OperatorIQ LLC · myoperatoriq.com
Effective March 27, 2026 · Governed by North Carolina law
1.1 Account Information
When you create an account or subscribe, we collect: your name, email address, business name, and industry. This information is stored securely via Clerk, our authentication provider.
1.2 Financial Data from Integrations
When you connect QuickBooks, Square, or Xero to OperatorIQ, we access and store: profit and loss data (revenue, COGS, gross profit, operating expenses, net income), payment transaction data, product and SKU-level sales data, and account metadata such as company name and currency. This data is synced daily via automated cron jobs and stored in encrypted Redis-based storage on Vercel infrastructure. OAuth access tokens are encrypted at rest using AES-256-GCM encryption.
1.3 Uploaded Documents
Documents you upload to the Service (such as P&L exports, contracts, or FDD documents) are stored in encrypted cloud storage via Cloudflare R2. You retain full ownership of all uploaded documents.
1.4 Usage Data and AI Query Logs
We collect usage data including: pages visited within the portal, features used, questions submitted to Ask Thalen, AI insights generated, and integration activity. This data is stored in an audit log associated with your account and retained for up to 12 months. It is used to improve the Service and provide product support. We never log raw financial figures in usage logs.
1.5 Billing Information
Billing is processed by Stripe. OperatorIQ does not store your credit card number, CVV, or full payment details. We receive from Stripe only a token, last four digits, card type, and subscription status necessary to manage your account.
1.6 Demo and Lead Data
If you access the OperatorIQ demo, we collect your email address and optionally your name and company name. This information is used to follow up about the Service and is stored securely for up to 24 months. You may opt out of marketing communications at any time.
1.7 Communications
If you contact us by email or through any contact form, we retain the content of your communications and your contact information to respond to your inquiry and improve our support. These communications are stored securely and are not shared with third parties except as necessary to respond to your request.
We use the information we collect to:
We do NOT sell your financial data, business data, or personal information to any third party. We do NOT use your financial data to train AI models. We do NOT share your individual data with other OperatorIQ clients. Your data is used exclusively to provide the Service to you.
We take data security seriously. The following protections are in place:
| Protection | Details |
|---|---|
| OAuth Token Encryption | All QuickBooks, Square, and Xero OAuth access tokens are encrypted at rest using AES-256-GCM encryption before storage. Keys are stored as environment variables and never committed to source code. |
| Redis Data Storage | Financial data synced from integrations is stored in Vercel Redis, a managed cloud database with encryption at rest and in transit. |
| Cloudflare R2 Document Storage | Uploaded documents are stored in Cloudflare R2 with server-side encryption. Access is controlled via pre-signed URLs with limited expiry. |
| Authentication | Account authentication is managed by Clerk, a production-grade authentication platform. OperatorIQ does not store passwords. |
| HTTPS / TLS | All data transmitted between your browser and OperatorIQ is encrypted in transit using HTTPS/TLS. |
| Access Controls | Your financial data is accessible only to you via your authenticated account. OperatorIQ staff access is limited to what is necessary to operate and support the Service. |
| Audit Logging | All integration syncs, AI queries, and significant account events are logged in a tamper-evident audit trail associated with your account. Audit logs are retained for 12 months. |
OperatorIQ uses the following third-party services (“subprocessors”) to operate the platform. Each has its own privacy policy governing its handling of data. We will provide at least 14 days' advance notice of any material changes to our subprocessor list:
| Service | Domain | What they handle |
|---|---|---|
| Clerk | clerk.com | Authentication and user management. Stores your name, email, and account metadata. |
| Stripe | stripe.com | Payment processing. Subject to Stripe's Privacy Policy. OperatorIQ does not store full payment details. |
| Vercel | vercel.com | Hosting, serverless functions, and Redis data storage. Data processed in the United States. |
| Cloudflare R2 | cloudflare.com | Encrypted document storage. Data stored in the United States. |
| Intuit QuickBooks | intuit.com | Financial data integration (when connected). Governed by Intuit's Privacy Policy. |
| Square | squareup.com | Payment and product data integration (when connected). Governed by Square's Privacy Policy. |
| Xero | xero.com | Accounting data integration (when connected). Governed by Xero's Privacy Policy. |
| Resend | resend.com | Transactional email delivery for digest, alert, and notification emails. |
| Anthropic | anthropic.com | AI analysis engine powering OIQ Analysis and Ask Thalen. Relevant portions of your financial data are sent to Anthropic's API for processing. Anthropic does not use API data to train models. Subject to Anthropic's usage policies. |
| Mailchimp | mailchimp.com | Marketing email communications (opt-in only). You may unsubscribe at any time via the link in any marketing email. |
We retain your account data and financial data for as long as your subscription is active and for 30 days after cancellation or termination, after which it is permanently deleted from our systems. You may request earlier deletion by contacting legal@myoperatoriq.com.
You have the following rights with respect to your data:
To exercise any of these rights, contact us at legal@myoperatoriq.com. We will respond within 30 days.
When you use AI-powered features (OIQ Analysis, Ask Thalen, OIQ Forecasting), relevant portions of your financial data are sent to Anthropic’s API to generate responses. This processing is governed by Anthropic’s API usage policies. Anthropic does not use API-submitted data to train its models. Only the minimum data necessary to generate the requested analysis is sent.
SENSITIVE DATA CAUTION: Do not enter sensitive personal information — such as Social Security numbers, government ID numbers, protected health information (PHI), or personal financial data unrelated to your business — into any AI chat feature. The AI features are designed for business financial data only.
OperatorIQ does not use your individual financial data to train any AI model.
In the future, OperatorIQ may use anonymized, aggregated data across clients in the same industry or vertical to generate industry benchmarks that are made available within the Service (“Benchmark Data”). Benchmark Data is de-identified — it cannot be used to identify you or your business.
Before including any of your data in Benchmark Data for the first time, OperatorIQ will:
OperatorIQ owns all rights to Benchmark Data. Your opt-out is permanent until you affirmatively choose to opt back in. Opting out does not affect your access to any features of the Service.
In the event of a data security incident that affects your personal or financial data, OperatorIQ will notify affected users by email within 72 hours of becoming aware of the incident, to the extent required by applicable law. The notification will describe the nature of the incident, the data affected, steps taken to contain the incident, and recommended actions you can take to protect yourself.
OperatorIQ maintains an incident response plan and will not pay ransoms. OperatorIQ will cooperate with law enforcement and relevant regulatory authorities as required in the event of a security incident.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
To exercise California privacy rights, contact us at legal@myoperatoriq.com with the subject line “California Privacy Request.” We will verify your identity and respond within 45 days as required by law.
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
For privacy questions, data requests, or concerns, contact:
OperatorIQ LLC
Email: legal@myoperatoriq.com
Website: myoperatoriq.com
This Privacy Policy was last updated on March 27, 2026.