1. Introduction

The Solution Desk LLC, a California limited liability company ("The Solution Desk", "we", "us", or "our"), operates the Ekue accounting platform, including all related websites, applications, APIs, and services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use the Service.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy should be read alongside our Terms of Service.

2. We Do Not Sell Your Personal Data

The Solution Desk LLC has never sold, does not sell, and will never sell your personal information to third parties. This applies to all categories of personal data we collect, including financial data, account information, and usage data. We do not share your data with data brokers, advertisers, or any third party for their own commercial purposes. This commitment applies regardless of whether you are a current, former, or prospective customer.

3. Information We Collect

Account Information

When you register for Ekue, we collect: your full name, email address, company or business name, phone number (optional), and billing address. This information is necessary to create your account, verify your identity, and manage your subscription.

Financial Data

The Service stores accounting data you enter, including but not limited to: invoices, expenses, bills, journal entries, chart of accounts, customer and vendor records, tax codes, payment records, and financial reports. This data belongs to you. We process it solely to provide the Service.

Payment Information

Subscription payments are processed entirely by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification. We never store, see, or have access to your full credit card number, CVV, expiration date, or card PIN. Stripe provides us with a limited token, card brand, and last four digits for display purposes only.

Bank Connection Data

If you choose to connect a bank account, this is facilitated by Plaid. Plaid connects directly to your financial institution — we never see, store, or have access to your bank login credentials. Through Plaid, we receive: account names, account types, balances, and transaction history. You can disconnect your bank accounts at any time through the Service.

Usage Data

We automatically collect information about how you interact with the Service, including: pages viewed, features used, actions taken, timestamps, session duration, and referring URLs. This data helps us improve the product and diagnose technical issues.

Device and Technical Data

We collect: IP address, browser type and version, operating system, device type, and screen resolution. This data is used for security monitoring, fraud prevention, and ensuring compatibility.

Communication Data

When you contact us via email, contact form, or in-app support, we collect the content of your communications and any attachments. We use this data to respond to your inquiries and improve our support.

Integration Data

If you enable optional integrations, we collect relevant data for each:

  • Slack: Workspace name, channel preferences, and notification settings
  • AI features: Queries you submit and AI-generated responses
  • SSO (Google/Microsoft): Name, email address, and profile picture from your identity provider

Authentication Data

We store: bcrypt-hashed passwords (we cannot see or reverse your password), FIDO2/WebAuthn passkey credentials, TOTP multi-factor authentication secrets, OAuth provider identifiers, and session tokens. All sensitive authentication data is encrypted.

Audit Log Data

The Service automatically records: user actions (create, update, delete), timestamps, IP addresses, user agent strings, and affected entities. Audit logs are tamper-resistant and cannot be edited or deleted by users.

4. Information We Do NOT Collect

We want to be explicit about data we do not collect:

  • Social security numbers or government-issued identification numbers
  • Biometric data (passkeys use your device's biometric authentication locally — biometric data is never transmitted to our servers)
  • Health or medical information
  • Political opinions, religious beliefs, or sexual orientation
  • Data from children under the age of 16
  • Location data beyond IP-based geolocation
  • Keystroke logging or screen recordings

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Service operation: Providing, maintaining, and operating the accounting platform
  • Payment processing: Managing subscriptions, processing payments, and sending billing notifications through Stripe
  • Authentication and security: Verifying your identity, managing sessions, and protecting against unauthorized access
  • Financial reporting: Generating the financial reports, dashboards, and exports you request
  • Transactional communications: Sending account-related emails including invoices, receipts, payment confirmations, security alerts, and service updates
  • Customer support: Responding to your inquiries, troubleshooting issues, and providing technical assistance
  • Security and fraud prevention: Detecting, investigating, and preventing fraudulent activity, unauthorized access, and abuse
  • Audit and compliance: Maintaining audit logs for accountability, tax compliance, and regulatory requirements
  • Product improvement: Analyzing aggregated, anonymized usage patterns to improve the Service (we never use individually identifiable data for this purpose)
  • Legal compliance: Fulfilling our legal obligations, including responding to lawful requests from government authorities
  • AI features: When you initiate an AI-powered action, processing relevant data through our AI provider. AI processing occurs only at your explicit request — never automatically or in the background.

6. How We Do NOT Use Your Information

  • We do NOT sell your personal data — ever, to anyone, for any reason
  • We do NOT use your financial data for advertising — we have no advertising on the platform
  • We do NOT share your data with data brokers or information resellers
  • We do NOT profile you for marketing by third parties
  • We do NOT use your data to train AI models — third-party AI providers may have their own policies regarding data submitted to their APIs; see Section 7
  • We do NOT serve targeted advertisements — there are no ads in Ekue
  • We do NOT track you across other websites

7. Third-Party Service Providers

We share data with the following third-party service providers strictly as necessary to operate the Service. Each provider is bound by its own privacy policy and, where applicable, data processing agreements with us.

Stripe (stripe.com)

Purpose: Payment processing, subscription management, and invoice generation.
Data shared: Name, email, billing address, and payment method (processed directly by Stripe).
Security: Stripe is PCI DSS Level 1 certified — the highest level of payment industry security.
Their policy: Stripe Privacy Policy

Plaid (plaid.com)

Purpose: Bank account linking and transaction synchronization.
Data flow: You authenticate directly with Plaid using your bank credentials — we never see your bank login. Plaid shares with us: account names, account types, balances, and transaction history.
Control: You can disconnect bank connections at any time through the Service or through Plaid's portal.
Their policy: Plaid End User Privacy Policy

Anthropic (anthropic.com)

Purpose: AI-powered features including transaction categorization, natural-language summaries, and reconciliation suggestions.
Data shared: Only the specific financial data snippets you submit when using AI features. AI processing occurs only when you explicitly initiate it.
Important: Review Anthropic's usage policy regarding how they handle data submitted to their API.
Their policy: Anthropic Privacy Policy

Slack (slack.com)

Purpose: Optional workspace notifications and alerts.
Data shared: Notification content such as invoice summaries, payment alerts, and daily summaries. Only enabled when you explicitly connect your Slack workspace.
Their policy: Slack Privacy Policy

Cloudflare (cloudflare.com)

Purpose: DNS management, DDoS protection, SSL/TLS certificate provisioning, content delivery, and optional file storage (Cloudflare R2).
Data shared: Traffic metadata (IP addresses, request headers) for security and performance. File contents if R2 storage is used.
Their policy: Cloudflare Privacy Policy

Sentry (sentry.io)

Purpose: Application error tracking and service reliability monitoring.
Data shared: Anonymized error reports and stack traces. No financial data or personally identifiable information is intentionally sent to Sentry.
Their policy: Sentry Privacy Policy

Google and Microsoft

Purpose: Single sign-on (SSO) authentication only.
Data flow: When you choose to sign in with Google or Microsoft, we receive your name, email address, and profile picture from your identity provider. We do not receive or store your Google or Microsoft password.
Their policies: Google Privacy Policy | Microsoft Privacy Statement

8. Other Disclosures

Beyond the third-party service providers listed above, we may disclose your information only in the following circumstances:

  • Legal requirements: When required by law, regulation, subpoena, court order, or governmental request. We will notify you of such requests when legally permitted.
  • Safety and rights: When we believe in good faith that disclosure is necessary to protect the rights, property, or safety of The Solution Desk LLC, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets. In such event, we will provide advance notice and ensure the acquiring entity is bound by data protection obligations at least as protective as this Privacy Policy.
  • With your consent: When you explicitly authorize us to share specific information.
  • Aggregated data: We may share aggregated, anonymized data that cannot reasonably be used to identify you. This data contains no personally identifiable information.

9. Data Storage and Security

We implement industry-standard security measures to protect your data. For a detailed overview, please visit our Security page. Key measures include:

  • Encryption at rest: AES-256 encryption for all sensitive tokens, including bank connection tokens, API keys, and integration credentials
  • Encryption in transit: TLS 1.2+ for all data transmitted between your browser and our servers
  • Per-tenant encryption keys: Each organization's sensitive data is encrypted with a unique key derived from a master key
  • Password security: All passwords are hashed using bcrypt with salt — they are irreversible and cannot be read by anyone, including our staff
  • Session security: HTTP-only cookies for refresh tokens (not accessible to JavaScript), JWT access tokens with 15-minute expiry
  • Multi-factor authentication: Support for FIDO2/WebAuthn passkeys and TOTP authenticator apps
  • Access controls: Role-based permissions with granular, per-user, per-company controls
  • Multi-tenant isolation: Strict database-level filtering ensures your data is never accessible by other organizations
  • Rate limiting: Protection against brute-force attacks and API abuse
  • DDoS protection: Cloudflare-powered protection against distributed denial-of-service attacks
  • Security headers: CSP, HSTS, X-Frame-Options, and X-Content-Type-Options enforced on all responses
  • Audit logging: Comprehensive, tamper-resistant logging of all data access and modifications
  • Regular backups: Automated database backups with geographic redundancy
  • Infrastructure: Cloud hosting on hardened infrastructure with restricted access

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities that are discovered.

10. Data Retention

We retain your data according to the following schedule:

  • Active accounts: Your data is retained for as long as your account remains active and your subscription is in effect.
  • Cancelled accounts: We retain your data for ninety (90) days following account cancellation to allow for data export and potential reactivation. After this period, your data is permanently and irreversibly deleted.
  • Deleted files: Files you delete within the Service enter a 7-day soft-delete grace period (allowing recovery), after which they are permanently deleted.
  • Audit logs: Retained for the life of your account plus one (1) year after cancellation, to support compliance, dispute resolution, and regulatory requirements.
  • Payment records: Retained as required by applicable tax and financial record-keeping regulations (typically 7 years for US tax purposes).
  • Backups: Rotated on a rolling schedule. Deleted data may persist in encrypted backups for up to thirty (30) days after permanent deletion from the primary database.
  • Anonymized data: Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytical purposes.

11. Data Breach Notification

We maintain a documented incident response plan. In the event of a confirmed data breach affecting your personal data:

  • We will notify affected users within seventy-two (72) hours of confirming the breach, via email to the address associated with your account.
  • We will notify relevant regulatory authorities as required by applicable law, including the California Attorney General if the breach affects 500 or more California residents.
  • Our notification will include: the nature and scope of the breach, the categories of data affected, the steps we are taking to contain and remediate the breach, and recommended steps you should take to protect yourself.
  • We will provide ongoing updates as our investigation progresses.

12. Your Data Rights

Regardless of your location, we provide all users with the following data rights:

  • Right to access: Request a copy of the personal information we hold about you.
  • Right to export: Download your financial data at any time through the Service's built-in export features (CSV, PDF).
  • Right to correction: Update or correct inaccurate personal information through your account settings or by contacting us.
  • Right to deletion: Request deletion of your account and all associated data. We will process deletion requests within thirty (30) days, subject to our retention obligations.
  • Right to restrict processing: Request that we limit the processing of your data in certain circumstances.
  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent: Withdraw your consent for optional data processing at any time. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
  • Right to object: Object to processing of your data based on our legitimate interests.

To exercise any of these rights, contact us at support@ekue.com or privacy@ekue.com. We will verify your identity and respond within thirty (30) days. We will not charge a fee for processing reasonable requests.

13. California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information:

  • Right to know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell (we sell none) about you.
  • Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information. We have never sold personal information. No opt-out is necessary because we never sell.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service.
  • Right to correct: You have the right to request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information: Your financial data is used solely to provide the accounting service you requested. We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
  • Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authorization.

Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address), commercial information (billing records, subscription history), financial information (accounting data you enter), internet activity (usage data, log data), and professional information (company name, role).

Categories of personal information sold: None. We do not sell personal information.

Categories of personal information disclosed for a business purpose: Identifiers and financial information disclosed to service providers listed in Section 7 (Stripe, Plaid, etc.), solely as necessary to operate the Service.

To exercise your CCPA/CPRA rights, email privacy@ekue.com or support@ekue.com. We will verify your identity and respond within forty-five (45) days.

14. European Users — GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, and to the extent the General Data Protection Regulation (GDPR) applies:

  • Legal bases for processing: We process your data based on: (a) performance of our contract with you (providing the Service); (b) our legitimate interests (security, fraud prevention, product improvement); (c) your consent (optional integrations, AI features); and (d) compliance with legal obligations.
  • Data transfers: Your data is processed and stored in the United States. We rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission to safeguard international data transfers.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
  • Data Protection Officer: For GDPR-related inquiries, contact privacy@ekue.com.

15. Cookies and Tracking Technologies

We use only essential (strictly necessary) cookies required for the Service to function:

  • Authentication session cookies: Identify you as a logged-in user. Expire when you close your browser.
  • Refresh token cookies: Maintain your session across browser restarts. HTTP-only (not accessible to JavaScript). Expire after 30 days.

We do NOT use:

  • Third-party advertising or tracking cookies
  • Analytics cookies (e.g., Google Analytics)
  • Social media tracking pixels
  • Cross-site tracking technologies
  • Fingerprinting technologies

Because we use only essential cookies required for the Service to function, no cookie consent banner is required under the ePrivacy Directive.

16. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete that information. If you believe a child under 16 has provided us with personal information, please contact us at privacy@ekue.com.

17. International Data Transfers

The Service is operated from the United States. Your data is processed and stored on servers located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws.

18. Do Not Track

We honor Do Not Track (DNT) signals sent by your browser. Because we do not engage in cross-site tracking, advertising tracking, or third-party behavioral tracking, our practices are consistent with DNT principles by default.

19. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via email to the address associated with your account. The "Effective date" at the top of this page indicates when the policy was last updated. Your continued use of the Service after the effective date of any revision constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service before the effective date.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

The Solution Desk LLC
39116 Fremont Hub, Fremont, CA 94538
(408) 408-6842
privacy@ekue.com
support@ekue.com

For privacy-specific requests (data access, deletion, CCPA/CPRA rights), please use privacy@ekue.com for fastest response.