Privacy Policy
Last updated: May 10, 2026
This Privacy Policy describes how Maready & Co. Financial, LLC (operating as “Maready & Co.”), a North Carolina limited liability company based in Wilmington, North Carolina (“we”, “us”, “our”), collects, uses, and protects information when you use our QuickBooks Online integration (the “Service”).
1. Information we collect
When you connect QuickBooks Online to the Service, we receive, with your authorization, an OAuth access token and refresh token issued by Intuit that allow us to read and (where you direct us) write the following data in your QuickBooks company file:
- Company information (name, fiscal year, contact details)
- Chart of Accounts and account balances
- Customers and vendors
- Employee directory information as it appears on transactions (e.g., the employee name listed on a journal entry). We do not access payroll data, Social Security numbers, or compensation details.
- Transactions (invoices, bills, purchases, journal entries, deposits)
- Reports (P&L, Balance Sheet, A/R aging, A/P aging, etc.)
We do not access bank credentials, credit card numbers, payment processing data, or payroll processing data.
2. How we use the information
- Provide the bookkeeping, close, reporting, and advisory services you have engaged us to perform.
- Generate dashboards, commentary, and standup summaries for your internal use.
- Detect issues that warrant your attention (uncategorized transactions, unsent invoices, aged receivables, etc.).
- Improve the accuracy and reliability of the Service.
We do not sell, rent, or share your QuickBooks data with third parties for marketing.
3. Storage and security
- Refresh tokens issued by Intuit at the OAuth callback are encrypted with AES-256-GCM immediately on receipt, using an encryption key held only by Maready & Co. Financial, LLC. The encrypted ciphertext is stored in a private storage bucket at our cloud provider (Vercel, Inc., United States); the ciphertext is unintelligible without our encryption key and is never transmitted in plaintext.
- The decrypted refresh token is held only on the practitioner’s workstation, in access-restricted files (filesystem permissions limited to the operator account), and only while needed to call Intuit’s API on the Client’s behalf.
- Snapshots and exports are stored on the practitioner’s workstation. They are not uploaded anywhere unless the Client has authorized an upload destination (e.g., a Google Drive folder the Client owns).
- Audit logs of every write operation are appended to per-realm monthly log files on the practitioner’s workstation, with a SHA-256 hash chain so any historical edit is detectable.
- All network traffic between the practitioner, Vercel, Intuit, and the Client uses HTTPS / TLS 1.2 or higher.
- We use OAuth 2.0 with Intuit. We never see, store, or transmit your QuickBooks password.
4. Disclosure
We disclose information only:
- To you and people you authorize.
- When required by law (subpoena, court order, regulatory request).
- To service providers strictly necessary to deliver the Service, under written agreements imposing equivalent confidentiality.
As of the date of this policy, our service providers are:
- Intuit, Inc. (United States) — the QuickBooks Online platform itself.
- Vercel, Inc. (United States) — cloud hosting for our website and OAuth flow, and encrypted token storage (Vercel Blob).
- Resend (United States) — transactional email delivery for operational notifications.
- Google LLC (United States) — Google Workspace for our operator email, and, where the Client has opted in, Google Drive folders the Client owns and shares with us for snapshot delivery.
All four service providers are U.S.-based. Client data is not transferred outside the United States.
5. Disconnecting and data deletion
You can disconnect the Service from your QuickBooks company file at any time from Apps → Connected Apps in QuickBooks Online. On disconnect:
- The refresh token becomes invalid; we can no longer access your data.
- On request, we will delete cached snapshots, exports, and tokens associated with your realm within 30 days. Email privacy@mareadyco.com to request deletion.
Audit logs may be retained for the period required by professional responsibility, regulatory, or insurance obligations, and will be treated as confidential workpapers.
6. Children
The Service is not directed to children under 13 and does not knowingly collect personal information from them.
7. Changes
We may update this policy from time to time. Material changes will be communicated to active clients before they take effect.
8. Contact
Maready & Co. Financial, LLC
Maverick Maready, Member · Wilmington, NC
Privacy: privacy@mareadyco.com
General: Maverick@MareadyCo.com
Mailing address available on request.