Privacy Policy

Last updated: 2026-04-24

1. Overview

Arbor (“we”, “our”, or “the Service”) is an AI-powered automation tool for QuickBooks Online (“QBO”). Arbor is built for accountants and bookkeepers who already have authority to access the QuickBooks company files they connect. We do not sell, rent, share, or repurpose your data. Information you provide or that we access is used solely to operate the Service and perform the QuickBooks tasks you ask Arbor to perform.

2. What we collect

We deliberately keep what we store to the minimum required to run the Service:

  • Account information. Your email address and an authentication identifier from Supabase Auth (used for sign-in via email, password, or Google OAuth). We do not store your Google password.
  • QuickBooks OAuth tokens. When you connect a QuickBooks Online company, Intuit issues us an access token and refresh token. Tokens are encrypted at rest using pgcrypto in our database and are used only to call the QuickBooks API on your behalf.
  • Conversation history. The messages you send to Arbor and the responses Arbor produces are saved to your account so you can return to past sessions.
  • Agent memory and notes. When you (or Arbor on your behalf) save a learning or scratchpad note, that note is stored under your user account and the QuickBooks company it refers to.
  • Audit and checkpoint records. Every write Arbor performs against QuickBooks (create/update/void/delete) is recorded in an audit log on your account so the action can be reviewed or rewound.
  • Usage events. We record minimal metadata about each request (timestamp, event type, tier) to enforce rate limits and prevent abuse.

Arbor is not intended to collect personal information about you or third parties beyond what is strictly necessary to operate QuickBooks. We do not use cookies for advertising, do not run third-party analytics or marketing trackers in the authenticated app, and do not build profiles of users for resale.

3. What we access in QuickBooks

When you ask Arbor to perform a task, the agent reads from and writes to the QuickBooks Online company you have connected, using the permissions Intuit granted during OAuth. This includes accounting data such as customers, vendors, invoices, bills, payments, journal entries, and account balances. Arbor accesses these records only in response to your instructions and only for the duration required to complete the task you requested. We do not export QuickBooks data to any third party and we do not retain a separate copy of your accounting ledger.

4. How your data is used

Data that Arbor collects or accesses is used only to:

  • Authenticate you and protect your account.
  • Read from and write to your QuickBooks Online company at your request, via Intuit’s official API.
  • Maintain conversation history, memory, and scratchpad notes for your account.
  • Provide an audit trail and rewind capability for every change Arbor makes to your books.
  • Enforce per-user rate limits and prevent abuse of the Service.
  • Diagnose errors and improve the reliability of the Service.

We do not use your data, your QuickBooks records, or your conversation history to train AI models. We do not sell your data. We do not advertise to you.

5. Sub-processors

Arbor relies on a small set of infrastructure providers to deliver the Service. These providers process data only to perform their function and are bound by their own data protection commitments:

  • Supabase — identity (Supabase Auth) and primary database (Postgres) hosting your account and Arbor-specific records.
  • Amazon Web Services — hosts the Arbor API.
  • Intuit (QuickBooks Online) — the system Arbor connects to. Arbor never bypasses Intuit’s API or your granted scopes.
  • OpenAI — the language model provider used to plan and execute QuickBooks tasks. The contents of your prompts and the QuickBooks data needed to satisfy them may be sent to OpenAI’s API for processing. Per OpenAI’s API terms, this content is not used to train OpenAI models.
  • Google — only if you choose to sign in with Google OAuth.

6. Storage, encryption, and isolation

Account data is stored in Supabase Postgres in a multi-tenant database protected by row-level security (RLS): every record carries a user_id, and users can only read or write their own rows. QuickBooks OAuth tokens are encrypted at rest with pgcrypto. Connections between your browser, the Arbor API, and our infrastructure use TLS.

7. Data retention and deletion

We retain your account data for as long as your account is active. You can disconnect a QuickBooks Online company at any time from the Companies page; doing so revokes and removes the associated OAuth tokens. You can request deletion of your account at any time by emailing us at the address in the dashboard footer. Account deletion removes stored OAuth tokens, conversation history, agent memory, scratchpad notes, and checkpoints. Audit logs may be retained for a limited period in encrypted form to satisfy security and abuse-investigation needs and are then permanently deleted.

8. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete information we hold about you, and to object to or restrict certain processing. To exercise any of these rights, contact us at the email in the dashboard footer.

9. Children

Arbor is a professional accounting tool and is not directed to children under 16. We do not knowingly collect information from children.

10. Changes to this policy

We will update this page when our practices change. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated to active users by email or in-app notice before taking effect.

11. Contact

Questions, requests, or complaints about this policy can be sent to the email address shown in the dashboard footer. By using Arbor you also agree to the License Agreement.