Effective date: April 22, 2026 · Last updated: April 24, 2026
LUCA LLC · Lincoln, Nebraska · hello@nexusfirma.io
LUCA LLC (“LUCA,” “we,” “us,” or “our”) operates FIRMA, the financial operating system for service businesses, accessible at nexusfirma.io. This Privacy Policy explains how we collect, use, disclose, and protect information when you use FIRMA.
By accessing or using FIRMA, you agree to this Privacy Policy. If you do not agree, do not use the service.
Account information
When you create a FIRMA account, we collect your name, email address, business name, and password. If you upgrade to a paid plan, we also collect billing information processed through our payment processor.
Business and financial data
FIRMA stores the business data you enter into the platform: clients, invoices, contracts, proposals, accounting records, documents, and any other content you create or upload. This data belongs to you. We store it to provide the service.
Banking data (via Plaid)
If you connect a bank account using FIRMA Money, we use Plaid Technologies, Inc. to retrieve transaction and balance data. Plaid is subject to its own privacy policy. We do not store your bank credentials. See Section 6 for more on Plaid.
Usage data
We automatically collect information about how you interact with FIRMA: pages visited, features used, actions taken, device type, browser, IP address, and timestamps. This data is used to improve the service and diagnose technical issues.
Cookies and tracking
We use cookies, local storage, and similar tracking technologies to maintain your authenticated session, remember your preferences, and analyze platform usage. You can instruct your browser to refuse all cookies, but some parts of the Service may not function properly.
We do not sell your personal information to third parties. We do not use your business data to train AI models or for any purpose other than providing the FIRMA service to you.
We share your information only in the following limited circumstances:
If you choose to connect your QuickBooks Online account to FIRMA, we will access and import your accounting data (including chart of accounts, customers, vendors, and transaction history) to facilitate the Service. This data is securely stored in our infrastructure. You can disconnect your QuickBooks account at any time, which will revoke our access to future data. FIRMA's use and transfer to any other app of information received from Intuit APIs will strictly adhere to Intuit's Developer Terms of Service.
FIRMA's Money module uses Plaid Technologies, Inc. to connect to your financial institutions. When you connect a bank account, you are interacting directly with Plaid's interface. Plaid receives your bank login credentials and returns transaction and balance data to FIRMA. We do not see or store your bank username or password.
Plaid's use of your data is governed by Plaid's Privacy Policy at plaid.com/legal.
FIRMA uses Stripe, Inc. to process subscription payments. When you enter payment information, it is transmitted directly to Stripe. We do not store your full credit card number, CVV, or bank account details on our servers. Stripe's use of your payment information is governed by Stripe's Privacy Policy at stripe.com/privacy.
FIRMA utilizes artificial intelligence (“Nova AI”) to assist with transaction categorization, forecasting, and querying. To process these requests, your data may be securely transmitted to third-party AI sub-processors via enterprise APIs. We have explicitly opted out of data sharing for model training with these providers. Your data is strictly used to return the requested output to you and is not retained by the AI sub-processors to train foundational models.
FIRMA's Enterprise / Multiplace tier is designed to support home health agencies and other healthcare-adjacent businesses. If you are a Covered Entity under HIPAA and require a Business Associate Agreement (BAA), please contact us at hello@nexusfirma.io. A BAA is available for Enterprise plan customers.
FIRMA's infrastructure is hosted on Supabase, which is SOC 2 Type II certified. Entity isolation in the Multiplace tier ensures that data from one business entity is not accessible to users of another entity.
We do not knowingly store Protected Health Information (PHI) in FIRMA unless a BAA has been executed. If you are using FIRMA for workflows that involve PHI without a BAA, that is a violation of our Terms of Service and HIPAA.
We retain your data for as long as your account is active. If you cancel your account, we will retain your data for 90 days to allow for reactivation or export. After 90 days, your data is permanently deleted from our systems, except where we are required by law to retain it longer.
You may request a full export of your data at any time by contacting us at hello@nexusfirma.io.
We implement industry-standard technical and organizational safeguards to protect your data, including encryption in transit (TLS), encryption at rest, role-based access controls, and audit logging. Our infrastructure provider (Supabase) is SOC 2 Type II certified.
No system is perfectly secure. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
Depending on your location, you may have the following rights regarding your personal information:
To exercise any of these rights, contact us at hello@nexusfirma.io.
FIRMA is a business application intended for use by adults. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected personal information from a minor, we will delete it promptly.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a notice in the FIRMA application at least 30 days before the changes take effect. Continued use of FIRMA after the effective date constitutes acceptance of the updated policy.
For privacy-related questions, data requests, or to report a concern, contact: