AbsDabs Studio — Privacy Policy
Effective date: TBD on publication Last updated: May 9, 2026 Version: v1 draft (pending attorney review)
1. Who we are and what this covers
This Privacy Policy describes how AbsDabs Accounting LLC ("AbsDabs", "we", "us", or "our") collects, uses, shares, and protects information in connection with the AbsDabs Studio software service (the "Service"), accessed at app.absdabs.com and related subdomains. This policy applies to information processed through the Service. It does not cover information collected on the AbsDabs Accounting marketing website at absdabs.com, which is governed by a separate marketing site privacy policy.
The Service is a financial advisory platform used by AbsDabs and its authorized advisor users to perform accounting, controllership, and CFO advisory work for engaged customers. The Service connects to customer financial systems, including QuickBooks Online ("QBO"), to read and analyze financial data and to assist authorized advisors in producing analysis, deliverables, and selected accounting entries.
If you are a Customer of AbsDabs Accounting LLC whose financial data is processed through the Service under an executed engagement letter, this policy describes how your data is handled. If you are a third party (including users of products of our Customers), AbsDabs is not the controller of your information; the Customer is, and you should refer to that Customer's privacy practices.
2. Information we collect
We collect three categories of information:
Account information. When AbsDabs creates an advisor account in the Service for an employee or contractor, we collect name, work email address, role, and authentication credentials. End-customer users are not currently provisioned with direct accounts in the Service during Phase 1 of the Service. If end-customer accounts are introduced in a later phase, this policy will be updated.
Customer financial data. When an authorized advisor connects a Customer's QuickBooks Online file to the Service through Intuit's OAuth-based authorization flow, we read financial data from that QBO file, including but not limited to chart of accounts, transactions, journal entries, customers, vendors, items, classes, locations, attachments, reports, and metadata about that data. The connection is initiated by an authorized advisor under the engagement letter executed between AbsDabs and the Customer. The Customer authorizes the connection through Intuit's standard OAuth consent screen.
Usage and operational data. We collect logs of authorized advisor actions inside the Service, including which records were viewed, which AI proposals were generated, which proposals were reviewed and approved, and which actions were posted back to the Customer's QBO file. We also collect standard server logs, error reports, and performance telemetry to operate and improve the Service.
We do not knowingly collect special categories of personal information (such as health, biometric, or genetic data). We do not collect payment card information through the Service; engagement fees are billed separately by AbsDabs Accounting LLC outside the Service.
3. How we use information
We use Customer financial data and account information to:
- Perform the accounting, controllership, and CFO advisory work described in the Customer's executed engagement letter
- Generate financial analysis, variance commentary, and CFO-level narratives for review by authorized advisors and subsequent delivery to the Customer
- Propose recurring and rule-based journal entries, bills, and invoices for advisor review and approval before posting to the Customer's QBO file
- Operate, secure, and improve the Service
- Comply with legal obligations, respond to lawful requests, and enforce our agreements
We do not use Customer financial data for advertising, for resale, or to train general-purpose AI models. We do not sell Customer financial data to any third party.
4. Artificial intelligence and automated processing
The Service uses AI under two strict architectural rules that bind every engagement:
- All money movement is initiated by a human. AI does not initiate payments, transfers, or deposits. The Service does not have the capability to move money on behalf of a Customer.
- Any action that leaves the Service's internal analysis layer requires explicit advisor review and approval. This includes any write to a Customer's QuickBooks file, including journal entries, bills, invoices, vendor records, and customer records, and any deliverable shared with the Customer. The review gate is enforced by the Service architecture, not by policy alone. AI proposals are not posted autonomously; they are reviewed and approved by an authorized advisor first, with an audit trail capturing who proposed, who reviewed, and who approved each entry.
Generative AI is used inside the Service to draft analysis, commentary, and proposed accounting entries from Customer financial data. The Service does not expose generative AI directly to end customers in Phase 1; AI assists internal advisor workflows only. Additional safeguards apply to entries affecting payroll, revenue recognition, and reclassifications between tax-relevant accounts.
5. Sharing of information
We share Customer financial data only with the following categories of recipients, each under contractual obligations consistent with this policy:
Sub-processors. We engage third-party service providers who process Customer financial data on our behalf to operate the Service. Our current sub-processors are:
- Merge.dev — unified accounting API broker; provides our connection to Intuit QuickBooks Online and to other accounting and bank platforms in future phases
- Intuit, Inc. — operator of QuickBooks Online; the source and destination of accounting data we process
- Anthropic, PBC — provider of large language models used for generative AI tasks; configured under terms that exclude Customer data from being used to train Anthropic's models
- Pinecone Systems, Inc. — vector database used for retrieval-augmented analysis
- Voyage AI — embedding model provider used to convert text into vector representations
- Supabase, Inc. — PostgreSQL database hosting and authentication infrastructure
- Vercel, Inc. — application hosting and serverless compute infrastructure
- Sentry (Functional Software, Inc.) — error monitoring and performance telemetry
We will update this list as sub-processors change. Material additions of sub-processors that receive Customer financial data will be communicated to affected Customers in advance.
Authorized advisor users. Customer financial data is accessible inside the Service to AbsDabs employees and contractors authorized under the relevant engagement letter. Access is restricted by role and audited.
Legal and regulatory recipients. We may disclose information when required by law, by valid legal process, or when necessary to protect the rights, property, or safety of AbsDabs, our Customers, or the public.
Successors. If AbsDabs is acquired, merged, or undergoes a similar corporate transaction, Customer financial data may be transferred to the successor entity, subject to commercially reasonable continuity of this policy.
We do not share Customer financial data with advertisers, data brokers, or any party for marketing purposes.
6. Data retention
We retain Customer financial data for the duration of the active engagement and for the period required by applicable law, professional standards, and the executed engagement letter. After engagement termination, retention follows the schedule specified in the engagement letter, with a default retention window appropriate to the work performed (typically the longer of seven years or any longer regulatory minimum applicable to the Customer's jurisdiction or industry).
Audit logs, including records of AI proposals, advisor reviews, and approvals, are retained for the duration of retention applicable to the underlying Customer financial data they reference, to preserve the audit trail.
When the QBO connection is disconnected by the Customer or by an authorized advisor, the Service immediately ceases ingestion of new QBO data. Previously ingested data remains subject to the retention rules above. A Customer may request earlier deletion in writing, subject to AbsDabs' professional and legal retention obligations.
7. Data deletion and Customer rights
Customers may request export or deletion of Customer financial data held in the Service by contacting AbsDabs at the address in Section 13. Requests are honored within thirty days, subject to professional and legal retention obligations that may require us to retain certain records (for example, audit trails associated with deliverables already issued).
Customers in jurisdictions whose laws grant additional rights (including but not limited to the European Economic Area, the United Kingdom, and California) may have rights to access, correct, restrict, or object to the processing of personal information. AbsDabs honors those rights as applicable, working through the engaged Customer's authorized representative when the requestor is an end party associated with a Customer rather than the Customer itself.
8. Security
We protect Customer financial data using commercially reasonable administrative, technical, and physical safeguards, including:
- Encryption in transit (TLS) for all network communication between the Service, sub-processors, and end users
- Encryption at rest for sensitive credentials, including QBO OAuth tokens, using industry-standard cryptographic methods
- Role-based access control limiting which advisors can view which Customers' data
- Tenant isolation enforced at the database layer through row-level security policies
- Audit logging of advisor actions
- Vendor selection and review for sub-processors with attention to their security posture and contractual data protection commitments
No security program is invulnerable. We cannot guarantee absolute security of information transmitted to or stored on the Service. We respond to suspected security incidents per our incident response procedures and notify affected Customers as required by applicable law.
9. International data transfers
The Service is operated primarily from the United States. Sub-processors may process data in the United States and other jurisdictions. Where applicable law requires a transfer mechanism (for example, Standard Contractual Clauses for transfers from the European Economic Area), we and our sub-processors implement those mechanisms.
10. Children's privacy
The Service is not directed to individuals under the age of eighteen, and we do not knowingly collect personal information from individuals under eighteen. If we become aware that we have collected such information, we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active Customers in advance, by email to the Customer contact on the engagement letter or by posting a notice in the Service. The "Last updated" date at the top of this policy reflects the most recent revision.
12. Limited application
This policy describes the practices of AbsDabs Accounting LLC operating the AbsDabs Studio Service. It does not modify or replace the terms of any executed engagement letter between AbsDabs and a Customer. Where the engagement letter specifies more protective or different data handling terms, the engagement letter governs.
13. Contact
Questions, requests, and complaints concerning this policy may be directed to:
AbsDabs Accounting LLC Attention: Privacy Officer Email: privacy@absdabs.com Phone: (859) 514-2790
This document is a draft prepared by the AbsDabs Studio team. It must be reviewed by qualified counsel before publication or use. Items marked TBD must be filled in. Sub-processor list must be verified and kept current. Retention schedule must be reconciled with the executed engagement letter template before publication.