Privacy Policy
Last updated: September 23, 2025
1. Introduction
AutoPO (“AutoPO,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy describes how we collect, use, share, and safeguard personal information when you visit our websites, use our SaaS platform, or connect your QuickBooks Online account (collectively, the “Service”).
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not access or use the Service.
2. Scope
This Privacy Policy applies to personal information we collect directly from you, through the Service, or from third parties acting on your behalf (such as QuickBooks). It does not cover the practices of companies we do not own or control. If you access third-party services through the Service, their terms and privacy statements govern those interactions.
3. Information We Collect
The categories of information we collect include:
- Account information: name, email address, job title, phone number, company name, and authentication credentials.
- Billing information: billing contacts, payment method details (processed by our PCI DSS-compliant providers), tax IDs, and transaction history.
- QuickBooks data: OAuth tokens, realm IDs, and vendor, item, purchase order, invoice, and related records as authorized through Intuit scopes.
- Usage data: log files, IP address, device and browser characteristics, pages viewed, features used, diagnostics, and performance metrics.
- Support and communications: emails, chat transcripts, attachments, survey responses, and other correspondence.
4. How We Use Information
We process personal information for the following purposes:
- Provide, operate, and customize the Service, including generating purchase orders from connected systems.
- Authenticate users, manage accounts, and deliver customer support.
- Send transactional messages, product updates, and service notifications.
- Monitor Service performance, conduct analytics, and improve functionality.
- Detect, investigate, and prevent security incidents, fraud, or abuse.
- Comply with legal obligations, enforce agreements, and resolve disputes.
- Conduct marketing communications consistent with applicable laws (you may opt out at any time).
5. Legal Bases for Processing
Where required by applicable law (such as the GDPR or UK GDPR), we rely on one or more of the following legal bases to process personal information: performance of a contract, legitimate interests (for example, improving the Service or securing our systems), compliance with legal obligations, protection of vital interests, and consent (for optional marketing and certain cookies).
6. How We Share Information
We may share personal information with:
- Service providers that host infrastructure, process payments, deliver email, or provide analytics, subject to contractual confidentiality and security obligations.
- QuickBooks (Intuit) when you connect your account, in accordance with the permissions you grant.
- Professional advisors (lawyers, accountants) as necessary for legitimate business purposes.
- Authorities or other parties when required by law, court order, or to protect AutoPO, our customers, or others from harm.
- Successors in the event of a merger, acquisition, or sale of assets, subject to continued protection of your information.
We do not sell personal information or share it for cross-context behavioral advertising within the meaning of applicable U.S. state privacy laws.
7. International Data Transfers
We operate in the United States and may transfer personal information to other countries where we or our service providers operate. When we transfer personal information internationally, we implement appropriate safeguards such as Standard Contractual Clauses, Data Privacy Framework participation, or other legally recognized transfer mechanisms.
8. Data Retention
We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce agreements. Customer Data associated with an account is deleted or anonymized within ninety (90) days of account closure unless a longer retention period is required by law. OAuth tokens are revoked immediately when you disconnect QuickBooks.
9. Security Safeguards
We use administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS encryption for data in transit and encryption at rest.
- Role-based access controls, audit logging, and least-privilege principles.
- Regular vulnerability scanning, penetration testing, and security monitoring.
- Vendor risk management and incident response procedures.
No security practice is perfect, and we cannot guarantee absolute security. Please notify us immediately if you suspect unauthorized access to your account.
10. Your Privacy Rights
Depending on your residency, you may have rights to:
- Request access to and copies of your personal information.
- Request correction or deletion of personal information.
- Object to or restrict processing, or request portability of personal information.
- Opt out of certain data sharing or targeted advertising (where applicable).
- Lodge a complaint with a supervisory authority.
You can exercise these rights by emailing hello@autopo.io. We may verify your identity before fulfilling requests. Authorized agents may submit requests on behalf of California consumers in accordance with CCPA requirements.
11. Marketing Preferences
You may opt out of marketing emails by following the unsubscribe link in the messages or by contacting us. You will continue to receive transactional communications necessary for the Service. You can manage in-product notifications in your account settings.
12. Cookies and Tracking Technologies
We use cookies, pixels, and similar technologies to operate the Service, remember preferences, and analyze usage. You can control cookies through your browser settings. Where required, we will obtain your consent before setting non-essential cookies. For more detail, please review our Cookie Policy when available.
13. Children's Privacy
The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected such information, we will delete it and take reasonable steps to terminate the corresponding account.
14. Roles and Responsibilities
For most processing activities, AutoPO acts as a data processor or service provider, and the Customer is the data controller or business with respect to Customer Data. Our Data Processing Addendum, available upon request, includes Standard Contractual Clauses and describes our commitment to assist customers in meeting their compliance obligations.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by email prior to the effective date. The updated policy will be posted on this page with a revised “Last updated” date. Your continued use of the Service after the effective date constitutes acceptance of the changes.
16. Contact Us
If you have questions or requests regarding this Privacy Policy, contact us: hello@autopo.io