Backoffice Platform Privacy Policy
Effective Date: June 12, 2026
This Privacy Policy describes how Backoffice.co, Inc. (“Backoffice,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the software-as-a-service product (“Backoffice Platform”) offered at https://www.backoffice.co (the “Service”). This Privacy Policy is incorporated into the Backoffice Platform Terms of Service. If you do not agree with this Privacy Policy, please do not use the Service. Depending on how you interact with us, you may also be subject to the Finally Privacy Policy.
1. What This Privacy Policy Covers
This Privacy Policy applies to “Personal Information,” meaning information that identifies, relates to, or can reasonably be associated with you. It covers Personal Information we process about: (a) businesses and sole proprietors that subscribe to, or begin onboarding for, the Service (each, a “Customer”); (b) individuals a Customer authorizes to use the Service, including in owner, administrator, member, or viewer roles (“Authorized Users”); and (c) individuals whose information appears in a Customer’s data because they transacted with the Customer — for example, a vendor named on a bank transaction (“Transaction Parties”).
“Customer Data” means data retrieved from a Customer’s Connected Accounts (defined in Section 2.3) and content a Customer or its Authorized Users otherwise provides to the Service.
This Privacy Policy also describes the cookies and similar technologies used on our public marketing website at https://www.backoffice.co (the “Website”), which anyone may visit without an account.
The Service is a business product. It is offered only to business customers located in the United States. We do not offer the Service to consumers for personal, family, or household purposes, and we do not knowingly offer it to individuals or customers located in the European Economic Area, the United Kingdom, or Switzerland.
1.1 Our Role
When we process Customer Data to provide the Service, we do so on the Customer’s behalf and at the Customer’s direction. When we process Personal Information for our own purposes (such as account administration, billing, securing the Service, and product analytics) we determine how and why that information is used, as described in this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
| Category | Examples |
|---|---|
| Account information and identifiers | Authorized User name, email address, optional phone number, and Auth0 subject identifier; Customer business name, business address, optional Employer Identification Number (EIN), and industry sector. |
| Customer-uploaded content | Receipts and supporting documents; memos; categorizations and journal-entry edits. |
| Communications | Support requests; messages you exchange with our team and your bookkeeper; feedback. |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Technical telemetry | IP address, user-agent, device and browser type, timestamps. |
| Usage events | Product event names and non-sensitive event properties (collected through PostHog). |
| Error data | Stack traces and request identifiers, with sensitive fields scrubbed before transmission (see Section 7.1). |
| Cookies and similar technologies | See Section 7. |
2.3 Information from Connected Accounts
At the Customer’s direction, the Service retrieves data from third-party accounts the Customer connects (“Connected Accounts”), including:
- Through Plaid (bank connectivity). Financial institution and bank account metadata; balances; and transaction data (amount, date, name, merchant name, original description, payment metadata, and Plaid’s “personal finance category” classification). The Plaid connection refreshes transaction data on a periodic basis while it remains connected. The Service does not request account or routing numbers, identity data, investments, holdings, liabilities, or statements from Plaid. Plaid’s collection, use, and sharing of data is described in the Plaid End User Privacy Policy, available at https://plaid.com/legal/#end-user-privacy-policy.
- Through Stripe (billing). Stripe customer identifier, subscription status, and (for display purposes) payment-method type, brand, last four digits, and expiration date. Backoffice does not receive or store full payment-card numbers or CVVs.
- Intuit / QuickBooks Online. The Customer’s chart of accounts, vendors, customers, employees, bills, invoices, payments, journal entries, and similar accounting records, retrieved when the Customer connects its QuickBooks Online account.
- Auth0 (identity). Authorized User identifier, email, name, optional phone number, and authentication metadata. Authentication credentials (passwords and multi-factor authentication factors) are never received or stored by Backoffice.
The Service may allow Customers to connect other services or accounts to the Service. This Privacy Policy does not apply to the data practices of these third parties, and we encourage you to review the privacy policies and notices associated with any such account or service that you connect to the Service.
2.4 Prospective Customers
During onboarding, you may connect one or more Connected Accounts before electing a subscription. If you connect an account but do not complete your subscription, we still may have received data described in Section 2.3 from the accounts you connected, and certain connections (such as Plaid) may continue to retrieve data periodically until disconnected. If you do not complete your subscription within a reasonable period, we disconnect your Connected Accounts so that no further data is retrieved, and we delete or de-identify the data we received. You may request earlier disconnection and deletion at any time by contacting privacy@backoffice.co, and you may also revoke Plaid access directly through your Plaid Portal.
2.5 Information We Do Not Knowingly Collect
We do not knowingly collect government-issued identifiers of individuals (such as Social Security numbers or driver’s-license numbers) other than a Customer’s EIN, and we do not knowingly collect Personal Information about anyone under the age of 16, as further described in Section 11.
3. How We Use Personal Information
We use Personal Information to:
- Provide, operate, and maintain the Service, including ingesting and processing data from Connected Accounts, suggesting transaction categorizations, drafting journal entries, supporting month-end close activities, and producing financial reports;
- Operate and provide the AI features described in Section 4;
- Create de-identified and aggregated data as described in Section 5;
- Administer accounts and process billing;
- Secure the Service, prevent fraud and abuse, and debug and fix errors;
- Respond to support requests and communicate with you about the Service, including Service-related notices;
- Comply with legal obligations and establish, exercise, or defend legal claims.
4. AI Features
The Service uses machine-learning models hosted on Amazon Web Services (“AWS”) Bedrock to power features such as suggested transaction categorizations and retrieval embeddings.
- No training on identifiable Customer Data. We do not use identifiable Customer Data to train, fine-tune, or otherwise improve the underlying foundation models of any third-party model provider, and our agreement with AWS prohibits AWS and its model providers from using our inputs and outputs to train their models.
- What is sent to the models. Inputs include the transaction description and merchant name, the amount bucket, the Customer’s chart of accounts, and a small number of relevant prior categorizations from within the Customer’s own account.
- What we retain. We retain metadata about each AI run (model identifier, timing, token counts, and the predicted category). We do not retain verbatim prompt content or verbatim model output in our operational logs.
- Human review. AI output is provided as a suggestion. We do not use AI features to make automated decisions that produce legal or similarly significant effects about individuals.
- AI-assisted communications. Certain communications between us and Customers may be initially drafted or handled by an AI assistant before being handed off to, or reviewed by, an individual.
5. De-Identified and Aggregated Data
We may create de-identified or aggregated data from Customer Data, including data retrieved through Connected Accounts such as Plaid. “De-identified” and “aggregated” data refer to data from which individually identifiable information about the Customer, Authorized Users, and Transaction Parties have been removed and which cannot reasonably be used to identify them. We use this data to improve the Service (for example, to improve categorization accuracy) and to analyze patterns across industries and business types, and we may make aggregated, anonymized insights and benchmarks derived from this analysis available to Customers. We commit to maintaining this data only in de-identified or aggregated form and not to attempt to re-identify it, except where permitted by law (such as to test the effectiveness of our de-identification processes) or where required by law.
6. How We Disclose Personal Information
We disclose Personal Information only as described below. We do not sell Personal Information.
6.1 Service Providers (Sub-Processors)
We use third-party service providers to operate the Service. They are bound by contract to use Personal Information only to provide services to us and on our instructions. A list of our current sub-processors is published at https://www.backoffice.co/subprocessors. We may add or remove sub-processors from time to time. When we do so, we will update the “last modified” date listed in the document.
6.2 Other Recipients
- Professional advisors (lawyers, accountants, auditors, and insurers) under duties of confidentiality;
- A successor, acquirer, or similar counterparty (and their agents, consultants, attorneys, and similar) in connection with a merger, acquisition, financing, reorganization, sale of assets, or other corporate transaction, subject to appropriate protections;
- Law enforcement, regulators, and other government bodies in response to a valid legal request, or where disclosure is necessary to protect our rights, your safety, or the safety of others;
- Recipients the Customer designates, such as the Authorized Users a Customer invites within the Service.
7. Cookies and Similar Technologies
7.1 In the Service
Within the Service itself, we use cookies and local storage to authenticate Authorized Users, maintain sessions, and remember preferences (strictly necessary), and we use cookies and similar technologies for product analytics (PostHog) and error monitoring (Sentry). We do not use advertising cookies within the Service. Disabling strictly necessary cookies through your browser settings may prevent the Service from functioning.
7.2 On Our Website
Our public Website uses a limited set of cookies and similar technologies:
- Bot and abuse prevention (Cloudflare Turnstile). Our contact form uses Cloudflare Turnstile to distinguish real visitors from automated abuse. This processes limited technical signals (such as IP address and browser characteristics) to render and verify the challenge.
- Analytics (PostHog), consent-gated. We use PostHog to understand how visitors use the Website (such as pages viewed and non-sensitive interaction events). PostHog loads only after you accept analytics cookies through the cookie banner shown on your first visit; if you decline, no analytics scripts or cookies are loaded.
We do not use advertising cookies on the Website, we do not use the Website to deliver targeted or cross-context behavioral advertising, and we do not sell or share Website-visit data with advertising platforms.
Representative cookies as of the Effective Date are listed below; the specific cookies in use may change over time.
| Category | Provider | Purpose |
|---|---|---|
| Strictly necessary / security | Cloudflare (Turnstile) | Bot and abuse prevention on web forms |
| Analytics (loaded only after consent) | PostHog | Website and product usage analytics |
7.3 Your Choices
When you first visit the Website, our cookie banner lets you accept or decline analytics cookies, and you can change your decision at any time. You can also control or delete cookies through your browser settings, including blocking third-party cookies. Because we do not use advertising cookies, there are no ad-targeting preferences to manage for the Website. Please note that blocking strictly necessary cookies may affect how the Website and the Service function.
8. Data Retention
We retain Customer Data while the Customer’s subscription is active and for a reasonable period thereafter for backup, operational, legal-compliance, and other legitimate business purposes. We retain data collected from prospective customers as described in Section 2.4. We honor verifiable deletion requests as described in Section 10, except where retention is reasonably necessary to comply with tax-record, anti-money-laundering, sanctions, or other legal obligations; to resolve disputes; or to enforce our agreements or other rights. De-identified and aggregated data may be retained without time limit.
9. Security
Backoffice maintains commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data. However, no method of transmission or storage is completely secure. If you have created an account with us, you are responsible for keeping confidential any usernames and passwords you use to access the Service. Do not share your password with anyone else, and do not reuse it for other services or products. For more on the safeguards in place, see our Security page.
10. Your Privacy Choices
10.1 Privacy Requests
Subject to identity verification and applicable law, you may request that we: (a) provide access to the Personal Information we hold about you; (b) correct inaccurate Personal Information; (c) delete your Personal Information (subject to the retention obligations in Section 8); or (d) provide a portable copy of Personal Information you provided to us. To make a request, email privacy@backoffice.co with the subject line “Privacy Request.” We will respond within a reasonable time and within any timeline required by applicable law. If you are dissatisfied with our response, you may ask us to reconsider by replying with the subject line “Privacy Request — Appeal.”
Because we process Customer Data on the Customer’s behalf, if you are an Authorized User or a Transaction Party and your request concerns Customer Data, we may direct your request to the relevant Customer or assist that Customer in responding.
We will not deny you the Service, charge you a different price, or provide a different level of quality of service because you exercised any of these choices.
10.2 Communication Preferences
Depending on where you live and your choices about how to engage with us, you may receive marketing communications from us. You can follow the instructions below to opt out of marketing communications:
- Emails. To opt out of email communications, click the “unsubscribe” link at the bottom of the email or contact us.
- Text Messages. If you receive an unwanted text message from us, you may opt out of receiving future text messages by following the instructions in the message you received or by otherwise contacting us as set forth in the “Contact Us” section below.
- Push Notifications. In some cases, you may choose to opt in to receive push notifications from us. If you no longer want to receive them, you can turn them off at the device level.
Please note that if you opt out of receiving marketing communications, we may still send you informational communications about your account or any Services you have requested, used, or received.
11. Children
The Service is offered only to businesses and is not directed to children. We do not knowingly collect Personal Information from anyone under 16. If you believe a child has provided us Personal Information, contact privacy@backoffice.co and we will delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including if Backoffice becomes subject to additional laws, or where legal requirements change over time. If a change is material, we will provide reasonable advance notice by email to the Customer’s account-administrator address or by in-product notice before the change takes effect. The “Effective Date” above reflects the date this Privacy Policy was last revised.
13. Contact Us
For privacy questions, requests, and complaints: privacy@backoffice.co.
For data security matters: security@backoffice.co.
Backoffice.co, Inc.