Privacy Policy

1. Introduction

PayoutPilot ("we," "our," or "us") operates the PayoutPilot web application and related services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

By using PayoutPilot, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address and a password (stored as a cryptographic hash). An organization is automatically created for your account.

Third-Party API Credentials

To provide our service, we store API keys and OAuth tokens for the services you connect:

• Stripe — Your Restricted API key or Secret key, and the webhook signing secret we auto-create
• QuickBooks Online — OAuth 2.0 access and refresh tokens, along with your company's Realm ID
• Square — Your access token (used by the Sales Tax feature)
• Brevo — API key (used for emailing sales tax reports)

All credentials are encrypted at rest using Supabase Vault (AES-256). We never store them in plaintext.

Transaction Data

When processing payouts and generating sales tax reports, we temporarily access and store:

• Stripe payout details, balance transactions, charges, refunds, and invoice line items
• Square order summaries (order ID, date, subtotal, tax, total)
• QuickBooks account names and IDs (chart of accounts)
• Product-to-account mappings you configure
• Payout processing results and QBO deposit references

We do not collect or store credit card numbers, bank account numbers, customer payment methods, or personally identifiable information about your customers.

Usage Data

We may collect basic usage information such as browser type, access times, and pages viewed to improve the service. We do not use third-party analytics trackers or advertising pixels.

3. How We Use Your Information

We use the information we collect to:

• Authenticate you and manage your account
• Connect to Stripe, Square, and QuickBooks on your behalf
• Process and reconcile Stripe payouts into QuickBooks deposits
• Generate monthly sales tax summaries from Stripe and Square data
• Send transactional emails (account confirmation, password reset, tax reports)
• Maintain and improve the service

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

We share data only in these limited circumstances:

• Service providers — We use Supabase for hosting, authentication, and database services; and Brevo for transactional email delivery. These providers process data on our behalf under their own privacy policies.
• Third-party APIs — When you connect Stripe, Square, or QuickBooks, we transmit data to those platforms as necessary to perform reconciliation and reporting. This data is governed by each platform's own privacy policy.
• Legal requirements — We may disclose information if required by law, subpoena, or other legal process.

5. Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted over HTTPS/TLS encryption
• API credentials encrypted at rest with AES-256 via Supabase Vault
• Database access controlled by Row Level Security (RLS) policies scoped to your organization
• OAuth tokens refreshed automatically and never exposed to the browser
• Service role authentication for server-to-server communication

While we strive to protect your information, no method of transmission or storage is 100% secure. We encourage you to use strong, unique passwords and restrict your API keys to the minimum permissions required.

6. Data Retention and Deletion

We retain your data for as long as your account is active. You may delete your account at any time from the Settings screen. When you delete your account:

• Your organization and all associated data (payout queue, transactions, mappings, settings, API credentials) are permanently deleted
• Stripe webhooks created by PayoutPilot are removed from your Stripe account
• Your authentication record is removed from our system

Deletion is immediate and irreversible. Data that has already been posted to QuickBooks or other third-party systems is not affected by account deletion — you must manage that data directly in those systems.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Withdraw consent at any time

To exercise any of these rights, contact us at tim@tradingblox.com.

8. Cookies

PayoutPilot uses browser local storage (not cookies) to maintain your authentication session and remember your selected organization. We do not use tracking cookies, advertising cookies, or third-party cookies of any kind.

9. Children's Privacy

PayoutPilot is not intended for use by individuals under the age of 18. We do not knowingly collect information from children. If we learn that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: tim@tradingblox.com