Privacy Policy

What data we collect

• Account data: business name, billing email, contact name, industry, monthly invoice volume.
• Invoice data: invoice numbers, amounts, due dates, and customer (debtor) names and email addresses that you authorize us to process on your behalf.
• Communications data: chase emails we send for you, inbound replies from your debtors, and metadata about delivery, opens, clicks, and bounces.
• Authentication data: hashed passwords, TOTP 2FA seeds, and (if you connect Gmail or Microsoft 365) encrypted OAuth refresh tokens. See the OAuth section below.
• Usage data: log of actions you take inside the portal, with timestamps. Used for product analytics and audit trails. We do not sell this data.

How we use your data

• To send chase emails to your debtors on your behalf, using only the pre-approved template content you select.
• To classify replies (intent and sentiment) so we can route them to the right next action — e.g., a payment promise, a dispute, or a request to stop contact.
• To produce reporting on the performance of your AR collections workflow.
• To maintain audit logs required under the Fair Debt Collection Practices Act (FDCPA) and adjacent state regulations.
• To detect abuse, fraud, or breach of our Terms of Service.

OAuth Permissions and Data Use

When you connect your Gmail or Microsoft 365 account to JMJ Billings, we request the minimum permissions needed to send chase emails on your behalf.

What we request

Gmail:

• gmail.send — send messages as you from your authorized address
• openid and email — confirm the email address you authorized with (used to show which account you connected; not used for marketing)

Microsoft 365:

• Mail.Send — send messages as you from your authorized address
• openid, email, profile — confirm the email address you authorized with (used to show which account you connected; not used for marketing)

What we do NOT access

• We do NOT read your inbox or any incoming messages
• We do NOT access your contacts, address book, or recipient lists
• We do NOT access your drafts, sent folder, or any other mail folder
• We do NOT access your calendar, files, Drive, OneDrive, or any other Google/Microsoft service beyond mail sending
• We do NOT use your data to train machine learning models
• We do NOT share your data with third parties for advertising or marketing purposes
• We do NOT use your data for any purpose unrelated to sending chase emails you have authorized

How we store OAuth tokens

OAuth refresh and access tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database. The encryption key is held separately from the database. Tokens are only decrypted at send time when a chase email needs to go out on your behalf.

Revoking access

You can revoke JMJ Billings’ access to your email account at any time:

• Gmail: https://myaccount.google.com/permissions → find “JMJ Billings” → Remove access
• Microsoft 365: https://account.microsoft.com/privacy/app-access → find “JMJ Billings” → Remove access

After revoking access, JMJ Billings cannot send chase emails on your behalf until you reconnect. We retain the encrypted tokens in our database in case you want to reconnect with the same account, but you can request full deletion by emailing info@jmjbillings.com.

Data retention

Email content, sender metadata, and send logs are retained for 13 months to support invoice dispute resolution and regulatory audits. After 13 months, content is deleted; metadata is retained indefinitely for analytics and business continuity.

Compliance

JMJ Billings complies with the Google API Services User Data Policy, including the Limited Use requirements. We comply with Microsoft’s Identity Platform terms and the requirements for Verified Publisher status.

Contact

For questions about how your data is used, email info@jmjbillings.com.

How We Handle QuickBooks Data

When you connect QuickBooks Online to JMJ Billings, we request the minimum scope needed to read invoice, customer, and payment records so we can advance them through the AR escalation workflow on your behalf.

What we request

• com.intuit.quickbooks.accounting — read access to invoice, customer, and payment records used to drive AR escalation

We do NOT request the com.intuit.quickbooks.payment scope. JMJ Billings does not move money through QuickBooks.

How we use Intuit data

• We read your invoice, customer, and payment data from QuickBooks Online to populate the AR escalation workflow and the chase emails you have authorized.
• JMJ Billings currently operates as a read-only consumer of QuickBooks data. We do not write invoice updates, payments, or any other changes back to QuickBooks. If we ever extend the integration to write back to QuickBooks, this section will be updated before that change ships.
• We do NOT sell, rent, license, or otherwise share Intuit data with third parties for advertising or marketing purposes.
• We do NOT use Intuit data to train machine-learning models, and we do NOT send QuickBooks invoice amounts, balances, line items, or any other financial data to any AI provider. Our reply-intent classifier operates only on the content of inbound reply emails (which is not Intuit data). Where AI is used to classify a customer as a business or an individual, only that customer’s name and email address are processed for that classification.
• We do NOT use Intuit data for any purpose unrelated to the AR escalation workflow you authorized.

Where Intuit data is stored

Intuit data we sync is stored in our Postgres database hosted in the United States by our subprocessor Supabase, Inc. OAuth refresh and access tokens issued by Intuit are encrypted at rest using AES-256-GCM at the application layer before being written to the database; the encryption key is held separately from the database.

Retention and deletion on disconnect

If you disconnect QuickBooks from JMJ Billings (either inside the portal or by revoking access at Intuit’s account manager), we delete the synced customer, invoice, and payment records pulled from your QuickBooks company within 30 days. Audit logs and billing records that reference invoice IDs are retained as required by law and by the audit-trail requirements of our service.

Revoking access

You can revoke JMJ Billings’ access to your QuickBooks Online company at any time from Intuit’s account security page. After revoking, JMJ Billings cannot sync new data from your QuickBooks company until you reconnect.

Subprocessors

JMJ Billings uses third-party subprocessors to deliver the Service. The categories below summarize the role of each subprocessor; the authoritative, current list (with vendor names, purposes, data categories, and locations) lives at /subprocessors.

• Supabase — Postgres database, authentication, file storage
• Vercel — application hosting
• Postmark — outbound and inbound email delivery
• Stripe — subscription billing (we never see your full card number)
• Anthropic — large-language-model API for reply classification only. We do NOT send outbound debtor email content to Anthropic; outbound is pre-approved templates.
• Google and Microsoft — for customers who connect Gmail or Microsoft 365 as their sending provider (see OAuth section above).
• Intuit — for customers who connect QuickBooks Online as their accounting source (see QuickBooks section above).

Cookies and analytics

We use first-party session cookies to keep you signed in. We use product analytics (event logs in our own database) to understand how customers move through onboarding and the dashboard. We do not run third-party advertising trackers.

Your rights

You can request a copy of your data, correction of errors, or deletion of your account at any time by emailing info@jmjbillings.com. For deletion requests, we honor the request within 30 days. Some records (audit logs, billing records) are retained as required by law.

Changes to this policy

We will post material changes here with an updated “Last updated” date. If a change affects how we use your data in a way you would reasonably object to, we will email account owners before the change takes effect.

See also

• Terms of Service
• Subprocessors
• Accessibility Statement

Contact

Questions about this policy? Email info@jmjbillings.com.