Privacy Policy

Introduction

This Privacy Policy explains how Getbackplate ("Getbackplate," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use our middleware integration that connects QuickBooks Online ("QBO") with Restaurant365 ("R365") (the "Service" or "Application").

Getbackplate is headquartered at 1321 Upland Dr., Suite 9894, Houston, Texas 77043, United States.

This Privacy Policy applies to all users of the Service. By using the Service, you consent to the practices described in this Policy. If you do not agree, you must not use the Service.

This Privacy Policy is intended to comply with the disclosure requirements of the Intuit Developer Program, applicable U.S. state privacy laws (including the California Consumer Privacy Act, where applicable), and other relevant data protection regulations.

Information We Collect

2.1 Information You Provide

When you register or are authorized to use the Service, we may collect:

• Contact information: name, business name, email address, phone number.
• Account credentials: OAuth 2.0 authorization tokens granted by you through QuickBooks Online (we do not receive or store your QBO username or password).
• Configuration data: Restaurant365 FTP endpoint details, field-mapping preferences, and delivery schedules that you or your administrator provide.

2.2 Information We Access From QuickBooks Online

When you authorize the Application via Intuit's OAuth flow, the Service accesses the following data from your QBO company file, limited to scopes you have approved:

• Invoice records (invoice number, date, due date, status, totals, taxes, terms)
• Customer records associated with invoices (name, billing address, contact information)
• Customer Account Number assigned in QuickBooks Online, used as the cross-reference identifier for the corresponding vendor record in Restaurant365
• Line-item detail (item description, quantity, unit price, account, class, location)
• Vendor and company profile data needed for proper accounting categorization
• Tax codes, payment terms, and currency settings

We access this data only to perform the integration's stated purpose: transforming and delivering invoice data to your designated Restaurant365 FTP endpoint.

We do not access, collect, or process:

• QBO usernames, passwords, or other login credentials
• Payroll or employee personal information beyond what may be incidentally referenced on an invoice
• Bank account or credit card numbers
• Social Security Numbers or other government identifiers

2.3 Information Generated Automatically

When the Service runs, our systems automatically log:

• Operational data: webhook events, job timestamps, processing duration, success/failure status, error messages.
• Technical data: IP addresses, request headers, API response codes from Intuit and Restaurant365.
• Backup artifacts: copies of generated CSV/TXT files transmitted to Restaurant365, retained for audit and recovery purposes.

How We Use Information

We use the information collected for the following purposes:

1. Service delivery: to retrieve QBO invoices, transform them into Restaurant365-compatible formats (CSV, TXT, or EDI 810), and deliver them to your designated FTP endpoint;
2. Operational monitoring: to log job execution, detect errors, alert on failures, and maintain service reliability;
3. Support and troubleshooting: to investigate issues you or your counterparty report;
4. Security: to detect, prevent, and respond to fraud, abuse, or unauthorized access;
5. Compliance: to comply with applicable laws, regulations, court orders, and Intuit Developer Program requirements; and
6. Communication: to send service-related notices, security alerts, and administrative messages.

We do not use your QBO data for advertising, marketing, profiling, training of artificial intelligence models, or any purpose unrelated to providing the Service.

How We Share Information

We share information only as described below:

4.1 With Restaurant365

The core function of the Service is to transmit transformed invoice data to a Restaurant365 FTP endpoint that you or your authorized counterparty have designated. By using the Service, you authorize this transmission.

4.2 With Service Providers

We use the following third-party infrastructure providers, which process data on our behalf under their own privacy and security commitments:

• Vercel Inc. — application hosting and serverless compute.
• Supabase Inc. — managed PostgreSQL database (job logs), object storage (CSV backups), and edge function execution.
• Intuit Inc. — source platform for invoice data via the Intuit Developer API.

These providers are contractually obligated to use the data only to provide their services to us and to maintain appropriate security safeguards.

4.3 Legal Disclosures

We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

4.4 Business Transfers

If Getbackplate is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will notify affected users before any such transfer takes effect.

4.5 With Your Consent

We will share information for any other purpose only with your explicit consent.

We do not sell or rent personal information to third parties.

Data Storage and Retention

• OAuth tokens are stored encrypted at rest in our database and refreshed automatically according to Intuit's token lifecycle. Tokens are deleted within 30 days after disconnection.
• Operational logs (job execution records, error messages) are retained for up to twelve (12) months for monitoring, audit, and troubleshooting purposes.
• CSV/TXT backup files delivered to Restaurant365 are retained in Supabase Storage for up to twelve (12) months to support recovery, dispute resolution, and audit needs.
• Account and configuration data is retained for the duration of your active use of the Service plus a reasonable period thereafter for legal and accounting compliance.

You may request earlier deletion of your data at any time, subject to legal retention requirements (see Section 7).

Data Security

We implement industry-standard administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction, including:

• TLS 1.2+ encryption for all data in transit between QBO, Getbackplate, and Restaurant365 (FTP transmission uses encrypted channels where supported by the receiving endpoint).
• Encryption at rest for stored OAuth tokens and database records.
• Role-based access controls for personnel.
• Logging and monitoring of administrative access.
• Regular software updates and dependency vulnerability scanning.
• Principle of least privilege for service-account permissions.

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You should notify us immediately at the contact below if you suspect any unauthorized access to your data.

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request that we correct inaccurate information.
• Deletion: request that we delete your personal information, subject to legal retention obligations.
• Restriction: request that we limit the processing of your information.
• Portability: request a copy of your information in a structured, machine-readable format.
• Objection: object to certain types of processing.
• Withdrawal of consent: withdraw any consent you previously provided.

To exercise these rights, contact us using the information in Section 12. We will respond within the timeframe required by applicable law (typically 30–45 days).

7.1 How to Disconnect the Application

You can revoke the Service's access to your QuickBooks Online data at any time:

Once disconnected, the Service will no longer be able to access your QBO data. Cached operational data will be deleted in accordance with the retention schedule in Section 5, or sooner upon written request.

International Data Transfers

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection laws different from those in your jurisdiction. By using the Service, you consent to such transfers.

Children's Privacy

The Service is intended for use by businesses and is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 13, we will delete it promptly.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide additional rights, including the right to know what personal information is collected, to request deletion, to opt out of "sales" or "sharing" of personal information (we do not sell or share personal information as defined by these laws), and to non-discrimination for exercising your rights. To exercise these rights, contact us as described in Section 12.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top and, where appropriate, notify you by email or through the Service.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

We will acknowledge your inquiry within a reasonable time and respond as required by applicable law.