Legal

Privacy Policy

Effective: July 1, 2026
Last updated: June 2026
The short version: Overlodger reads your QuickBooks transactions to detect unusual spending and send you alerts. We share transaction data with OpenAI only to generate alert messages. We never sell your data. We store only what we need to run the service.

1. Overview

This Privacy Policy explains how The Overlodger Team ("Overlodger," "we," "us," or "our") collects, uses, shares, and protects information when you use the Overlodger platform ("Service"). It applies to all users of our website, web application, and related communications.

By creating an account or connecting your QuickBooks account, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

Overlodger is currently operated as an unincorporated business.

2. What We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a bcrypt hash — we never store your plaintext password)
  • Business name (optional at signup, can be added later)
  • Phone number (optional; required only if you enable SMS notifications)

2.2 QuickBooks Transaction Data

When you connect QuickBooks, we retrieve and store:

  • Purchase transaction records including date, vendor name, amount, and QuickBooks category
  • Up to 5 years of historical transactions on initial connection to build your spending baseline, then ongoing as new transactions occur
  • Your QuickBooks company ID (realm ID) and OAuth access/refresh tokens to maintain the connection

We request read-only access to your QuickBooks data. We do not read, modify, or store invoices, payroll, customer data, employee records, bank account numbers, or any data beyond purchase transactions.

2.3 Usage & Technical Data

We automatically collect:

  • Log data: pages visited, actions taken within the application, timestamps
  • Device and browser information
  • IP address
  • Sync history: when syncs occurred, how many transactions were pulled, how many alerts were generated

2.4 Alert Feedback

When you mark an alert as "Helpful" or "Not an issue," we record that feedback associated with the alert to improve detection accuracy.

2.5 Communications

If you contact us by email, we retain those communications to respond to your inquiry and improve the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: run anomaly detection, generate alerts, build weekly digests, and maintain your dashboard
  • Authenticate your account: verify identity and maintain secure sessions
  • Send notifications: deliver anomaly alert emails, weekly digest emails, and SMS alerts (paid plan only)
  • Maintain your QuickBooks connection: refresh OAuth tokens to keep your data syncing
  • Improve the Service: analyze aggregate usage patterns and evaluate alert accuracy
  • Respond to support requests: communicate with you about your account
  • Comply with legal obligations: respond to lawful requests from government authorities

We do not use your data for advertising purposes and we do not allow third parties to use your data for advertising.

4. Third-Party Services

To operate the Service, we share limited data with the following providers. We do not sell your data to any of these providers — they receive only what is necessary to perform their function.

Provider Purpose Data Shared
Intuit (QuickBooks) Source of transaction data via OAuth API OAuth tokens; we retrieve data from them, not share to them
OpenAI AI verification of flagged transactions; generation of alert messages and weekly insights Transaction details (vendor, amount, category, date) for flagged transactions and weekly aggregates. OpenAI's API does not use API inputs to train their models.
Resend Email delivery (alerts, digests, welcome emails) Your email address and the content of emails sent
Railway Application hosting and database infrastructure All data stored in the Service is hosted on Railway's infrastructure
Cloudflare DNS, CDN, and domain security IP addresses, request metadata for security filtering
SMS Provider SMS/text alert delivery (paid plan only) Your phone number and alert message content
Stripe Subscription billing for paid plan Billing information; we do not store payment card data ourselves

We may also disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Overlodger, our users, or the public.

5. AI Processing

When our statistical model flags a transaction as potentially anomalous, we send specific details about that transaction — including vendor name, amount, category, and date — to OpenAI's API. OpenAI's model evaluates whether the flag is likely a genuine concern and generates a plain-English explanation for the alert you receive.

For weekly digests, we send aggregated spending summaries (total spend, top categories, top vendors, week-over-week comparison) to OpenAI to generate the 2–3 sentence insight included in your report.

What we don't send to OpenAI: your name, email, phone number, business name, QuickBooks realm ID, OAuth tokens, or your account history. Only the transaction data necessary for the specific alert or digest is included in each API call.

OpenAI processes this data under their API terms of service, which specify that API inputs are not used to train their models. You can review OpenAI's privacy practices at openai.com/policies/privacy-policy.

6. SMS & Email Communications

7.1 Transactional Emails

By creating an account, you consent to receive transactional emails including anomaly alerts, weekly digests, and account notifications. These are core to the Service and cannot be fully disabled while your account is active. You can unsubscribe from non-essential emails using the link in any email.

7.2 SMS Text Messages (Paid Plans)

SMS notifications require your explicit consent at the time you enable them. By providing your phone number and enabling SMS alerts, you consent to receive automated text messages from Overlodger. Message frequency depends on your transaction activity. Message and data rates may apply.

To stop SMS messages: reply STOP to any message, or disable SMS in your profile settings. For help: reply HELP or email [email protected].

We do not share your phone number with third parties for marketing purposes. Your number is used only for delivering Overlodger alerts.

7. Data Retention

We retain your data for as long as your account is active and as necessary to provide the Service. Specific retention periods:

  • Account information: retained while your account is active; deleted within 60 days of account deletion upon request
  • Transaction data: retained while your account is active; we maintain a rolling history as needed for anomaly detection accuracy. Deleted within 60 days of account deletion.
  • QuickBooks OAuth tokens: deleted immediately upon disconnection or account deletion
  • Alert history: retained for the life of your account; can be cleared on request
  • Logs and usage data: retained for up to 90 days for security and debugging purposes

We may retain certain data longer if required by law, to resolve disputes, or to enforce our agreements.

8. Security

We take reasonable technical measures to protect your data, including:

  • Passwords stored using bcrypt hashing — never in plaintext
  • JWT-based authentication with short-lived access tokens and 30-day refresh tokens
  • HTTPS encryption for all data in transit
  • Railway's managed database infrastructure with access controls
  • QuickBooks OAuth tokens encrypted at rest using AES (Fernet) — never stored in plaintext

No security system is perfect. We cannot guarantee that unauthorized parties will never gain access to your data. If you believe your account has been compromised, contact us immediately at [email protected].

In the event of a data breach that affects your personal information, we will notify affected users by email as required by applicable law.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, email [email protected].

Access

Request a copy of the personal data we hold about you.

Correction

Update inaccurate or incomplete account information through your profile page or by contacting us.

Deletion

Request deletion of your account and personal data. We will comply within 60 days subject to legal retention requirements.

Portability

Request your data in a machine-readable format so you can transfer it to another service.

Disconnect QuickBooks

Revoke Overlodger's access to your QuickBooks data at any time from your dashboard or Intuit account settings.

California Residents (CCPA)

California residents have the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at [email protected].

Other U.S. State Privacy Laws

Multiple U.S. states have enacted comprehensive privacy laws. If you are a resident of Virginia, Colorado, Connecticut, Texas, Florida, or another state with a consumer privacy law, you may have additional rights. Contact us to make a request and we will respond in accordance with applicable law.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has created an account, we will promptly delete their information. If you believe a minor has registered, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect and update the "Last updated" date at the top of this page.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the revised policy. If you do not agree to the changes, you must stop using the Service and may request account deletion.

12. Contact

For privacy-related questions or requests to access or delete your data:

  • Email: [email protected]
  • Subject line for data requests: "Privacy Request — [your request type]"
  • Response time: We aim to respond to all privacy requests within 30 days.
  • Mailing address: [Insert upon incorporation]

We take privacy requests seriously and will respond personally — not with an automated reply.