MetricBooks ("MetricBooks", "we", "us", "our") provides a software-as-a-service product that connects QuickBooks Online to Microsoft Power BI and other Postgres-compatible BI tools through a managed reporting data pipeline.
This policy applies to the MetricBooks marketing site (metricbooks.app), the application (app.metricbooks.app), checkout, support communications, and the QuickBooks-to-Power BI service ("Service").
For privacy questions or to exercise your rights, contact privacy@metricbooks.app.
MetricBooks accesses QuickBooks Online data through the official Intuit Developer APIs after you complete an OAuth 2.0 authorization. Our use of Intuit APIs and QuickBooks data is governed by:
MetricBooks uses QuickBooks data solely for the purposes disclosed to and authorized by the user during the OAuth authorization flow. We do not use QuickBooks data for advertising or to train generalized AI or ML models. If you disconnect your QuickBooks company from MetricBooks, we revoke the stored OAuth tokens and delete the associated synced QuickBooks data from our operational database and reporting warehouse, subject to the retention rules in Section 9.
Name, email address, password hash, workspace name, user role, sign-in status, and account preferences. Used to authenticate users, associate users with workspaces, and communicate about the platform.
QuickBooks realm ID, OAuth access and refresh tokens, token expiration metadata, selected environment, connection status, and audit events. Tokens are encrypted at rest with per-tenant keys and used only to maintain the authorized QuickBooks connection.
When you connect QuickBooks Online, we read data available under the com.intuit.quickbooks.accounting scope, including but not limited to invoices, payments, bills, journal entries, credit memos, customers, vendors, accounts, items, classes, departments, terms, currencies, reports, and related metadata required to build Power BI-ready reporting tables. We do not write to QuickBooks.
Read-only warehouse username, authorized IP allowlist entries, generated credential status, available reporting views, and revocation status. Stored credentials are not displayed in plain text after creation except through controlled reveal and rotation flows that you initiate.
Sync runs, timestamps, row counts, errors, audit entries, IP addresses for application access and allowlist actions, rate-limit events, webhook processing records, and security-relevant events.
Paddle.com Market Limited ("Paddle") processes payment details as Merchant of Record. We store subscription state, plan, renewal and cancellation metadata, Paddle customer, subscription and transaction identifiers, and invoice metadata required to display billing status.
If you contact us, we collect the information you provide so we can respond and resolve the request.
We process personal data only when we have a lawful basis to do so. For users protected by the EU/UK General Data Protection Regulation (GDPR) or similar laws, the legal bases are:
| Purpose | Legal basis |
|---|---|
| Create and operate your account; provide the Service | Performance of a contract |
| Process payments and manage subscriptions | Performance of a contract |
| Secure the Service, prevent abuse, investigate incidents | Legitimate interest |
| Improve and develop the Service (in aggregated, non-identifying form) | Legitimate interest |
| Send transactional emails (sync alerts, billing, security notices) | Performance of a contract |
| Send marketing emails (if applicable) | Consent (you may withdraw at any time) |
| Comply with tax, accounting, and legal obligations | Legal obligation |
No system is perfectly secure. We commit to operating MetricBooks with commercially reasonable security practices appropriate to the sensitivity of accounting data.
We do not sell your data. We share limited data only with vetted service providers that help us operate MetricBooks. These providers are contractually restricted from using customer data for their own advertising or unrelated commercial purposes.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, databases, storage, secrets, networking, logs, infrastructure | United States |
| Paddle.com Market Limited | Merchant of Record: checkout, subscription billing, taxes, receipts, refunds | United Kingdom / United States |
| Intuit Inc. | OAuth authorization, token exchange, QuickBooks API access that you authorize | United States |
| Transactional email and error-monitoring providers (if enabled) | Sync alerts, security emails, error diagnosis | United States / European Union |
A current list of subprocessors is available on request. We will provide reasonable advance notice of new subprocessors to active customers by email or in-app notice.
To request deletion outside the in-product flows, email privacy@metricbooks.app. We respond within 30 days.
MetricBooks is operated from infrastructure located in the United States. If you access the Service from outside the United States, your data will be transferred to, processed, and stored in the United States and other countries where our service providers operate.
Where required by law, we rely on appropriate safeguards for international transfers of personal data, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, executed with our service providers.
Depending on your location, you may have rights to:
To exercise these rights, email privacy@metricbooks.app. We respond within 30 days. We may need to verify your identity before processing your request.
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended:
To submit a request, email privacy@metricbooks.app with the subject line "CCPA Request".
For purposes of GDPR, MetricBooks acts as a processor of QuickBooks accounting data on behalf of the customer (the controller). For account, billing, and operational data of the user signing up for MetricBooks, MetricBooks acts as a controller.
Business customers may request a Data Processing Addendum (DPA) by emailing privacy@metricbooks.app.
If we become aware of a security incident that compromises the confidentiality, integrity, or availability of your personal data, we will notify affected customers without undue delay and, where required by law, within the timeframes set by applicable regulation (for example, 72 hours under GDPR). Notifications will describe the nature of the incident, the data affected, the steps taken, and recommended actions on your part.
The marketing site does not use third-party advertising cookies. The application uses first-party browser storage and session mechanisms (such as cookies and local storage) to keep you signed in, route you to the correct workspace, and operate the product. Disabling these may prevent the application from functioning correctly.
MetricBooks does not perform automated decision-making that produces legal or similarly significant effects on users. As stated in Section 2, we do not use QuickBooks data to train or fine-tune AI or ML models.
MetricBooks is intended for business use and is not directed to individuals under 16, or the minimum age required to enter into a binding agreement in your jurisdiction, whichever is higher. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@metricbooks.app and we will delete it.
The Service may link to third-party services (Intuit, Paddle, Microsoft Power BI, Tableau, Looker, and others). Your interaction with those services is governed by their own privacy policies. We are not responsible for the privacy practices of third parties.
We will post material changes to this policy on this page and notify active users by email at least 14 days before they take effect. Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes. The "Effective date" at the top reflects the most recent version.
MetricBooks
Email: privacy@metricbooks.app
General: hello@metricbooks.app
For EU/UK residents who wish to lodge a complaint, you may contact your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.