1. Scope
This Privacy Policy (the “Policy”) explains how OKGN Bookkeeping Inc. (“OKGNBooks,” “we,” “us” or “our”) collects, uses, discloses, safeguards, retains and disposes of personal information in connection with the private OKGNBooks QuickBooks integration application, related bookkeeping workflows, support, and the public legal pages that link to this Policy (collectively, the “Services”).
This Policy is intended to meet our obligations under British Columbia’s Personal Information Protection Act, Canada’s Personal Information Protection and Electronic Documents Act where applicable, Intuit platform requirements, and other privacy laws that apply to a particular engagement. It forms part of our End-User Licence Agreement and may be supplemented by an engagement letter or service agreement.
2. Our privacy role
OKGNBooks is responsible for personal information under its control and has appointed a Privacy Officer. For account administration, security, support and our own business operations, OKGNBooks determines why and how personal information is processed.
When we process QuickBooks data, receipts, statements or other records on behalf of a bookkeeping client, the client generally determines the business purposes and remains responsible for giving appropriate notices and obtaining necessary authority. In that context, OKGNBooks acts as the client’s service provider and processes information only on documented instructions, our agreements, and applicable law.
3. Information we collect
Depending on the Services you authorize, we may process:
- Account and contact information: name, business name, business email, telephone number, role, staff permissions and support communications.
- Authentication and connection information: account identifiers, authorization status, QuickBooks company or realm identifier, connection timestamps, encrypted OAuth tokens and revocation status. We do not receive your Intuit password.
- QuickBooks data: company information, preferences, chart of accounts, customers, vendors, items, classes, locations, taxes, transactions, reports, attachments, identifiers, metadata and other records the authorized QuickBooks company makes available through Intuit’s APIs.
- Bookkeeping evidence: receipts, invoices, statements, document images, extracted text, transaction details, dates, amounts, taxes, merchant or counterparty information, account references and evidence provenance.
- Workflow and audit information: matches, proposals, approvals, corrections, attachment jobs, readback results, reconciliation outcomes, exceptions, operator actions and immutable audit events.
- Technical and security information: IP address, browser and device information, session identifiers, request timestamps, error details, security events and Intuit transaction identifiers such as the
intuit_tidresponse value.
We do not request or store online-banking passwords. The current Application does not use the QuickBooks Payments API and does not collect full payment-card numbers or card security codes.
4. Where information comes from
We collect information:
- directly from you or an authorized user;
- from the business or bookkeeping client that authorizes your access;
- from Intuit when an authorized administrator connects a QuickBooks Online company;
- from documents, evidence stores and business systems the client directs us to use; and
- automatically from the Application when needed for authentication, security, reliability and auditability.
5. How we use information
We use information only for reasonable, identified purposes, including to:
- authenticate authorized staff and isolate each client and QuickBooks company;
- connect, refresh, monitor, disconnect and reconnect authorized QuickBooks integrations;
- retrieve and organize accounting records for authorized bookkeeping services;
- match evidence to existing transactions, present proposed actions for review, attach approved documents, and verify results by readback;
- support reconciliation, completeness checks, client reporting, controlled migration and record preservation;
- prevent duplicate or unauthorized actions and maintain an audit trail;
- operate, secure, troubleshoot, back up and improve the Services;
- respond to support, access, correction, deletion and complaint requests; and
- comply with tax, accounting, privacy, security and other legal obligations.
We do not use QuickBooks data for a materially different purpose without additional notice and any consent or authorization required by law.
6. QuickBooks data and authorization
A person with authority over a QuickBooks Online company must expressly authorize the connection through Intuit’s consent process. The Application requests only the scopes required for the approved bookkeeping functions. Access and refresh tokens are stored encrypted, separated from application content, and are never displayed to users or recorded in ordinary logs.
You may revoke the connection through Intuit or request disconnection from OKGNBooks. After revocation, we stop new access to that QuickBooks company and follow the deletion and retention process below. Intuit operates QuickBooks under its own privacy statement and terms; OKGNBooks is independent of Intuit Inc.
7. Consent and lawful authority
We obtain consent where required and may also process information where permitted or required by law, including to perform a contract, provide requested business services, protect security, investigate misuse, or meet legal obligations. You may withdraw consent by contacting us, subject to legal or contractual limits and reasonable notice. Withdrawal may prevent us from continuing some Services.
If you provide personal information about employees, customers, vendors or other people, you confirm that you are authorized to do so and have provided required notices.
8. When we disclose information
We may disclose information only as needed:
- to authorized users of the same client organization according to their permissions;
- to Intuit to carry out an authorized QuickBooks connection and API request;
- to contracted service providers that support secure hosting, encrypted secret management, evidence storage, backups, monitoring, email or technical support;
- to a professional adviser bound by confidentiality;
- to comply with law, a valid legal process, or a regulator’s lawful request; or
- in a business transaction, subject to confidentiality and privacy protections.
Service providers receive only the information needed for their role and must protect it under written terms. They may not use QuickBooks data for their own advertising, sale, independent product development or unrelated purposes.
9. No sale or cross-customer sharing
We do not sell, rent or trade personal information or QuickBooks data. We do not share one customer’s identifiable QuickBooks data with another customer. We do not use it for behavioural advertising or data-broker activities.
We may create aggregate operational statistics only where they cannot reasonably identify or be re-identified to a person or company. We do not disclose customer-specific benchmarks to others without express written authorization.
10. Automation and AI assistance
The Application may use deterministic automation and, where expressly enabled, AI-assisted suggestions to help staff review evidence, matches or proposed bookkeeping treatment. Automated or AI output is a proposal only: it does not have independent authority to write to QuickBooks. Approved controls, human review and readback verification govern material actions.
We do not use identifiable customer information or QuickBooks data to train general-purpose models for the benefit of unrelated parties without express written authorization. Any service provider used for authorized AI assistance must be contractually restricted and assessed for privacy and security.
11. Processing locations
OKGNBooks operates in British Columbia, Canada. Depending on the approved hosting and service providers for an engagement, information may be processed in Canada or in another country. Information processed outside your province or Canada may be subject to the laws and lawful access authorities of that jurisdiction. We use contractual, access and security safeguards appropriate to the sensitivity of the information and disclose material location requirements in the applicable service terms.
12. Retention and deletion
We retain information only as long as reasonably necessary for the identified purpose, client instructions, security, dispute resolution, and tax, accounting or legal obligations. Our standard targets are:
| Record | Standard retention target |
|---|---|
| OAuth tokens | Revoked and securely deleted promptly after confirmed disconnection, unless temporarily needed to complete the authorized disconnection. |
| Replicated QuickBooks operational data | Active engagement plus up to 90 days for orderly export and verified deletion, unless a longer period is required or agreed. |
| Bookkeeping evidence and required audit records | Up to seven years after the relevant fiscal period or engagement, where required or agreed for accounting, tax, defence or professional records. |
| Security and application logs | Normally up to 12 months, unless needed for an active investigation or legal obligation. |
| Support communications | Normally up to 24 months after closure. |
| Backups | Removed through the normal backup cycle, targeted within 35 days after deletion from primary systems. |
When a user revokes consent, disconnects, or requests deletion, we stop new access and securely delete information that is no longer required. If we must retain particular records, we isolate them from ordinary use, limit access, and delete or anonymize them when the obligation ends. Disposal methods are appropriate to the record and may include cryptographic erasure, secure deletion, or destruction of physical media.
13. Safeguards
We use administrative, technical and physical safeguards proportionate to the sensitivity of financial and personal information. These include encrypted transport and storage, least-privilege access, tenant and realm isolation, strong authentication, secure session controls, separate secret management, token rotation, logging redaction, approval and idempotency controls, immutable audit events, backups, monitoring, vulnerability management and incident-response procedures.
No system is perfectly secure. If a breach creates a real risk of significant harm or otherwise requires notification, we will investigate, contain, document and notify affected parties and regulators as required by applicable law.
15. Your privacy rights
Subject to applicable law and verification of your identity, you may ask us to:
- explain whether we hold your personal information and how it has been used or disclosed;
- provide access to your personal information;
- correct inaccurate or incomplete information;
- withdraw consent or object to certain processing;
- delete information that is no longer required; or
- provide information needed to transfer or disconnect an authorized service.
We will respond within the period required by applicable law. We may deny or limit a request where the law permits or requires it, and will explain the reason. When we process information solely for a client, we may refer the request to that client and assist with its response.
16. Children
The Services are for authorized business users and are not directed to children. We do not knowingly collect personal information directly from children through the Application. Business records may incidentally contain information about minors only where an authorized client has a lawful business reason to provide it.
17. Changes to this Policy
We may update this Policy to reflect changes in our Services, providers, practices or legal duties. We will post the revised Policy with a new effective date and provide additional notice where required by law or where a change is material. We will not apply a materially different use to previously collected information without appropriate notice and authority.
18. Privacy Officer and complaints
Questions, requests and complaints should be sent to our Privacy Officer. Please describe the request, the organization or QuickBooks company involved, and how we can contact you. Do not send passwords, OAuth tokens, full financial account numbers or unrequested sensitive documents by email.
Privacy Officer — OKGN Bookkeeping Inc.Okanagan Valley, British Columbia, Canada
hello@okgnbooks.com
We investigate privacy complaints fairly and document the outcome. If you are not satisfied, you may contact the Office of the Information and Privacy Commissioner for British Columbia or another privacy regulator with jurisdiction.