SupplyPO

Privacy Policy

Effective date: June 1, 2026

Governing law: North Carolina, United States

SupplyPO (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use the SupplyPO application and website.

SupplyPO is an independent application and is not affiliated with, endorsed by, or sponsored by Intuit Inc. QuickBooks is a registered trademark of Intuit Inc. in the United States and other countries.

1. Information We Collect

We collect the following categories of information:

  • QuickBooks account identifier: When you connect your QuickBooks account, we store your QuickBooks company ID (realm ID) to associate your session.
  • QuickBooks company data: We access your QuickBooks Online account via Intuit’s official API to read Estimates, Vendors, and Items, and to create Purchase Orders on your behalf. This includes company name, vendor names and email addresses, product and service information, and estimate line items.
  • OAuth tokens: We store your QuickBooks OAuth access and refresh tokens, encrypted at rest using AES-128, to maintain your connection between sessions.
  • Conversion history: We store records of Purchase Orders created through SupplyPO, including which estimates were converted, how many POs were created, and timestamps.
  • Usage and server logs: Standard server logs including IP addresses, browser type, and request timestamps. Retained for up to 30 days.

2. How We Use Your Information

We use the information we collect solely to:

  • Provide the SupplyPO service — converting QuickBooks Estimates into Purchase Orders
  • Maintain your authenticated connection to QuickBooks Online
  • Display your conversion history within the application
  • Respond to support requests you initiate
  • Improve the reliability and performance of the service

We do not sell your data. We do not use your QuickBooks data for advertising, analytics resale, or any purpose other than providing the service you requested.

3. QuickBooks Data Access

SupplyPO accesses your QuickBooks Online account through Intuit’s official OAuth 2.0 API. We request only the permissions required to perform conversions — specifically the com.intuit.quickbooks.accounting scope, which allows us to read and write accounting data within your QuickBooks company.

We access your QuickBooks data only when you initiate a conversion within SupplyPO. We do not continuously monitor or sync your QuickBooks account in the background.

You can disconnect SupplyPO from your QuickBooks account at any time through QuickBooks Online Settings → Account and Settings → Connected Apps.

4. Data Storage and Protection

  • All data is stored in a PostgreSQL database hosted on Neon (neon.tech) with encryption at rest
  • OAuth tokens are encrypted using AES-128 (Fernet) before storage and are never stored in plaintext
  • All data transmission between your browser, our servers, and QuickBooks uses HTTPS/TLS
  • Encryption keys are stored in environment secrets, separate from the database
  • We do not store QuickBooks financial reports, bank account data, payroll data, or customer payment information

5. Third-Party Services

We use the following third-party services to operate SupplyPO. Each has its own privacy policy.

  • Intuit / QuickBooks (intuit.com): API access to your QuickBooks Online account
  • Neon (neon.tech): Encrypted PostgreSQL database hosting — SOC 2 Type II certified
  • Vercel (vercel.com): Frontend application hosting — SOC 2 Type II certified
  • Railway (railway.app): Backend API server hosting

We do not share your data with any third party beyond what is required to operate the service listed above.

6. Data Retention

  • OAuth tokens: Retained until you disconnect your QuickBooks account or submit a deletion request
  • Conversion records: Retained for the duration of your account to support your history view
  • Server logs: Retained for up to 30 days for security and debugging purposes, then deleted

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Request your data in a machine-readable format
  • Objection: Object to certain processing of your data

To exercise any of these rights, visit our Data Deletion page or contact us at the address in Section 10.

8. Data Deletion

You may request complete deletion of your SupplyPO account and all associated data at any time. Visit our Data Deletion page for instructions. We will process deletion requests within 30 days of receipt.

Note: Disconnecting SupplyPO from QuickBooks via your QuickBooks settings revokes our API access but does not automatically delete data stored in our systems. Use the Data Deletion page for a complete account removal.

9. Children’s Privacy

SupplyPO is a business software application intended for use by adults in a professional capacity. We do not knowingly collect information from individuals under the age of 18.

10. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at:

SupplyPO

Email: support@supplypo.com

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page. Continued use of SupplyPO after changes constitutes acceptance of the updated policy.
