Legal
Privacy Policy
Last updated May 30, 2026
1. Information We Collect
We collect information needed to provide TrimBooksHQ, including account profile details, organization information, user roles, billing selections, financial records, imported data, uploaded documents, and support communications.
2. How We Use Information
We use information to operate the service, authenticate users, manage subscriptions, process bookkeeping workflows, generate reports, store files, provide support, prevent abuse, improve reliability, and meet legal or security obligations.
3. Financial and Document Data
TrimBooksHQ may store sensitive business records such as transactions, customers, vendors, invoices, bills, bank imports, grant funds, donor restrictions, contracts, receipts, and attachments. We process this data only to provide and secure the service.
4. Service Providers
We may use trusted infrastructure, authentication, payment, storage, email, analytics, and support providers to deliver TrimBooksHQ. These providers may process information on our behalf under appropriate confidentiality and security obligations.
5. Security
We use technical and organizational safeguards designed to protect customer data, including authentication controls, encryption in transit, protected storage, access controls, audit trails where available, and monitoring. No system can be guaranteed to be completely secure.
6. Data Retention and Disposal Policy
6.1 Retention Principles
We retain customer data only for as long as necessary to fulfill the purposes for which it was collected, provide the service, comply with legal and regulatory obligations, resolve disputes, enforce agreements, and maintain backups or audit records. Data is categorized by type, and each category has a defined retention period aligned with applicable laws and business requirements.
6.2 Retention Periods by Data Category
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & profile information | Duration of account + 30 days | Service delivery; account recovery |
| Financial records (invoices, bills, journal entries, payments, expenses) | Duration of account + 7 years | Tax & regulatory compliance (IRS, state agencies) |
| Bank connection credentials (Plaid access tokens) | Until disconnected or account closure | Service delivery; revoked on disconnect |
| Bank transaction data | Duration of account + 7 years | Reconciliation; tax compliance |
| Uploaded documents & receipts | Duration of account + 7 years | Record-keeping; audit support |
| Audit logs | Duration of account + 3 years | Security; compliance; dispute resolution |
| Billing & subscription data | Duration of account + 7 years | Payment records; tax compliance |
| Authentication & MFA records | Duration of account + 90 days | Security; fraud prevention |
| Support communications | 3 years from last interaction | Service improvement; dispute resolution |
| Server logs & analytics | 90 days (rolling) | Operational monitoring; security |
6.3 Data Disposal Procedures
When data reaches the end of its retention period, or when an organization owner requests deletion, we follow a structured disposal process:
- Export opportunity.Before any deletion, organization owners are offered the ability to export their data in standard formats (CSV, JSON) through the application's export functionality or by contacting support.
- Soft deletion. Records are first marked as deleted and become inaccessible through the application. A grace period of up to 30 days allows for recovery if the deletion was unintentional.
- Permanent deletion. After the grace period, records are permanently removed from primary databases. This includes cascading deletion of dependent records (e.g., line items, attachments, journal entries associated with deleted invoices).
- Third-party revocation.Credentials for connected services (e.g., Plaid access tokens) are revoked via the provider's API. Payment tokens and customer records held by payment processors are deleted per their retention policies.
- File storage cleanup. Uploaded documents, receipts, logos, and attachments are permanently deleted from cloud storage (Amazon S3) including any versioned copies.
- Backup expiration. Deleted data is retained in encrypted backups only until the backup rotation cycle completes (typically up to 35 days). Backups are encrypted at rest and access-controlled. We do not selectively restore deleted records from backups.
6.4 Account Closure
When an organization owner closes their account or their subscription is terminated:
- A data export is made available for download for up to 30 days.
- All third-party service connections (Plaid, Stripe) are revoked.
- Account data enters the soft-deletion grace period.
- After the grace period, all organization data is permanently deleted from primary storage per the disposal procedures above.
- Financial records subject to regulatory retention may be retained in anonymized or minimal form as required by law.
6.5 Deletion Requests
Organization owners may request data deletion at any time by using the in-app data purge feature in Settings, or by contacting support@trimbookshq.com. We will process deletion requests within 30 days, subject to legal retention requirements. We will confirm completion of the deletion in writing.
6.6 Disposal Verification
We maintain internal logs documenting when data disposal actions are executed, including the data categories affected, the method of disposal, and the date of completion. These logs are retained for audit purposes and are available to demonstrate compliance upon request.
7. Your Choices
You can update account and organization information in the product, manage users and roles, control uploaded records, and choose which integrations, imports, add-ons, and subscription features your organization uses.
8. Contact
Questions about this policy can be sent to support@trimbookshq.com.