Privacy Policy

Last updated: May 18, 2026

1. Overview

BridgeBooks (“BridgeBooks,” “we,” “us,” “our”) is a B2B software product that helps accounting professionals import bank, credit card, and Venmo statements into QuickBooks Online. This Privacy Policy describes what information we collect, how we use it, who we share it with, and the choices you have.

We act as a data controller for information collected from public visitors to our marketing website (analytics, demo requests). We act as a data processor for the financial records our accounting-firm customers upload on behalf of their own clients — the firm is the controller of that data and BridgeBooks processes it under the firm's instructions.

2. Information We Collect

We collect information in the following categories:

Account information

  • Email address
  • Password (stored as a one-way hash by our auth provider)
  • Name and display name
  • One-time codes used for two-factor authentication (2FA)

Firm information

  • Firm / business name
  • Team member roles (admin, accountant, reviewer, viewer)
  • Invitation history (emails invited, status, timestamps)

Statement and transaction data

  • PDF and CSV statements you upload
  • Transactions extracted from those statements — date, amount, description, merchant / vendor name, bank account name, and running balance
  • Per-client vendor rules and account-mapping preferences
  • Notes, flags, and review status you add during transaction review

QuickBooks Online integration data

  • OAuth access and refresh tokens (encrypted at rest)
  • QuickBooks realm ID and company name
  • Chart of accounts, vendor list, and bank-account list
  • Transactions you choose to push from BridgeBooks to QBO

Demo request info

  • Name, work email, firm name
  • Approximate client count (optional)
  • Free-text message (optional)

Communications metadata

  • When transactional emails (statement-ready notifications, team invitations, password resets) are sent and to whom
  • Email delivery status returned by our email provider

Usage and analytics data

  • Page views, navigation paths, anchor clicks, conversion events
  • Session recordings, scroll depth, and heatmap data (on marketing pages only — see Section 4 for how authenticated pages are masked)
  • Core Web Vitals and page-load performance metrics

Device and browser info

  • User agent, browser, operating system, viewport / device size
  • IP address (used by our analytics providers and edge network for geolocation and abuse prevention)
  • Approximate location inferred from IP (country / region)

3. How We Use Your Information

We use the information above to:

  • Operate the service — extract transactions from your uploaded statements, push approved transactions into your QuickBooks Online file, store the results
  • Authenticate you — verify your identity at login, send password-reset and 2FA emails, maintain trusted device records
  • Send transactional emails — notify you when statements finish processing, when team members invite you, when sensitive account changes occur, when you request a demo
  • Improve UX — analyze aggregated usage, session recordings of marketing pages, and Web Vitals to find and fix problem areas
  • Comply with legal obligations — maintain audit logs of who did what and when, retain records as required by applicable financial regulations
  • Prevent fraud and abuse — rate-limit login attempts, detect anomalous activity, honor account-disable requests

4. How We Share Your Information

BridgeBooks does not sell or rent personal information. We share information with the following third-party subprocessors strictly to operate the service:

Provider | Purpose | Data shared | Location
--- | --- | --- | ---
Supabase | Authentication, database, file storage, edge functions | All account, firm, statement, and transaction data | US — Ohio (us-east-2)
Resend | Transactional email (demo confirmations, statement-ready notices, team invitations) | Recipient email, sender info, message body | US / EU
Vercel | Hosting, edge functions, Web Analytics, Speed Insights, social-share image generation | Page request metadata, IP, user-agent, Core Web Vitals | US (origin) — global edge network
Google Analytics 4 | Behavioral analytics on the marketing site | Page paths, navigation events, conversion events, device info, IP-derived approximate location | US (Google's global infrastructure)
Microsoft Clarity | Session recordings, heatmaps, scroll-depth analysis — for UX research | Mouse positions, scrolls, clicks. On authenticated pages and during sign-in / password reset, all on-screen text content is masked from playback (see note below) | US / EU
Intuit / QuickBooks Online | Destination for transactions you push, via OAuth-authorized API access you grant | Transactions, vendors, accounts you explicitly send to your QBO file | US
n8n | Statement extraction workflow service that converts PDF / CSV statements into structured transactions | Uploaded statement file, bank account ID, QBO realm ID and OAuth token (used to write extraction results back to your file) | Processed on BridgeBooks-controlled infrastructure

Clarity masking on sensitive pages: On every authenticated page (e.g. /Dashboard, /TransactionReview, /UploadStatement, /TeamManagement) and during the sign-in, password-reset, and invitation-accept flows, Microsoft Clarity records the page structure and interaction patterns but masks all text content from session playback. Bank account numbers, transaction descriptions, vendor names, email addresses being typed, and any other on-screen text inside those pages are not viewable in Clarity recordings.

5. Cookies and Similar Technologies

We and our subprocessors use cookies, localStorage, and sessionStorage entries to operate the service and measure usage. The current inventory:

Key | Set by | Purpose | Lifetime
--- | --- | --- | ---
_ga, _ga_* | Google Analytics 4 (cookies) | Distinguish visitors and sessions | 2 years
Clarity session cookie | Microsoft Clarity (cookies) | Tie page views to a session recording | Session
Vercel Analytics tracking | Vercel (first-party) | Aggregate page views and Core Web Vitals | Session
Supabase auth session JWT | Supabase Auth (localStorage) | Keep you signed in across page reloads | Until sign-out or token expiry
sidebar_state | BridgeBooks (cookie) | Remember whether the in-app sidebar is open or closed | 7 days
active_firm_id | BridgeBooks (localStorage) | Reopen your last-used firm at next login | Until sign-out or cleared
TRUSTED_DEVICE_TOKEN | BridgeBooks (localStorage) | Opt-in: skip 2FA on a trusted browser for 30 days | 30 days from last use
returnTo | BridgeBooks (sessionStorage) | Redirect you back to the page you tried to open before signing in | Single-use, cleared after login

A cookie-consent banner that gates the analytics cookies above (GA4, Clarity, Vercel Analytics) on prior consent is on our near-term roadmap. Until it ships, you can disable analytics cookies via your browser's tracking-protection settings or use a privacy-focused browser extension.

6. Data Retention

We retain data per the following schedule:

  • Statement PDFs / CSVs — retained while your QuickBooks Online connection is active; deletable on request.
  • Extracted transaction records — retained for the life of your account so the audit trail of what was imported and pushed remains intact for your firm and your clients.
  • Audit logs — retained indefinitely; small footprint, required as compliance evidence.
  • Trusted device tokens — 30 days from last use, auto-expire.
  • Invitations — retained until accepted or explicitly revoked.
  • Marketing analytics — retained per each provider's default policy (Google Analytics 14 months, Microsoft Clarity 13 months, Vercel Analytics 30 days).
  • Demo requests — retained for up to 2 years for sales follow-up.

You can request earlier deletion of any of the above by emailing the address in Section 12.

7. International Data Transfers

Your account data and uploaded statements live in our Supabase project, hosted in the United States (Ohio region, us-east-2). Vercel serves the website from its global edge network with origin compute in the US. Google Analytics, Microsoft Clarity, and Vercel Analytics process telemetry primarily in the US (with possible secondary processing in each provider's other regions per their own privacy policies). Intuit processes your QuickBooks data in the US.

For customers located in the European Economic Area, United Kingdom, or Switzerland, transfers of personal data to the United States rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent safeguards offered by each subprocessor.

8. Your Rights and Choices

You can exercise the following rights by emailing the contact in Section 12. We'll respond within 30 days.

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate information.
  • Deletion — request that we delete your personal data and close your account (subject to record-keeping obligations).
  • Portability — receive your data in a portable, machine-readable format.
  • Opt-out of analytics — use browser-level tracking-protection settings or the official Google Analytics opt-out browser add-on. A consent banner is forthcoming.
  • Marketing communications — in-app notification emails are gated by a per-user preference toggle in your account settings. To stop sales-related follow-ups, reply STOP to the email or contact us directly.

California residents (CCPA / CPRA): you additionally have the right to know what personal information we've collected, to whom we've disclosed it, and to opt out of any “sale” or “sharing” of it. BridgeBooks does not sell personal information.

EU / UK residents (GDPR): you have the rights of access, rectification, erasure, restriction of processing, data portability, objection, and to withdraw consent at any time. You also have the right to lodge a complaint with your local data-protection supervisory authority.

9. Security

The technical and operational safeguards in place today:

  • TLS encryption for all data in transit
  • Encryption at rest in our Supabase Postgres database and file storage
  • Row-level security policies enforcing per-firm data isolation in Postgres
  • OAuth 2.0 with CSRF nonce protection for the QuickBooks Online connection
  • Optional two-factor authentication via email OTP
  • Trusted-device tokens stored as hashes only on the server
  • Comprehensive audit logging of administrative and data-write actions
  • Access to production data restricted to BridgeBooks staff on a strict need-to-know basis

No security program is perfect. If you believe you've found a vulnerability or have a security concern, please email us at the address in Section 12 with the subject line SECURITY.

10. Children's Privacy

BridgeBooks is built for accounting professionals operating a business. It is not directed at children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us so we can delete it.

11. Changes to This Policy

We update the “Last updated” date at the top of this page whenever the text changes. For material changes that affect how we handle your data, we'll also notify account holders by email and via an in-app banner before the change takes effect.

12. Contact

For questions about this policy, to exercise the rights in Section 8, or for any other privacy-related concern, email korey@firmbuilt.co. EU / UK residents seeking a designated data-protection contact should use the same address until a Data Protection Officer is formally appointed.