Privacy Policy
Effective date: 1 April 2026 · Last updated: 8 May 2026
Welcome to BookSaiDSo (“we,” “our,” or “us”). We are committed to protecting your personal and business privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (www.booksaidso.com) and use our AI-assisted bookkeeping software-as-a-service (the “Service”). We operate in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) of the Hong Kong Special Administrative Region.
1. Information We Collect
1.1 Information You Provide
When you register for an account, subscribe to our plans, or contact us for support, we may collect:
- Identity information: your name, email address, and company name
- Account credentials: your password is securely hashed and managed by our authentication provider (Supabase Auth); we never store plaintext passwords
- Business settings: your business name, business nature, business type, fiscal year start, and default payment method (stored in your profile to personalise the Service)
1.2 Information Collected Automatically
When you access the Service, we automatically collect certain technical information, including:
- IP address, browser type, and operating system
- Referring URLs and interaction data (such as clicks and page views)
- Session tokens and authentication state (stored in cookies)
This information is used to maintain your session, ensure platform security, and improve the user experience.
1.3 Financial Data
To provide our core bookkeeping functionalities, you may upload financial documents including receipts, invoices, bank statements, and Director's Current Account (DCA) records. You may also enter transaction data directly via chat. We process this data strictly to generate your requested bookkeeping records, exports, and reports.
You retain full ownership of all financial data you provide.
2. How We Use Your Information
We use the collected information for the following purposes:
- To provide, operate, and maintain the Service
- To process your financial documents and generate categorised bookkeeping records
- To process subscription payments and send related confirmations and invoices
- To send transactional emails (e.g., magic links, account notifications, data export reminders)
- To provide customer support and respond to your enquiries
- To investigate and resolve technical issues affecting the Service (which may involve reviewing uploaded data within our secure infrastructure)
- To monitor and analyse usage trends to improve the Service
- To enforce our Terms and Conditions and comply with legal obligations
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
3. Data Storage and Security
Your data is stored on the following secure cloud infrastructure:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database (transactions, messages, profiles) + private file storage (receipts) | Outside Hong Kong (cloud-hosted) |
| Vercel | Web application hosting and serverless functions | United States |
File storage: Uploaded receipts and documents are stored in a private Supabase Storage bucket. All files require a signed URL to access and are not publicly accessible. Signed URLs expire after 1 hour.
Attachment storage modes: Business-plan users may choose how receipt attachments are stored after they are confirmed. Three modes are available under Settings → Attachment Storage:
| Mode | Where files are kept | What happens after upload |
|---|---|---|
| Booksaidso storage (default, all plans) | Supabase private bucket (Singapore) | File retained until you delete it or your account is purged. Chat attachments deleted after 72 hours (thumbnails kept permanently for conversation history). |
| Both (Booksaidso + Google Drive) | Supabase bucket and your own Google Drive | File copied to your Google Drive immediately after confirmation. Both copies are retained independently. The Google Drive copy lives in your account and persists even if you cancel Booksaidso. |
| Google Drive only | Your own Google Drive only | After a confirmed upload to Google Drive, the Supabase copy is immediately deleted from our servers. No receipt data is retained on Booksaidso infrastructure after the Drive upload succeeds. If the Drive upload fails, the Supabase copy is kept as a fallback until the next successful sync. |
Chat attachments (files sent in the AI chat) always follow the 72-hour deletion schedule regardless of storage mode — they are needed for the ongoing conversation and are never synced to Google Drive.
Google Drive integration: When you connect Google Drive, we store an OAuth refresh token in our database, encrypted at rest using AES-256-GCM. We request only the drive.file permission scope, which limits our access to files created by Booksaidso — we cannot read, list, or access any other files in your Google Drive. You may revoke this access at any time via Google Account → Security → Third-party apps with account access; revoking access does not delete files already in your Drive.
Encryption: All data is encrypted in transit using HTTPS/TLS. All data stored in Supabase is encrypted at rest using AES-256 encryption. Supabase (our infrastructure provider) holds SOC 2 Type II and ISO 27001 certifications — BookSaiDSo itself is not independently certified, but your data rests on certified infrastructure.
Access controls: Row-Level Security (RLS) is enforced on all database tables, ensuring your data is accessible only to your own account. No BookSaiDSo staff can access your financial data in the normal course of operations.
Staff access policy: Access to individual user data is governed by purpose, not plan tier — the same rules apply to all users regardless of subscription level.
| Purpose | Who | Conditions |
|---|---|---|
| Support | Founder only | Only on your written request; access is logged |
| Debugging | Founder only | Aggregate or anonymised data only — individual documents and transactions are not reviewed |
| Legal / Emergency | Founder only | Only under valid HK court order or statutory obligation under PDPO; access is logged and you will be notified where legally permitted |
| Marketing / Training / Analytics | — | Never — strictly prohibited |
Cross-border storage: Your data is stored on infrastructure located outside of Hong Kong. By using the Service, you acknowledge and consent to this. We have selected providers with strong security certifications to mitigate the associated risks.
While we implement industry-standard security measures, no system is completely impenetrable, and we cannot guarantee absolute security against all threats.
4. AI Processing and Cross-Border Data Transfer
4.1 AI Provider Chain
Booksaidso uses Qwen (a Large Language Model developed by Alibaba Cloud), accessed via OpenRouter (an AI API gateway based in the United States), to extract and categorise data from your uploaded financial documents and chat messages.
When you upload a receipt or type a transaction, your data travels through the following path:
Your device → Booksaidso (Vercel, US) → OpenRouter (US) → Qwen model (Alibaba Cloud, Singapore)
This means your data is transmitted outside of Hong Kong for AI processing. By using the Service, you acknowledge and consent to this cross-border transfer.
4.2 What Is Sent to the AI
We transmit only the minimum data necessary to process your request. This includes:
- The receipt image or extracted text from the document you upload
- Your business name and business nature (to correctly classify income vs. expenses)
- Up to the last 10 chat messages for conversational context
We never transmit your email address, payment details, account credentials, or any data unrelated to the transaction being processed.
4.3 AI Model Training
OpenRouter: Every request we send to OpenRouter includes an explicit data_collection: "deny" flag, which instructs OpenRouter not to log or retain your prompt contents. This is enforced at the API level on every message and every receipt upload. See OpenRouter's privacy policy for their full data handling terms.
Alibaba Cloud (Qwen model): Alibaba Cloud may retain prompt data for a limited operational period in accordance with their service terms. We route all traffic via OpenRouter with the deny flag above, which is our primary control. Alibaba Cloud's data centres are located in Singapore and China. By using the Service, you acknowledge and consent to your data being processed in these jurisdictions. Their full terms are available at the Alibaba Cloud International Terms of Service.
5. Data Sharing and Third Parties
5.1 Service Providers
We share your information with the following trusted third-party service providers, solely to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, transaction data, uploaded files |
| Vercel | Web hosting and serverless functions | Request logs, IP addresses |
| OpenRouter | AI API gateway (routes to Qwen by Alibaba Cloud) | Receipt images, transaction text (transient; data_collection: deny flag enforced on every request) |
| Stripe | Payment processing (subscribers only) | Email address, payment details |
| Sentry | Error monitoring and crash reporting | Error stack traces and user ID only. sendDefaultPii: false prevents automatic capture of IP addresses, cookies, and request bodies. A beforeSend filter strips financial field values (amounts, descriptions, counterparty names) and authentication tokens from all events before transmission. Session replay is disabled. |
| Resend | Transactional email delivery (magic links, account notifications) | Email address, email content (login links, system notifications only) |
| OAuth authentication (all users) · Google Drive file storage (Business plan, opt-in) | OAuth: Google account identity used for sign-in only. Drive: receipt files created by Booksaidso, stored in your own Google account (drive.file scope only). Encrypted refresh token stored in Booksaidso database. |
Supabase and Stripe maintain formal Data Processing Agreements (DPAs). OpenRouter's data handling is governed by their published Data Processing Agreement. Alibaba Cloud's terms are available at their International Terms of Service.
5.2 No Sale of Data
We do not sell, rent, or trade your personal or financial data to any third parties under any circumstances. Your business data is your own.
5.3 Legal Disclosure
We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Data Retention
We retain your data according to the following schedule:
| Scenario | Retention period |
|---|---|
| Active account (paid) | Retained while your account is active (transactions, chat history, uploaded files) |
| Chat conversation history | Retained while your account is active; deleted with your account or on your request |
| Active account (free tier, within 12 months) | Retained while activity is recorded within the past 12 months |
| Free-tier account inactive for 12+ months | All data permanently deleted (transactions, chat history, files, profile) |
| Subscription cancellation | Downgraded to free tier; all data retained; CSV export always available at no cost |
| After cancellation (no activity for 12 months) | Permanently deleted (same as inactive free-tier policy) |
| Resubscription (within 12-month window) | All data restored in full, no data loss |
| Chat attachment files | Full-size files deleted after 72 hours (thumbnails retained permanently) |
| Bulk upload processing files | Deleted after 72 hours; confirmed receipts copied to permanent storage before deletion |
Last activity timestamp (last_active_at) | Updated on each session; used to determine inactivity; deleted with account |
Activity tracking: We record a timestamp of your last active session in your profile (last_active_at). This is updated automatically each time you use the Service and is used solely to determine inactivity for free-tier data retention purposes. It is never shared with third parties.
7. Your Rights
Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right of correction: Request correction of inaccurate personal data
- Right to deletion: Request deletion of your account and associated data at any time
- Right to object: Object to direct marketing use of your data (note: we do not currently conduct direct marketing)
- Right to complain: Lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong
To exercise any of these rights, please contact us at hello@booksaidso.com. We will respond within a reasonable timeframe in accordance with the PDPO.
8. Cookies
We use cookies solely for essential functions, including maintaining your authenticated session after login and storing your session preferences.
We do not use advertising cookies, third-party tracking cookies, or cookies for behavioural profiling. You can instruct your browser to refuse all cookies, but doing so may prevent you from logging in or using the Service.
9. Children's Privacy
Our Service is intended for business use by adults and is not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to your registered address and by updating the “Last Updated” date at the top of this page. Continued use of the Service after changes are posted constitutes your acceptance of the updated Policy.
11. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region, in particular the Personal Data (Privacy) Ordinance (Cap. 486). Any disputes relating to this Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: hello@booksaidso.com
Website: www.booksaidso.com