Privacy Policy
This policy explains what personal information SideQuest Automation collects, why we collect it, where we store it, and how you can control it. It applies to everyone who uses our website, signs up for an account, or installs the SideQuest connector.
Who we are
SideQuest Automation is an independent operator based in the United States. Contact: [email protected].
What we collect
We collect three categories of information, and only these.
1. Account information you give us
When you fill out the signup form, we collect:
- Your email address (required)
- Your company name (required)
- Your first name (optional)
- Rough monthly PO volume (optional, used for sizing your tier)
- Current tool used (optional, used for sales context)
- How you heard about us (optional, used for marketing attribution)
- Free-form notes you provide (optional)
If you become a paying customer, we additionally collect the billing information your payment processor (Stripe) supplies us, which is limited to your subscription tier and customer ID. We do not see your credit card number.
2. Usage counters
When the SideQuest connector processes a purchase order on your computer, the connector reports one small event to our control plane containing:
- Your license key
- The fact that one PO was processed
- The Gmail message ID of the PO (an opaque identifier with no content)
- The count of line items in the PO
- The QuickBooks realm ID (which identifies which QBO company received the estimate)
- A timestamp
We use these counters to enforce your monthly tier (free, starter, growth, scale, unlimited).
3. Technical logs
Our servers automatically record:
- HTTP request timestamps, response codes, and byte counts
- IP addresses (used briefly for rate-limiting and abuse prevention, then aggregated)
We do not log request bodies. We do not log query parameters that contain personal information.
What we deliberately do NOT collect
To be explicit, the following are NOT collected, stored, or transmitted to our servers:
- The contents of any purchase order email
- Buyer names, addresses, or contact information from your POs
- Part numbers, descriptions, quantities, or prices
- Your QuickBooks catalog
- Your QuickBooks customer list
- Your Gmail message bodies, attachments, or threads other than the message IDs noted above
- Your OAuth refresh tokens for Gmail or QuickBooks (these live only on your computer)
- Any contents of files in your
~/.qb-distributor-mcp/directory - Credit card numbers (Stripe processes these directly)
Why we collect what we collect
| Data | Purpose | Legal basis |
|---|---|---|
| Email + company name | Communicate with you about your account; deliver the product | Contract (necessary to provide the service) |
| Monthly PO counters | Enforce your tier; bill you correctly | Contract |
| Optional signup fields | Improve product fit and qualify leads | Legitimate interest |
| Stripe customer ID | Process recurring payments | Contract |
| Server logs | Operate the service and prevent abuse | Legitimate interest |
If you are in the EU or UK, the legal bases above reference GDPR Article 6.
Where data lives
| Data type | Storage location | Operator |
|---|---|---|
| Customer database (email, license, counters) | Neon Postgres, AWS us-east-1 (Virginia, USA) | Neon Inc. |
| Application server logs | Fly.io machine, region ord (Chicago, IL, USA) | Fly.io Inc. |
| Payment information | Stripe | Stripe Inc. |
All data we hold is stored in the United States. We do not transfer customer data outside the US except where the customer themselves accesses our service from outside the US (in which case standard HTTPS transit applies).
How long we keep it
- Active customer account data: for as long as you have an active license, plus 90 days after cancellation for billing reconciliation.
- Usage counters: kept for 24 months for trend analysis, then deleted automatically.
- Server access logs: 30 days, then deleted automatically.
- Stripe data: retained per Stripe's own retention policy, which we cannot override.
- Closed accounts that you ask us to delete: purged within 30 days of your request.
How we share data
We share data with three categories of recipients, and only these:
- Subprocessors that operate our infrastructure: Fly.io (hosting), Neon (database), Stripe (payments), Cloudflare (DNS). Each is bound by their own privacy commitments.
- Law enforcement, when legally compelled: subpoena, court order, or equivalent legal process. We will notify you if legally permitted to do so.
- A successor entity in the event SideQuest Automation is acquired or merges with another company. We will give you 30 days notice and the right to delete your account first.
We do not sell customer data. We do not share data with advertisers. We do not use customer data to train AI models.
Your rights
Regardless of where you live, you can:
- Access your data: email us and we will send you everything we have about you in machine-readable form within 30 days.
- Correct your data: email us with the change.
- Delete your data: email us. We delete your account, license, and counters within 30 days.
- Export your data: same as access; we will provide JSON or CSV.
If you are in the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA including the right to lodge a complaint with a supervisory authority. Contact for all rights requests: [email protected].
Cookies and tracking
The SideQuest website and signup form do not use cookies, web beacons, or other tracking technology. We do not run analytics on the signup page. The only state we keep about a visitor is what they choose to type into the signup form and submit.
The admin dashboard at /admin uses a session cookie (HTTP Basic Auth credentials cached by your browser) for the operator only.
Children
The SideQuest service is intended for businesses. We do not knowingly collect information from anyone under 18. If you believe we have, email us and we will delete it.
Changes to this policy
If we make material changes to this policy, we will email every active customer at least 30 days before the change takes effect. The "Last updated" date at the top reflects the most recent change.
Contact
Privacy questions, requests, complaints: [email protected]
We acknowledge requests within 5 business days and complete them within 30 days. If you do not receive a response, please assume the email did not arrive and try again.