Privacy Policy
Version: 1.0
Effective date: 2026-05-14
Last updated: 2026-05-14
A&F Business Consulting Inc. ("A&F," "we," "us," or "our") operates ProfitControl Suite (the "Service"). This Privacy Policy explains what personal information we collect when you use the Service, how we use and share it, and the rights you have over it.
If you have any questions, contact us at privacy@afbusinessconsulting.com.
1. Who is responsible for your data
A&F Business Consulting Inc. is the data controller. We have engaged Jetbrackets as our contracted software development and information security service provider for ProfitControl Suite, operating under a written services agreement with data protection obligations. Jetbrackets acts as a data processor on A&F's behalf and is bound by the same security and confidentiality obligations described in this policy.
2. The information we collect
We collect information you provide directly, information generated when you use the Service, and information we receive from third parties you connect to ProfitControl Suite.
2.1 Information you provide
- Account information: name, email address, password (stored as a salted hash, never in plain text), profile image (if provided via Google sign-in).
- Company information: company name, address, contact name, contact email, EIN, and similar business details you supply during onboarding.
- Financial information you upload: Profit & Loss statements imported from QuickBooks or other accounting tools, manual financial entries, and notes you enter into ProfitControl Suite features (for example the AI advisor chat).
- Billing information: subscription status. Card numbers and full payment details are collected and stored by Stripe, our payment processor; we receive a customer identifier and payment status, not the card itself.
2.2 Information generated when you use the Service
- Authentication and security events: sign-in timestamps, IP address, user agent string, passkey registration metadata (signature counter, device type, transports), session activity. We use this for security, fraud prevention, and audit logging.
- Usage data: the features and pages you access, dashboard interactions, AI advisor queries and responses, and similar product telemetry.
- Cookies and similar technologies: strictly necessary cookies for authentication and session management, including a signed cookie that records that you have completed your phishing-resistant multi-factor authentication challenge for the active session. We do not use third-party advertising or analytics cookies.
2.3 Information we receive from third parties you connect
If you choose to connect a financial account through Plaid, we receive from Plaid the data you authorize during the Plaid Link consent flow. For ProfitControl Suite this is limited to Plaid Transactions data: bank account names and identifiers, transaction history and metadata (date, amount, merchant, category), and related account balances surfaced with the transaction stream. We do not retrieve account/routing numbers, identity verification data, asset or income reports, or any other Plaid product unless you separately authorize it.
If you sign in with Google, we receive your email address, name, and profile image from Google. We do not request any other Google account scope.
3. How we use your information
We use the information described above to:
- Operate and provide the Service, including the ProfitBooks dashboard, AI advisor, financial reporting, and budget tools.
- Authenticate you, enforce multi-factor authentication, and protect your account from unauthorized access.
- Process subscription billing and respond to billing questions.
- Send transactional emails (password resets, security notices, account changes, billing receipts) via our email provider.
- Provide AI-powered financial insights. When you use the AI advisor, the question and the relevant subset of your financial data are sent to OpenAI under a no-training data-use policy. We do not use your financial data to train, fine-tune, or improve any model.
- Comply with legal, regulatory, and tax obligations.
- Detect, investigate, and respond to security incidents and fraud.
- Communicate with you about service updates and material changes to this policy.
We do not sell your personal information. We do not share your information with third parties for advertising or marketing.
4. Who we share information with (sub-processors)
We share information with the following service providers, each acting on our behalf under a written agreement and bound by appropriate security and confidentiality obligations.
| Sub-processor | Purpose | Data shared | Security posture |
|---|---|---|---|
| Jetbrackets | Contracted software development and security operations for ProfitControl Suite | All categories listed in Section 2, only as necessary to operate the Service | Bound by our services agreement and data protection obligations |
| Vercel | Application hosting | All categories transit Vercel | SOC 2 Type II |
| Supabase | Managed PostgreSQL database and object storage | All categories listed in Section 2 | SOC 2 Type II, HIPAA available, AES-256 encryption at rest, TLS 1.2+ in transit |
| Stripe | Subscription billing and payment processing | Name, email, payment card details (collected by Stripe, not by us), billing address | PCI DSS Level 1, SOC 1/2 |
| Resend | Transactional email delivery | Name, email address, message contents (password resets, receipts, security notices) | SOC 2 Type II |
| OpenAI | AI advisor responses | The question you ask the advisor and the relevant subset of your financial data; covered by OpenAI's no-training policy for API use | SOC 2 Type II |
| Plaid | Bank transaction retrieval | OAuth-style consent: Plaid receives the credentials you provide directly to Plaid; we receive transaction data Plaid returns | SOC 2 Type II, regulated under U.S. financial-data privacy frameworks |
| Google | Optional OAuth sign-in | Your Google email, name, profile image (only if you choose Google sign-in) | SOC 2/3, ISO 27001/27017/27018 |
We may also share information when required by law, in response to a valid legal request (subpoena, court order, government investigation), to enforce our agreements, or to protect our or our customers' rights, property, or safety.
If we ever undergo a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you and update this policy.
5. Data retention
We keep your personal information for as long as your account is active and your subscription is in good standing.
After you close your account or cancel your subscription:
- We retain your account and financial data for 30 days to support reactivation, then we delete or anonymize it from our production systems.
- Limited records required for legal, tax, accounting, audit, fraud-prevention, or dispute-resolution purposes are retained for the period required by applicable law (typically up to 7 years for billing records).
- Deleted data may persist in encrypted backups until those backups expire. Backups are rotated on Supabase's standard backup schedule and expire automatically.
When you disconnect a bank account from ProfitControl Suite, we revoke the associated Plaid access_token and delete the related transaction history within 30 days.
6. Your rights
Subject to applicable law (including the California Consumer Privacy Act, other U.S. state privacy laws, and the EU/UK GDPR where it applies):
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct inaccurate or incomplete information.
- Deletion: ask us to delete your information. We will comply unless we are required by law to retain it.
- Portability: request an export of your account and financial data in a structured, machine-readable format.
- Withdraw consent: disconnect any linked bank account at any time from within the Service, which revokes Plaid's continued access.
- Restriction or objection: in certain circumstances, restrict or object to specific processing.
- Non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised these rights.
To exercise any of these rights, contact us at privacy@afbusinessconsulting.com. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.
California residents: A&F does not sell or "share" (as defined under the CPRA) personal information for cross-context behavioral advertising.
7. Security
We protect your information using technical and organizational measures described in our Information Security Policy and Access Control Policy, including:
- TLS 1.2 or higher for all data in transit.
- AES-256 encryption at rest for all customer data stored in Supabase.
- Phishing-resistant multi-factor authentication (passkey / WebAuthn) required for all end users before accessing financial data, with a session-bound step-up verification valid for 24 hours.
- Multi-factor authentication required on every administrative system that can access production data.
- Role-based access control inside the application, with separate administrator and client roles.
- Quarterly access reviews and audit logging of authentication events, deployments, and administrative actions.
No system is perfectly secure. If we ever experience a security incident affecting your personal information, we will notify you in accordance with applicable law.
8. International transfers
We process data in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have data-protection laws different from those of your country.
9. Children's privacy
ProfitControl Suite is a business product and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will update the "Last updated" date at the top, post the revised policy at this URL, and notify you by email at the address on file at least 14 days before the change takes effect.
11. Contact us
A&F Business Consulting Inc.
Privacy contact: privacy@afbusinessconsulting.com
General contact: fernanda@afbusinessconsulting.com