Privacy Policy
Effective Date: February 24, 2026
1. Information We Collect
| Category | Data Collected | Purpose |
|---|---|---|
| Account | Email address, display name, avatar (OAuth) | Authentication, communication |
| Authentication | Password hash (bcrypt), OAuth provider ID | Account security |
| QBO Connection | Realm ID, company name, encrypted OAuth tokens | API integration |
| Usage | Job counts, entity counts, feature usage events | Service improvement, billing |
| Payment | Stripe customer ID (no card numbers stored) | Billing |
| Technical | IP address, browser type, request logs | Security, debugging |
2. How We Use Your Information
- Provide and maintain the Service
- Authenticate your identity and manage your account
- Process payments and manage subscriptions
- Send transactional emails (welcome, password reset, job completion, team invites)
- Monitor service health and debug issues
- Enforce usage limits and prevent abuse
3. Data Storage and Security
Your data is stored in PostgreSQL databases and Redis caches hosted on secure infrastructure. Security measures include:
- QBO OAuth tokens are encrypted at rest using AES-256 with unique initialization vectors per record
- Passwords are hashed with bcrypt (12 rounds)
- API keys are stored as SHA-256 hashes
- All connections use TLS/HTTPS
- JWT tokens with short expiry (15 minutes) and rotating refresh tokens
4. Third-Party Services
We share limited data with the following third-party services:
| Service | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, Stripe customer ID | Payment processing |
| Brevo (Sendinblue) | Email address | Transactional emails |
| Intuit QBO | OAuth tokens, generated data | Data loading |
| Google/GitHub | OAuth profile | Authentication |
| Sentry | Error reports, request metadata | Error monitoring |
We do not sell your data to third parties.
5. Cookies and Local Storage
We use browser local storage to persist authentication tokens (JWT access and refresh tokens). We do not use third-party tracking cookies. Essential cookies may be used for session management and CSRF protection.
6. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account closure
- Job artifacts: Retained based on your plan tier (1-365 days)
- QBO tokens: Deleted immediately when a connection is removed
- Logs: Retained for up to 90 days for debugging purposes
- Analytics events: Aggregated and anonymized after 12 months
7. Your Rights
You have the right to:
- Access your personal data by contacting us
- Correct inaccurate information through your account settings
- Delete your account and associated data
- Export your scenario configurations and generated data
- Object to data processing for analytics purposes
To exercise these rights, contact us.
8. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.
9. International Data Transfers
Your data may be processed in the United States. By using the Service, you consent to data transfer to and processing in the US.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before they take effect. The "Effective Date" at the top reflects the most recent revision.
11. Contact
For privacy-related inquiries, contact us.