Account4Cast, LLC

Privacy Policy

Effective Date: May 19, 2026  ·  Version 1.0

Our Core Privacy Commitment

We do not sell your data. We do not use your financial data for advertising. We do not share your data with third parties for their own marketing purposes. Your financial data is accessed solely to provide the Service you subscribed to, and for no other purpose.

SECTION 1
Introduction

Account4Cast, LLC (“Acct4Cast,” “we,” “us,” or “our”) operates the financial intelligence platform accessible at app.acct4cast.com. This Privacy Policy explains what information we collect, how we use it, how we protect it, how long we retain it, and your rights regarding it.
By creating an account, connecting your QuickBooks Online account, or using any feature of the Service, you acknowledge that you have read and agree to the practices described in this Privacy Policy. This Policy is incorporated by reference into our Terms of Service at acct4cast.com/terms.
1.1 Scope
This Policy applies to:
• Visitors to acct4cast.com (the marketing website)
• Registered users of app.acct4cast.com (the authenticated dashboard)
• All QuickBooks Online financial data processed through the Service
• Communications you send to Acct4Cast by any channel

1.2 Legal Basis for Processing
Where applicable law requires a stated legal basis for data processing, Acct4Cast processes your data on the following grounds:
• Contractual necessity: to provide the Service you subscribed to and fulfill the obligations in our Terms of Service.
• Legitimate interest: to operate, secure, troubleshoot, and improve the Service in ways that do not override your privacy rights.
• Legal obligation: to comply with applicable law, including financial recordkeeping requirements and court orders.
• Consent: for any optional features, such as AI-generated narrative insights in Phase 8, where we will request your explicit consent before activating.

SECTION 2
Information We Collect

2.1 Account Information
When you register, we collect your name, email address, company name, and a securely hashed password. If you register using Google OAuth (“Continue with Google”), we collect your Google account identifier, display name, and email address in place of a password. We do not store plaintext passwords under any circumstances.
2.2 QuickBooks Financial Data
With your explicit OAuth 2.0 authorization, we access the following read-only data from your QuickBooks Online account:
• Profit and Loss reports (income, expense, and net income by category)
• Balance Sheet data
• Budget data, where your QuickBooks plan includes the budget feature
• Transaction-level data required for variance and rolling forecast calculations

We do not access payroll records, employee data, bank credentials, payment card data, Social Security numbers, or any data outside the scopes listed above. We do not write to, modify, or delete any data in your QuickBooks account.
2.3 Usage and Technical Data
We collect server-side logs including IP addresses, browser type and version, pages visited within the dashboard, timestamps of access, and API request metadata. This data is used exclusively for security monitoring, abuse prevention, and service improvement. It is not linked to advertising profiles.
2.4 Payment Information
Subscription payments are processed by Stripe, Inc. Acct4Cast does not store your credit card number, CVV, expiry date, or full billing address. We retain only a Stripe customer ID, subscription status, and billing tier, which are necessary to manage your account.
2.5 Communications
If you contact us by email, submit a support request, or respond to an automated report, we retain those communications to resolve your inquiry and to improve the Service. We do not use your communications to build advertising profiles.
2.6 Device and Browser Information
The dashboard may collect your browser’s localStorage data for non-sensitive preferences, such as your alert threshold setting and dashboard display preferences. This data never leaves your device and is not transmitted to our servers.

SECTION 3
How We Use Your Information

We use the information we collect solely for the following purposes:
• To authenticate your identity and authorize access to the dashboard
• To connect to your QuickBooks Online account and retrieve authorized financial data
• To generate budget-versus-actual reports, rolling forecasts, variance alerts, and scenario models
• To deliver automated email reports you have configured in your account settings
• To send system notifications such as variance alerts, token expiry warnings, and billing receipts
• To troubleshoot errors and improve the reliability and performance of the Service
• To comply with legal obligations and respond to lawful requests from public authorities
• To detect and prevent fraud, abuse, or unauthorized access

We do not use your financial data to train AI or machine learning models. We do not sell, rent, or share your personal or financial information with third parties for their commercial benefit. We have not sold personal information in the preceding 12 months.

SECTION 4
QuickBooks Data Handling

4.1 Read-Only Access
Acct4Cast requests only read-only access to your QuickBooks financial data. The OAuth scopes granted are the minimum required to power the features you use. We do not request write permissions and we do not modify, delete, or initiate any transaction in your QuickBooks account.
4.2 Storage Location
Synced QuickBooks financial data is stored in a PostgreSQL database hosted on a DigitalOcean droplet located in the United States. Data does not leave the United States except as described in Section 6 (Third-Party Services). All stored data is encrypted using AES-256 encryption provided by DigitalOcean’s managed storage layer.
4.3 Token Security
Your QuickBooks OAuth access token and refresh token are stored encrypted in the database using AES-256 encryption. They are never exposed in API responses, log files, browser-accessible storage, or client-side code. Access to decrypted tokens is restricted to the server-side application process only.
4.4 Token Deletion on Disconnect
When you disconnect your QuickBooks account from Acct4Cast, either from within the dashboard settings or by revoking access in QuickBooks Online, we immediately delete your stored access token and refresh token from all systems. This ensures that Acct4Cast can no longer access your QuickBooks data through the API after disconnection.
4.5 Data Minimization
We retrieve only the data required to power the features you use. Raw transaction data is processed in memory to produce variance and forecast calculations. We retain aggregated outputs (totals, ratios, period comparisons) rather than full transaction-level records, unless full records are required to support a specific feature you have enabled.
4.6 AI Features (Phase 8)
When AI-generated narrative insights are activated in Phase 8, financial summary figures are transmitted to the Anthropic Claude API to generate plain-language commentary. Before transmission, company-identifying information such as your company name and owner name is stripped and replaced with a neutral placeholder. Raw transaction records and personally identifying information are never sent to the Claude API. A separate consent notice will be presented before activating this feature.

SECTION 5
Data Storage and Security

5.1 Infrastructure
The Service runs on DigitalOcean Ubuntu 22.04 LTS servers located in the United States. All web traffic is routed through Nginx with TLS 1.2 or higher enforced. SSL certificates are issued by Let’s Encrypt and auto-renewed every 90 days. All data in transit between your browser and our servers is encrypted.
5.2 Access Controls
Database access requires application-level credentials stored in environment variables that are never committed to version control. Direct server access requires SSH key authentication to a non-root, limited-privilege deployment account. No Acct4Cast employee or contractor can access your financial data without an explicit, logged support request from you.
5.3 Security Practices
• Passwords are hashed using bcrypt before storage and are never stored in plaintext
• OAuth tokens are encrypted at rest using AES-256
• API endpoints are rate-limited: 100 requests per 15 minutes per IP address
• Credential files (.env) are excluded from version control via .gitignore
• Security dependencies are reviewed and updated on a regular schedule
• No credentials are written to server log files or console output
• The QuickBooks sandbox is isolated from production data

5.4 Security Limitations
While we apply industry-standard security practices, no system is completely immune to security vulnerabilities. The Service is provided with reasonable security measures, but we cannot guarantee that unauthorized access, disclosure, or loss will never occur. You acknowledge this limitation and accept that use of the Service is at your own risk with respect to events outside our reasonable control.
5.5 Breach Notification
In the event of a data breach that may affect your personal or financial information, we will notify you without unreasonable delay and in compliance with applicable state law, including Washington State breach notification requirements. Notification will be delivered to your registered email address and will include a description of the incident, the categories of data affected, and the steps we are taking in response.

SECTION 6
Third-Party Services and Sub-Processors

The following third-party services may process your data as part of operating the Service. We limit data shared with each provider to what is strictly necessary for their function.

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Intuit (QuickBooks Online) | Source of your financial data via OAuth 2.0 API | OAuth access tokens, QB Realm ID | USA |
| DigitalOcean | Server hosting and infrastructure | All data stored on hosted servers | USA |
| Stripe, Inc. | Subscription payment processing | Name, email, billing info | USA |
| Google (optional) | Account login via Continue with Google OAuth | Name, email, Google account ID | USA |
| Anthropic (Phase 8) | AI-generated financial narrative insights | Anonymized financial summary figures only. Company name and personal identifiers stripped before transmission. No raw transaction data. | USA |
| Let’s Encrypt | SSL certificate issuance and renewal | Domain name only | USA |

6.1 Sub-Processor Updates
Acct4Cast may engage additional sub-processors as the Service evolves. We will update this table and notify registered users by email of any material additions that affect how your financial data is processed, providing at least 14 days’ notice before any new sub-processor accesses your data.
6.2 No Advertising Networks
We do not use advertising networks, behavioral tracking pixels, third-party analytics SDKs, or data brokers within the authenticated dashboard at app.acct4cast.com. The marketing website at acct4cast.com may use standard WordPress analytics for anonymous traffic measurement.

SECTION 7
Data Retention

We retain your data only as long as necessary to provide the Service and fulfill our legal obligations.

| Data Type | Retention Period | Basis |
|---|---|---|
| Account information (name, email, company) | Duration of active subscription, plus 30 days after cancellation | Contractual necessity |
| QuickBooks financial data | Duration of active subscription, plus 30 days after cancellation | Contractual necessity |
| OAuth tokens (QB access and refresh) | Deleted immediately upon disconnect or account cancellation | Contractual necessity |
| Server access logs (IP, timestamps) | 90 days | Legitimate interest (security) |
| Email communications and support records | 2 years from date of communication | Legitimate interest |
| Stripe payment records | As required by Stripe and applicable financial regulations (typically 7 years) | Legal obligation |
| Acceptance records (clickwrap timestamps) | 7 years from acceptance date | Legal obligation |

After the applicable retention period, data is permanently deleted from all production systems. Backups are purged on a rolling 30-day cycle. You may request early deletion of your data at any time by contacting privacy@acct4cast.com, subject to our legal retention obligations.

SECTION 8
Your Rights

Regardless of your location, you have the following rights with respect to your personal and financial data:
8.1 Right of Access
You may request a copy of the personal and financial data we hold about you. We will provide this in a structured, machine-readable format within 30 days of a verified request.
8.2 Right to Correction
You may request correction of any inaccurate account information we hold. Financial data accuracy depends on your QuickBooks account and must be corrected at the source.
8.3 Right to Deletion
You may request deletion of your account and all associated data. We will process deletion requests within 30 days, subject to our legal retention obligations (see Section 7). To initiate deletion, cancel your subscription in account settings and email privacy@acct4cast.com with the subject line “Data Deletion Request.”
8.4 Right to Data Portability
You may request an export of your data in a machine-readable format (JSON or CSV). This includes your account information and the financial data we have synced from QuickBooks.
8.5 Right to Revoke QuickBooks Access
You may revoke Acct4Cast’s access to your QuickBooks data at any time from within QuickBooks Online under Authorized Apps, or from within your Acct4Cast account settings. Revocation immediately terminates our ability to sync new data. Previously synced data will be deleted within 30 days unless you maintain an active subscription.
8.6 California Residents (CCPA)
California Consumer Privacy Act (CCPA)
California residents have the right to: (1) know what personal information is collected and how it is used; (2) delete personal information; (3) opt out of the sale of personal information (Acct4Cast does not sell personal information and has not done so in the preceding 12 months); and (4) non-discrimination for exercising these rights. To exercise any CCPA right, contact privacy@acct4cast.com with the subject line “CCPA Request.”

8.7 Washington State Residents
Washington State residents may also have rights under Washington State privacy law. Contact us at privacy@acct4cast.com to exercise any applicable state privacy rights. We will respond to verified requests within 45 days.
8.8 How to Exercise Your Rights
To exercise any of the rights above, contact us at privacy@acct4cast.com. Include your registered email address and the specific right you are exercising. We will verify your identity before processing any request. We will respond within 30 days. If we need additional time, we will notify you within the initial 30-day period.

SECTION 9
Cookies and Local Storage

Acct4Cast uses a minimal set of browser storage mechanisms within the authenticated dashboard:

| Name | Type | Purpose | Duration |
|---|---|---|---|
| Session token | Cookie (HttpOnly) | Maintains your authenticated login session. Required for the Service to function. | Session or 7 days |
| Alert threshold | localStorage | Stores your variance alert threshold preference locally in your browser. Never transmitted to our servers. | Until manually cleared |
| Dashboard preferences | localStorage | Stores display preferences such as chart settings and page layout choices. | Until manually cleared |

We do not use third-party advertising cookies, behavioral tracking cookies, or analytics cookies within the authenticated dashboard. The marketing website at acct4cast.com may use standard WordPress analytics cookies for anonymous visitor counting. A cookie notice will be displayed on first visit to acct4cast.com.

SECTION 10
International Data Transfers

Acct4Cast is based in the United States and stores all data on servers located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.
By using the Service, you consent to this transfer. We apply the same data protection standards described in this Policy regardless of where you are located.
If you are located in the European Economic Area (EEA) or the United Kingdom, note that the United States may not provide the same level of data protection as your home jurisdiction. We rely on your consent and contractual necessity as the legal basis for transferring your data to the United States. If you have concerns about international data transfers, contact privacy@acct4cast.com before using the Service.

SECTION 11
Children’s Privacy

The Service is intended for use by business owners, accountants, and financial professionals aged 18 and older. Acct4Cast does not knowingly collect personal information from anyone under the age of 18.
If you believe that a minor has submitted personal information to us, contact us immediately at privacy@acct4cast.com and we will delete it promptly. If we become aware that we have collected personal data from a minor without parental consent, we will take immediate steps to delete that information.

SECTION 12
Changes to This Policy

We may update this Privacy Policy periodically as the Service evolves. Changes will be posted at acct4cast.com/privacy with a revised effective date and updated version number.
For material changes that affect how we collect, use, or share your financial data, we will notify you by email to your registered address at least 14 days before the change takes effect. Material changes include: adding new sub-processors that handle financial data, expanding the scope of data we collect, changing how long we retain data, or modifying your rights under this Policy.
Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you must cancel your subscription and discontinue use of the Service before the effective date.

© 2026 Account4Cast, LLC · Acct4Cast.com