Privacy Policy | FifthFirm

1. Introduction

Digital Inventory Group LLC ("FifthFirm", "we", "us") operates the FifthFirm platform at fifthfirm.com. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

2. Information We Collect

2.1 Information You Provide

Account information: name, email address, organization name
Client data: business names, financial records, tax documents you upload or connect via QuickBooks Online
Payment information: processed by our payment provider (Stripe)
Communications: support requests, feedback, and correspondence

2.2 Information from Third-Party Integrations

When you connect QuickBooks Online, we receive access to financial data including chart of accounts, transactions, invoices, bills, customers, vendors, and financial reports. We access only the data scopes you explicitly authorize during the OAuth connection flow.

2.3 OAuth Scopes and Data Access

When you connect your QuickBooks Online account, FifthFirm requests the following OAuth 2.0 scopes:

com.intuit.quickbooks.accounting — Read and write access to accounting data including chart of accounts, transactions, customers, vendors, items, and reports
openid, profile, email — Basic identity verification for single sign-on

You may revoke FifthFirm's access at any time through your QuickBooks Online account at Apps > Manage Apps, or by contacting us at privacy@fifthfirm.com.

2.4 Automatically Collected Information

Usage data: pages visited, features used, actions taken within the platform
Device information: browser type, operating system, IP address
Cookies: essential session cookies for authentication and CSRF protection. We do not use advertising or tracking cookies.

3. How We Use Your Information

Provide, maintain, and improve the Service, including AI-powered bookkeeping, reporting, and advisory features
Process financial data to generate reports, categorize transactions, and prepare tax documents
Communicate with you about your account, updates, and support
Ensure security, detect fraud, and comply with legal obligations
Analyze usage patterns to improve the platform (aggregated, de-identified data only)

AI Model Training: Your data is not used to train AI models. AI-powered features use pre-trained models applied to your data at runtime only.

4. Data Sharing and Disclosure

We do not sell, rent, or share your personal or financial data for cross-context behavioral advertising. We may share data:

With your consent: When you explicitly authorize sharing
Service providers: Third-party vendors who assist in operating the Service (hosting, payment processing), bound by confidentiality agreements and data processing agreements
Legal requirements: When required by law, subpoena, or government request
Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users

5. Data Security

We implement industry-standard security measures to protect your data, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
OAuth 2.0 for third-party integrations (no password storage)
Role-based access controls within the platform
Multi-tenant data isolation between organizations
Regular security assessments and monitoring
Audit logging of all data access and modifications

No system is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable measures.

6. Data Retention

We retain your data according to the following schedule:

Data Type	Retention Period
Account profile information	Duration of account + 30 days
QuickBooks Online cached data	Duration of active integration + 30 days post-disconnect
Financial transaction records	7 years (IRS record retention)
Audit logs	7 years
Support correspondence	3 years
Usage analytics (aggregated)	Indefinite (de-identified)
AI model training data	Not applicable — your data is not used to train AI models

After the retention period, data is permanently deleted or irreversibly anonymized.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your data
Export your data in a portable format (CSV or JSON)
Withdraw consent for data processing
Disconnect third-party integrations at any time via your account settings

To exercise these rights, contact us at privacy@fifthfirm.com. We will respond within 30 days (or as required by your jurisdiction).

8. Your State Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: (i) know what personal information we collect, use, and disclose; (ii) request deletion of your personal information; (iii) opt out of the sale or sharing of personal information; and (iv) not be discriminated against for exercising these rights. We do not sell or share your personal information as defined by the CCPA/CPRA. To exercise your rights, contact privacy@fifthfirm.com. We will respond within 45 days.

Virginia, Colorado, Connecticut, and Other States

Residents of states with consumer privacy laws (VCDPA, CPA, CTDPA, and others) have similar rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising and profiling. To exercise any right, email privacy@fifthfirm.com with your state of residence. We will respond within the timeframe required by your state's law.

Do Not Sell or Share

We do not sell or share personal information for cross-context behavioral advertising. No opt-out mechanism is required because no such activity occurs, but you may contact us at any time to confirm.

9. Data Breach Notification

In the event of a security breach involving your personal information, we will notify affected users without unreasonable delay and no later than as required by applicable law (typically 30–72 days depending on jurisdiction). Notification will include: (a) a description of the breach; (b) the types of data involved; (c) steps we are taking to address the breach; and (d) steps you can take to protect yourself. We will also notify relevant regulatory authorities as required by law.

10. QuickBooks Online Integration

When you connect your QuickBooks Online account to FifthFirm:

We use Intuit's OAuth 2.0 protocol — we never see or store your QBO password
You can revoke access at any time through your QBO account settings or through FifthFirm
We access only the data scopes you authorize
Financial data accessed via QBO is used solely to provide the services you requested
We do not sell, rent, or trade your QuickBooks data to any third party
Upon disconnecting, cached QBO data is deleted within 30 days

QuickBooks, QuickBooks Online, and Intuit are trademarks of Intuit Inc. FifthFirm is not affiliated with, endorsed by, or sponsored by Intuit Inc.

11. Data Processing for B2B Clients

When your organization uses FifthFirm to process client financial data, Digital Inventory Group LLC acts as a data processor on your behalf. You remain the data controller. A Data Processing Agreement (DPA) is available upon request and governs our processing of personal data on your behalf. Contact legal@fifthfirm.com to obtain a copy.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service at least 30 days before they take effect. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related inquiries:
Digital Inventory Group LLC
Email: privacy@fifthfirm.com