Last Updated: February 2, 2025
Introduction
SBSS (Small Business Support Services) ("we," "us," "our," or "Company") operates an AI-powered back-office automation platform designed to help small businesses streamline their accounting, bookkeeping, and administrative operations. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal and business information.
We are committed to protecting your privacy. This policy applies to our website, web application, mobile application, and any related services (collectively, the "Service"). By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy.
Information We Collect
Information You Provide
- Account Registration: When you create an account, we collect your name, email address, business information, and password. Authentication is handled through Google OAuth, where we receive and store your Google account ID.
- Business Data: To provide our services, we access and store information from your email, QuickBooks Online account, and bank accounts (via Plaid). This may include invoices, bills, expense reports, vendor information, and financial transactions.
- Email Content: Our AI agents analyze your incoming and sent emails to classify documents, identify vendors, and extract financial data. Email content is processed and stored as part of service delivery.
- Financial Information: We store banking and payment card information necessary to process subscriptions and payments. Payment processing is handled securely by our payment processors.
- Voluntary Communication: Any messages, feedback, or support requests you submit are stored to help us respond to your inquiries and improve our services.
Information Collected Automatically
- Device Information: Browser type, IP address, operating system, referring URLs, pages visited, and time spent on pages.
- Usage Analytics: How you interact with the Service, which features you use, and API calls made through your account.
- Cookies and Tokens: Session cookies for authentication, OAuth tokens for integrated services, and tracking technologies to personalize your experience.
- Log Data: Error logs, access logs, and system performance data for troubleshooting and optimization.
How We Use Your Information
We process your information for the following purposes:
- Service Delivery: To provide, maintain, and improve the SBSS platform and its features.
- AI Processing: To train AI agents that analyze emails, classify documents, extract financial data, and automate back-office workflows.
- Account Management: To create and manage your account, process subscriptions, and send account-related notifications.
- Communication: To respond to support requests, send updates, and notify you of changes to our service.
- Legal Compliance: To comply with applicable laws, regulations, and legal requests from authorities.
- Fraud Prevention: To detect, prevent, and address fraud, abuse, and security incidents.
- Service Improvement: To analyze usage patterns and improve our platform features and user experience.
- Marketing: To send promotional emails and updates (you may opt out at any time).
Third-Party Services & Data Sharing
We work with external service providers to deliver our platform. These third parties have access to your information only to the extent necessary to perform their functions:
Google Services
- Google OAuth: Authentication and identity verification. Your Google account ID and basic profile information are used for login.
- Gmail API: We access your Gmail account (with your permission) to retrieve and analyze emails for classification and processing.
Gmail Data Handling (Detailed)
- Optional Connection: You can connect your Gmail account separately from your SBSS login. Gmail access is entirely optional and can be disconnected at any time without affecting your ability to use SBSS.
- What We Access: When connected, we read your incoming and sent emails to analyze and classify business documents (invoices, receipts, vendor emails, expense reports, etc.). We read email attachments to determine email type and extract relevant financial data. We do not modify your emails or delete attachments.
- AI Processing: Email content is processed by our AI agents and may be sent to OpenAI's servers for advanced analysis, document classification, and data extraction. OpenAI uses this data according to their privacy policy. We only send the minimum necessary email content required for analysis.
- What We Do With Emails:
  - Identify vendor emails and classify bill invoices
  - Extract financial data (amounts, dates, invoice numbers, vendor names)
  - Create bills in your QuickBooks Online account automatically
  - Track vendor relationships and payment history
  - Generate email digests and summaries of processed documents
- Data Retention: Processed emails are stored in your SBSS account as part of your business records. You can delete individual emails or your entire Gmail history at any time. Upon account termination, all email data is deleted within 30 days.
- Revocation: You can disconnect your Gmail account at any time in your account settings. After disconnection:
  - Email processing stops immediately
  - We no longer access your Gmail account
  - Previously processed emails remain in your SBSS account unless you delete them
  - You can reconnect your Gmail account later without loss of previous data
- Security: OAuth tokens are encrypted and stored securely in our database. We never store your Gmail password. You can revoke SBSS access through:
  - SBSS account settings ("Disconnect" button)
  - Your Google Account security settings (myaccount.google.com)
- No Data Sharing: We do not sell, rent, or share your email data with third parties except OpenAI (for AI processing) and services required to deliver our platform. Your email data is not used for marketing, profiling, or any purpose other than providing SBSS services.
QuickBooks Online
- We integrate with QuickBooks Online to create bills, manage vendors, and sync financial data. Your QBO credentials are securely stored and used only to perform authorized actions in your account.
Plaid
- For users who connect banking information, Plaid securely retrieves and transmits banking data. Plaid is PCI-DSS compliant and does not store your banking credentials.
OpenAI
- We use OpenAI's GPT-4 API to power our AI agents. Email content, document text, and financial data are sent to OpenAI for analysis and structured output generation. OpenAI uses this data according to their own privacy policy.
Payment Processors
- Payment information is processed by secure third-party payment processors. We do not store full credit card details.
Disclosure of Information
We do not sell your personal information. We may share information in these circumstances:
- With your explicit consent
- With service providers under data processing agreements
- To comply with legal obligations, court orders, or government requests
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of assets (with notice)
Data Security
We implement comprehensive technical and organizational measures to protect your information:
- Encryption: All data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted in our databases.
- Access Controls: Only authorized employees with legitimate business reasons can access your data, subject to strict confidentiality agreements.
- Secure Authentication: We use secure OAuth flows, session tokens, and password hashing (bcrypt/Argon2).
- Regular Audits: We conduct regular security assessments, penetration testing, and code reviews.
- Incident Response: If a security breach occurs, we have procedures to contain the breach, notify affected users, and work with authorities.
- Vendor Security: Third-party service providers must meet industry security standards and maintain appropriate certifications (SOC 2, ISO 27001, etc.).
Note: While we take security seriously, no system is 100% secure. We cannot guarantee absolute security of your information.
Your Rights
GDPR Rights (EU Users)
If you are located in the European Union, you have the following rights:
- Right to Access: You can request a copy of your personal data.
- Right to Correction: You can request we correct inaccurate data.
- Right to Deletion: You can request we delete your data ("right to be forgotten") subject to certain exceptions.
- Right to Restrict Processing: You can limit how we process your information.
- Right to Data Portability: You can request your data in a portable format to transfer to another service.
- Right to Object: You can object to certain types of processing, including marketing.
- Right to Withdraw Consent: You can withdraw consent at any time.
CCPA Rights (California Users)
If you are a California resident, you have the following rights:
- Right to Know: You can request what personal information we collect, use, and share.
- Right to Delete: You can request deletion of your personal information (with certain exceptions).
- Right to Opt-Out: You can opt out of the "sale or sharing" of your personal information for targeted advertising.
- Right to Correct: You can request correction of inaccurate information.
- Right to Appeal: If we deny a request, you have the right to appeal our decision.
How to Exercise Your Rights
To exercise any of these rights, please contact us at support@smallbusinessessupport.services with your request. We will respond within 30 days or as required by law. You may also exercise rights directly through your account settings or by contacting our support team.
Data Retention
- Active Accounts: We retain your business data and account information while your account is active.
- Deleted Accounts: After you delete your account, we retain data for 30 days to allow for recovery. After this period, data is deleted from our primary systems.
- Legal Holds: If we receive a legal request or have a legal obligation, we may retain data beyond the normal retention period.
- Automated Logs: Server logs and technical data may be retained for 90 days for security and debugging purposes.
- Email Archives: Processed emails may be retained longer if required for compliance purposes.
Cookies & Tracking Technologies
What Are Cookies?
Cookies are small text files stored on your device that contain information about your browsing activity. We use cookies for the following purposes:
Session Cookies
- Authentication: Essential cookies that keep you logged in and maintain your session securely.
- Preferences: Cookies that remember your language, timezone, and display preferences.
Tracking & Analytics
- We may use analytics services (such as Google Analytics) to understand how users interact with our platform.
- These cookies are non-essential and can be disabled. You consent to analytics when you accept our cookie policy.
Third-Party Cookies
- Third-party service providers may set cookies for functionality and analytics.
- You can control cookies through your browser settings.
Disabling Cookies
You can disable cookies through your browser settings, but this may impact platform functionality and user experience. Session cookies are essential for authentication and cannot be disabled while using the service.
Children's Privacy
Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we discover that we have collected information from a child under 18, we will delete such information promptly. If you believe we have collected information from a child under 18, please contact us immediately at support@smallbusinessessupport.services.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Email notification to the address associated with your account
- Prominent notice on our website or app
- Requiring affirmative acceptance of the updated policy before you can continue using the Service
Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. We recommend you review this policy regularly.
Contact Us
If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us:
- Email: support@smallbusinessessupport.services
- Response Time: We will respond to privacy requests within 30 days
For GDPR-related inquiries from EU residents, we maintain records of our data processing activities and can provide additional information about our legal basis and data processing practices upon request.
Privacy Commitment
We are committed to protecting your privacy and maintaining transparency about our data practices. Your trust is essential to our business, and we take our responsibility seriously. If you have concerns or complaints about our privacy practices, please contact us first. You also have the right to lodge a complaint with your local data protection authority.