Streamline Reports, Inc. (“Streamline Reports,” “we,” “us,” or “our”) operates the Streamline Reports platform — a SaaS tool that enables bookkeeping professionals to generate, customize, and deliver financial reports to their clients. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service. By using Streamline Reports, you agree to the practices described here.
Information We Collect
Account Information
When you register, we collect your name, email address, and a hashed password. If you subscribe to a paid plan, your billing information is handled directly by Stripe — we do not store raw card numbers on our servers.
Integration Data
When you connect an accounting platform (QuickBooks Online, Xero) or a sending email account (Gmail, Outlook), we store the OAuth access and refresh tokens that authorize us to retrieve data and send messages on your behalf. We request only the minimum scopes required to generate and deliver reports. We never see or store your password for any connected service.
Client Financial Data
The Service processes financial reports — profit & loss statements, balance sheets, cash flow statements, and related data — retrieved from your connected accounting software. This data belongs to you and your clients. We process it only as directed by you in order to provide the Service.
Usage Data
We automatically collect log data including IP addresses, browser type, pages visited, and feature usage in order to operate, secure, and improve the Service. This data is not linked to your clients' financial information.
Communications
If you contact us by email or through support channels, we retain those communications to respond to your inquiry and improve our service.
How We Use Your Information
- To provide, operate, and maintain the Service
- To authenticate your identity and authorize accounting integrations
- To generate and deliver financial reports as directed by you
- To process subscription payments and send billing receipts
- To send transactional emails (account confirmations, password resets)
- To improve the Service through aggregated, anonymized usage analytics
- To detect, investigate, and prevent fraud or security incidents
- To comply with applicable legal obligations
We do not use your clients' financial data to train machine learning models, sell it to advertisers, or use it for any purpose other than providing the Service to you.
Sharing and Disclosure
We do not sell your personal information or your clients' financial data. We may share information only in the following circumstances:
- Sub-processors: We engage trusted third-party vendors to help operate the Service (see list below). Each is bound by data protection obligations.
- Legal compliance: When required by law, court order, or a governmental authority with valid jurisdiction.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to affected users.
- With your consent: For any purpose you explicitly authorize.
Sub-Processors
| Vendor | Purpose | Location |
|---|---|---|
| Clerk, Inc. | User authentication and session management | United States |
| Railway Corp. | Cloud hosting, application runtime, and cron scheduling | United States |
| Railway Corp. (Managed PostgreSQL) | Managed PostgreSQL database (encrypted at rest) | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Anthropic, PBC | AI model provider (Claude). Receives your prompt when you chat with the in-app assistant. See “AI Processing” below. | United States |
| Resend, Inc. | Transactional and broadcast email delivery; stores newsletter audience emails and bounce/complaint events. | United States |
| Cloudflare, Inc. (R2) | Object storage for generated report PDFs. | United States / global edge |
| Gotenberg (self-hosted on Railway) | Headless PDF rendering engine. Runs in our isolated infrastructure; report HTML transits to it and is discarded after rendering. | United States (Railway) |
| Axiom, Inc. | Structured application logging and observability. Receives event logs used to operate and debug the Service; not used for marketing or analytics. | United States |
| Intuit, Inc. (QuickBooks Online) | Accounting platform you connect via OAuth. We retrieve your books from Intuit's API; Intuit acts as a controller of the underlying accounting data. | United States |
| Xero Limited | Accounting platform you connect via OAuth. Same processor role as Intuit. | New Zealand / global |
| Google LLC (Gmail API) | When you connect Gmail to send client emails through Streamline, your outbound report email transits Google's API and is delivered from your Gmail account. | United States / global |
| Microsoft Corp. (Microsoft Graph / Outlook) | When you connect Outlook to send client emails, your outbound report email transits Microsoft's API and is delivered from your Outlook account. | United States / global |
AI Processing
The Service uses Anthropic, PBC (Claude) for one feature: the in-app help assistant. When you chat with the assistant, your message and the help documentation that anchors the assistant's responses are sent to Anthropic for inference. Your accounting data and your clients' financial figures are not sent to the AI provider.
Per Anthropic's commercial API terms, Anthropic does not use this data to train its models, and retains inference data only briefly for abuse monitoring.
You can avoid AI processing entirely by not using the help chat — every other part of the Service (data pulls, report rendering, PDF generation, scheduled sends, billing) operates without invoking any AI provider.
Data Security
We implement industry-standard technical and organizational security measures to protect your information, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- OAuth 2.0 with minimal required scopes for accounting platform integrations
- Role-based access controls limiting internal staff access to customer data
- Continuous security monitoring and intrusion detection
- Regular vulnerability assessments
No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any suspected unauthorized access.
Data Retention
We retain your account information and usage data for as long as your account is active or as necessary to provide the Service. Financial report data retrieved from connected accounting platforms is retained only for the duration of active report generation unless you explicitly save it within the Service.
Upon account deletion, we delete or anonymize your personal data within 30 days, except where retention is required by applicable law or legitimate business necessity (e.g., billing records).
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention obligations)
- Restriction: Request that we restrict processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdrawal of consent: Where processing is based on consent, withdraw it at any time
California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to opt out of sale (we do not sell personal information).
To exercise any of these rights, contact us at miles@streamlinereports.com. We will respond within 30 days.
Cookies and Tracking
We use essential cookies to maintain your authenticated session and ensure the Service functions correctly. We do not use third-party advertising trackers or behavioral profiling cookies.
You may disable cookies in your browser settings, but doing so will prevent you from logging in and using the Service.
Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us at miles@streamlinereports.com and we will take steps to delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a notice within the Service at least 14 days before the new policy takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, requests, or concerns, please reach out to us: