Privacy Policy

Carto Ventures QBO Connector — Internal Use Only
Effective: June 7, 2026

This Privacy Policy describes how the Carto Ventures QBO Connector ("the Connector") handles data accessed via the Intuit QuickBooks Online API.

1. Operator

The Connector is operated by Carto Ventures, Inc. for the purpose of internal financial operations. There are no external end users; the Connector is not made available to third parties.

2. Data Accessed

The Connector reads and writes the following categories of QuickBooks Online data:

• Vendor records (name, contact information, payment terms)
• Vendor Bills (invoices from vendors) and Vendor Credits (credit memos)
• Purchase Orders
• Accounts Payable transactions and aging information

3. Authorization

All data access is granted via OAuth 2.0 authorization performed by a Carto Ventures, Inc. administrator. The Connector cannot access QuickBooks Online data without explicit, revocable authorization.

4. Purpose of Use

QuickBooks Online data is used solely for: (a) automated ingestion of vendor invoices and credit memos received in Carto Ventures' accounts-payable email inbox; (b) reconciliation of vendor-issued credit memos against open vendor returns; and (c) accuracy of accounts-payable aging and payment timing.

5. Storage and Infrastructure

Data is processed in transit and cached on infrastructure controlled by Carto Ventures, Inc., including Cloudflare Workers (United States edge) and a Hetzner-hosted virtual private server located in Ashburn, Virginia, USA. No independent long-term copies of QuickBooks Online data are maintained outside of QuickBooks Online itself.

6. Third-Party Sharing

The Connector does not share QuickBooks Online data with any third party, advertising network, or analytics provider.

7. Security

OAuth credentials and refresh tokens are stored encrypted at rest. All data in transit is protected with TLS. Access to the Connector's infrastructure is restricted to authorized Carto Ventures, Inc. administrators.

8. Retention

OAuth refresh tokens are retained for the lifetime of the integration. Operational caches are retained for no longer than 90 days.

9. Revocation

Authorization may be revoked at any time via the Intuit QuickBooks Online "My Apps" interface, which immediately terminates the Connector's access to QuickBooks Online data.

10. Changes to this Policy

Material changes to this Privacy Policy will be published at this URL with an updated effective date.

11. Contact

Questions regarding this Privacy Policy: ops@nstant.ai