Security & data handling
You're trusting us with client financial data. Here is exactly how the connection works and how you stay in control. Plain English, no jargon.
We never see your QuickBooks password
The connection runs through Intuit's official OAuth 2.0 authorization. You log in on Intuit's own screen, and Intuit hands us a revocable access token. Your QuickBooks username and password never pass through us, and we never store them. If you can revoke a token, you never gave away the keys.
We only touch what the job requires
Ground Control reads and writes only the QuickBooks data needed to do the work you asked for: things like invoices, payments, and customers for matching and posting. We don't crawl your books for anything beyond the task at hand, and we move data only through Intuit's official APIs.
We do not sell, share, or train on your data
Your financial data is used for one thing: delivering the service you signed up for. We do not sell it. We do not share it for advertising. We do not use it to train AI models, and the AI providers we use do not train on it either. To read uploaded documents we send them to Anthropic's Claude model, routed through OpenRouter. Neither provider trains on your data, and it is retained only briefly for operational and abuse-prevention purposes, then deleted.
Encrypted in transit and at rest
All connections are encrypted with TLS. Data is stored on secure, encrypted servers with access controls and securely stored credentials. We keep your data only as long as needed to provide the service.
You stay in control
You can cut off access whenever you want, two ways:
- Disconnect Ground Control from inside your QuickBooks Online settings. The token is invalidated and we stop making calls.
- Ask us to delete your data. After your service ends, we delete it within 30 days unless the law requires us to keep it.
The services we rely on
We keep the stack small and name everyone who touches your data:
- Intuit QuickBooks Online — the accounting platform we connect to, via OAuth 2.0.
- OpenRouter — routes our AI requests to the model provider. Does not retain your prompts or train on them.
- Anthropic Claude — reads uploaded documents to extract data. Does not train on your data; retained only briefly, then deleted.
- Resend — transactional email only.
A real person stands behind it
Ground Control is built and run by Donovan Watts, a working bookkeeper who uses this software in his own practice every day. You can read who we are on the about page, and the full legal detail lives in our privacy policy.
Questions about security
Ask before you connect. Email donovan@groundcontrolbookkeeping.com and a real person will answer.