Effective March 27, 2026 · Governed by North Carolina law
OperatorIQ LLC ("OperatorIQ," "we," "our," or "us") operates the OperatorIQ platform at myoperatoriq.com. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service. By using the Service, you agree to the practices described in this policy.
When you create an account or subscribe, we collect your name, email address, business name, and industry via Clerk, our authentication provider. We do not store passwords directly.
When you connect QuickBooks, Square, or Xero to OperatorIQ, we access and store: profit and loss data (revenue, COGS, gross profit, operating expenses, net income), payment transaction data, product and SKU-level sales data, and account metadata. This data is synced daily and stored in encrypted Redis-based storage. OAuth access tokens are encrypted at rest using AES-256-GCM encryption.
Documents you upload (P&L exports, contracts, FDD documents) are stored in encrypted cloud storage via Cloudflare R2. You retain full ownership of all uploaded documents.
We collect usage data including pages visited, features used, questions submitted to Ask Thalen, AI insights generated, and integration activity. This is stored in an audit log associated with your account and retained for up to 12 months. We never log raw financial figures in usage logs.
Billing is processed by Stripe. OperatorIQ does not store your credit card number, CVV, or full payment details — only a Stripe token, last four digits, card type, and subscription status.
If you access the OperatorIQ demo, we collect your email and optionally your name and company. This is retained for up to 24 months and used to follow up about the Service. You may opt out of marketing communications at any time.
If you contact us by email or through any contact form, we retain the content of your communications and your contact information to respond to your inquiry and improve our support. These communications are not shared with third parties except as necessary to respond to your request.
| Measure | Details |
|---|---|
| OAuth Token Encryption | All QuickBooks, Square, and Xero OAuth tokens are encrypted at rest using AES-256-GCM. Keys are stored as environment variables and never committed to source code. |
| Redis Data Storage | Financial data is stored in Vercel Redis with encryption at rest and in transit. |
| Cloudflare R2 Storage | Uploaded documents are stored in Cloudflare R2 with server-side encryption. Access is controlled via pre-signed URLs with limited expiry. |
| Authentication | Account authentication is managed by Clerk. OperatorIQ does not store passwords. |
| HTTPS / TLS | All data transmitted between your browser and OperatorIQ is encrypted using HTTPS/TLS. |
| Access Controls | Your data is accessible only to you via your authenticated account. Staff access is limited to what is necessary to operate and support the Service. |
| Audit Logging | All integration syncs, AI queries, and significant account events are logged in a tamper-evident audit trail. Audit logs are retained for 12 months. |
OperatorIQ uses the following subprocessors to operate the platform. We will provide at least 14 days' advance notice of any material changes to this list:
| Service | Domain | What they handle |
|---|---|---|
| Clerk | clerk.com | Authentication and user management. Stores your name, email, and account metadata. |
| Stripe | stripe.com | Payment processing. OperatorIQ does not store full payment details. |
| Vercel | vercel.com | Hosting, serverless functions, and Redis data storage. Data processed in the United States. |
| Cloudflare R2 | cloudflare.com | Encrypted document storage. Data stored in the United States. |
| Intuit QuickBooks | intuit.com | Financial data integration (when connected). Governed by Intuit's Privacy Policy. |
| Square | squareup.com | Payment and product data integration (when connected). Governed by Square's Privacy Policy. |
| Xero | xero.com | Accounting data integration (when connected). Governed by Xero's Privacy Policy. |
| Resend | resend.com | Transactional email delivery for digest, alert, and notification emails. |
| Anthropic | anthropic.com | AI analysis engine powering OIQ Analysis and Ask Thalen. Relevant portions of your financial data are sent to Anthropic's API for processing. Anthropic does not use API data to train models. |
| Mailchimp | mailchimp.com | Marketing email communications (opt-in only). Unsubscribe at any time via any marketing email. |
We retain your account data and financial data for as long as your subscription is active and for 30 days after cancellation, after which it is permanently deleted. Contact legal@myoperatoriq.com to request earlier deletion.
Contact legal@myoperatoriq.com to exercise any of these rights. We will respond within 30 days.
When you use AI-powered features (OIQ Analysis, Ask Thalen, OIQ Forecasting), relevant portions of your financial data are sent to Anthropic's API to generate responses. Only the minimum data necessary to generate the requested analysis is sent. Anthropic does not use API-submitted data to train its models.
OperatorIQ does not use your individual financial data to train any AI model.
In the future, OperatorIQ may use anonymized, aggregated data across clients in the same industry to generate industry benchmarks available within the Service ("Benchmark Data"). Benchmark Data is de-identified and cannot be used to identify you or your business.
Before including any of your data in Benchmark Data for the first time, OperatorIQ will:
OperatorIQ owns all rights to Benchmark Data. Opting out does not affect your access to any features of the Service.
In the event of a data security incident affecting your personal or financial data, OperatorIQ will notify affected users by email within 72 hours of becoming aware of the incident, to the extent required by applicable law. The notification will describe the nature of the incident, data affected, steps taken to contain it, and recommended protective actions.
OperatorIQ maintains an incident response plan and will cooperate with law enforcement and relevant regulatory authorities as required. OperatorIQ will not pay ransoms.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
To exercise California privacy rights, contact legal@myoperatoriq.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided personal information, we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
For privacy questions, data requests, or concerns:
OperatorIQ LLC
Email: legal@myoperatoriq.com
Website: myoperatoriq.com
This Privacy Policy was last updated on March 27, 2026.