Privacy Policy

Auditable Books is operated by Novalycs Inc., operating as Auditable Books, a company organized in Nova Scotia, Canada. We provide an AI-assisted month-end close cockpit for accounting firms and their clients, including reconciliation, AR/AP analysis, sales-tax recomputation, and audit-evidence assembly. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over it.

Throughout this document, "Auditable Books", "we", "us", and "our" refer to Novalycs Inc., operating as Auditable Books.

We treat two kinds of users differently:

• Firm users — accountants, bookkeepers, and partners who sign up for Auditable Books. We are the data controller for their personal information.
• Firm clients (data subjects) — the small and mid-size businesses whose ledger data flows through Auditable Books because their accounting firm uses it. For their data, we act as a data processor on the firm's instructions; the firm is the controller. If you are an end-business and want to exercise rights over your data, contact your accounting firm first.

We collect three categories of information.

3.1 Information you provide directly

• Name, work email address, firm name (when you sign up).
• Authentication identifier from Google Sign-In (the OAuth "subject" / email — we do not see your Google password).
• Anything you type into the chat interface, including attachments (CSV bank statements, PDF receipts, screenshots).
• Optional support correspondence (emails to support@, screenshots, recordings).

3.2 Information from connected accounting platforms

When you connect your QuickBooks Online (QBO) company through OAuth, we receive — only with your consent and only for the companies you explicitly connect:

• QBO company (realm) ID and display name.
• Read-access tokens (encrypted at rest with AES-256-GCM) used to query the ledger.
• Ledger data needed to perform the work you ask for: chart of accounts, vendors, customers, classes, transactions, journal entries, attachments, and similar accounting records. We do not pull payroll detail or sensitive personal identifiers we don't need.

We never see, store, or transmit your QuickBooks password. Disconnecting a company through the in-app switcher revokes our access immediately and triggers deletion of stored tokens within 24 hours.

3.3 Automatically collected

• Server logs (IP address, user-agent, request path, response status, timestamp). Retained 30 days for security and debugging, then deleted.
• Aggregate, non-identifying product analytics via PostHog (page views, feature usage). We do not use this for advertising and do not sell it.
• Cookies: only those required for authentication and session continuity. We do not run third-party advertising cookies.

We use the information above to:

• Operate the product (run the agent, render the UI, store reconciliation history).
• Authenticate you and protect your account from misuse.
• Generate the AI proposals, hints, and audit evidence the product is for.
• Respond to your support requests.
• Improve reliability and performance through aggregate metrics and security monitoring.
• Comply with legal obligations, including responses to lawful government requests in the jurisdictions in which we operate.

Some Auditable Books features use third-party large language models (currently Anthropic Claude and OpenAI). When you ask the agent a question or run a workflow that requires reasoning over ledger data, the relevant snippet of that data may be sent to the model provider over a TLS connection.

• We use enterprise / API tiers that contractually do not train models on our data.
• We minimize what is sent — typically the specific rows the agent needs, never your whole ledger or your customer list in bulk.
• We never send your QuickBooks tokens, your authentication credentials, or other secrets to the model.

We do not sell personal information. We share information only with:

• Sub-processors we use to run the service — currently Supabase (database + auth), Hetzner (hosting), Resend (transactional email), Cloudflare (network + DDoS), PostHog (product analytics), Anthropic and OpenAI (AI inference). Each is bound by a data-processing agreement.
• Your firm, if you are an end-client whose data flows through a firm using Auditable Books.
• Authorities, when required by valid legal process and only after we've evaluated whether to challenge the request.
• A successor entity, in the event of a merger, acquisition, or sale of substantially all our assets — with advance notice to you and the option to terminate.

Our infrastructure is hosted on Hetzner in Germany and on Supabase's North-American region. Data may be transferred to and processed in Canada, the United States, the European Union, and the United Kingdom. Where transfers leave your jurisdiction, we rely on appropriate safeguards (Standard Contractual Clauses, Canada-EU adequacy, and Article 3 of PIPEDA).

We follow industry-standard practices to keep your information safe, including:

• TLS 1.2+ in transit, AES-256 at rest.
• JWT-gated APIs with role-based access control. The full API audit and the controls it enforces are documented internally and reviewed quarterly.
• Append-only activity logs for every agent-driven write to your ledger, so you can review what was done, when, and on whose behalf.
• Least-privilege access: a small, named set of operators have production access; all access is logged.

To report a vulnerability, please email security@auditablebooks.com. We will acknowledge within two business days.

• Account data (name, email, firm) — for as long as your account is active, plus 30 days after closure for audit purposes, then deletion.
• Ledger data and reconciliation history — for the lifetime of the account, then deletion 30 days after closure unless legal hold applies.
• Activity log — 7 years (matching standard audit-evidence retention) unless you request earlier deletion and no legal hold applies.
• Server logs — 30 days.

Depending on where you live, you may have the right to access, correct, delete, port, or restrict the use of your personal information; to object to certain processing; and to lodge a complaint with a supervisory authority (in Canada, the Office of the Privacy Commissioner; in the EU/UK, your national DPA; in California, the California Privacy Protection Agency).

To exercise any of these rights, email privacy@auditablebooks.com from the address associated with your account. We'll respond within 30 days.

If you are an end-client of an accounting firm that uses Auditable Books, please send your request to that firm first — they are the controller of your data. We will support them in fulfilling your request.

Auditable Books is a B2B product not directed at children. We do not knowingly collect personal information from anyone under 16.

When we make material changes we'll post the updated policy here and email registered users at least 14 days before the change takes effect. Non-material changes (typos, structural rewrites that don't alter rights or obligations) are made without notice; the "Effective" date at the top is always authoritative.

Novalycs Inc., operating as Auditable Books
Nova Scotia, Canada
privacy@auditablebooks.com