Privacy Policy

Last updated: March 21, 2026

1. Overview

Vantirs ("we", "us", or "our") respects your privacy and is committed to protecting the data you share with us. This Privacy Policy describes how we collect, use, store, and protect your information when you use our payment verification assistance service.

2. Information We Collect

Account Information

  • Name, email address, and firm name (provided during signup)
  • Authentication data managed by Supabase Auth (session tokens)
  • Billing information processed by Paddle (we do not store credit card numbers)

QuickBooks Online Data

When you connect a QuickBooks Online account, we access and store:

  • Vendor information: Display name, company name, email address, phone number
  • Bill (invoice) data: Invoice numbers, amounts, due dates, currency
  • Bill payment data: Payment amounts, dates, payment methods
  • OAuth tokens: Access and refresh tokens for API access (encrypted at rest)

We access QuickBooks data in read-only mode. We do not create, modify, or delete any records in your QuickBooks account.

Derived Data

  • Vendor fingerprints: Statistical profiles (average amounts, frequency, known email domains) computed from payment history
  • Risk scores: Numerical scores (0-100) computed for each invoice
  • Alerts: Flagged anomalies generated by our scanning engine
  • Audit logs: Records of all scans, decisions, and data access

3. How We Protect Your Data

Encryption

  • QuickBooks OAuth tokens are encrypted at rest using AES-256-GCM
  • All data in transit is encrypted via TLS 1.2+
  • Database connections use SSL

Bank Account Data

We never store raw bank account numbers. When bank account information is encountered (e.g., on vendor invoices), we store only a salted SHA-256 hash of the last 4 digits combined with the routing number. This allows us to detect changes without storing sensitive financial data.

Multi-Tenant Isolation

All data is scoped to your firm. Row-level security policies ensure that users can only access data belonging to their own firm. Cross-firm data access is technically impossible through the application layer.

Logging

We never log full bank account numbers, social security numbers, or authentication tokens. Logs contain only masked or hashed identifiers.

4. How We Use Your Data

  • To build vendor fingerprints and compute invoice risk scores
  • To generate alerts when anomalies are detected
  • To send email notifications about flagged invoices and weekly reports
  • To generate PDF reports summarizing scanning activity
  • To maintain audit trails for compliance purposes
  • To improve the accuracy of our anomaly detection algorithms

We do not sell your data to third parties. We do not use your data for advertising.

5. Third-Party Services

We use the following third-party services to provide the Service:

  • Supabase: Authentication and database hosting (PostgreSQL)
  • Vercel: Application hosting and deployment
  • Paddle: Merchant of record and payment processing (PCI-compliant)
  • Resend: Transactional email delivery
  • Upstash: Redis for background job queues
  • Sentry: Error monitoring (no sensitive data is sent)
  • Intuit/QuickBooks: Accounting data access via OAuth 2.0

Each third-party provider operates under its own privacy policy and data processing agreements.

6. Data Retention

  • Account data is retained for as long as your account is active
  • QuickBooks data is synced and retained to maintain vendor fingerprints and audit trails
  • Audit logs are retained for 24 months
  • Upon account deletion, all associated data is permanently deleted within 30 days
  • QuickBooks OAuth tokens are revoked and deleted upon disconnection

7. Your Rights

You have the right to:

  • Access the data we store about you and your firm
  • Disconnect the QuickBooks integration at any time
  • Delete your account and all associated data
  • Export your data in standard formats
  • Revoke QuickBooks access through your Intuit account settings

To exercise these rights, contact us at privacy@vantirs.com.

8. Cookies

We use essential cookies for authentication session management. We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact

For questions about this Privacy Policy, contact us at privacy@vantirs.com.