Privacy Policy

Hubricon, Inc. (“Hubricon,” “we,” “our,” or “us”) operates the website at www.hubricon.com and the Hubricon platform (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect information when you access or use our Service.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you must discontinue use of the Service immediately.

2.1 Account Information

When you register, we collect your name, email address, and company name. If you sign in via a third-party provider (Google or GitHub), we receive your name and email from that provider. We use Supabase for authentication; we do not store your password in our application database.

2.2 Financial Data from QuickBooks Online

With your explicit authorization via OAuth 2.0, we connect to your Intuit QuickBooks Online (“QBO”) account. We access the following data in read-only mode:

• Profit & Loss reports
• Balance Sheet reports
• Cash Flow statements
• Chart of Accounts
• Company information (company name, fiscal year)

We never access, view, or store your QuickBooks username or password. We do not modify, create, or delete any records in your QuickBooks account. Our access is limited to the com.intuit.quickbooks.accounting OAuth scope, which grants read-only access to accounting data.

2.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not receive, store, or process your credit card number, bank account number, or other payment instrument details. Stripe’s privacy policy governs payment data handling. We store only your Stripe customer ID and subscription status.

2.4 Usage and Analytics Data

We collect anonymized usage analytics through Vercel Analytics and Vercel Speed Insights to understand how the Service is used and to improve performance. This includes pages visited, feature interactions, device type, browser type, and general geographic region. We do not use this data for advertising, profiling, or sale to third parties.

2.5 Cookies and Local Storage

We use essential cookies for authentication session management (set by Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party marketing cookies. You may configure your browser to reject cookies, but doing so may prevent you from using the Service.

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service, including generating financial dashboards and AI-powered insights
• To process your QuickBooks data and produce analytics, reports, and alerts
• To send transactional communications such as account confirmations, security alerts, and weekly financial briefings
• To process subscription payments via Stripe
• To monitor and improve the performance, security, and reliability of the Service
• To respond to your support requests and communications
• To comply with legal obligations and enforce our Terms of Service

We do not sell, rent, lease, or trade your personal information or financial data to any third party for marketing, advertising, or any other purpose.

We share your information only in the following limited circumstances:

4.1 Service Providers

We use third-party service providers to operate the Service. Each provider receives only the minimum data necessary to perform its function:

• Intuit QuickBooks Online: OAuth token exchange for read-only accounting data access
• Stripe: Subscription and payment processing (receives email for receipts)
• Supabase: Database hosting, authentication, and row-level security
• Anthropic: AI analysis engine for generating financial insights. Financial data sent to Anthropic for analysis is processed in real-time and is not retained by Anthropic after the response is generated, per Anthropic’s commercial API data policy
• Vercel: Application hosting, edge network, and anonymized analytics

4.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher
• Encryption at rest: All database records are encrypted at rest. OAuth tokens (QuickBooks access and refresh tokens) are additionally encrypted with AES-256-CBC using a dedicated encryption key before storage
• Access control: Row-Level Security (RLS) policies enforce strict data isolation between organizations at the database level. Each user can only access data belonging to their own organization
• Infrastructure: Our application is hosted on Vercel’s edge network with automatic SSL. Our database is hosted on Supabase’s SOC 2 Type II compliant infrastructure with automated backups
• No plaintext token storage: OAuth tokens are never stored in plaintext, logged, returned in API responses, or exposed in client-side code
• Read-only access: We request only read-only OAuth scopes. Hubricon cannot modify your QuickBooks data

6.1 Retention

We retain your account information and synced financial data for as long as your account is active and you maintain an active connection. Synced financial data is refreshed every 6 hours and overwritten with the latest data from QuickBooks.

6.2 Disconnection

You may disconnect your QuickBooks account at any time from your Settings page. Upon disconnection, we revoke the OAuth token and delete all synced financial data (P&L, balance sheet, and transaction records) from our database. AI-generated insight history is preserved unless you request its deletion.

6.3 Account Deletion

You may request deletion of your entire account and all associated data by emailing contact@hubricon.com. Upon receiving a verified deletion request, we will:

• Revoke all OAuth tokens and disconnect all integrations
• Delete all synced financial data, AI insights, and reports
• Delete your account, organization, and membership records
• Cancel any active subscriptions
• Complete all deletions within 30 calendar days

Certain data may be retained for up to 90 days in encrypted backups before being permanently purged. We may also retain limited records as required by law (e.g., billing records for tax compliance).

7.1 All Users

Regardless of your location, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data and account
• Disconnection: Disconnect your QuickBooks account and delete synced financial data at any time via Settings
• Portability: Request your data in a structured, machine-readable format

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out of Sale: We do not sell personal information. We have not sold personal information in the preceding 12 months
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights

To exercise any of these rights, contact us at contact@hubricon.com. We will verify your identity before processing your request and respond within 45 days as required by law.

7.3 European Economic Area Residents (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data is: (a) your consent (for connecting QuickBooks), (b) performance of a contract (for providing the Service), and (c) our legitimate interests (for security and service improvement).

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.

Your data may be processed and stored in the United States, where our service providers operate. By using the Service, you consent to the transfer of your information to the United States. We ensure that all service providers maintain adequate data protection standards.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email to the address associated with your account or by displaying a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

For data protection inquiries or to exercise your privacy rights, email contact@hubricon.com with the subject line “Privacy Request.”