Privacy Policy
DRAFT for Legal Review — not in force. Last revised 2026-05-20. Square-bracketed [DRAFT NOTE → Legal] callouts mark decisions counsel should ratify.
Effective Date: [DRAFT NOTE → Legal: insert publish date]
This Privacy Policy describes how Backoffice.co, Inc. (“Backoffice”, “we”, “us”, or “our”) collects, uses, shares, and processes Personal Information in connection with the software-as-a-service product offered at [DRAFT NOTE → Marketing/Legal: insert final product name] (the “Service”).
[DRAFT NOTE → Legal: confirm whether there is a Backoffice general/platform privacy notice that this product-specific Privacy Policy should reference. If so, add a cross-reference here noting that this Privacy Policy controls with respect to the Service. If not, this Privacy Policy stands alone for the Service.]
This Privacy Policy is incorporated into the Terms of Service for the Service.
1. Scope and Roles
This Privacy Policy applies to Personal Information we process about (a) business customers of the Service (“Customer”); (b) individuals authorized by Customer to use the Service (“Authorized Users”); and (c) third parties whose information appears in Customer Data because they transacted with Customer (e.g., a vendor whose name appears on a bank transaction).
The Service is offered only to business customers located in the United States. We do not knowingly offer the Service to individuals or to customers located in the European Economic Area, the United Kingdom, or Switzerland.
For data we process to provide the Service to Customer, Backoffice acts as the service provider (under U.S. state-privacy law). For data we process for our own purposes (billing, security, telemetry to operate the Service), Backoffice acts as the business.
“Personal Information” means information that identifies, relates to, or is reasonably capable of being associated with a particular individual, including any “personal information” under California, Virginia, Colorado, Connecticut, Utah, or Texas privacy law.
2. Information We Collect
2.1 From Customer and Authorized Users.
| Category | Examples |
|---|---|
| Account and identifiers | Authorized User name, email, Auth0 subject identifier; Customer business name, business address, optional Employer Identification Number (EIN), industry sector |
| Customer-uploaded content | Receipts and supporting documents; memos; classifications and journal-entry edits |
| Communications | Support requests, in-product chat messages, feedback |
2.2 Automatically When You Use the Service.
| Category | Examples |
|---|---|
| Technical telemetry | IP address, user-agent, device and browser type, timestamps |
| Usage events | Product event names and non-sensitive properties |
| Error data | Stack traces and request identifiers (with sensitive fields scrubbed — see § 6.1) |
| Cookies | See § 6 |
2.3 From Connected Accounts.
At Customer’s direction, the Service retrieves data from accounts Customer connects:
(a) From Plaid (bank connectivity). Institution and bank-account metadata; balances; transactions (amount, date, name, merchant name, original description, payment metadata, Plaid’s “personal finance category” classification). The Service does not request from Plaid: account/routing numbers (“auth”), identity, investments, holdings, liabilities, or statements.
(b) From Intuit / QuickBooks Online. Customer’s chart of accounts, vendors, customers, employees, bills, invoices, payments, journal entries, and similar accounting records.
(c) From Stripe (billing). Stripe customer identifier, subscription status, and (for display) payment-method type, brand, last four digits, and expiry. Backoffice does not receive or store full payment-card numbers or CVVs.
(d) From Auth0 (identity). Authorized User identifier, email, name, optional phone, and authentication metadata. Authentication credentials (passwords, MFA factors) are never received or stored by Backoffice.
2.4 What We Do Not Knowingly Collect.
We do not knowingly collect: (a) government-issued identifiers of individuals (Social Security numbers, driver’s-license numbers), other than Customer’s EIN; (b) special categories of personal data under EU/UK law; or (c) Personal Information about minors.
3. How We Use Personal Information
We process Personal Information to: provide the Service (including ingesting and processing data from Connected Accounts, suggesting categorizations, drafting journal entries, and producing reports); operate the AI features described in § 4; administer accounts and billing through Stripe; secure the Service and prevent fraud; respond to support requests; communicate Service-related notices; comply with legal obligations; and defend legal claims.
4. AI Features
The Service uses machine-learning models hosted on Amazon Web Services Bedrock (currently Anthropic’s Claude family and Amazon’s Titan embedding family) to suggest transaction categorizations and generate retrieval embeddings.
- No training on identifiable Customer Data. Backoffice does not use identifiable Customer Data to train, fine-tune, or otherwise improve the underlying foundation models of any third-party model provider. Our agreement with AWS for Bedrock prohibits AWS and its model providers from using our inputs and outputs to train their models.
- What is sent. Inputs include the transaction description and merchant name, the amount bucket, Customer’s chart of accounts, and a small number of relevant prior categorizations within Customer’s Tenant.
- What we retain. We retain metadata about each AI run (model identifier, timing, token counts, predicted category). We do not retain the verbatim prompt content or the verbatim model completion text in operational logs.
- De-identified improvement. We may use de-identified or aggregated signals derived from Customer Data — data from which Customer, Authorized Users, and counterparties have been removed and which cannot reasonably be re-identified — to improve classification accuracy.
- Suggestion, not determination. Output is provided as a suggestion; Authorized Users review and accept, modify, or reject Output before it is committed to Customer’s books. Backoffice does not use the AI features to make automated decisions producing legal or similarly significant effects.
5. How We Share Personal Information
We share Personal Information only as described below.
5.1 Sub-processors.
We use third-party service providers to operate the Service. Sub-processors are bound by contract to use Personal Information only on our instructions. A current list is published at [DRAFT NOTE → Legal: insert URL] and reproduced in this Privacy Policy at Appendix B. We will provide reasonable advance notice to Customer of material additions to the sub-processor list.
Notable sub-processors: Plaid (bank connectivity); Intuit (QuickBooks Online connectivity); Amazon Web Services (hosting, storage, and AI inference via Bedrock, in U.S. regions); Stripe (billing); Auth0 (identity); PostHog (product analytics); Sentry (error monitoring); Snowflake (tenant-keyed model-prediction metadata for accuracy evaluation — no transaction descriptions or merchant identifiers).
5.2 Other recipients.
Professional advisors under confidentiality; acquirers in a merger or asset sale; law enforcement and government bodies in response to a valid legal request; and Customer’s designees within the Service.
5.3 We do not sell Personal Information.
We do not sell Personal Information for monetary or other valuable consideration, and we do not share Personal Information for cross-context behavioral advertising, in each case within the meaning of U.S. state-privacy law.
6. Cookies and Similar Technologies
We use cookies and local storage to authenticate Authorized Users, remember preferences, and measure performance. Strictly-necessary cookies are required to operate the Service; functional, analytics (PostHog), and performance (Sentry) cookies are optional. You can control cookies through your browser settings.
[DRAFT NOTE → Legal: confirm whether a cookie banner is required at launch. US-only with no EU exposure suggests no banner needed; counsel decides.]
6.1 Telemetry Scrubbing.
Error reports sent to Sentry have authentication tokens, JWTs, cookies, session identifiers, payment-card data, and OAuth secrets scrubbed before transmission. PostHog event payloads carry event names and non-sensitive properties only.
[DRAFT NOTE → Legal: prior draft asserted Sentry scrubs customer names, emails, addresses, and tax IDs. The current code scrub list does NOT include those fields. Either (a) we narrow this clause to what is actually scrubbed (current text), or (b) engineering expands the scrub list. Recommend (b) — small code change — but the current claim is the conservative one.]
7. Retention
We retain Customer Data while Customer’s subscription is active and for a reasonable period thereafter for backup, operational, and legal-compliance purposes. We honor verifiable deletion requests as required by applicable law. We may retain Customer Data as reasonably necessary to comply with tax-record, anti-money-laundering, sanctions, or other legal record-retention obligations. De-identified and aggregated data is retained without time limit.
[DRAFT NOTE → Legal: prior draft asserted 90-day deletion, 120-day credential cleanup, 35-day backup ceiling, and 24-month telemetry retention. All four are aspirational — no automated enforcement exists. Replaced with this deliberately general language. Counsel should weigh whether this vagueness is acceptable, or if engineering should commit to building the cleanup automation and the documented windows can return.]
8. Security
Backoffice maintains commercially reasonable administrative, technical, and physical safeguards to protect Customer Data, including: encryption in transit (HTTPS/TLS); encryption at rest for Plaid and QuickBooks access tokens; AWS Secrets Manager for production database credentials; identity and role-based access via Auth0; least-privilege access; audit logging of material mutations to Customer Data; and monitoring.
No security program is perfect. We will notify affected Customers of any security incident involving their Personal Information as required by applicable law.
[DRAFT NOTE → Legal: prior draft asserted “24x7 production monitoring,” “defined incident-response runbook,” and “SOC 2.” None of these are documented in repo today. The current language is what we can support. Engineering should publish an IR playbook before public launch.]
9. Your Rights
9.1 Universal rights.
Subject to verification and applicable law, you may request that we (a) provide access to the Personal Information we have about you, (b) correct inaccurate Personal Information, (c) delete your Personal Information (subject to records-retention obligations in § 7), or (d) provide a portable copy. To exercise a right, email privacy@backoffice.co with the subject line “Privacy Request — Service.” We will respond within the timelines required by applicable law.
You may appeal a decision by replying to our response with the subject line “Privacy Request Appeal.” We will respond within the timelines required by applicable law.
9.2 California, Virginia, Colorado, Connecticut, Utah, and Texas Residents.
Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have the rights in § 9.1. The categories of Personal Information we collect and disclose are set out at Appendix A. We do not sell Personal Information; we do not share Personal Information for cross-context behavioral advertising; we do not engage in targeted advertising; we do not engage in profiling in furtherance of decisions producing legal or similarly significant effects.
9.3 GLBA.
Information ingested from Customer’s bank Connected Accounts is nonpublic personal information within the meaning of the Gramm-Leach-Bliley Act. We process such information solely for the everyday business purposes of providing the Service and as required by law. We do not share it with third parties for marketing. Customers may direct questions about GLBA-covered information to privacy@backoffice.co.
[DRAFT NOTE → Legal: prior draft included a full CFPB-style GLBA notice as Appendix B. Replaced with this one-paragraph statement. If counsel believes the formal model notice is necessary, it can be added back; otherwise this satisfies the basic disclosure requirement for the GLBA Privacy Rule.]
9.4 No discrimination.
We will not deny you the Service, charge a different price, or provide a different quality of service because you exercised a right.
10. Children
The Service is offered only to businesses. We do not knowingly collect Personal Information from any person under 16.
11. International Transfers
Personal Information is stored and processed in the United States.
12. Changes to this Privacy Policy
We may update this Privacy Policy. If a change is material, we will provide reasonable advance notice by email to Customer’s account-administrator address or by in-product notice.
13. Contact
Privacy questions, requests, and complaints: privacy@backoffice.co. Security: security@backoffice.co.
Backoffice.co, Inc.
[DRAFT NOTE → Legal: insert mailing address]
privacy@backoffice.co
Appendix A — Categories of Personal Information Collected and Disclosed
In the twelve months preceding the Effective Date, we have collected the following CCPA-defined categories of Personal Information. We have not sold or shared Personal Information.
| CCPA category | Collected? | Sources | Purposes | Disclosed to |
|---|---|---|---|---|
| A. Identifiers (name, email, account login, IP) | Yes | Customer/Authorized Users; Auth0; automatic | Provide Service; security | Sub-processors (Auth0, AWS, PostHog, Sentry) |
| B. Customer Records (financial account information) | Yes | Connected Accounts (Plaid, QBO); Customer | Provide Service; legal compliance | Sub-processors (Plaid, Intuit, AWS) |
| D. Commercial Information (transaction records) | Yes | Connected Accounts; Customer | Provide Service | Sub-processors (Plaid, Intuit, AWS) |
| F. Internet or Other Network Activity | Yes | Automatic | Operate Service; security | Sub-processors (PostHog, Sentry, AWS) |
| G. Geolocation (city/state-level inferred from IP) | Yes (general only) | Automatic | Security; fraud prevention | Sub-processors (AWS) |
| I. Professional / Employment Information (business EIN, business address) | Yes | Customer | Provide Service; legal compliance | Sub-processors (Stripe, AWS) |
| L. Sensitive Personal Information (financial-account information) | Yes | Connected Accounts (Plaid) | Provide Service | Sub-processors (Plaid, AWS) |
We retain each category for the periods set out in § 7. Categories C, E, H, J, and K of the CCPA are not collected.
Appendix B — Sub-Processor List
The current sub-processor list is maintained on the Sub-processors page and incorporated here by reference.