Privacy Policy
Effective date: 26 February 2026 | Version 1.0
Keystone AI Business Support Ltd ("we", "us", "our") is the data controller for personal data processed through the Keystone AI platform ("Platform"). We are registered in England & Wales.
1. What This Policy Covers
This policy explains how we collect, use, store, share, and protect personal data when you use the Platform, including when you connect third-party services such as Intuit QuickBooks Online ("QBO"). It applies to all users of the Platform, including business owners, their employees, and end-customers whose data may be processed through the Platform.
2. Data We Collect
2.1 Data you provide directly
| Category | Examples | Purpose |
|---|---|---|
| Account information | Name, email, phone, business name, address | Account creation, billing, support |
| Platform content | Notes, SOPs, job records, communications you create | Delivering Platform functionality |
| Support correspondence | Emails, chat messages to our support team | Resolving issues, improving service |
2.2 Data from connected services
When you authorise a connection to a third-party service, we access data within the scopes you approve. For QuickBooks Online, this typically includes:
| QBO Data Category | Examples | Why We Access It |
|---|---|---|
| Company information | Business name, address, fiscal year settings | Syncing your business context into the Platform |
| Customer records | Customer names, contact details, billing addresses | Unified customer view, invoicing, job matching |
| Financial documents | Invoices, estimates, payments, credit notes | Cross-platform reporting, reconciliation, KPI dashboards |
| Product/service items | Service names, rates, descriptions | Job-type mapping, pricing automation |
| Account/transaction data | Chart of accounts, journal entries (if authorised) | Financial reporting, margin analysis |
2.3 Data collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage analytics | Pages visited, features used, session duration | Improving the Platform, identifying issues |
| Device/browser info | IP address, browser type, operating system | Security, compatibility |
| Cookies | Session cookies, preference cookies | Authentication, personalisation |
3. Legal Basis for Processing (UK GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Providing the Platform and connected integrations | Contract — necessary to perform our agreement with you |
| Connecting to QBO and other third-party services | Consent — you explicitly authorise each connection via OAuth |
| Usage analytics and service improvement | Legitimate interest — improving our product and detecting issues |
| Billing and financial records | Legal obligation — UK tax and accounting requirements |
| Security monitoring | Legitimate interest — protecting you and us from threats |
4. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Platform and its features.
- Sync, display, and generate reports from your connected services (including QBO).
- Generate AI-powered insights, suggestions, and outputs based on your data.
- Send service-related communications (e.g. alerts, updates, support responses).
- Ensure security, prevent fraud, and comply with legal obligations.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for their own marketing purposes.
5. AI Processing
The Platform uses artificial intelligence to analyse your data and generate outputs such as reports, recommendations, and operational insights. This processing is carried out to deliver the core features of the Platform (legal basis: contract performance). AI outputs are decision-support tools; they do not constitute professional advice.
Where AI processing involves automated decision-making with significant effects, you have the right to request human review. Contact us at the address in Section 13.
6. Who We Share Data With
| Recipient | Why | Safeguards |
|---|---|---|
| Cloud infrastructure providers (e.g. hosting, databases) | Running the Platform | Data processing agreements, encryption at rest and in transit |
| Intuit / QBO | Two-way sync you authorised | OAuth 2.0, Intuit's own security programme |
| AI model providers | Generating AI outputs | Data processing agreements, no model training on your data |
| Payment processors | Subscription billing | PCI DSS compliant |
We may also disclose data where required by law, regulation, or valid legal process.
7. International Transfers
Some of our sub-processors operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or reliance on an adequacy decision. Details of specific transfers are available on request.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your subscription + 30 days |
| QBO synced data | Cached during active connection; deleted within 30 days of disconnection |
| Billing records | 6 years (UK legal requirement) |
| Usage analytics | 24 months (anonymised thereafter) |
| Support correspondence | 24 months from resolution |
When you disconnect a Connected Service (e.g. QBO), we delete or anonymise the associated data within 30 days unless retention is required by law.
9. Data Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Access controls with least-privilege principles and role-based permissions.
- Regular security reviews and vulnerability assessments.
- Audit logging of data access and administrative actions.
- Incident response procedures with breach notification within 72 hours to the ICO where required.
10. Your Rights (UK GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (subject to legal retention requirements).
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent (e.g. Connected Services), you can withdraw at any time by disconnecting the service or contacting us.
To exercise any right, email info@keystoneai.tech. We will respond within one calendar month.
11. Disconnecting QuickBooks Online
You can disconnect QBO from the Platform at any time by:
- Going to Settings → Connected Services in the Platform and clicking "Disconnect" next to QuickBooks Online; or
- Revoking access via Intuit's App Management page.
Upon disconnection, our OAuth tokens are revoked immediately and cached QBO data is deleted within 30 days. You may also request immediate deletion by contacting us.
12. Cookies
We use essential cookies for authentication and session management. We use analytics cookies to understand how the Platform is used. You can manage cookie preferences through your browser settings. A detailed cookie notice is available within the Platform.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The "effective date" at the top of this page will be updated accordingly.
14. Contact Us
Keystone AI Business Support Ltd
Data Protection queries: info@keystoneai.tech
General enquiries: info@keystoneai.tech
Registered in England & Wales — Company No. 16962475
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).