Privacy Policy
Effective June 11, 2026 · Contact support@figureshq.com
Figures (“we,” “us”) syncs reports from QuickBooks Online into Google Sheets. This policy explains what we access, what we store, and what we never do.
The short version
- We read your QuickBooks data to generate the reports you choose. Figures only ever reads from QuickBooks. We never create, modify, or delete anything in your books.
- We can only open Google Sheets files that Figures created or that you explicitly picked. We cannot see the rest of your Google Drive.
- We don’t store your financial data. Report contents pass through our servers to your Google Sheet and are not retained after the sync completes.
- We never sell your data or use it for advertising. No third party receives your financial data except the processors listed below, strictly to run the service.
What we collect and store
| Data | Why | Stored? |
|---|---|---|
| Your name and email (Google sign-in) | Your account and alerts | Yes |
| QuickBooks company ID and company name | Identifying your connected companies | Yes |
| Encrypted QuickBooks and Google access tokens | Performing syncs on your schedule | Yes, encrypted at rest (AES-256-GCM) |
| Sync configuration (report, destination, schedule) | Running your syncs | Yes |
| Sync run records (status, timing, row counts, error codes) | Showing sync health and alerting you to failures | Yes, report contents are not included |
| Report data (your financial numbers) | Writing to your Google Sheet | No, processed in transit, not retained |
Google user data (Google API Services disclosure)
Figures’ use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request the drive.file scope, which limits us to files Figures created or you selected; we use that access solely to write the reports you configured; we do not transfer Google user data to third parties except the processors below; we do not use it for advertising; and humans do not read it except with your permission for support, or as required by law.
QuickBooks data
We access QuickBooks Online through Intuit’s official API using OAuth (scope com.intuit.quickbooks.accounting, which Figures uses for read operations only; we never write to your books). You can revoke our access at any time from your Intuit account settings or by deleting the connection in Figures; revocation takes effect immediately.
AI connectors (Claude, ChatGPT, and similar)
You can connect your own AI app (such as Claude or ChatGPT) to Figures. When you do, that app can read your synced reports through a connection you authorize: it is read-only by design, scoped to your account only, and sends data to your chosen AI app at your direction. Figures stores nothing new for this feature beyond the connection itself (which app you connected, when, and when it was last used); report data is served from your existing syncs and is never additionally retained. Your prompts and conversations stay in your AI app and never reach us. What the AI provider does with data you send it is governed by that provider’s terms, not ours. You can revoke a connected app at any time from Settings, and revocation takes effect within a minute.
Processors (subprocessors)
We use a small set of services to run Figures, each receiving only what’s necessary: Railway (hosting and database: account data, encrypted tokens, sync configs), Resend (transactional email: your email address and alert content), Sentry (error monitoring: error details with personal-data scrubbing enabled; no report contents), Stripe (payments: your email address and your card details, which are collected and stored by Stripe; card numbers never touch our servers), and Google and Intuit (the APIs you connect).
Retention & deletion
We keep your account data while your account is active. Delete a sync and its configuration and run history are removed within 30 days. To close your account, email support@figureshq.com and we delete all stored data (account, tokens, configurations, run records, and billing records we hold; Stripe retains transaction records it is legally required to keep) within 30 days. Your Google Sheets are yours and are never touched by deletion.
Security
OAuth tokens are encrypted at rest; all traffic uses TLS; access to production systems is limited to the founder. If we become aware of a breach affecting your data, we will notify you at your account email without undue delay.
Your rights
Depending on where you live (e.g., California/CCPA, EU/GDPR), you may have rights to access, correct, delete, or export your data. Email support@figureshq.com and we’ll honor reasonable requests regardless of jurisdiction.
Changes
We’ll post changes here and, for material changes, email you. Continued use after changes means acceptance.