Legal
Privacy Policy
Effective date: March 1, 2025 · Last updated: March 1, 2025
Books Fixer · booksfixer.evercleanhouse.com
Privacy at a glance
🔒
Tokens stored securely
OAuth tokens in encrypted server DB only
📊
Financial data not stored
Reports fetched on-demand, never saved
🤖
AI receives anonymized data only
Rounded summaries, no exact figures
🚫
No data sold or shared
Private app — single authorized user
1. Who We Are
Books Fixer ("the App," "we," "our") is a private, single-user web application operated by its
owner for internal business use only. The App is accessible at
https://booksfixer.evercleanhouse.com. It is not a public product and is not
available to the general public.
This Privacy Policy describes how the App collects, uses, stores, and protects information
obtained through its connection to QuickBooks Online via Intuit's OAuth 2.0 API.
2. What Information We Collect
The App collects only the minimum information required to function:
- QuickBooks OAuth tokens — Access token, refresh token, token expiry timestamp, and company Realm ID received from Intuit's OAuth 2.0 authorization flow. These are stored permanently in a server-side PostgreSQL database to maintain the connection between sessions.
- QuickBooks company name — Fetched automatically from the QuickBooks Company Info endpoint after authorization and stored as a display label.
- Authentication email — A single authorized email address is configured server-side. No user registration or profile data is stored.
- Session data — A signed JSON Web Token (JWT) stored in an HTTP-only cookie for session management. The cookie expires automatically.
Financial data is NOT permanently stored.
Profit & Loss reports, Balance Sheet data, invoices, bills, journal entries, accounts, and all other QuickBooks financial records are fetched from the Intuit API on demand and returned directly to the browser. None of this data is written to the application's database.
3. How We Use QuickBooks Data
The App accesses the following QuickBooks Online data exclusively via the com.intuit.quickbooks.accounting scope:
- Profit & Loss reports (read-only)
- Balance Sheet reports (read-only)
- Aged Receivables and Aged Payables reports (read-only)
- Chart of Accounts (read-only)
- Open Invoices and Bills (read-only, SELECT queries only)
- Journal Entries (read-only)
- Purchase transactions (read-only, for duplicate detection)
- Company Info (read-only, for company name and closing date)
The App is read-only. It never creates, modifies, or deletes any data in
QuickBooks Online. All API interactions are limited to GET requests and read-only SELECT queries.
This data is used solely to display financial health summaries, detect bookkeeping issues,
and provide AI-assisted analysis for the App's sole authorized user.
4. AI and Third-Party Services
The App uses OpenAI's API to provide AI-powered financial analysis. When this feature is enabled:
Anonymized data only is sent to OpenAI.
Financial figures are rounded and anonymized before being included in AI prompts.
For example, a revenue figure of $127,543 is sent to OpenAI as "$128K". No exact
dollar amounts, customer names, vendor names, or transaction IDs are transmitted to
OpenAI.
The following third-party services are used:
- Intuit / QuickBooks Online — OAuth 2.0 authorization and accounting data API. Governed by Intuit's own privacy policy.
- OpenAI — AI language model API. Receives only anonymized, rounded financial summaries. No personally identifiable information is transmitted.
- Resend — Transactional email service used to deliver authentication (magic link) emails. Receives only the authorized admin email address.
No other third parties receive any data from this application.
5. Data Storage and Security
The App is hosted on a private Linux VPS server in the United States. Security measures include:
- HTTPS (TLS) enforced for all connections via Let's Encrypt / nginx
- HTTP security headers via Helmet.js (HSTS, CSP, X-Frame-Options, etc.)
- OAuth tokens stored server-side only — never exposed to the browser or client-side code
- Client ID and Client Secret stored in server environment variables only
- All application routes require authenticated session (HTTP-only JWT cookie)
- Rate limiting on authentication and API endpoints
- PostgreSQL database accessible only from localhost (no external access)
6. Data Retention and Deletion
QuickBooks OAuth tokens and company connection records are retained for as long as the
QuickBooks connection is active. The authorized user can disconnect any QuickBooks company
at any time from the QB Connect page within the App. Disconnecting removes
all stored tokens for that company from the database immediately.
To request complete deletion of all stored data, contact the App owner at the email below.
7. Access and Authorization
This App is a private application with a single authorized user. Access is controlled by:
- A server-configured admin email address — only this email can authenticate
- Magic link authentication via one-time tokens (15-minute expiry, single-use)
- Signed JWT session cookies (HTTP-only, Secure)
No other individuals have access to the App or the QuickBooks data it processes.
8. Intuit Platform Compliance
This App was developed in compliance with Intuit's Developer Terms of Service and
QuickBooks API usage guidelines. The App:
- Uses only officially documented Intuit OAuth 2.0 endpoints
- Does not share QuickBooks data with any unauthorized party
- Does not store QuickBooks financial data beyond what is necessary for OAuth session management
- Provides clear Connect and Disconnect controls to the authorized user
- Automatically refreshes access tokens before expiry
- Handles token expiry and invalid grant errors gracefully
9. Changes to This Policy
If this Privacy Policy is updated, the "Last updated" date at the top of this page will be
revised. Because this App is private and has a single authorized user, no additional
notification mechanism is required.
