Privacy Policy

LAST UPDATED: JANUARY 24, 2026

DATA MINIMIZATION PROMISE We practice strict data minimization. We only fetch the specific financial records required to generate your diagnostic report. We do NOT store your client's full General Ledger or complete transaction history on our servers. Raw financial data is processed in-memory and discarded after report generation.

At BizDoc ("BizDoc," "Company," "we," "our," or "us"), protecting your data and your clients' data is our highest priority. This Privacy Policy describes how we collect, use, store, share, and protect information when you use the BizDoc website (bizdoc.io), embeddable widgets, APIs, and related services (collectively, the "Service").

This Privacy Policy applies to: (1) Users — accounting professionals, bookkeepers, and financial advisors who create BizDoc accounts; and (2) Clients — individuals or businesses who connect their QuickBooks Online files through a User's embedded Widget.

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY. If you do not agree with our data practices, please do not use the Service.

1. Information We Collect

We collect different types of information depending on how you interact with the Service:

1.1 User Account Information

When you register for a BizDoc account, we collect:

Identity Information: Full name, firm name, job title
Contact Information: Email address, phone number (optional)
Account Credentials: Password (stored in hashed form)
Payment Information: Billing address, payment method details (processed and stored by Stripe; we do not store credit card numbers on our servers)
Profile Information: Services offered, testimonial text, branding preferences (for white-label features)

1.2 Client Information (Captured via Widget)

When a Client connects their QuickBooks Online file through a User's embedded Widget, we collect:

Identity Information: Name and email address (via Intuit's identity API)
Company Information: Business name, company ID from QuickBooks
Connection Metadata: Date/time of connection, Widget ID, referring User

1.3 Integrated Financial Data (From QuickBooks Online)

When a Client authorizes access to their QuickBooks Online file, we receive an OAuth2 access token from Intuit. Using this token, we access read-only data from specific QBO endpoints.

OAuth Scopes Requested:

BizDoc requests only the following OAuth scopes from Intuit:

com.intuit.quickbooks.accounting (read-only access to accounting data)
openid, profile, email (user identity verification)

We do NOT request write permissions. BizDoc cannot create, modify, or delete any data in your QuickBooks Online file.

Within the accounting scope, we access only the following specific endpoints:

Data Category	QBO API Endpoint	Why We Access This
Company Profile	`CompanyInfo`	Identify the business name, fiscal year settings, and basic company details for the report header
Chart of Accounts	`Account`	Analyze account structure, identify uncategorized accounts, and assess bookkeeping organization
Balance Sheet Report	`Reports/BalanceSheet`	Calculate financial ratios (current ratio, debt-to-equity), assess solvency and stability
Profit & Loss Report	`Reports/ProfitAndLoss`	Analyze revenue trends, expense patterns, and profitability for health scoring
Aged Receivables Report	`Reports/AgedReceivables`	Calculate Days Sales Outstanding (DSO), identify collection risk and AR aging over 90 days
Aged Payables Report	`Reports/AgedPayables`	Calculate Days Payable Outstanding (DPO), analyze payment patterns and overdue AP

What We Do NOT Access:

Individual transaction details or the full General Ledger
Customer or vendor contact information (names, addresses, emails)
Bank account numbers or sensitive payment details
Employee or payroll information
Attachments, receipts, or uploaded documents

Data Processing:

We access this data strictly to perform algorithmic analysis and generate Diagnostic Reports. Raw financial data is processed in-memory and discarded immediately after the report is generated. We do NOT permanently store your General Ledger, transaction history, or detailed financial records in our database.

1.4 Automatically Collected Information

When you access the Service, we automatically collect:

Device Information: Browser type, operating system, device identifiers
Usage Information: Pages visited, features used, actions taken, time spent
Log Data: IP address, access times, referring URLs, error logs
Location Data: General geographic location based on IP address (not precise GPS)

1.5 Information from Third Parties

We may receive information about you from:

Intuit: Identity information and access tokens when you or your Clients authorize QBO access
Payment Processors: Transaction status and billing information from Stripe
Analytics Providers: Aggregated usage data and insights

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

Generate Financial Health Scores and Diagnostic Reports
Deliver PDF reports to Users
Capture and deliver lead information (email, company name, score) to Users
Enable white-label customization and branding
Store historical reports in User dashboards

2.2 Account Management

Create and manage your account
Authenticate your identity and verify access permissions
Process subscription payments and manage billing
Provide customer support

2.3 Communication

Send transactional emails (account confirmation, password resets, payment receipts)
Send service-related notifications (new features, maintenance, security alerts)
Send marketing communications (with your consent, and you can opt out anytime)
Respond to support inquiries

2.4 Service Improvement

Analyze usage patterns to improve features and user experience
Develop new products and features
Conduct research and analytics using aggregated, de-identified data
Improve our benchmarking algorithms and scoring models

2.5 Security and Compliance

Detect, prevent, and respond to fraud, abuse, and security incidents
Enforce our Terms of Service
Comply with legal obligations
Protect the rights and safety of BizDoc, Users, Clients, and the public

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

Purpose	Legal Basis
Providing the Service	Performance of contract
Processing payments	Performance of contract
Sending transactional communications	Performance of contract
Marketing communications	Consent (opt-in)
Security and fraud prevention	Legitimate interests
Service improvement and analytics	Legitimate interests
Legal compliance	Legal obligation

We do not sell, rent, or trade your personal information or your clients' financial data.

We share information only in the following circumstances:

4.1 With Users (for Client Data)

When a Client connects their QBO file through a User's Widget, we share the following with that User: Client email address, company name, Financial Health Score, letter grade, and the full Diagnostic Report. This sharing is the core function of the Service.

4.2 With Service Providers

We engage trusted third-party service providers who process data on our behalf:

Provider	Purpose	Data Shared
Railway	Cloud hosting and infrastructure	All Service data (encrypted)
Stripe	Payment processing and subscription billing	Payment and billing information
SendGrid	Transactional and marketing emails	Email address, name
Google Analytics	Website and usage analytics	Anonymized usage data, IP address (anonymized)

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

4.3 For Legal Reasons

We may disclose information if we believe it is necessary to:

Comply with a subpoena, court order, or other legal process
Respond to lawful requests from government authorities
Protect the rights, property, or safety of BizDoc, our Users, or the public
Detect, prevent, or address fraud, security, or technical issues
Enforce our Terms of Service

4.4 Business Transfers

If BizDoc is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.

4.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. For example, we may publish industry benchmarks based on aggregated scoring data.

5. Intuit Data Policy Compliance

Our integration with QuickBooks Online complies with Intuit Developer Terms and data security requirements:

5.1 Data Protection Standards

Encryption in Transit: All data transmitted between BizDoc and Intuit, and between BizDoc and your browser, is protected using TLS 1.2+ encryption
Encryption at Rest: Stored data is encrypted using AES-256 encryption
Access Controls: OAuth2 tokens are encrypted and access is limited to authorized systems
Security Reviews: We undergo regular security assessments to maintain Intuit platform compliance

5.2 Read-Only Access

BizDoc requests read-only permissions only. We cannot create, modify, edit, or delete any data in connected QuickBooks Online files.

5.3 Minimum Necessary Data

We practice data minimization and request only the OAuth scopes and access the specific API endpoints necessary to provide our Financial Health Score service. We do not request or access more data than is required for our stated purposes (see Section 1.3 for the complete list of data accessed).

5.4 Token Management

OAuth2 access tokens received from Intuit are securely encrypted and stored only as long as necessary to maintain the authorized connection. Tokens are automatically invalidated when access is revoked.

5.5 Disconnect and Revocation of Access

How to Disconnect BizDoc from QuickBooks Online

You or your Clients can revoke BizDoc's access to a connected QuickBooks Online file at any time using any of these methods:

From BizDoc: Log into your BizDoc dashboard, go to "Connections" or "Connected Files", and click "Disconnect" next to the QBO file you wish to remove
From QuickBooks: Visit the Intuit App Center at accounts.intuit.com/app/account-manager/myApps, find "BizDoc" in your connected apps, and click "Disconnect"
Contact Us: Email support@bizdoc.io with your request and we will process the disconnection within 24 hours

What happens when you disconnect: BizDoc's access token is immediately invalidated. We can no longer access any data from that QuickBooks file. Previously generated reports remain in your account history unless you delete them.

6. Data Retention and Deletion

6.1 Retention Periods

Data Type	Retention Period
User Account Data	Duration of account + 30 days after deletion request
OAuth2 Access Tokens	Until disconnection or account cancellation
Diagnostic Reports (PDFs)	Until User deletes them or account is terminated
Lead/Client Contact Info	Until User deletes or account is terminated
Raw Financial Data (from QBO)	Not retained — processed in-memory and discarded after report generation
Payment Records	7 years (for tax and legal compliance)
Server Logs	90 days

6.2 Transient Analysis Data

When we analyze a connected QBO file, the raw financial data (account balances, transaction summaries, report data) is fetched via API, processed in-memory by our analysis engine, and then discarded. This data is NOT permanently stored in our database. Only the generated scores, grades, and the final PDF report are retained.

6.3 Deletion Requests

You may request deletion of your account and associated data at any time. Upon receiving a verified deletion request, we will delete your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance).

7. Data Security

We implement industry-standard security measures to protect your information:

7.1 Technical Safeguards

TLS 1.2+ encryption for all data in transit
AES-256 encryption for data at rest
Secure, hashed password storage (bcrypt)
Web Application Firewall (WAF) protection
Regular vulnerability scanning and penetration testing
Automated security monitoring and alerting

7.2 Organizational Safeguards

Role-based access controls for employees
Background checks for personnel with data access
Security awareness training
Incident response procedures

7.3 Infrastructure

Hosted on Railway's secure cloud infrastructure
Automatic SSL/TLS certificates for all connections
Regular automated backups with encryption
Isolated container-based deployment
Disaster recovery and business continuity plans

7.4 Security Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Access

You have the right to request a copy of the personal information we hold about you.

8.2 Correction

You have the right to request correction of inaccurate or incomplete personal information.

8.3 Deletion

You have the right to request deletion of your personal information ("Right to be Forgotten"), subject to certain exceptions.

8.4 Portability

You have the right to receive your personal information in a structured, commonly used, machine-readable format.

8.5 Restriction

You have the right to request restriction of processing of your personal information in certain circumstances.

8.6 Objection

You have the right to object to processing of your personal information based on legitimate interests.

8.7 Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

8.8 Revoke QBO Access

You or your Clients may revoke BizDoc's access to QuickBooks Online files at any time via:

The Intuit App Center: https://accounts.intuit.com/app/account-manager/myApps
Your BizDoc dashboard (Connections section)

8.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@bizdoc.io. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing certain requests.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

9.3 Right to Correct

You have the right to request correction of inaccurate personal information.

9.4 Right to Opt-Out of Sale/Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

9.5 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

9.6 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

Identifiers (name, email, IP address)
Commercial information (transaction history, subscription data)
Internet activity (browsing history, usage data)
Professional information (firm name, job title)
Financial information (from connected QBO files — processed transiently)

9.7 Authorized Agent

You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority.

9.8 Contact for California Requests

California residents may submit requests to: privacy@bizdoc.io or call us at the number provided in the Contact section.

10. International Data Transfers

BizDoc is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

10.1 EEA/UK Transfers

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

Standard Contractual Clauses approved by the European Commission
Data Processing Agreements with our sub-processors
Additional safeguards as required by applicable law

10.2 Your Consent

By using the Service, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential	Authentication, security, core functionality	Session / 30 days
Functional	Remember preferences and settings	1 year
Analytics	Understand usage patterns, improve Service	2 years

11.2 Third-Party Cookies

We use Google Analytics to understand how users interact with the Service. Google Analytics sets cookies to collect information about your use of our website, including:

Pages visited and time spent on each page
How you arrived at our website (referral source)
Your general geographic location (country/city level)
Browser and device information

We have enabled IP anonymization in Google Analytics, which truncates your IP address before storage. Google's use of this data is governed by the Google Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service. Most browsers allow you to:

View what cookies are stored and delete them individually
Block third-party cookies
Block all cookies
Clear all cookies when you close your browser

11.4 Do Not Track

Some browsers have a "Do Not Track" feature. We currently do not respond to Do Not Track signals, as there is no industry-standard interpretation.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@bizdoc.io.

13. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services (such as Intuit QuickBooks Online, Stripe, etc.). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with BizDoc.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this page
We will notify you via email (for registered Users) or a prominent notice on our website
For significant changes affecting how we use your data, we will provide at least 30 days' notice before the changes take effect

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

BizDoc Financial Systems
Data Protection Officer
Email: privacy@bizdoc.io
General Inquiries: hello@bizdoc.io
Website: www.bizdoc.io

For EU/EEA residents, you also have the right to lodge a complaint with your local supervisory authority.

This Privacy Policy was last updated on January 24, 2026.