PRIVACY POLICY

1. Information We Collect

1.1 Account Information

When you register or sign in via OAuth 2.0, we collect your name, email address, organization name, job title, and authentication tokens provided by your identity provider (e.g., Google, Microsoft, Okta). We never receive or store your identity provider password.

1.2 QuickBooks Online Data

When you connect your QuickBooks Online account, we retrieve financial data from your QBO company file through Intuit's APIs using OAuth 2.0. The specific data categories include: chart of accounts and account balances; journal entries and general ledger data; invoices, bills, payments, and purchase orders; customer and vendor records; financial reports (profit and loss, balance sheet); and other accounting data necessary for FP&A functionality. We only request the minimum API scopes necessary to deliver our services. We do not store your QuickBooks username or password.

1.3 Other Financial and Business Data

You and your Authorized Users may upload or connect additional financial data, including budgets, forecasts, and other FP&A data through direct upload or via Third-Party Services such as API Deck.

1.4 AI Interaction Data

When you use AI Features, we collect your prompts, queries, selected parameters, and the AI-generated outputs. This data is stored within the Platform's databases and is used to provide the service and improve Platform functionality. QuickBooks Data is not sent to third-party LLM providers.

1.5 Usage and Technical Data

We automatically collect IP address, browser type and version, device identifiers, pages visited, features used, session duration, error logs, and performance metrics.

1.6 Cookies and Similar Technologies

We use session cookies for authentication and user preferences, and analytics cookies to understand usage patterns. You can manage cookie preferences through your browser settings. We do not use advertising or tracking cookies. For details on each cookie type we use, please see our cookie notice on our website.

2. How We Use Your Information

We use the information we collect to: (a) provide, maintain, and improve the Platform, including FP&A analysis using QuickBooks Data; (b) process and deliver AI-powered analyses and forecasts using Platform-resident data; (c) authenticate your identity and manage access controls via OAuth 2.0; (d) facilitate integrations with QuickBooks Online and other Third-Party Services; (e) send service-related communications and alerts; (f) detect and prevent fraud, abuse, and security incidents; (g) comply with legal obligations; and (h) generate aggregated, de-identified analytics to improve the Platform. We do not use your QuickBooks Data for purposes unrelated to providing the Platform services to you.

3. Data Storage and Infrastructure

3.1 Database Systems

Your data is stored across two primary database systems:

• PostgreSQL: Used for structured relational data including account information, financial models, chart of accounts data, transactional records, user configurations, and access controls.
• MongoDB: Used for semi-structured and document-oriented data including AI interaction logs, report templates, dashboard configurations, and flexible analytical workspaces.

3.2 Security Measures

We implement the following security measures:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Network isolation and firewall protections
• Regular security audits and penetration testing
• Automated backup and disaster recovery procedures
• Role-based access controls within our infrastructure
• Database activity monitoring and alerting
• Secure storage of all OAuth tokens and API credentials (never hardcoded or exposed in client-side code)
• Input sanitization and output encoding to prevent injection and XSS vulnerabilities

3.3 Data Location

Your data is stored in data centers located in the United States. We will not transfer your data to other regions without prior notice and, where required, your consent.

4. AI and LLM Data Processing

4.1 Architecture Overview

The Platform uses large language models (LLMs) provided by third-party AI services to power its AI Features, including natural language analysis, forecasting, and automated reporting. The AI Features operate on data stored within the Platform's own databases.

4.2 QuickBooks Data and AI Separation

QuickBooks Data retrieved through the QuickBooks Online integration is stored in the Platform's PostgreSQL and MongoDB databases. This data is not transmitted to, processed by, or shared with third-party LLM providers (such as Anthropic, OpenAI, or similar services). AI Features do not ingest, read, or process QuickBooks Data. The separation between QuickBooks Data storage and AI processing is maintained by architectural design.

4.3 AI Provider Commitments

For data that is processed by AI Features (non-QuickBooks Platform data such as user prompts and AI interaction data), our LLM providers are contractually bound to:

• Not use your data to train or improve their general-purpose models
• Not retain your data beyond the processing session unless required for abuse prevention
• Maintain SOC 2 Type II compliance or equivalent
• Process data in compliance with applicable data protection laws

4.4 AI Data Retention

AI prompts and outputs are retained for up to twelve (12) months for service improvement, debugging, and audit purposes. You may request earlier deletion by contacting us.

5. QuickBooks Online Integration Privacy

5.1 OAuth 2.0 Authentication

We access your QuickBooks Online data exclusively through Intuit's OAuth 2.0 protocol. We never receive, store, or have access to your QuickBooks Online username or password. OAuth tokens are stored using industry-standard encryption and can be revoked by you at any time.

5.2 Minimum Scope Access

The Platform requests only the minimum API scopes necessary to provide its FP&A functionality. We do not request access to payroll data, payment processing, or other QuickBooks features outside the scope of financial planning and analysis unless explicitly disclosed and authorized.

5.3 Disconnect and Data Deletion

You may disconnect the Platform from your QuickBooks Online account at any time by revoking access through your QuickBooks Online settings (Settings > Manage Apps) or through the Platform's disconnect function. Upon disconnection:

• The Platform immediately stops all API calls to your QuickBooks company file
• Stored QuickBooks Data is retained for ninety (90) days to facilitate potential reconnection
• After ninety (90) days, QuickBooks Data is permanently deleted from all production systems

You may request immediate deletion of your QuickBooks Data at any time by contacting us at help@valzo.ai, and we will process the request within thirty (30) days.

5.4 No Sale of QuickBooks Data

We do not sell, rent, lease, or trade your QuickBooks Data to any third party. QuickBooks Data is used exclusively to provide Platform services to you and your Authorized Users. QuickBooks Data is not shared with, displayed to, or made accessible to any party other than you and your Authorized Users.

6. Third-Party Data Sharing

We share data with the following categories of third parties:

• Intuit (QuickBooks Online): OAuth tokens and financial data read/write per authorized scopes, for the purpose of syncing accounting data for FP&A.
• API Deck / Financial Connectors: OAuth tokens, API keys, and financial data necessary for integration, for the purpose of connecting additional financial systems.
• LLM Providers (e.g., Anthropic): User prompts and AI interaction data only; no QuickBooks Data is shared, for the purpose of powering AI Features.
• Cloud Hosting Providers: All Platform data (encrypted at rest and in transit), for the purpose of infrastructure hosting.
• Analytics Providers: Anonymized usage and performance data only, for the purpose of product improvement.
• Authentication Providers: OAuth tokens and basic identity information, for the purpose of user login and identity verification.

We do not sell your personal information or your QuickBooks Data. We may disclose information when required by law, subpoena, or government request, or to protect the rights, property, or safety of our users or the public.

7. "Do Not Sell or Share" Commitment

We do not sell or share (as those terms are defined under the California Consumer Privacy Act and similar state privacy laws) your personal information, including QuickBooks Data, to third parties for monetary or other valuable consideration. We do not use your personal information for cross-context behavioral advertising.

8. Your Rights and Choices

8.1 General Rights

Depending on your jurisdiction, you may have the right to:

• Access and receive a copy of your personal data
• Correct inaccurate personal data
• Request deletion of your personal data
• Object to or restrict processing of your data
• Data portability (receive your data in a machine-readable format)
• Withdraw consent where processing is based on consent
• Opt out of the sale or sharing of your personal information

8.2 QuickBooks-Specific Rights

In addition to the general rights above, you may:

• Disconnect the Platform from your QuickBooks Online account at any time
• Request deletion of all stored QuickBooks Data
• Request a summary of what QuickBooks Data we hold
• Revoke OAuth access through QuickBooks Online settings

8.3 Exercising Your Rights

To exercise any of these rights, contact us at help@valzo.ai. We will respond within thirty (30) days of receiving a verified request. We will not discriminate against you for exercising any of these rights.

9. California and State Privacy Law Compliance

9.1 California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. These include:

• The right to know what categories of personal information we have collected, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share personal information
• The right to delete your personal information, subject to certain exceptions
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information
• The right to limit the use and disclosure of sensitive personal information
• The right to non-discrimination for exercising your privacy rights

9.2 Other State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, or another state with comprehensive privacy legislation, you may have similar rights. We honor privacy requests from all U.S. residents regardless of specific state law applicability.

10. Data Retention

We retain your data according to the following schedule:

• Account Information: Duration of account plus three (3) years
• QuickBooks Data: Duration of connection plus ninety (90) days
• AI Interaction Data: Twelve (12) months
• Usage and Technical Data: Twenty-four (24) months
• Financial Models and Reports: Duration of account plus ninety (90) days

Backup copies may be retained for up to an additional thirty (30) days. Data required for legal compliance or dispute resolution may be retained longer as necessary.

11. International Data Transfers

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer. We implement appropriate safeguards for any international transfers as required by applicable law.

12. Children's Privacy

The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will delete that information.

13. Security Incident Response

In the event of a security incident affecting your personal information, we will notify you and any applicable regulatory authorities as required by law. Notification will include a description of the incident, the types of data affected, and the steps we are taking in response.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Effective Date" above. For significant changes affecting QuickBooks Data, we will provide additional notice (such as email notification or in-app alert) at least thirty (30) days before the changes take effect. Your continued use of the Platform after any changes indicates your acceptance of the updated policy.

15. Third-Party Links and Services

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: