Privacy Policy
Effective Date: January 12, 2026 | Last Updated: January 12, 2026
1. Introduction
Bookmonstic ("we," "us," "our," or the "Company") operates a web-based accounting automation platform designed for accountants, bookkeepers, and CPA firms. We are committed to protecting your privacy and handling your personal information with transparency and care.
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you access or use our website and services (collectively, the "Service"). By using the Service, you consent to the practices described in this Privacy Policy.
Important: Bookmonstic processes financial data on your behalf. We act as a data processor for your clients' financial information, while you remain the data controller. You are responsible for obtaining appropriate consent from your clients before uploading their financial data.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data Elements | Purpose |
|---|---|---|
| Account Information | Username, email address, password (hashed) | Authentication, account management |
| Client Data | Client names, company identifiers | Organizing your work within the platform |
| Financial Documents | Bank statements, credit card statements (PDF, CSV, Excel) | Transaction processing and categorization |
| Transaction Data | Dates, descriptions, amounts, payees | AI categorization, rule matching |
| Chart of Accounts | Account names, numbers, types | Transaction categorization |
| Categorization Rules | Payee-to-account mappings, keywords | Automated transaction matching |
2.2 Information Collected Automatically
| Category | Data Elements | Purpose |
|---|---|---|
| Device Information | IP address, browser type, operating system | Security, troubleshooting |
| Usage Data | Pages visited, features used, timestamps | Service improvement, analytics |
| Activity Logs | Login attempts, file uploads, exports | Security monitoring, audit trail |
2.3 Information from Third Parties
Payment Processor: When you make a payment, Stripe provides us with limited transaction information (last 4 digits of card, card type, billing address), but we never receive or store your full credit card number.
3. How We Use Your Information
Service Delivery
- Process and parse uploaded statements
- Categorize transactions using AI and rules
- Generate export files for accounting software
- Manage your clients and rules
Account Management
- Create and authenticate your account
- Process payments and subscriptions
- Send service-related communications
- Provide customer support
Security & Compliance
- Detect and prevent fraud or abuse
- Monitor for security threats
- Comply with legal obligations
- Enforce our Terms of Service
Service Improvement
- Improve AI categorization accuracy
- Analyze usage patterns
- Develop new features
- Fix bugs and optimize performance
4. Data Sharing & Third-Party Services
We Do Not Sell Your Personal Information. Bookmonstic does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This applies to all users, including California residents under the CCPA/CPRA and residents of other states with privacy laws.
We share data only with the following categories of service providers who help us operate the Service:
| Service Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment method details | stripe.com/privacy |
| Google (Gemini AI) | AI transaction categorization | Transaction descriptions (anonymized, no PII) | policies.google.com/privacy |
| Google (Custom Search) | Business identification | Brand/vendor names from transactions | policies.google.com/privacy |
| DocuClipper | PDF statement parsing | Uploaded PDF files (temporary) | docuclipper.com/privacy |
| Amazon Web Services | Cloud hosting infrastructure | All service data (encrypted at rest) | aws.amazon.com/privacy |
Other Disclosures
We may also disclose your information: (a) to comply with legal obligations or valid legal process; (b) to protect our rights, privacy, safety, or property; (c) in connection with a merger, acquisition, or sale of assets; or (d) with your consent.
5. Data Retention
We retain your information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specific retention periods are:
| Data Type | Retention Period | Notes |
|---|---|---|
| Account Information | Duration of account + 30 days | Deleted upon account closure request |
| Uploaded Files (PDF/CSV/Excel) | 24 hours | Automatically deleted after processing |
| Processing Results | 24 hours | Temporary cache, auto-deleted |
| Client Data & Rules | Duration of account | You can delete anytime; removed on account closure |
| Activity Logs | 7 days | Used for security monitoring |
| Audit Events | 180 days (6 months) | Required for compliance and support |
| Payment Records | 7 years | Required for tax and legal compliance |
Your Financial Documents Are Not Stored Long-Term: Uploaded bank statements and transaction files are processed in real time and automatically deleted within 24 hours. We do not maintain a permanent archive of your financial documents.
6. Data Security
We implement industry-standard security measures to protect your information:
Technical Safeguards
- ✓ HTTPS/TLS encryption for data in transit
- ✓ bcrypt password hashing (industry standard)
- ✓ JWT token-based authentication
- ✓ CSRF protection on all forms
- ✓ Rate limiting to prevent brute-force attacks
- ✓ Input validation and SQL injection prevention
Operational Safeguards
- ✓ Regular security assessments
- ✓ Access controls and authentication
- ✓ Secure cloud infrastructure (AWS)
- ✓ Automated security monitoring
- ✓ Incident response procedures
- ✓ Employee security training
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data
- Data Portability: Export your data in a machine-readable format
- Withdraw Consent: Where processing is based on consent, withdraw at any time
- Opt-Out of Marketing: Unsubscribe from marketing communications at any time
7.2 State-Specific Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you have additional rights:
| Right | Description |
|---|---|
| Right to Know | Know what personal information is collected, used, and shared |
| Right to Delete | Request deletion of your personal information |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out | Opt out of the sale or sharing of personal information (we do not sell data) |
| Right to Non-Discrimination | Not be discriminated against for exercising your privacy rights |
| Right to Appeal | Appeal our decision if we deny your privacy request |
7.3 Global Privacy Control (GPC)
We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid opt-out request for the sale or sharing of your personal information. Since we do not sell personal information, no additional action is required on your part.
7.4 AI and Automated Decision-Making
Our Service uses AI to suggest transaction categorizations. These suggestions are provided as recommendations only and require your review and approval before use. You have the right to:
- Reject any AI-generated categorization suggestion
- Manually override all automated suggestions
- Request information about how AI suggestions are generated
7.5 How to Exercise Your Rights
To submit a privacy request:
- Email: Contact us at the email address provided in Section 11
- Account Settings: Use the data export or account deletion features in your dashboard
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf with written permission
7.6 Response Timeframes
We will acknowledge your request within 10 business days and respond substantively within:
- California (CCPA/CPRA): 45 days (may extend by an additional 45 days if necessary)
- Virginia, Colorado, Connecticut: 45 days (may extend by an additional 45 days if necessary)
- Other states: As required by applicable law
7.7 Verification Process
To protect your privacy, we will verify your identity before processing your request. Verification may include:
- Confirming your email address on file
- Asking you to log into your account
- Requesting additional information to match our records
7.8 Appeal Process
If we deny your privacy request, you have the right to appeal our decision. To appeal, contact us within 30 days of receiving our response with "Privacy Appeal" in the subject line. We will respond to your appeal within 60 days. If your appeal is denied, you may contact your state's Attorney General.
9. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal information from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA). If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you via email. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Bookmonstic
Privacy Inquiries: support@bookmonstic.com
Website: bookmonstic.com
Response Times:
- General inquiries: Within 10 business days
- Privacy rights requests: Within 45 days (as required by law)
- Appeals: Within 60 days
When contacting us about a privacy request, please include "Privacy Request" in the subject line and provide enough information to verify your identity and locate your data.