SideQuest Automation — Privacy Policy

Effective: May 2026 Last updated: May 2026

This policy explains what personal information SideQuest Automation collects, why we collect it, where we store it, and how you can control it. It applies to everyone who uses our website, signs up for an account, or installs the SideQuest connector.

Who we are

SideQuest Automation is an independent operator based in the United States. Contact: hello@sidequestautomation.com.

What we collect

We collect three categories of information, and only these.

1. Account information you give us. When you fill out the signup form at sidequest-control-plane.fly.dev/signup, we collect:

• Your email address (required)
• Your company name (required)
• Your first name (optional)
• Rough monthly PO volume (optional, used for sizing your tier)
• Current tool used (optional, used for sales context)
• How you heard about us (optional, used for marketing attribution)
• Free-form notes you provide (optional)

If you become a paying customer, we additionally collect the billing information your payment processor (Stripe) supplies us, which is limited to your subscription tier and customer ID. We do not see your credit card number.

2. Usage counters. When the SideQuest connector processes a purchase order on your Mac, the connector reports one small event to our control plane containing:

• Your license key
• The fact that one PO was processed
• The Gmail message ID of the PO (an opaque identifier with no content)
• The count of line items in the PO
• The QuickBooks realm ID (which identifies which QBO company received the estimate)
• A timestamp

We use these counters to enforce your monthly tier (free, starter, growth, scale, unlimited).

3. Technical logs. Our servers automatically record:

• HTTP request timestamps, response codes, and byte counts
• IP addresses (used briefly for rate-limiting and abuse prevention, then aggregated)

We do not log request bodies. We do not log query parameters that contain personal information.

What we deliberately do NOT collect

To be explicit, the following are NOT collected, stored, or transmitted to our servers:

• The contents of any purchase order email
• Buyer names, addresses, or contact information from your POs
• Part numbers, descriptions, quantities, or prices
• Your QuickBooks catalog
• Your QuickBooks customer list
• Your Gmail message bodies, attachments, or threads other than the message IDs noted above
• Your OAuth refresh tokens for Gmail or QuickBooks (these live only on your Mac)
• Any contents of files in your ~/.qb-distributor-mcp/ directory
• Credit card numbers (Stripe processes these directly)

Why we collect what we collect

If you are in the EU or UK, the legal bases above reference GDPR Article 6.

Where data lives

All data we hold is stored in the United States. We do not transfer customer data outside the US except where the customer themselves accesses our service from outside the US (in which case standard HTTPS transit applies).

How long we keep it

• Active customer account data: for as long as you have an active license, plus 90 days after cancellation for billing reconciliation.
• Usage counters: kept for 24 months for trend analysis, then deleted automatically.
• Server access logs: 30 days, then deleted automatically.
• Stripe data: retained per Stripe's own retention policy, which we cannot override.
• Closed accounts that you ask us to delete: purged within 30 days of your request.

How we share data

We share data with three categories of recipients, and only these:

• Subprocessors that operate our infrastructure: Fly.io (hosting), Neon (database), Stripe (payments), Cloudflare (DNS, future). Each is bound by their own privacy commitments.
• Law enforcement, when legally compelled: subpoena, court order, or equivalent legal process. We will notify you if legally permitted to do so.
• A successor entity in the event SideQuest Automation is acquired or merges with another company. We will give you 30 days notice and the right to delete your account first.

We do not sell customer data. We do not share data with advertisers. We do not use customer data to train AI models.

Your rights

Regardless of where you live, you can:

• Access your data: email us and we will send you everything we have about you in machine-readable form within 30 days.
• Correct your data: email us with the change.
• Delete your data: email us. We delete your account, license, and counters within 30 days.
• Export your data: same as access; we will provide JSON or CSV.

If you are in the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA including the right to lodge a complaint with a supervisory authority. Contact for all rights requests: hello@sidequestautomation.com.

Cookies and tracking

The SideQuest website and signup form do not use cookies, web beacons, or other tracking technology. We do not run analytics on the signup page. The only state we keep about a visitor is what they choose to type into the signup form and submit.

The admin dashboard at /admin uses a session cookie (HTTP Basic Auth credentials cached by your browser) for the operator only.

Children

The SideQuest service is intended for businesses. We do not knowingly collect information from anyone under 18. If you believe we have, email us and we will delete it.

Changes to this policy

If we make material changes to this policy, we will email every active customer at least 30 days before the change takes effect. The "Last updated" date at the top reflects the most recent change.

Contact

Privacy questions, requests, complaints: hello@sidequestautomation.com

We acknowledge requests within 5 business days and complete them within 30 days. If you do not receive a response, please assume the email did not arrive and try again.