Privacy Policy
How Wauvel collects, uses, shares, and protects information when you use the service. Read alongside our Terms of Service.
The short version
What we do with your data
Your financial data goes in encrypted, sits encrypted, and only leaves to generate your report.
Connect QuickBooks if you like — it's read-only, runs through Intuit (never your password), and you can disconnect anytime.
The AI that writes your commentary never sees your name, email, or file names — just the numbers.
We never sell your data, run ads against it, or share it with brokers. The AI provider can't train on it.
Analytics are first-party only, and run only if you accept cookies — no third-party trackers, no ad networks.
Delete everything anytime by emailing us. The full legal version is below.
If anything is unclear, ask us.
Section 01
What this covers
What this policy is, and how it fits with our other terms.
01.1
Scope.
This Privacy Policy describes how Wauvel (“we”, “us”, “our”) collects, uses, shares, and protects information when you visit wauvel.com or use the Wauvel service.
01.2
Read alongside the Terms.
This policy works together with our Terms of Service. The Terms define the contract between you and Wauvel; this policy explains what we do with the information you give us along the way.
Section 02
What we collect
The information we collect, by category.
02.1
Account information.
When you sign up, we collect your email address and a one-way hash of your password. We don't store your password in readable form — only the hash, used to verify future sign-ins.
02.2
Financial content you upload.
The financial statements you upload — profit and loss statements, balance sheets, transaction exports — are the core data you put into Wauvel. We store them encrypted, scoped to your account.
02.3
Reports we generate for you.
Each report you generate is stored in your account so you can revisit it. Reports contain calculated values, written commentary, and references to the source data.
02.4
Account activity.
We log basic activity — sign-in timestamps, uploads, report generations — to operate the service, debug issues, and detect misuse.
02.5
Device and connection data.
When you load the site or service, our servers receive standard request data — IP address, browser type, request timestamps, and pages requested. We use this for security, abuse prevention, and operational debugging.
02.6
Payment information.
If you subscribe, payment is processed by our payment processor (Stripe). We don't store full credit card numbers. We do store the customer ID Stripe issues us, the subscription status, and the last four digits of the card for display purposes.
02.7
Data from a connected QuickBooks account.
If you choose to connect a QuickBooks Online company, we use Intuit's official authorization to read your financial reports — your profit and loss statement (including transaction-level detail), balance sheet, cash flow statement, and chart of accounts — along with your company name, so we can generate your reports. We only read this data: we do not write to, modify, or delete anything in your QuickBooks account. Connecting is optional, and you can disconnect at any time (see 06.5).
02.8
Usage analytics.
If you accept analytics cookies (see 08.1), we collect first-party usage data to understand how the site and service are used: the pages you view and buttons you click, the referring site and any UTM campaign tags from the link you arrived through, your device type, and your country (derived from your IP, which we do not store). We keep a random visitor and session identifier in your browser's local storage for this; when you are signed in, we also associate these events with your account. This is first-party only — never shared with advertisers and never used to track you across other websites. If you decline, none of it runs.
02.9
Newsletter and marketing list.
If you subscribe to our newsletter or content updates, we store the email address you give us and where you signed up from, so we can send what you asked for. You can unsubscribe at any time.
02.10
Referrals.
We operate a referral program. If you arrive through someone's referral link, we store a referral code in a cookie (only if you accept analytics cookies) so the referrer can be credited if you subscribe. If you refer others, we record which accounts you referred and the commissions you earn. See Section 06.7 of the Terms of Service for how the program works.
02.11
What we don't collect.
We don't ask for your business legal name, EIN, or tax ID. We don't run third-party advertising or behavioral tracking. We don't track you across other websites.
Section 03
How we use it
What we do with the information you give us.
03.1
To run the service.
We use Your Content and account information to generate your reports, store them in your account, and provide the service you signed up for.
03.2
Customer support.
If you contact us, we use your email and any context you share to respond.
03.3
Service communications.
We may email you about account activity (sign-in attempts, password resets), billing (renewals, failed charges), and material changes to these policies. You can't opt out of these — they're operationally required.
03.4
Product communications (optional).
We may also send occasional product updates. You can opt out of these from your dashboard or any email footer; doing so will not affect the service communications above.
03.5
Security & abuse prevention.
We use account activity and device data to detect unauthorized access, abuse, fraud, and violations of our Terms — including the business-use-only provisions in Section 03 of the Terms of Service.
03.6
Improving the service.
We may use aggregated, de-identified usage patterns (for example, “X% of uploads include a balance sheet”) to understand how the service is used and improve it. This never includes identifiable customer data.
03.7
Referrals and updates.
If you take part in our referral program, we use the referral data in 02.10 to credit referrers and pay commissions. If you join our newsletter, we use your email to send the updates you asked for, until you unsubscribe.
Section 04
How we share it
Who else sees your data, and why.
04.1
The AI provider (Anthropic).
To generate your report, the calculated values and line-item categories from Your Content — whether you uploaded it or we retrieved it from a connected QuickBooks account — are sent to Anthropic's Claude API. The same API powers our optional conversational features — the in-app assistant you can ask about your numbers and the site-wide help bubble — so text you type into those is sent to it as well. For report generation we do not send your name, your email, the file name, your business name, or any QuickBooks account identifier. Anthropic's API terms prohibit training on customer data.
04.2
Infrastructure providers.
We use third-party infrastructure to host the service — including Supabase (database and authentication) and Vercel (hosting). These providers process data on our behalf under written data processing terms and only as needed to operate the service.
04.3
Payment processor.
Subscription payments are processed by Stripe. Stripe handles card data directly; we receive only the limited information described in 02.6.
04.4
Legal compliance.
We may disclose information if required by law, court order, or to respond to a valid government request, or to protect the safety, rights, or property of Wauvel, our users, or the public.
04.5
Never sold. Never used for ads. Never used to train AI.
We do not sell your personal information or Your Content — including any data we retrieve from a connected QuickBooks account. We do not use it for advertising. We do not share it with data brokers. We do not use it to train any AI model, and the AI provider is contractually prohibited from training on it.
04.6
Business transfers.
If Wauvel is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you in advance, and your information becomes subject to a different privacy policy.
Section 05
How we secure it
The practical steps we take to keep your data safe.
05.1
Encryption.
Data is encrypted in transit (HTTPS) and at rest (encrypted database and object storage).
05.2
Access controls.
Per-user storage paths and database row-level security ensure that only your account can see your data. Our infrastructure cannot bypass this without going through the same authentication wall you do.
05.3
Employee access.
A small number of authorized personnel may access systems for debugging or support, only as necessary, and under strict confidentiality and access controls.
05.4
Connected-account tokens.
When you connect QuickBooks, Intuit issues us access tokens that authorize the connection — your QuickBooks password is never shared with us. We encrypt those tokens (AES-256-GCM) and never store them in plaintext. They are accessible only to the server-side process that retrieves your reports, and are revoked at Intuit and deleted when you disconnect.
05.5
No system is perfectly secure.
While we work hard to protect your information, we can't guarantee that all transmissions and storage are absolutely secure. If we become aware of a breach affecting your data, we will notify you in accordance with applicable law.
Section 06
How long we keep it
Retention windows for each category.
06.1
Your Content.
Files and reports you generate are retained in your account until you delete them or close your account. After account closure, we retain Your Content for up to 30 days, then delete it.
06.2
Account records.
We retain basic account records (email, account creation date, subscription history) for as long as your account is active, plus a period afterward for legal, tax, and accounting purposes (typically up to seven years).
06.3
Activity logs.
Operational logs (sign-ins, request logs) are retained for up to 90 days, then aggregated or deleted.
06.4
On request.
You may request earlier deletion of Your Content at any time. See 07.3.
06.5
Connected accounts.
You can disconnect QuickBooks at any time. When you do, we revoke the connection at Intuit and delete the stored access tokens. Reports already generated from QuickBooks data are retained in your account like any other report until you delete them or close your account.
Section 07
Your rights
What you can ask us to do with your data.
07.1
Access.
You can see the information associated with your account — your email, your subscription status, and Your Content — directly from your dashboard.
07.2
Correct.
You can update your email or password from your dashboard. For anything else, email us.
07.3
Delete.
Email hello@wauvel.com to request deletion of Your Content. We will delete the requested files and the reports derived from them within 24 hours, except where we are required to retain certain records for legal, tax, or accounting purposes.
07.4
Export.
On request, we will provide a copy of Your Content and your reports in a portable format.
07.5
Withdraw consent.
You can stop using the service at any time by canceling your subscription and requesting account deletion.
Section 08
Cookies & tracking
What we set in your browser, and what we don't.
08.1
Cookies and local storage.
Essential cookies keep you signed in and secure — session authentication and security tokens. These are required to operate the service and are always on. Non-essential storage — the first-party usage analytics described in 02.8 (kept in your browser's local storage) and a referral-attribution cookie — runs only after you opt in. On your first visit a banner lets you accept or decline; we remember your choice, and you can change it at any time by clearing this site's data in your browser. We don't use third-party advertising or behavioral tracking cookies.
08.2
Analytics.
Our analytics are first-party and built in-house — there is no third-party analytics provider, and no data is shared with one. When you are signed in, analytics events are associated with your account (see 02.8); for signed-out visitors they are tied only to a random identifier. Analytics run only if you accept (see 08.1).
08.3
Do Not Track.
We respect “Do Not Track” signals where technically practical.
Section 09
Children's privacy
Wauvel is not for anyone under 18.
09.1
Not for kids.
Wauvel is not directed to children under 18 and is intended for use by business owners and operators. We don't knowingly collect information from anyone under 18. If we learn that we have, we will delete it.
Section 10
International users
Where your data lives, and what rights you have.
10.1
Where data is processed.
Wauvel is operated from the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. and other locations where our infrastructure providers operate.
10.2
Region-specific rights.
Depending on where you live, you may have additional rights under laws such as the EU GDPR or the California Consumer Privacy Act — including rights of access, correction, deletion, and portability. We honor these rights for all users regardless of location. To exercise them, email hello@wauvel.com.
Section 11
Changes to this policy
How and when we update what's here.
11.1
Updates.
We may update this policy as the service evolves. For material changes — to what we collect, how we use it, or who we share it with — we will notify you by email at least 30 days before the change takes effect.
11.2
Effective date.
The current version's effective date appears at the top of this page.
Section 12
Contact
How to reach us about privacy.
12.2
Effective date.
This Privacy Policy is effective as of June 27, 2026.