Inc., Legal & Privacy Department

2261 Market Street STE 92696, San Francisco,CA

Insurance privacy inquiries

Cinco Insurance Agency LLC — Insurance Privacy Inquiries

insurance@cincofi.com

We aim to respond to all privacy inquiries within thirty (30) days of receipt.

cincofi.com/legal/privacy | privacy@cincofi.com