Privacy Policy
Effective Date: 1 October 2025
Last Updated: 9 February 2026
Introduction
Welcome to TidyBooks ("we," "our," or "us"). This Privacy Policy explains how we collect, use, maintain, and protect information from users of our online platform that helps small business owners and accountants organize, process, and manage their documents.
By using our platform, you agree to the practices described in this Privacy Policy.
Information We Collect
1. User-Provided Information
When you use TidyBooks, you may provide us with the following details:
- Account Information: Name, email address, password, and business details you provide when creating an account.
- Uploaded Documents: Invoices, receipts, letters of registration, permits, compliance documents, and any files you choose to upload, forward, or submit to TidyBooks.
- Payment Information: If you subscribe to TidyBooks, we collect payment details via our third-party provider, LemonSqueezy.
- Phone Number: If you use WhatsApp integration, we collect your verified phone number for document submission.
2. Information from Connected Services
When you connect Third-Party Services to TidyBooks, we may receive:
- Accounting Software (QuickBooks, Xero): Account names, categories, vendors, tax rates, and transaction data you authorize us to access for syncing and export purposes.
- Cloud Storage (Google Drive, OneDrive, Dropbox): File metadata, folder structures, and document content from folders you authorize us to monitor or extract from.
- Email Services (Gmail, Outlook): Email metadata (sender, date, subject), attachment content, and folder/label information from emails matching your configured filters.
- Messaging Services (WhatsApp): Phone numbers, message timestamps, and document/media content sent to our WhatsApp Business number.
We only access and process data from connected services that you explicitly authorize through OAuth consent or similar authorization mechanisms.
3. Automatically Collected Information
We may collect certain information automatically, including:
- Usage Data: How you interact with the platform (e.g., features used, documents processed, filters applied).
- Device Information: Browser type, operating system, device identifiers, and IP address.
- Cookies & Tracking Technologies: We use cookies and similar technologies to store preferences, keep you logged in, and analyze platform usage. You can manage cookies in your browser settings.
- Audit Trail Data: For security and compliance purposes, we log certain actions and events. See the "Security Audit Logs" section below for details.
4. Analytics and Tracking Software
We may use third-party analytics software from time to time, including but not limited to:
- Mixpanel: For user behavior analytics and product improvement insights.
- Google Analytics: For website traffic analysis and user engagement metrics.
- Other Analytics Tools: We reserve the right to implement additional analytics services as needed.
These analytics tools are used for the following purposes:
- Security Monitoring: To detect and prevent unauthorized access and security threats.
- Bug Investigation: To identify, diagnose, and resolve technical issues and software bugs.
- Service Improvement: To understand user behavior and improve our platform's features, performance, and user experience.
Data Privacy Protection: We do not share your personal information (such as email addresses, names, or other personally identifiable information) with these analytics services. Instead, we use non-personally identifiable user IDs and anonymous data to track usage patterns. This ensures that even if a third-party analytics provider experiences a data breach, your personal information remains protected.
Important Note on Cookies: The use of these third-party analytics services may result in cookies and tracking technologies being placed on your browser or device. These cookies help us collect anonymous usage data and improve our service. You can manage or disable cookies through your browser settings, though some functionality may be affected.
How We Use Your Information
We use the information we collect for the following purposes:
- Document Management: To process, organize, categorize, and store your uploaded or forwarded documents.
- AI-Powered Processing: To extract text, vendor names, dates, amounts, tax information, and other data from your documents using OCR and AI models. Your documents are never used to train AI models.
- Third-Party Integrations: To sync data with and export documents to connected accounting software, cloud storage, and other authorized services.
- Account Management: To create and maintain your account, provide customer support, and send service-related updates.
- Team Management: To facilitate accountant practice (Team) features, including client management, license allocation, and team member access.
- Payment Processing: To handle subscription payments securely via LemonSqueezy. We reserve the right to change payment processors at our discretion in the future.
- Platform Improvement: To analyze aggregated usage data and improve features, speed, and reliability.
- Communications: To send you service announcements, security alerts, and (with your consent) marketing communications.
Third-Party Account Connections
TidyBooks allows you to connect external accounts to enhance your experience. When you connect a third-party account, we access only the data necessary to provide the requested functionality.
Google Services (Gmail, Google Drive)
When you connect your Google account, we may access:
- Gmail (Read-Only Access): We access your Gmail messages to identify and import documents (invoices, receipts) sent to your inbox. We use the gmail.readonly scope, which provides read-only access. We cannot send, delete, or modify your emails.
- Google Drive: We can read files from folders you specify to import documents (invoices, receipts, statements). We can also write files to export your organized documents back to Google Drive. We use the drive.file scope.
Optional Real-Time Monitoring: If you explicitly enable monitoring in your account settings, we receive push notifications from Google when new emails arrive in Gmail or new files are added to monitored Google Drive folders. This allows automatic import of new documents without manual intervention. You can disable monitoring at any time.
Data we collect from Google:
- Email metadata (sender, subject, date) for document identification
- Email attachments that match document criteria (PDFs, images)
- For emails matching your configured filters, we store the full email content securely so you can audit and verify document extractions
- Files from monitored Google Drive folders that match document criteria
- Basic profile information (name, email address) for account identification
Data we do NOT collect:
- Emails that do not match your configured filters
- Contacts, calendar, or other Google services data
- Files outside of folders you have explicitly selected for monitoring
Microsoft Services (Outlook, OneDrive)
When you connect your Microsoft account, we may access:
- Outlook (Read-Only Access): We access your Outlook inbox messages to identify and import documents. We use the Mail.Read scope, which provides read-only access. We cannot send, delete, or modify your emails. For emails matching your configured filters, we store the full email content securely so you can audit and verify document extractions.
- OneDrive: We can read files from folders you specify to import documents. We can also write files to export your organized documents back to OneDrive. We use the Files.ReadWrite scope.
Optional Real-Time Monitoring: Similar to Google, if you explicitly enable monitoring, we receive push notifications when new emails arrive in Outlook or new files are added to monitored OneDrive folders.
Dropbox
When you connect your Dropbox account:
- We can read files from folders you specify to import documents (invoices, receipts, statements)
- We can write files to export your organized documents back to Dropbox
- If you enable monitoring, we receive notifications when new files are added to monitored folders
Accounting Software (QuickBooks, Xero)
When you connect your accounting software:
- We do NOT read your financial data from these platforms
- We export documents (expenses, bills) from TidyBooks to your accounting software
- We sync category lists, vendor lists, and tax rates to ensure consistency between TidyBooks and your accounting software
- All data flows FROM TidyBooks TO your accounting software, not the other way around
Messaging Services (WhatsApp)
When you connect your phone number via WhatsApp:
- We collect your verified phone number for identity and message routing
- We receive documents and media you send to our WhatsApp Business number
- We store message timestamps and document/media content for processing
- WhatsApp media files may expire on Meta's servers; TidyBooks stores copies of received media but cannot retrieve expired media from WhatsApp
Disconnecting Third-Party Accounts
You can disconnect any third-party account at any time from your TidyBooks account settings. When you disconnect:
- We immediately stop accessing data from that service
- We revoke our access tokens with the third-party provider
- Any active monitoring is disabled
- Previously imported documents remain in your TidyBooks account unless you delete them
- You can reconnect the service at any time
Information Sharing
We do not sell or rent your personal information. We may share limited information only in the following cases:
- Service Providers: With trusted third parties who help us operate the platform:
  - Cloud Infrastructure: Amazon Web Services (AWS) for data storage and processing
  - AI Processing: OpenAI for document OCR and data extraction (documents processed, not stored for training)
  - Payment Processing: LemonSqueezy for subscription management
  - Analytics: Mixpanel and Google Analytics (anonymized data only)
  - Email Delivery: For transactional and notification emails
- Third-Party Integrations: When you connect services like QuickBooks, Xero, Google Drive, OneDrive, Dropbox, Gmail, Outlook, or WhatsApp, data is shared with those services as authorized by you.
- Team Access: If your organization is managed by an accountant practice (Team), team members with appropriate permissions may access your organization's documents and data.
- Legal Compliance: If required by law, subpoena, court order, or to respond to lawful government requests.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that process. We will notify you of any such transfer.
- Protection of Rights: To enforce our Terms of Service, protect our rights, or investigate potential violations.
Data Storage and Security
Storage Locations
- Primary Storage: Your documents and data are stored on Amazon Web Services (AWS) servers.
- Encrypted Tokens: OAuth access tokens for connected services are encrypted using user-specific encryption keys before storage.
Security Measures
We implement industry-standard security measures including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- User-specific encryption for sensitive credentials
- Regular security assessments and monitoring
- Access controls and authentication requirements
- Secure webhook signature verification for integrations
However, no online system is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
Data Retention
Active Accounts
- Documents and extracted data are retained while your account is active.
- Connected service tokens are retained until you disconnect the service or your account is deleted.
After Account Deletion
- Account data is deleted within 30 days of deletion request.
- Documents and extracted data are permanently deleted.
- Backup copies may be retained for up to 90 days for disaster recovery purposes.
- Some data may be retained longer for legal compliance, dispute resolution, or fraud prevention.
Managed Client Data
- If an accountant practice (Team) subscription is cancelled, managed client data is retained for 90 days before automatic deletion.
- Warning notifications are sent at 60 and 80 days.
Automatically Deleted Data
- Expired invitation tokens are automatically cleaned up.
- Temporary processing files are deleted after processing completes.
To request account deletion, use the account settings in the app or contact us at info@tidybooks.tax.
Security Audit Logs
To maintain platform security and meet compliance requirements (including CASA Tier 2 certification), TidyBooks maintains an audit trail of security-relevant events and user actions within your organization.
What We Log
Authentication Events:
- Successful and failed sign-in attempts
- Sign-out events
- Password changes
- Two-factor authentication enablement and disablement
- Session revocations
- Magic link requests and verifications
Account & Access Events:
- Connected account additions and removals (e.g., linking Gmail, Google Drive)
- Member additions, removals, and role changes
- Invitation sends, acceptances, and cancellations
- Organization settings changes
Data Events:
- Document exports and bulk deletions
- Subscription and billing changes
What Data Is Captured
For each logged event, we record:
- Timestamp: When the event occurred
- Actor Information: Name and email of the user who performed the action (stored as a snapshot at the time of the action)
- Actor Role: The user's role at the time of the action (e.g., owner, admin, member)
- IP Address: The IP address from which the action was performed
- Action Type: The specific action taken (e.g., "Member added", "Password changed")
- Resource Information: When applicable, the type and identifier of the affected resource
- Access Context: Whether the action was performed directly or via an accountant practice (team access)
Purpose of Audit Logs
Audit logs are used for:
- Security Monitoring: Detecting unauthorized access attempts or suspicious activity
- Compliance: Meeting regulatory and certification requirements
- Accountability: Providing organization owners and admins visibility into who performed what actions
- Incident Investigation: Supporting investigation of security incidents if they occur
Access to Audit Logs
- Only organization owners and administrators can view audit logs for their organization
- Audit logs are accessible from the organization settings under "Audit Log"
- Audit logs cannot be modified or deleted by users
Retention
- Audit logs are retained for 90 days by default
- After 90 days, logs are automatically deleted
- This retention period balances security visibility with privacy considerations
Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
Access and Portability
- You can access your documents and data through the platform.
- You may export your documents at any time.
Correction
- You can update your account information in your account settings.
- You can edit extracted document data within the platform.
Deletion
- You may request deletion of your account and associated data by contacting us or using account settings.
- You can delete individual documents at any time.
Disconnect Services
- You may disconnect any connected Third-Party Service at any time through your account settings.
- Disconnecting a service removes TidyBooks' access but does not delete previously processed documents.
Google Account Permissions
If you have connected your Google account, you can also:
- Review and revoke TidyBooks' access at any time via Google Account Permissions
- Disconnecting from Google's side will also disconnect the integration in TidyBooks
Marketing Communications
- You may opt out of marketing communications at any time.
- Service-related communications (security alerts, billing notices) cannot be opted out of while your account is active.
Cookie Preferences
- You may disable cookies and tracking technologies in your browser, though some features may not work correctly.
- You can opt out of certain analytics tracking by adjusting your browser settings or using privacy extensions.
International Data Transfers
TidyBooks operates globally. Your data may be transferred to and processed in countries other than your own, including Australia and the United States, where our servers and service providers are located. By using our Service, you consent to such transfers.
We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.
Document Forwarding & Unique Email Addresses
Each business account is assigned a unique, secure TidyBooks email address for forwarding documents. If you believe your unique address has been compromised, you can easily generate a new one within your account.
Third-Party Links
TidyBooks may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their policies.
Children's Privacy
TidyBooks is not intended for individuals under the age of 18. We do not knowingly collect information from minors. If you believe a minor has provided us with data, please contact us and we will remove it.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected.
- Right to Delete: You can request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Do Not Sell: We do not sell personal information.
To exercise these rights, contact us at the information provided below.
European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on contractual necessity, legitimate interests, legal obligations, or your consent.
- Right to Restrict Processing: You can request that we limit processing of your data.
- Right to Object: You can object to processing based on legitimate interests.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.
- Data Protection Officer: For GDPR-related inquiries, contact us at the information provided below.
Updates to This Privacy Policy
We may update this Privacy Policy from time to time. Updates will be posted on this page, and the "Last Updated" date will reflect the most recent version.
For material changes, we will notify you via email or prominent notice on the Service. Continued use of TidyBooks after updates constitutes acceptance of the revised Privacy Policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Email: info@tidybooks.tax
- Website: https://tidybooks.tax/contact