Privacy Policy

Our role

For the QBO company data we back up on your behalf (“Customer Data” — financial records and the personal information they contain about your customers, vendors, and employees), you are the controller / business and Technovault is a processor / service provider. You (or the accountant acting for you) decide why the data is processed; we process it only to provide backup, restore, change-audit, deletion, support, security, and customer-requested CFO analysis.

Separately, Technovault is an independent controller for its own operational data — account administration, billing records, security and access logs, fraud prevention, support tickets, and internal business records.

What we collect

• Customer Data: a copy of the QBO company data you connect, retrieved via the Intuit API and stored as encrypted snapshots.
• OAuth tokens & connection metadata: the access/refresh tokens that let us reach your QBO company, and which company is connected. We never receive or store your QuickBooks password — authentication is handled by Intuit OAuth.
• Account & identity: your Intuit user identifier and email from sign-in.
• Billing data: handled by Stripe; we do not store full card numbers.
• Operational data: security and access logs, support communications, and basic usage records needed to run and secure the Service.

How we use it — and what we never do

We process Customer Data only on your instructions — to provide, secure, support, maintain, restore, delete, and document the Service, including customer-requested CFO analysis, and as required by law. We use operational data to run billing, security, support, and compliance.

We do not sell Customer Data, share it for cross-context behavioural advertising, use it for any purpose unrelated to providing the Service, combine it across customers, or use it to train AI models that benefit other customers. CFO analysis runs only against your own data, for you.

Sub-processors & international transfers

We use a small set of vetted sub-processors to provide the Service — Cloudflare (hosting, storage, compute, security), Stripe (billing), and Intuit (QBO access and identity). The current list is on our Sub-processors page. We impose data-protection obligations on them materially consistent with our own.

Your personal information and Customer Data may be processed in Canada, the United States, and other locations where we or our providers operate. Where required for UK/EU customers, transfers rely on Standard Contractual Clauses or equivalent mechanisms (directly or through our providers).

Security

Customer Data is encrypted in transit and at rest. OAuth tokens are encrypted with keys held only in our infrastructure, never sent to your browser. We apply access controls and least privilege, isolate each company’s data, log and monitor access, keep dependencies current, and run a documented quarterly security review. No system is perfectly secure, but protecting your financial data is the core of what we do.

Cookies

We use only cookies and similar technologies necessary to operate the Service, including authentication, security, session management, billing flow, and fraud prevention. We do not use advertising cookies or cross-site tracking cookies.

Retention & deletion

Our default behaviour:

• Disconnect a company: we stop future backups and revoke/clear its access tokens.
• Cancel your subscription: paid service ends; we keep your Customer Data only for a short grace period unless you ask us to delete it sooner.
• Delete All Data: on a verified request we revoke our QuickBooks access and delete the Customer Data we hold (your QBO backups). Deletion is immediate and complete — the backups are removed as part of your request, not queued for later, and we keep no residual copies. Before deleting, you are responsible for exporting any data you wish to keep; after deletion, backups cannot be recovered.
• What we must retain: we do not offer full account deletion. Where a financial transaction has occurred, we are legally obligated to retain billing, payment, and tax records for the period required by law. Your account therefore remains active so you can reconnect and access past invoices; we retain those financial records and otherwise hold no further Customer Data after a Delete All Data request.
• Logs: operational logs expire on a rolling schedule (currently 30 days).
• No residual copies: we do not keep separate or archival copies of deleted backups. Our infrastructure provider may briefly retain deleted data within its own storage replication and durability systems, outside our control; we do not access or restore from it.

Your rights

Depending on where you live (e.g., Canada’s PIPEDA/BC PIPA, UK/EU GDPR, California CCPA/CPRA, Australia’s Privacy Act), you may have rights to access, correct, delete, port, or object to the processing of personal information. Because we act as a processor for Customer Data, requests about a connected company’s data are normally directed to that company (the controller); we will assist the controller to the extent applicable and technically feasible. For your own account data, or to exercise any right, contact us.

Data breaches

If we confirm or reasonably suspect a security incident involving Customer Data, we will notify affected customers without undue delay and provide the information reasonably available to help them investigate, mitigate, and meet any legally required notifications. Where we are the controller for affected data, we will make any notifications required of us. We maintain an internal log of security incidents.

Changes & contact

We may update this policy; we will revise the effective date and, for material changes, notify you by email or in the Service. Questions or requests: contact us, or write to Technovault Inc., 329 Howe Street #2239, Vancouver, BC V6C 3N2, Canada.