Privacy Policy
Last updated: March 21, 2026
1. Introduction
Bolt Systems, LLC ("Company," "we," "us," or "our") operates the Quoining platform ("Service"), a multi-entity GAAP accounting software product available at quoining.com. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you visit our website, create an account, or use any part of the Service.
We are committed to protecting the privacy and security of the data entrusted to us. This policy is designed to comply with the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Delaware Personal Data Privacy Act ("DPDPA"), and other applicable privacy laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Service immediately.
2. Scope & Applicability
This Privacy Policy applies to:
- All visitors to quoining.com and any related marketing pages
- Individuals who create an account on the Service ("Users")
- Organization administrators who manage entities, team members, and integrations
- Third-party individuals whose personal data is processed through the Service by our customers (e.g., vendors, customers, employees whose information appears in accounting records)
B2B Context: Controller vs. Processor. Quoining is a business-to-business ("B2B") platform. When our customers upload or input data about their own vendors, customers, employees, or other third parties into the Service, we act as a data processor on behalf of our customer, who is the data controller. Our customers are responsible for ensuring they have the appropriate legal basis to provide such data to us. This Privacy Policy governs our own data collection and processing activities; our customers' use of data they process through the Service is governed by their own privacy policies and our Data Processing Agreement ("DPA").
This policy does not apply to third-party websites, products, or services linked from our Service, even if they bear the Quoining brand. We encourage you to review the privacy policies of any third-party service you access.
3. Definitions
For purposes of this Privacy Policy, the following terms have the meanings set forth below:
- Personal Data (Personal Information): Any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, device identifiers, financial information, and any other data that can be linked to an individual, directly or indirectly.
- Processing: Any operation performed on Personal Data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Data Controller: The entity that determines the purposes and means of Processing Personal Data. With respect to account and usage data, Bolt Systems, LLC is the Controller. With respect to accounting data uploaded by our customers, the customer is the Controller.
- Data Processor: The entity that Processes Personal Data on behalf of the Data Controller. When our customers use the Service to process their accounting data, we act as a Processor.
- Data Subject: An identified or identifiable natural person whose Personal Data is being Processed.
- Sub-Processor: A third-party entity engaged by us to Process Personal Data on behalf of the Controller.
- Consent: A freely given, specific, informed, and unambiguous indication of a Data Subject's wishes by which they signify agreement to the Processing of their Personal Data.
- Service: The Quoining accounting platform, including all web-based features, APIs, integrations, and related services provided by Bolt Systems, LLC.
- Sensitive Personal Information: A subset of Personal Data that includes financial account numbers, tax identification numbers (EINs, SSNs), precise geolocation, racial or ethnic origin, religious beliefs, health data, biometric data, and sexual orientation. See Section 19 for details on our handling of Sensitive Personal Information.
4. Legal Basis for Processing (GDPR Article 6)
Where the GDPR or UK GDPR applies, we process Personal Data only when we have a valid legal basis. The table below maps each processing purpose to its legal basis:
| Processing Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Article 6(1)(b)) |
| Providing, operating, and maintaining the accounting Service | Contract performance (Article 6(1)(b)) |
| Processing financial data and generating accounting reports | Contract performance (Article 6(1)(b)) |
| AI-powered transaction categorization and financial assistant | Contract performance (Article 6(1)(b)) / Legitimate interests (Article 6(1)(f)) |
| Subscription billing and payment processing | Contract performance (Article 6(1)(b)) |
| Bank account linking (Plaid) and transaction feeds | Consent (Article 6(1)(a)), you initiate the connection |
| Third-party integrations (Brex, Ramp, Expensify, Gusto, Bill.com, Avalara, Shopify) | Consent (Article 6(1)(a)), you initiate each connection |
| Cryptocurrency wallet scanning and on-chain data | Consent (Article 6(1)(a)), you provide wallet addresses |
| Security monitoring, fraud detection, and abuse prevention | Legitimate interests (Article 6(1)(f)) |
| Usage analytics and service improvement | Legitimate interests (Article 6(1)(f)) |
| Administrative communications (security alerts, service updates) | Legitimate interests (Article 6(1)(f)) / Contract performance (Article 6(1)(b)) |
| Error monitoring and performance tracking (Sentry) | Legitimate interests (Article 6(1)(f)) |
| Tax record retention and compliance | Legal obligation (Article 6(1)(c)) |
| Responding to lawful requests from authorities | Legal obligation (Article 6(1)(c)) |
| Audit trail and immutable logging for financial integrity | Legal obligation (Article 6(1)(c)) / Legitimate interests (Article 6(1)(f)) |
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request information about our balancing tests by contacting privacy@quoining.com.
5. Information We Collect
5.1 Information You Provide Directly
- Account Information: Name, email address, password (hashed), company name, job title, and role when you register or are invited to a team
- Entity & Corporate Information: Legal entity names, EIN/tax identification numbers, states of incorporation, fiscal year settings, corporate structure, and multi-entity hierarchy
- Financial Data: Chart of accounts, journal entries, bank statements, credit card transactions, vendor and customer records, invoices, bills, purchase orders, payments, receipts, and other accounting data you upload, create, or import
- Banking Data (via Plaid): When you connect a bank account, Plaid transmits account balances, transaction history, and account metadata. Plaid's own data handling is governed by Plaid's privacy policy.
- Blockchain & Cryptocurrency Data: Wallet addresses you provide for cryptocurrency tracking, and publicly available on-chain transaction data (transaction hashes, token transfers, balances, ERC-20 token details) retrieved via the Moralis blockchain API. We never store private keys, seed phrases, or wallet passwords.
- Employee & Payroll Data (via Gusto): When you connect a Gusto payroll integration, we receive payroll run summaries, employee-level wage breakdowns, tax withholdings, benefit deductions, employer contributions, and net pay amounts. See Section 20 for details on how we handle payroll data.
- E-Commerce Data (via Shopify): When you connect a Shopify integration, we receive payout summaries, order data, product information, and inventory details necessary to generate accounting journal entries.
- Expense & Corporate Card Data (via Brex, Ramp, Expensify): When you connect expense integrations, we receive transaction data, expense reports, merchant details, and category information.
- Accounts Payable Data (via Bill.com): When you connect Bill.com, we receive vendor records, bill details, and payment status information.
- Tax Compliance Data (via Avalara): When you connect Avalara AvaTax, we exchange transaction details for automated tax calculation and compliance purposes.
- Document Inbox Data: Documents forwarded to your Quoining email inbox (invoices, receipts, statements) are processed using AI extraction to identify amounts, dates, vendors, and line items.
- Payment Information: Billing address and payment method details for your Quoining subscription, processed by Stripe. We do not store full payment card numbers. Stripe is PCI DSS Level 1 certified.
- Communications: Messages, feedback, support requests, and any content you send to us through email, in-app support, or other channels
5.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken, time spent, clicks, navigation paths, search queries, and module usage patterns
- Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences
- Log Data: IP address, access times, referring URLs, HTTP request methods, response codes, and error logs
- Authentication Logs: Login timestamps, authentication method used (password, Google OAuth, two-factor authentication), session duration, and IP address at login
- Cookies & Tracking Technologies: Session cookies for authentication, preference cookies (most preferences stored server-side in our database), and analytics cookies. See Section 10 for full details.
5.3 Information We Do Not Collect
We do not collect:
- Biometric data (fingerprints, facial recognition, voiceprints, retina scans)
- Precise geolocation data (GPS coordinates). We may infer approximate location from IP address for security purposes only
- Racial or ethnic origin, religious beliefs, political opinions, trade union membership, or sexual orientation
- Health or medical data
- Genetic data
- Private keys, seed phrases, or wallet passwords for cryptocurrency
6. How We Use Your Information
We use the information we collect for the following purposes, each mapped to a legal basis described in Section 4:
6.1 Service Delivery & Operations
- Provide, operate, maintain, and improve the accounting Service
- Process your financial data and generate reports, financial statements, trial balances, and other accounting outputs
- Execute SmartGL engine operations, automatically synthesizing bank, credit card, and bill data into a proper General Ledger
- Process bank reconciliations, period close checklists, and year-end close procedures
- Facilitate multi-entity consolidation, intercompany eliminations, and currency translation
6.2 Account Management & Authentication
- Authenticate your identity and manage your account, including two-factor authentication
- Manage role-based access control (RBAC) and entity-level permissions
- Process team invitations and multi-company access
6.3 AI-Powered Features
- AI transaction categorization: automatically suggest GL account mappings for imported transactions
- AI Accountant: natural language financial data entry using Anthropic Claude
- AI PDF bank statement parsing: extract transactions from uploaded PDF statements
- AI-assisted footnote generation for financial statements
- AI-powered period close features (anomaly detection, flux analysis, close narrative generation)
- Document inbox AI extraction: identify amounts, dates, and vendors from forwarded documents
See Section 8 for detailed information about our AI and automated decision-making practices.
6.4 Billing & Payments
- Process subscription payments and manage billing through Stripe
- Send invoices, receipts, and payment-related communications
6.5 Communications
- Send administrative communications (account verification, security alerts, service updates, password reset)
- Respond to support requests and communications
6.6 Security & Compliance
- Detect, prevent, and address fraud, unauthorized access, security issues, and technical problems
- Enforce rate limits to protect the Service from abuse
- Maintain immutable audit trails for financial integrity and SOC compliance
- Comply with legal obligations including tax record retention and law enforcement requests
- Enforce our Terms of Service
6.7 Analytics & Improvement
- Monitor and analyze usage trends and module adoption to improve user experience
- Track performance metrics and diagnose technical issues via Sentry error monitoring
- Conduct A/B testing and feature evaluation (aggregated, non-identifying)
7. How We Share Your Information
We do not sell, rent, or trade your personal information. We do not share your personal information for cross-context behavioral advertising. We may share your information only in the following circumstances:
- Service Providers (Sub-Processors): Third-party vendors who process data on our behalf under written data processing agreements. These providers are contractually obligated to protect your data and may only use it to perform services for us. See Section 9 for a complete list of current sub-processors.
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our legal rights, your safety, or the safety of others, or to investigate fraud.
- Business Transfers: In connection with a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets. You will be notified via email and/or prominent notice on our Service at least 30 days before any change in ownership or use of your Personal Data.
- With Your Consent: When you explicitly authorize us to share your information with a third party.
- Team Members: Information may be visible to other users within your organization who have been granted access by your account administrator, subject to role-based permissions and entity-level access controls.
- Professional Advisors: Attorneys, auditors, and insurance providers as needed for professional services, subject to confidentiality obligations.
8. AI & Automated Decision-Making (GDPR Article 22)
Quoining uses artificial intelligence and machine learning features powered by Anthropic's Claude large language model. We believe in transparency about how AI processes your data.
8.1 AI Features and Data Flows
- AI Transaction Categorization: When enabled, transaction descriptions, amounts, and merchant names are sent to Anthropic Claude to suggest GL account mappings. The AI reviews your chart of accounts and past categorization patterns to provide suggestions. All categorizations are presented as suggestions, and a human user must review and approve or modify before they take effect.
- AI Accountant (Natural Language Entry): When you interact with the AI Accountant, your natural language prompts, along with relevant contextual data (chart of accounts, entity names, recent transactions as needed) are sent to Anthropic Claude. The AI generates draft journal entries, bills, invoices, or other records that require human review and confirmation before posting.
- AI PDF Bank Statement Parsing: When you upload a PDF bank statement, the document is sent to Anthropic Claude to extract structured transaction data (dates, descriptions, amounts, running balances). Extracted data is presented for your review before import.
- AI Period Close Features: Anomaly detection, flux analysis, and close narrative generation use financial data in conjunction with Anthropic Claude to generate insights and draft narratives. All outputs are advisory and require human review.
- AI Document Inbox Extraction: Documents forwarded to your inbox are processed using AI to identify amounts, dates, vendors, and line items for automatic categorization.
- AI-Assisted Footnotes: Financial statement footnote generation uses Anthropic Claude to draft footnote language based on your accounting data. All footnotes require human review and editing.
8.2 Data Sent to Anthropic
When AI features are invoked, we send the minimum data necessary to Anthropic Claude to perform the requested function. This may include:
- Transaction descriptions, amounts, dates, and merchant names
- Chart of accounts names and numbers (not balances, unless specifically needed for the feature)
- Entity names and department names
- PDF bank statement content
- Natural language prompts you type into the AI Accountant
Anthropic does not use data submitted through our API to train its models. Our agreement with Anthropic prohibits them from retaining your data beyond the duration necessary to provide the response. For more information, see Anthropic's Privacy Policy.
8.3 No Solely Automated Decisions with Legal Effects
We do not make any solely automated decisions that produce legal effects or similarly significantly affect you, as described in GDPR Article 22. All AI-generated outputs in Quoining are suggestions or drafts that require human review and explicit confirmation before they affect your financial records. Specifically:
- AI categorization suggestions must be accepted by a user before any GL posting occurs
- AI Accountant draft entries must be reviewed and confirmed before they are saved
- AI-parsed PDF transactions are presented for review before import
- AI-generated footnotes and narratives are editable drafts, not final outputs
8.4 Your Rights Regarding AI Processing
You have the right to:
- Request human review of any AI-generated suggestion or output
- Override or modify any AI-generated categorization, entry, or narrative
- Opt out of AI features entirely. All AI features can be disabled by your account administrator, and the Service is fully functional without AI
- Request an explanation of how a specific AI output was generated
9. Sub-Processors
The following third-party sub-processors may process your data in connection with the Service. Each sub-processor is bound by a data processing agreement or equivalent contractual terms:
| Provider | Purpose | Data Categories Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting (ECS), CDN (CloudFront), database (RDS PostgreSQL), file storage (S3), transactional email (SES) | All data categories (infrastructure provider) | United States |
| Stripe | Payment processing and subscription billing | Billing name, email, address, payment method tokens | United States |
| Plaid | Bank account linking and transaction feeds | Bank account identifiers, transaction history, account balances | United States |
| Google | OAuth authentication (Google Sign-In) | Email address, name, profile picture URL | United States |
| Anthropic (Claude) | AI-powered transaction categorization, financial assistant, PDF parsing, footnote generation | Transaction descriptions, amounts, chart of accounts, document content, natural language prompts | United States |
| Sentry | Error monitoring and performance tracking | Error stack traces, browser/device info, IP address (anonymized), user ID | United States |
| Brex / Ramp | Optional corporate card and expense integrations (only when connected by you) | Transaction data, expense reports, merchant details, category information | United States |
| Expensify | Optional expense report import (only when connected by you) | Expense reports, receipt data, employee names, amounts | United States |
| Gusto | Optional payroll integration (only when connected by you) | Payroll run summaries, employee wage breakdowns, tax withholdings, benefit deductions | United States |
| Bill.com | Optional accounts payable sync (only when connected by you) | Vendor records, bill details, payment amounts, payment status | United States |
| Avalara AvaTax | Optional tax calculation and compliance automation (only when connected by you) | Transaction amounts, addresses, product/service codes, tax jurisdiction data | United States |
| Moralis | Blockchain data API for reading cryptocurrency wallet transaction history (only when wallet addresses are provided by you) | Wallet addresses, on-chain transaction data (public blockchain data) | United States |
| Shopify | Optional e-commerce integration for payout-level summary journal entries, order sync, and product/inventory mapping (only when connected by you) | Payout summaries, order data, product information, inventory details, customer counts (aggregated) | United States |
We will update this list when we add or change sub-processors. Material changes will be communicated via notice on the Service at least 30 days before the new sub-processor begins processing data. If you object to a new sub-processor, you may terminate your use of the Service before the new sub-processor is engaged.
10. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for authentication, session management, CSRF protection, and core functionality. These cookies are strictly necessary and cannot be disabled without preventing the Service from functioning.
- Preference Cookies: Used alongside server-backed preference storage to remember your settings (e.g., theme, sidebar state, dashboard layout). Most preferences are stored securely in our database rather than in browser cookies; only cookie consent status is stored in the browser.
- Analytics Cookies: Help us understand how users interact with the Service to improve functionality and performance. These cookies are only set after you provide consent.
You can manage cookie preferences through the cookie consent banner displayed when you first visit our site, or through your browser settings. Disabling essential cookies may prevent you from using the Service. We do not use advertising cookies or tracking pixels.
11. Data Security
We implement comprehensive technical and organizational measures to protect your data. Our security program is designed to meet SOC 2 Type II standards and includes:
11.1 Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints.
- At Rest: Data stored in our PostgreSQL database (AWS RDS) and file storage (AWS S3) is encrypted using AES-256 encryption.
- Field-Level Encryption: Sensitive fields (e.g., bank account numbers, tax identification numbers, API keys, integration credentials) are additionally encrypted at the application layer using AES-256-GCM with a dedicated encryption key, providing defense-in-depth beyond database-level encryption.
11.2 Access Controls
- Role-based access control (RBAC) with admin, member, and viewer roles
- Entity-level access restrictions: users can only access entities explicitly assigned to them
- Two-factor authentication (TOTP) available for all accounts
- All sessions invalidated on password change
- Rate limiting on authentication endpoints (database-backed with in-memory fallback)
- Administrative access is time-limited (10 minutes maximum), IP-bound, and fully logged
11.3 Audit Logging & Immutable Trail
- Every data mutation is logged with actor identity, IP address, user agent, timestamp, and action details
- Audit logs are protected by database triggers that prevent UPDATE and DELETE operations. The audit trail is immutable
- Each audit record includes a monotonic sequence number for gap detection
- Audit log deletion is prevented by RESTRICT foreign key constraints
- Audit logs are available to enterprise customers upon request
11.4 Infrastructure & Vulnerability Management
- Application hosted on AWS ECS with CloudFront CDN
- Environment variables validated at application startup. The Service will not start with missing or invalid configuration
- No hardcoded credentials or fallback secrets in application code
- Automated dependency updates via Dependabot
- Input validation using Zod schemas on all user-submitted data
- HTML output sanitization to prevent injection attacks
11.5 Incident Response
We maintain a documented incident response plan. In the event of a confirmed data breach that compromises the security, confidentiality, or integrity of your personal information, we will:
- Notify affected users via email without unreasonable delay, and no later than 72 hours after becoming aware of the breach (consistent with GDPR Article 33)
- Provide a description of the nature of the breach, the categories and approximate number of records affected, and the likely consequences
- Describe the measures taken or proposed to address the breach, including steps to mitigate possible adverse effects
- Notify relevant supervisory authorities as required by applicable law (e.g., state attorneys general, GDPR supervisory authority, UK Information Commissioner's Office)
- Document the breach internally regardless of whether notification thresholds are met
12. Administrative Access
Authorized Quoining personnel may access your account data in the following limited circumstances:
- Customer support: When you contact us for assistance and troubleshooting requires reviewing your account configuration or data
- Compliance and audit: To verify data integrity, investigate suspected fraud, or respond to legal obligations
- System maintenance: To diagnose and resolve technical issues affecting your account
All administrative access is subject to the following safeguards:
- Access is restricted to authorized personnel with a documented business need
- Every access session is cryptographically authenticated and logged to an immutable audit trail, including the administrator's identity, IP address, timestamp, and session duration
- Sessions are time-limited (maximum 10 minutes) and bound to the originating IP address and device
- Administrative access does not grant the ability to modify your password, authentication settings, or billing information
- Audit logs of administrative access are available to enterprise customers upon request
13. International Data Transfers
All data processed by Quoining is currently stored and processed in the United States. If you are located outside the United States, your data will be transferred to the United States for processing.
13.1 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021 version) as the primary mechanism for transfers from the EEA. For UK transfers, we use the UK International Data Transfer Addendum to the SCCs.
- EU-U.S. Data Privacy Framework: Where applicable, we rely on sub-processors' certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.
- Transfer Impact Assessments (TIAs): We conduct Transfer Impact Assessments to evaluate the legal framework of the destination country and confirm that appropriate supplementary measures are in place to ensure an essentially equivalent level of protection.
13.2 Sub-Processor Transfers
All of our sub-processors listed in Section 9 currently process data in the United States. We require each sub-processor to maintain appropriate safeguards for international data transfers, including adherence to the Data Privacy Framework or Standard Contractual Clauses where applicable.
13.3 Your Rights
You may request a copy of the Standard Contractual Clauses or Transfer Impact Assessments applicable to your data by contacting privacy@quoining.com.
14. Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your Personal Data:
- Right to Access: Request a copy of the Personal Data we hold about you, along with information about how it is processed
- Right to Correction (Rectification): Request correction of inaccurate or incomplete Personal Data
- Right to Deletion (Erasure): Request deletion of your Personal Data, subject to legal retention requirements and legitimate business needs
- Right to Portability: Request a machine-readable export of your Personal Data in a structured, commonly used format (see Section 18)
- Right to Object: Object to processing based on legitimate interests, including profiling
- Right to Restrict Processing: Request restriction of processing in certain circumstances (e.g., while we verify accuracy of contested data)
- Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing before withdrawal
- Right Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal effects (see Section 8)
To exercise any of these rights, contact us at privacy@quoining.com. We will acknowledge your request within 10 business days and respond substantively within 30 days (or within the timeframe required by applicable law). If we need additional time, we will notify you of the extension and the reasons for it.
We will not discriminate against you for exercising any of your privacy rights. Exercising your rights will not result in different pricing, reduced service quality, or denial of service.
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"). This section supplements the rest of our Privacy Policy with information required by California law.
15.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of Personal Information (as defined by the CCPA):
- Identifiers: Name, email address, IP address, account name, unique personal identifier
- Financial Information: Bank account numbers (encrypted), transaction data, billing information
- Commercial Information: Records of products or services purchased (subscription details), purchasing or consuming histories
- Internet or Network Activity: Browsing history on our Service, search history within the Service, interactions with our Service
- Professional or Employment Information: Job title, company name, role within the organization
- Inferences: AI-generated transaction categorization suggestions based on transaction patterns
15.2 Business Purposes for Collection
We collect and use Personal Information for the business purposes described in Section 6, including: providing the Service, processing payments, security and fraud prevention, debugging and error repair, account maintenance, and service improvement.
15.3 No Sale or Sharing
We do not sell your Personal Information. We have not sold Personal Information in the preceding 12 months and have no plans to do so. We do not "share" Personal Information for cross-context behavioral advertising as defined under the CPRA. We do not have actual knowledge that we sell or share the Personal Information of consumers under 16 years of age.
15.4 Your CCPA/CPRA Rights
As a California resident, you have the right to:
- Right to Know: Request disclosure of the categories and specific pieces of Personal Information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your Personal Information, subject to certain exceptions (e.g., legal retention requirements, completing transactions)
- Right to Correct: Request correction of inaccurate Personal Information
- Right to Opt Out of Sale/Sharing: Although we do not sell or share Personal Information, you may submit an opt-out request at any time
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of Sensitive Personal Information to purposes necessary to provide the Service
- Right to Non-Discrimination: We will not deny you goods or services, charge different prices, provide a different quality level, or suggest any of the foregoing for exercising your CCPA/CPRA rights
15.5 How to Submit a Request
To submit a verifiable consumer request, you may:
- Email us at privacy@quoining.com
- Use the in-app privacy settings in your Quoining account (Settings → Privacy)
15.6 Verification Process
We will verify your identity before fulfilling your request. For requests submitted via the email associated with your Quoining account, we will verify ownership of that email address. For requests submitted by other means, we may require you to provide information sufficient to verify your identity (e.g., confirming account details). We will not fulfill a request if we cannot verify your identity or authority to make the request.
15.7 Authorized Agents
You may designate an authorized agent to make requests on your behalf. To do so, provide us with written authorization signed by you, or a power of attorney. We may still ask you to verify your own identity directly.
15.8 Response Timeframes
We will acknowledge receipt of your request within 10 business days and provide a substantive response within 45 calendar days of receiving a verifiable request. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason for it.
15.9 Financial Incentive Programs
We do not offer financial incentives, price differences, or service differences in exchange for the retention or sale of Personal Information.
16. Virginia, Colorado, Connecticut & Other US State Privacy Rights
If you are a resident of Virginia, Colorado, Connecticut, Delaware, or another US state with a comprehensive consumer privacy law, you may have additional rights beyond those described in Section 14.
16.1 Virginia Consumer Data Protection Act (VCDPA)
Virginia residents have the right to:
- Confirm whether we are processing your Personal Data and access that data
- Correct inaccuracies in your Personal Data
- Delete your Personal Data
- Obtain a portable copy of your Personal Data
- Opt out of processing for targeted advertising, sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in any of these activities)
16.2 Colorado Privacy Act (CPA)
Colorado residents have the right to:
- Confirm whether we are processing your Personal Data and access that data
- Correct inaccuracies in your Personal Data
- Delete your Personal Data
- Obtain a portable copy of your Personal Data
- Opt out of processing for targeted advertising, sale of Personal Data, or profiling (we do not engage in these activities)
16.3 Connecticut Data Privacy Act (CTDPA)
Connecticut residents have the right to:
- Confirm whether we are processing your Personal Data and access that data
- Correct inaccuracies in your Personal Data
- Delete your Personal Data
- Obtain a portable copy of your Personal Data
- Opt out of processing for targeted advertising, sale of Personal Data, or profiling (we do not engage in these activities)
16.4 Delaware Personal Data Privacy Act (DPDPA)
Delaware residents have rights substantially similar to those listed above, including the right to access, correct, delete, and obtain a portable copy of Personal Data, and to opt out of targeted advertising, sale, and profiling.
16.5 Appeal Process
If we decline to take action on your request, you have the right to appeal our decision. To appeal, send an email to privacy@quoining.com with the subject line "Privacy Rights Appeal" and include a description of your original request and the reason you believe our decision was incorrect. We will respond to your appeal within 60 days. If your appeal is denied, you may contact your state's Attorney General to submit a complaint:
- Virginia: Office of the Attorney General, oag.state.va.us
- Colorado: Office of the Attorney General, coag.gov
- Connecticut: Office of the Attorney General, portal.ct.gov/AG
- Delaware: Department of Justice, attorneygeneral.delaware.gov
17. European Economic Area & UK Rights (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the GDPR and/or UK GDPR:
17.1 Rights Summary
- Right of Access (Article 15): Obtain confirmation of whether we process your Personal Data and receive a copy of that data, along with supplementary information about the processing
- Right to Rectification (Article 16): Have inaccurate Personal Data corrected and incomplete data completed
- Right to Erasure (Article 17): Have your Personal Data deleted when it is no longer necessary, you withdraw consent, or you object and there are no overriding legitimate grounds
- Right to Restriction (Article 18): Restrict processing where accuracy is contested, processing is unlawful, or we no longer need the data but you require it for legal claims
- Right to Data Portability (Article 20): Receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to Object (Article 21): Object to processing based on legitimate interests (including profiling). We must cease processing unless we demonstrate compelling legitimate grounds
- Rights Related to Automated Decision-Making (Article 22): Not be subject to solely automated decision-making with legal or similarly significant effects (see Section 8)
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
17.2 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your Personal Data infringes the GDPR or UK GDPR. You may file a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement. Key supervisory authorities include:
- United Kingdom: Information Commissioner's Office (ICO), ico.org.uk
- Ireland: Data Protection Commission (DPC), dataprotection.ie
- Germany: Relevant state data protection authority (Landesdatenschutzbeauftragter)
- France: Commission Nationale de l'Informatique et des Libertés (CNIL), cnil.fr
- Netherlands: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl
We encourage you to contact us first at privacy@quoining.com so we can address your concern directly before you escalate to a supervisory authority.
17.3 Data Protection Officer
For questions regarding our GDPR compliance, you may contact our Data Protection Officer at support@quoining.com. See Section 23 for full contact details.
18. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how companies should respond to DNT signals. We do not currently respond to DNT signals. However, we do not engage in cross-site tracking, targeted advertising, or sale of Personal Information, so the practical effect of DNT on our Service is minimal. We will update this policy if a uniform standard for DNT is adopted.
19. Data Minimization & Purpose Limitation
We are committed to the principles of data minimization and purpose limitation:
- Collection Limitation: We collect only the minimum Personal Data necessary to provide and improve the Service. We do not collect data "just in case." Each data element has a defined purpose.
- Purpose Limitation: We use Personal Data only for the purposes described in this Privacy Policy. We will not repurpose your data for unrelated activities without your explicit consent.
- AI Data Minimization: When invoking AI features, we send only the minimum data necessary for the specific AI function, not your entire accounting dataset.
- Integration Data Minimization: Third-party integrations (Plaid, Gusto, Shopify, etc.) are only activated when you explicitly initiate the connection. We only request the data scopes necessary for the integration's function.
- Storage Limitation: We do not retain data beyond the periods described in Section 21 unless required by law or requested by you.
20. Data Portability & Export
We believe your data belongs to you. Quoining provides multiple ways to export your data:
- In-App Exports: Most data tables and reports in Quoining include CSV and/or PDF export functionality available directly from the user interface
- Financial Statement Export: Financial statements (Income Statement, Balance Sheet, Cash Flow) can be exported as PDF documents
- API Access: Quoining's Public API (v1) provides programmatic access to accounts, bills, entities, invoices, journal entries, and trial balance data in structured JSON format
- Full Data Export: You may request a complete export of all your Personal Data and accounting data by contacting privacy@quoining.com. We will provide the export in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days of a verified request.
Data exports include all data categories that you have the right to receive under applicable privacy law. Exported data will not include derived data that constitutes our trade secrets (e.g., proprietary SmartGL engine logic), but will include all outputs generated from your data.
21. Sensitive Personal Information
Given the nature of accounting software, certain categories of Sensitive Personal Information may be processed through the Service:
21.1 Financial Data We Process
- Bank Account Numbers: Encrypted at the field level using AES-256-GCM in addition to database-level encryption
- Tax Identification Numbers (EINs): Encrypted at the field level; access restricted to administrators
- Payment Card Information: We do not store payment card numbers. All payment processing is handled by Stripe (PCI DSS Level 1 certified)
- Payroll Data: When Gusto integration is connected, employee wage and tax withholding data is encrypted and access is restricted to authorized users
21.2 Sensitive Data We Do Not Collect
We do not collect, process, or store:
- Social Security Numbers (SSNs) of individuals (only employer EINs)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Health or medical data
- Biometric data
- Genetic data
- Sexual orientation or sex life data
- Precise geolocation data (GPS coordinates)
- Criminal conviction or offense data
21.3 Protection Measures
All Sensitive Personal Information processed through Quoining is subject to enhanced protections including field-level encryption, role-based access controls, audit logging, and retention limits as described in Sections 11 and 21. Under the CPRA, we use Sensitive Personal Information only for purposes necessary to provide the Service and do not use it for inferring characteristics about you.
22. Employee & Payroll Data
When you connect the Gusto payroll integration, certain employee and payroll data is transmitted to Quoining for the purpose of generating accounting journal entries and financial reports. This section explains what data flows through our system and how we handle it.
22.1 Data Received from Gusto
- Payroll run summaries (dates, total amounts, pay period)
- Employee-level wage breakdowns (gross pay, net pay)
- Tax withholdings (federal, state, local)
- Benefit deductions (health insurance, retirement contributions)
- Employer contributions (employer tax portions, benefit contributions)
- Employee names and identifiers (for line-item attribution)
22.2 How We Use Payroll Data
Payroll data is used exclusively for:
- Generating SmartGL journal entries (debit Wage Expense, credit Payroll Liabilities and Cash)
- Populating payroll-related line items in financial statements
- Supporting period close and reconciliation processes
22.3 Controller/Processor Relationship
For payroll data, your organization is the Data Controller. Quoining processes this data on your behalf as a Data Processor. Gusto separately acts as a Processor for your payroll operations. We do not independently use employee payroll data for purposes outside of providing the accounting Service.
22.4 Employee Rights
Employees whose data is processed through Quoining via the Gusto integration should direct privacy inquiries and rights requests to their employer (the Data Controller). If we receive a request directly from an employee, we will direct them to the appropriate Controller and assist the Controller in fulfilling the request as required by applicable law.
23. Data Retention
We retain your data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and support our legitimate business needs. The following table summarizes our retention schedule by data type:
| Data Type | Retention Period | Basis |
|---|---|---|
| Financial records (journal entries, transactions, invoices, bills) | 7 years after creation | IRS record retention requirements; GAAP audit trail |
| Tax-related records (1099s, tax calculations) | 7 years after the applicable tax year | IRS statute of limitations |
| Audit logs | Indefinite (immutable) | SOC compliance; financial integrity; legal obligations |
| Account data (profile, settings, preferences) | Duration of active account + 90 days post-termination | Account recovery; contract performance |
| Authentication logs (login events, IP addresses) | 2 years | Security monitoring; fraud detection |
| Usage analytics (page views, feature usage) | 2 years (aggregated and anonymized after 90 days) | Service improvement |
| Error logs (Sentry) | 90 days | Debugging and performance monitoring |
| Support communications | 3 years after resolution | Quality assurance; dispute resolution |
| Subscription and billing records | 7 years after the end of the subscription | Tax and accounting obligations |
| Uploaded documents (PDFs, statements, receipts) | Duration of active account + 90 days post-termination | Service delivery; account recovery |
| Cryptocurrency transaction data | 7 years (same as financial records) | IRS record retention; tax lot tracking |
Upon account termination, we retain your data for 90 days to facilitate account recovery, after which non-legally-mandated data is permanently deleted. Data subject to legal retention requirements (financial records, tax records, audit logs) is retained for the applicable period and then permanently deleted.
For full details, see our Data Retention & Deletion Policy.
24. Children's Privacy
The Service is a business accounting platform not intended for use by anyone under the age of 18. We do not knowingly collect Personal Data from children under 13 (or under 16 in the EEA/UK). We do not knowingly collect or solicit information from anyone under 18.
If we learn that we have collected Personal Data from a child under the applicable minimum age, we will take prompt steps to delete that information. If you believe a child has provided us with Personal Data, please contact us at privacy@quoining.com.
We comply with the Children's Online Privacy Protection Act (COPPA) and do not direct our Service to children. COPPA requires verifiable parental consent before collecting Personal Data from children under 13. Since our Service is exclusively for business use, we do not have a mechanism for parental consent and will delete any data collected from a child under 13 upon discovery.
25. Third-Party Links
The Service may contain links to third-party websites, products, or services that are not operated by us. We are not responsible for the privacy practices, content, or security of these third parties. We encourage you to review the privacy policies of any third-party services you access. The inclusion of a link does not imply endorsement of the linked website.
26. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Provide notice via email to the address associated with your account at least 30 days before the changes take effect
- Display a prominent notice within the Service
- Where required by applicable law (e.g., GDPR), obtain your consent before implementing material changes to how we process your Personal Data
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated policy. We encourage you to review this page periodically for the latest information on our privacy practices.
27. Contact, Data Protection Officer & Complaints
If you have questions, concerns, or complaints about this Privacy Policy, our data practices, or the exercise of your privacy rights, you may contact us using the information below:
Data Protection Officer (DPO)
For GDPR and UK GDPR inquiries, you may contact our Data Protection Officer:
Email: support@quoining.com
Response Timeframes
- General inquiries: We will respond within 10 business days
- GDPR / UK GDPR rights requests: We will respond within 30 days (extendable by 60 days for complex requests, with notice)
- CCPA/CPRA verifiable consumer requests: We will respond within 45 calendar days (extendable by an additional 45 days, with notice)
- State privacy law requests (VCDPA, CPA, CTDPA, DPDPA): We will respond within 45 days (extendable by an additional 45 days, with notice)
- Appeal decisions: We will respond within 60 days
Filing a Complaint
If you are unsatisfied with our response to your privacy concern, you may file a complaint with the relevant authority:
- EEA residents: Your local data protection authority (see Section 17 for links)
- UK residents: Information Commissioner's Office (ICO) at ico.org.uk
- California residents: California Attorney General at oag.ca.gov/privacy
- Other US state residents: Your state's Attorney General (see Section 16 for links)