Last updated: June 25, 2026
Sherlock ("Sherlock," "we," "us," or "our") provides software that helps small and medium-sized businesses review their financial transactions for potential fraud, errors, and unusual activity. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to sherlockwatch.com and the Sherlock web application (together, the "Service").
This policy is written for businesses and individuals in the United States. By using the Service, you agree to the collection and use of information as described here.
Account information. When you create an account, we collect your email address and a password. Passwords are stored in hashed form by our authentication provider — we never see or store your password in plain text.
Transaction data you provide. The core of the Service. Transaction data enters the Service in two ways: by connecting a bank or financial account, or by uploading a file. This data typically includes dates, amounts, descriptions, vendor or merchant names, account names, and categories. We use this data to run our detection rules and show you insights.
Bank and financial account connections. You may connect your bank or financial accounts to Sherlock through Plaid, a third-party service that securely links to financial institutions. When you connect an account, Plaid provides Sherlock with transaction information and account details such as balances, account names, and account types. We receive and store this transaction and account data to operate the Service. We do not receive or store your bank login credentials — those are handled by Plaid, and the secure access token that allows ongoing syncing is stored on our side and is never exposed to your browser. You can disconnect a connected account at any time from within the Service.
File uploads. You may also upload your transactions as a file — including CSV and Excel bank statements, and QuickBooks transaction exports. When you upload a file, we collect the information it contains and process it the same way as connected-account data.
Communications. If you contact us for support or feedback, we collect the information you choose to share, such as your email address and the contents of your message.
Usage and device information. We use analytics tools, including PostHog, to understand how the Service is used, for example, which pages are visited, which features are used, and general performance. This includes basic technical information such as browser type, device type, and approximate location derived from your IP address. We use this to improve the Service and do not use it to build advertising profiles.
Session replay. Our analytics include session replay, which records how users interact with the Service, such as page navigation and clicks, to help us find and fix usability problems. Sensitive content is masked in these recordings: input fields and on-screen financial figures are obscured, so the recordings capture how the Service is used without exposing your actual financial data.
Cookies and similar technologies. We use cookies that are necessary for the Service to function, such as keeping you signed in, and cookies that support our analytics. We do not use advertising or cross-site tracking cookies.
For transparency, and as some state laws require, the categories of personal information we collect are:
| Category | Examples | Do we collect it? |
|---|---|---|
| Identifiers | Email address, IP address | Yes |
| Financial information | Transaction data, account names, balances, vendor/merchant names, categories | Yes |
| Internet or network activity | Pages visited, features used, session interactions | Yes |
| Approximate location | General location derived from IP address | Yes |
| Bank login credentials | — | No — never collected or stored |
| Full bank account numbers | — | No |
| Social Security numbers | — | No |
| Precise (GPS) geolocation | — | No |
| Demographic or protected-class data | Race, ethnicity, gender, age | No |
| Audio or call recordings | — | No |
We use the information we collect to:
We do not sell your personal information, and we do not share it for cross-context behavioral or targeted advertising. We are an ad-free, privacy-first service. We share information only in the limited circumstances below.
We rely on a small number of trusted vendors to run the Service. They process information on our behalf and are permitted to use it only to provide services to us. These currently include:
Sherlock includes an optional question-and-answer feature powered by Claude, an AI service provided by Anthropic. Before first use, we ask for your express consent. When you ask Sherlock a question, relevant summaries, vendor names, categories, transaction amounts and dates, and alert details may be sent to Anthropic to generate the response. We do not send bank login credentials, Plaid access tokens, or complete account numbers. Anthropic is the only external AI provider that receives transaction context for this feature, and no information is sent to Anthropic through this feature unless you consent and submit a question. If you do not consent, the AI feature remains unavailable and the rest of the Service continues to work normally.
To improve the accuracy of our detection rules, we may use anonymized, aggregated information derived from activity across the Service — for example, statistics about how often a given rule type fires. This information is stripped of identifiers that tie it to you or your business and cannot reasonably be used to identify you. We do not share your individual transactions with other customers.
We may disclose information if required to do so by law, or if we believe in good faith that disclosure is reasonably necessary to comply with a legal obligation, enforce our agreements, or protect the rights, property, or safety of Sherlock, our users, or others.
If Sherlock is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and of any choices you may have.
We take reasonable measures to protect your information. Data is encrypted in transit using TLS and encrypted at rest. Access to your data is restricted through row-level access controls so that you can access your own data. We never store your bank login credentials, and Sherlock cannot move money or initiate transactions — our access to connected accounts is read-only.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account password confidential.
We retain your account information, connected-account data, and uploaded transaction data for as long as your account is active or as needed to provide the Service. We will not retain your personal information for longer than is reasonably necessary for the purposes described in this policy.
You can delete uploaded data and disconnect connected accounts from within the Service at any time. When you request deletion of your account, we will delete as much of your personal information as possible; we may retain limited information where required by law or for legitimate business purposes such as security and recordkeeping, and we will protect any such retained information accordingly.
Access and deletion. You can review the transaction data in your account within the Service, and you can delete uploaded data and disconnect connected accounts. To request deletion of your account, contact us at the email below.
Account information. You can update your email or reset your password from the sign-in screen, and you can change your password from your account settings.
Connected accounts. You can disconnect any bank or financial account at any time from within the Service.
Analytics. Because we use privacy-respecting analytics with sensitive content masked, and do not run advertising trackers, there is no separate ad-tracking opt-out to manage.
Note: the specific rights below depend on your state of residence and on which privacy laws apply to Sherlock. This section is provided in good faith; the exact scope of rights and our obligations may vary, and we update this section as our practices and the applicable laws evolve.
Depending on where you live, you may have some or all of the following rights regarding your personal information:
States that have enacted comprehensive consumer privacy laws include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, among others. The rights available to you, and the thresholds at which they apply, depend on your state's law.
How to exercise your rights. To make a request, contact us at contact@sherlockwatch.com. To protect your information, we will take reasonable steps to verify your identity before fulfilling a request — typically by confirming you control the email address associated with your account. We will not fulfill a request to access or delete an account's data unless we can reasonably verify the requester is the account holder (or an authorized agent acting with valid written authority). We will respond within the timeframe required by applicable law.
Sherlock is based in the United States, and we and our service providers process and store your information in the United States. If you access the Service from outside the United States, you understand that your information will be processed in the U.S., which may have different data-protection rules than your home jurisdiction.
The Service is intended for businesses and is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us and we will delete it.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will provide a more prominent notice. We encourage you to review this page periodically.
If you have questions about this Privacy Policy or how we handle your information, contact us at:
Sherlock
Email: contact@sherlockwatch.com