Privacy Policy

Last updated: March 24, 2026

DueToFrom, LLC ("we," "us," or "our") operates the DueToFrom web application. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service. We're committed to transparency and protecting your data.

1. Information We Collect

Account Information

When you register for DueToFrom, we collect:

  • Email address
  • Name (optional)
  • Organization name
  • Password (stored as a secure hash — we never see your actual password)

QuickBooks Online Data

When you connect QuickBooks Online entities to DueToFrom, we access and store:

  • Company names and IDs
  • Chart of Accounts data (account names, types, numbers)
  • General Ledger transaction data needed for intercompany reconciliation
  • Due to/due from account balances and transaction details
  • OAuth 2.0 access and refresh tokens (encrypted with Fernet AES-256 encryption)

We only access data necessary to provide the reconciliation service. We do not access customer lists, vendor details, employee information, or other unrelated financial data.

Usage Data

We collect information about how you use DueToFrom:

  • Pages visited and features used
  • Actions taken (account mappings, journal entry creation, reconciliations performed)
  • Timestamps of activity
  • IP addresses and browser information (for security and troubleshooting)
  • Audit logs of significant actions within your organization

Payment Information

If you subscribe to a paid plan, Stripe processes your payment information. We receive and store only:

  • The last four digits of your credit card
  • Card brand and expiration date
  • Billing email and address
  • Subscription status and payment history

We never see or store your full credit card number — that's handled securely by Stripe.

2. How We Use Your Information

We use the information we collect solely to provide and improve DueToFrom:

  • Service delivery: Match intercompany transactions, identify reconciliation differences, and generate journal entries
  • Account management: Authenticate users, manage roles and permissions (owner, admin, bookkeeper, viewer), and maintain your organization structure
  • OAuth token management: Store encrypted tokens to access your QuickBooks Online data and refresh them automatically when they expire
  • Communication: Send transactional emails (account invitations, password resets, welcome messages) via Resend
  • Billing: Process subscription payments and send receipts
  • Security: Monitor for suspicious activity, maintain audit logs, and protect against unauthorized access
  • Improvement: Analyze usage patterns to enhance features and user experience
  • Support: Troubleshoot issues and respond to your questions

We do not sell, rent, or share your data with third parties for marketing purposes. Ever.

3. Data Security

Protecting your financial data is our top priority. Here's how we keep it safe:

  • Encryption at rest: All OAuth tokens are encrypted using Fernet (AES-256) before being stored in our database
  • Encryption in transit: All data transmission uses TLS 1.2+ encryption
  • Database security: PostgreSQL database hosted on Railway with restricted access and regular backups
  • Secure authentication: Passwords are hashed using industry-standard algorithms; we never store plaintext passwords
  • Role-based access control: Fine-grained permissions ensure users only see data they're authorized to access
  • Audit logging: We track all significant actions for accountability and security monitoring
  • OAuth scoping: We request only the minimum QuickBooks permissions needed for intercompany reconciliation

While we implement strong security measures, no system is 100% secure. If you discover a security vulnerability, please contact us immediately at support@duetofrom.com.

4. Cookies and Tracking

DueToFrom uses cookies to provide essential functionality:

  • Authentication cookies (JWT): Keep you logged in as you navigate the application
  • CSRF tokens: Protect against cross-site request forgery attacks
  • Theme preference: Remember your dark mode / light mode selection

We do not use advertising cookies or share cookie data with third parties. You can disable cookies in your browser settings, but this will prevent you from using DueToFrom.

5. Third-Party Services

DueToFrom relies on trusted third-party services to operate. Here's what each one does:

Intuit QuickBooks Online

We connect to QuickBooks Online via OAuth 2.0 to read your Chart of Accounts, General Ledger data, and transactions. We can also create Journal Entries when you authorize us to do so. Intuit's privacy practices are governed by their own privacy policy.

Stripe

Stripe processes all subscription payments. They handle your credit card information directly — we never see or store full payment details. Stripe is PCI-DSS Level 1 certified.

Resend

We use Resend to send transactional emails (invitations, password resets, welcome messages). Resend receives your email address and name for delivery purposes only.

Railway

Our application and database are hosted on Railway's infrastructure. Railway provides secure, SOC 2-compliant hosting.

Sentry

We use Sentry for error monitoring and application reliability. Sentry receives error logs and stack traces but does not receive personally identifiable information or financial data.

6. Data Retention and Deletion

We retain your data as long as your account is active or as needed to provide services.

Active Accounts

While your account is active, we store:

  • Account and user information
  • Connected QuickBooks Online entities and their data
  • Reconciliation history and journal entries
  • Audit logs

Disconnecting QuickBooks Online Entities

When you disconnect a QuickBooks entity:

  • We immediately revoke the OAuth tokens and cease accessing that entity's data
  • Historical reconciliation data is retained to maintain audit trails
  • You can request deletion of all data related to that entity by contacting support

Account Deletion

To delete your account, contact us at support@duetofrom.com. Upon request, we will:

  • Revoke all OAuth tokens
  • Delete your account and user information
  • Delete all organization data and reconciliation records
  • Remove all stored QuickBooks Online data

Account deletion is completed within 30 days of your request. We may retain certain data for legal or regulatory compliance (e.g., billing records, audit logs) as required by law.

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated data
  • Export: Export your reconciliation data and account mappings
  • Revoke access: Disconnect QuickBooks Online entities at any time to revoke our access to your financial data
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing of your data for specific purposes

To exercise any of these rights, contact us at support@duetofrom.com. We will respond within 30 days.

8. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect and how we use it
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information (note: we do not sell personal information)
  • The right to non-discrimination for exercising your CCPA rights

Categories of personal information we collect: identifiers (email, name), financial information (QuickBooks Online data via OAuth), internet activity (usage data), and professional information (organization name).

Business purposes: providing the reconciliation service, account management, security, and customer support.

To exercise your CCPA rights, contact us at support@duetofrom.com with "CCPA Request" in the subject line.

9. Children's Privacy

DueToFrom is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected information from a child under 13, we will delete it immediately. If you believe we have collected information from a child under 13, please contact us at support@duetofrom.com.

10. International Users

DueToFrom is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to, stored, and processed in the United States. By using DueToFrom, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by:

  • Email to the address associated with your account
  • Prominent notice within the DueToFrom application
  • Updating the "Last updated" date at the top of this policy

We encourage you to review this policy periodically. Continued use of DueToFrom after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, we're here to help:

Email: support@duetofrom.com

Address: DueToFrom, LLC, Macon, GA

Website: duetofrom.com

We will respond to all privacy inquiries within 30 days.