Privacy Policy
Effective date: 1 April 2026 · Last updated: 1 April 2026
Welcome to Booksaidso (“we,” “our,” or “us”). We are committed to protecting your personal and business privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (www.booksaidso.com) and use our AI-assisted bookkeeping software-as-a-service (the “Service”). We operate in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) of the Hong Kong Special Administrative Region.
1. Information We Collect
1.1 Information You Provide
When you register for an account, subscribe to our plans, or contact us for support, we may collect:
- Identity information: your name, email address, and company name
- Account credentials: your password is securely hashed and managed by our authentication provider (Supabase Auth); we never store plaintext passwords
- Business settings: your business name, business nature, business type, fiscal year start, and default payment method (stored in your profile to personalise the Service)
1.2 Information Collected Automatically
When you access the Service, we automatically collect certain technical information, including:
- IP address, browser type, and operating system
- Referring URLs and interaction data (such as clicks and page views)
- Session tokens and authentication state (stored in cookies)
This information is used to maintain your session, ensure platform security, and improve the user experience.
1.3 Financial Data
To provide our core bookkeeping functionalities, you may upload financial documents including receipts, invoices, bank statements, and Director's Current Account (DCA) records. You may also enter transaction data directly via chat. We process this data strictly to generate your requested bookkeeping records, exports, and reports.
You retain full ownership of all financial data you provide.
2. How We Use Your Information
We use the collected information for the following purposes:
- To provide, operate, and maintain the Service
- To process your financial documents and generate categorised bookkeeping records
- To process subscription payments and send related confirmations and invoices
- To send transactional emails (e.g., magic links, account notifications, data export reminders)
- To provide customer support and respond to your enquiries
- To monitor and analyse usage trends to improve the Service
- To enforce our Terms and Conditions and comply with legal obligations
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
3. Data Storage and Security
Your data is stored on the following secure cloud infrastructure:
| Provider | Purpose |
|---|---|
| Supabase | Database (transactions, messages, profiles) + private file storage (receipts) |
| Vercel | Web application hosting and serverless functions |
File storage: Uploaded receipts and documents are stored in a private Supabase Storage bucket. All files require a signed URL to access and are not publicly accessible. Signed URLs expire after 1 hour.
Security measures: We use encrypted connections (HTTPS/TLS), private storage with access controls, and Row-Level Security (RLS) on all database tables to ensure your data is accessible only to you.
While we have taken reasonable steps to secure your information, no security measures are perfect or impenetrable, and we cannot guarantee absolute security.
4. AI Processing
Booksaidso uses Large Language Models (LLMs) via the OpenRouter API to extract and categorise data from your uploaded financial documents and chat messages.
How your data is processed:
- When you upload a receipt or type a transaction, the relevant text and image data is transmitted to OpenRouter securely via API
- The AI model processes your data transiently to generate a structured response (e.g., categorised transaction details)
- Your data is not retained by OpenRouter or the underlying model providers after the API call completes
- Your financial data is never used to train, fine-tune, or improve any foundational AI model
We only transmit the minimum data necessary to process your request.
5. Data Sharing and Third Parties
5.1 Service Providers
We share your information with the following trusted third-party service providers, solely to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, transaction data, uploaded files |
| Vercel | Web hosting and serverless functions | Request logs, IP addresses |
| OpenRouter | AI processing (LLM API) | Receipt images, transaction text (transient only) |
| Stripe | Payment processing (subscribers only) | Email address, payment details |
All service providers are contractually bound to process your data only for the purposes we specify.
5.2 No Sale of Data
We do not sell, rent, or trade your personal or financial data to any third parties under any circumstances. Your business data is your own.
5.3 Legal Disclosure
We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Data Retention
We retain your data according to the following schedule:
| Scenario | Retention period |
|---|---|
| Active account | Retained while your account is active |
| Trial expiry or subscription cancellation | Read-only mode; data retained for 90 days |
| Export window | 30 days to export data via CSV |
| Reactivation within 90 days | All data restored in full |
| After 90-day safeguard period | Permanently and securely deleted |
| Chat attachment files | Deleted after 30 days (thumbnails retained) |
7. Your Rights
Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right of correction: Request correction of inaccurate personal data
- Right to deletion: Request deletion of your account and associated data at any time
- Right to object: Object to direct marketing use of your data (note: we do not currently conduct direct marketing)
- Right to complain: Lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong
To exercise any of these rights, please contact us at hello@booksaidso.com. We will respond within a reasonable timeframe in accordance with the Personal Data (Privacy) Ordinance (PDPO).
8. Cookies
We use cookies solely for essential functions, including maintaining your authenticated session after login and storing your session preferences.
We do not use advertising cookies, third-party tracking cookies, or cookies for behavioural profiling. You can instruct your browser to refuse all cookies, but doing so may prevent you from logging in or using the Service.
9. Children's Privacy
Our Service is intended for business use by adults and is not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to your registered address and by updating the “Last updated” date at the top of this page. Continued use of the Service after changes are posted constitutes your acceptance of the updated Policy.
11. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region, in particular the Personal Data (Privacy) Ordinance (Cap. 486). Any disputes relating to this Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: hello@booksaidso.com
Website: www.booksaidso.com