Privacy Policy

How we handle your data — in plain English and in legal terms.

Last updated: March 2026

Why this matters

You're trusting us with financial data — that's serious. Here's the short version:

We never sell your data. Not to advertisers, not to anyone.
You own your financial data. We only process it to run QuidBooks for you.
Your data is encrypted with AES-256 at rest and TLS 1.3 in transit.
Each account is isolated — no other customer can access your data.
You can export or delete your data at any time.
GDPR applies — QuidBooks is a US company but we respect all EU privacy rights under GDPR.

1. Introduction

QuidBooks ("QuidBooks," "we," "us," or "our") operates QuidBooks, a cloud-hosted financial management platform. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it.

This policy applies to all customers and users of the QuidBooks service ("Service"), including individuals accessing the Service on behalf of a business.

If you have questions, contact us at privacy@quidbooks.com.

2. Who We Are (Data Controller)

For the purposes of GDPR, QuidBooks acts as the Data Processor on behalf of our business customers (Data Controllers) for the financial data they upload and manage. For data we collect directly about individual users (account data, usage data), QuidBooks acts as the Data Controller.

Data Protection Officer: Alan Naughton, QuidBooks
Contact: privacy@quidbooks.com

💡 What this means When your business uploads financial data to QuidBooks, your business decides what to do with that data (you're the "controller") and we just process it on your behalf. For your account details like your email and login, we're the ones responsible for handling it properly.

3. What We Collect

3.1 Account and Identity Data

When you create an account, we collect:

Business name and address
Contact name and email address
Billing information (processed and stored by Stripe — we do not store raw card numbers)
Password (stored as a salted hash — we never store your password in plain text)
Multi-factor authentication settings

3.2 Financial Data You Upload

When you use the Service, we store the financial data you provide:

Bank transactions (dates, amounts, descriptions, categories)
Receipt images and documents (JPG, PNG, PDF)
Vendor and payee information
Account balances and financial summaries
Rules and categorization preferences you create
Exported reports and PDF documents

This is your data. We process it only to provide the Service to you.

3.3 Usage and Technical Data

We automatically collect technical data to operate and improve the Service:

Log data (IP address, browser type, pages visited, timestamps)
Feature usage metrics (which features you use, export frequency)
Error reports (anonymized)
Device and browser information

3.4 Communications Data

If you contact our support team, we retain records of that communication.

💡 What this means We collect what we need to run the service — your account info, the financial data you upload, and basic technical data to keep things working. We don't collect anything extra for advertising or profiling.

4. How We Use Your Data

Purpose	Legal Basis (GDPR)
Provide and operate the Service	Performance of contract
Send transactional emails (invoices, alerts, receipts)	Performance of contract
Detect and prevent fraud, abuse, and security threats	Legitimate interests
Improve service reliability and performance	Legitimate interests
Comply with legal obligations (tax, audit)	Legal obligation
Send product updates and important notices	Legitimate interests / consent
Customer support and troubleshooting	Performance of contract

We do not use your financial data to train AI models or for any purpose other than providing the Service.

5. What We Do NOT Do

We never sell your data to any third party, under any circumstances.
We never share your data with advertisers or marketing platforms.
We never use your financial transaction data for purposes beyond operating the Service.
We do not run advertising on the QuidBooks platform.
We do not build behavioural profiles for marketing purposes.
We do not share your data with other QuidBooks customers.

Your financial data belongs to you. Full stop.

6. Data Storage and Security

QuidBooks is built on a per-tenant isolated infrastructure model:

Your data is stored in a dedicated database that belongs to your account only.
Your files (receipts, exports) are stored in a dedicated S3 bucket with an access policy that permits only your account.
Your data is encrypted with a dedicated encryption key (AWS KMS) unique to your account.
QuidBooks engineers cannot access your data except through an audited, time-limited break-glass procedure.

Encryption

Layer	Standard	Details
At rest (database)	AES-256	Encrypted RDS with per-tenant KMS key
At rest (files)	AES-256	S3 SSE-KMS with per-tenant key
In transit	TLS 1.3	All connections between your browser and our servers
Application layer	AES-256-GCM	Sensitive fields encrypted before database storage

💡 What this means Your data is encrypted everywhere — while it's stored, while it's moving, and at the application level too. Each customer gets their own encryption key, so even if someone breached another customer's data (which our isolation prevents), they couldn't touch yours.

7. Who We Share With

We use a small number of trusted third-party services ("sub-processors") to operate the Service:

Sub-processor	Purpose	Data Shared
Amazon Web Services	Infrastructure (compute, storage, database)	All encrypted customer data, in your chosen region
Stripe	Payment processing	Email address, billing information only
Amazon SES	Transactional email	Email address, invoice details
Google Gemini	AI categorization	Anonymized transaction descriptions only — no PII

We do not use any other sub-processors that access customer financial data. We will notify you at least 30 days before adding new sub-processors.

💡 What this means We only share data with services we need to run QuidBooks. Stripe handles payments, AWS hosts the infrastructure, and when we use AI to suggest categories for your transactions, we strip out all personal information first — Google never sees your name, account numbers, or any identifying details.

8. Your Rights (GDPR)

If you are located in the European Union, EEA, or UK, you have the following rights under GDPR:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — request deletion of your personal data.
Right to data portability — receive your data in a structured, machine-readable format.
Right to restriction of processing — request that we limit how we process your data.
Right to object — object to processing based on legitimate interests.
Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects on individuals.

To exercise any of these rights, email privacy@quidbooks.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.

💡 What this means You can ask us to show you what data we have, correct it, delete it, or give you a copy to take elsewhere — all by sending us an email. We have 30 days to respond, and you can always complain to your country's data protection authority if you're not satisfied.

9. Cookies

We use cookies only as necessary to operate the Service. We do not use advertising cookies, analytics cookies, or any third-party tracking.

Session cookies — keep you logged in while you use QuidBooks.
Security cookies — help prevent cross-site request forgery and other attacks.
Preference cookies — remember your language and display settings.

We do not use cookies to track you across other websites or build advertising profiles.

10. Data Retention

Data Type	Retention Period
Active account data	For the duration of your subscription
Data after cancellation	30 days, then permanently deleted
Backup data	Deleted with primary data
Support communications	2 years
Anonymized usage metrics	Up to 5 years
Billing records	7 years (legal requirement)

After the 30-day post-cancellation window, all your data is permanently and irreversibly deleted, including all database records, uploaded files, and encrypted backups. We will send a reminder 7 days before deletion.

11. Children

QuidBooks is a business tool and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@quidbooks.com.

12. Changes to This Policy

We will notify you by email at least 30 days before making material changes to this Privacy Policy. The updated policy will be posted at this URL with the revision date.

13. Contact Us

Privacy requests and questions:
privacy@quidbooks.com

Data Protection Officer:
Alan Naughton, QuidBooks
privacy@quidbooks.com

Registered office:
QuidBooks, United States