Privacy Policy

Effective Date: May 21, 2026 · Last Updated: May 21, 2026

Version 2026-05-21

Verde Labs, Inc. ("Verde," "we," "us," "our") provides an AI-powered financial reporting and analysis service for businesses. This Privacy Policy explains what information we collect, how we use and protect it, who we share it with, and the rights you have. It applies to our service at useverde.ai and related applications (the "Service").

Verde is a business-to-business service offered to business users in the United States.

1. Information We Collect

1.1 Account information

When you sign up, Verde collects:

  • Email address — for account identification, login, transactional emails, and support;
  • Password — passed directly to our authentication provider (Supabase Auth), which bcrypt-hashes it before storage. Verde never sees, stores, or retains your plaintext password;
  • Selected subscription tier — temporarily processed during Stripe checkout; not retained in our profiles table.

If you sign in via Google OAuth, we receive only your verified email address and a Supabase-generated user ID. We do not store your Google profile name, photo, or other Google account data.

We do not collect your name (beyond an optional company contact name), phone number, mailing address, billing address, or payment card data at signup. Billing address and payment card data are held exclusively by Stripe (see §1.4 and §3).

1.2 Company information

When you complete onboarding, you may provide your company name, associated with your account for personalized financial analysis. No other company information (address, EIN, etc.) is collected by Verde directly.

1.3 Financial data via QuickBooks Online

When you connect your QuickBooks Online ("QBO") account, Verde uses Intuit's OAuth 2.0 authorization and requests these scopes:

  • com.intuit.quickbooks.accounting — Intuit's Accounting API scope;
  • openid profile email — to verify the QBO user identity.

Disclosure regarding the Accounting scope: Intuit does not offer a read-only sub-scope for QuickBooks Accounting data, so the Accounting scope technically grants both read and write access. Verde's code does not write data back to your QuickBooks account — all data flow is one-way, from QBO into Verde. You can verify this in your QBO audit log, which will show only read API calls from Verde's application credentials.

Data categories Verde reads from your QBO account: financial statements (income statement, balance sheet, cash flow, trial balance); chart of accounts; customer and vendor records (names and basic identifiers); transaction-level data (journal entries, invoices, bills, payments, deposits — including amounts, dates, references, and memo text); receivables and payables aging; and banking balances and reconciliation data.

Verde stores OAuth access and refresh tokens in encrypted form (AES-256-GCM application-layer encryption, in addition to at-rest encryption). Access tokens expire approximately hourly; refresh tokens follow Intuit's standard expiry.

1.4 Payment and billing data

When you subscribe, Verde initiates a Stripe checkout session and passes Stripe your email address for receipt delivery. Verde receives back a Stripe customer identifier and subscription reference. Verde does not receive, store, or have access to your billing address, payment card data, bank account information, or other payment instrument data. All payment data is held exclusively by Stripe, subject to Stripe's Privacy Policy.

1.5 Chat conversations with Finn

When you interact with Finn through the Verde portal or your connected Slack workspace, Verde processes and stores: the content of your messages; Finn's responses; a conversation identifier and timestamp; and token usage and cost telemetry (which does not include message content). This is subject to the retention periods in §8.

1.6 Usage and operational data

Verde collects standard usage data via our hosting provider (Vercel) and database provider (Supabase): request logs (HTTP method, route, status, response time), error logs, and authentication session metadata. These do not include your QBO data or chat content.

1.7 Cookies and browser signals

Verde uses only essential cookies required to operate the Service: authentication session cookies (sb-*); and verde_active_client (operator tenancy switching; HTTP-only). Verde does not use marketing, analytics, advertising, or third-party tracking cookies.

Global Privacy Control (GPC): Because Verde does not sell or share personal information, there is nothing to opt out of in that respect. To the extent Verde receives a GPC or similar opt-out preference signal, Verde treats it consistently with its no-sale and no-share posture.

2. How We Use Your Information

Verde uses the information we collect to: deliver the Service (reports, dashboards, Finn responses, digests); process payments (Stripe billing and renewals); support and onboard you; maintain security (detect abuse, prevent fraud, secure accounts); comply with legal obligations (responding to lawful requests, with notice where permitted); and improve the Service operationally (performance monitoring, debugging, capacity planning).

We do not:

  • Sell or share your personal information or financial data (as "sell" and "share" are defined under the CCPA/CPRA);
  • Use your financial data, chat conversations, or QBO content to train any AI model. Verde uses AI sub-processors under commercial terms that do not permit use of customer data for model training, and Verde does not opt into any training-eligible data sharing (see §4);
  • Share your data with advertisers, data brokers, or marketing partners.

3. Sub-Processors

Verde engages the following sub-processors to operate the Service. Verde remains responsible for the protection of your data when processed by these sub-processors and contractually requires each to maintain data-protection standards consistent with this policy and, where applicable, our Data Processing Agreement.

| Sub-processor | Role | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL), Authentication, file storage | All Verde-controlled data including QBO data, chat history, billing references, account information | AWS US-East-1 |
| Intuit Inc. (QuickBooks Online) | Source-of-truth financial data provider | Your QBO data accessed via OAuth (one-way read into Verde) | US |
| Stripe Inc. | Payment processing, subscription management | Email, billing address, payment card data (held directly by Stripe; Verde does not see them) | US, with Stripe's own sub-processors for card-network processing |
| Anthropic PBC | AI inference for Finn responses | Chat message content, financial context data, customer/vendor names from your QBO data | US (commercial API terms — does not use commercial customer data for model training) |
| Vercel Inc. | Application hosting, content delivery, serverless compute | HTTP request metadata; auth-gated content not cached at edge | US application origin; global CDN edge for static assets only |
| Resend | Transactional email delivery | Your email address, transactional email content | US |
| Slack Technologies | Channel integration for Finn delivery (when you connect Slack) | Financial briefings, chat messages, and figures delivered to your Slack workspace as configured | US; residency depends on your Slack plan |
| Google LLC | Identity provider (only if you sign in via Google) | Email address verification only | US |

A current list of sub-processors is maintained in the table above; this section is the canonical list at launch.

4. AI Processing Disclosure (Finn)

When you interact with Finn: your message text is sent to Anthropic's commercial API for inference; Verde includes context that may include your company name, top customer and vendor names, revenue figures, expense categories, and other figures derived from your QBO data; tool-use rounds may send transaction-level data (journal entries, including references and memo text) to Anthropic for analysis; and Anthropic processes the request and returns a response.

Verde uses Anthropic under commercial API terms that do not use customer prompt or completion data for model training, and Verde does not opt into any training-eligible data sharing.

Finn-generated responses are AI-generated text for informational and decision-support purposes only. Finn is not a licensed accountant, attorney, financial advisor, or fiduciary. Do not rely on Finn responses as the sole basis for material business, legal, tax, or accounting decisions. Verify material conclusions with your licensed professional. (See Terms of Service §3.2–§3.5.)

5. How We Share Your Information

Verde may share your information with: sub-processors (§3), limited to operating the Service for you; legal authorities, when required by valid legal process, with notice to you where permitted; an acquiring entity in a merger, acquisition, or sale of substantially all assets, subject to this policy; and parties you direct us to share with (for example, your bookkeeper or accountant). Verde does not sell, rent, share, or trade your personal information.

6. Security

Verde implements reasonable technical and organizational measures, including: TLS 1.2+ encryption in transit (enforced by Vercel); AES-256 encryption at rest (Supabase); additional AES-256-GCM field-level encryption on QBO OAuth tokens; Row-Level Security on all customer-data tables; service-role isolation of sensitive tables; an MFA option via Supabase Auth; and audit logging of operator actions affecting customer data.

We require employees and contractors with access to customer data to follow security policies and complete data-handling training. In the event of a security incident affecting your personal data, Verde will notify affected customers without undue delay and, where feasible, within 72 hours of confirming the incident, consistent with applicable breach-notification laws.

No system is perfectly secure. Verde cannot guarantee absolute security, and you acknowledge this risk in using any internet-based service.

7. Your Rights

If you are a California resident (including a business representative whose data Verde processes), the CCPA/CPRA grants you the rights to: know the categories of personal information collected, the purposes, and the sub-processors; access a copy of the personal information Verde holds about you; delete your personal information (subject to legal exceptions, such as billing records retained for tax purposes); correct inaccurate personal information; receive a machine-readable copy of your personal information (portability); limit the use of sensitive personal information (Verde does not intentionally collect sensitive personal information — see §7.2); and not be discriminated against for exercising your rights.

Residents of Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws have comparable rights, and Verde extends similar treatment regardless of state of residence.

7.1 How to exercise your rights, and verification

To exercise any right, email privacy@useverde.ai or use the self-serve tools in your account settings (account deletion and data export). To protect your data, Verde will verify your identity before fulfilling an access, deletion, correction, or portability request — typically by confirming control of the email address associated with the account and, where reasonably necessary, additional information matching our records. Verde responds to verified requests within 45 days, extendable by an additional 45 days where permitted by law, with notice to you. You may use an authorized agent where permitted by law, subject to verification.

If a self-serve tool for a particular request is not yet available in your account, Verde fulfills the request manually within the response window above upon a verified request to privacy@useverde.ai.

7.2 Sensitive personal information

Verde does not intentionally collect, request, or use "sensitive personal information" as defined under the CPRA. Customer financial records synced from your connected QBO account may incidentally contain such information (for example, financial-account identifiers entered by your bookkeeper). Verde does not use any such information for any purpose other than providing the Service, and instructs customers (in the Terms of Service and Data Processing Agreement) not to store unnecessary sensitive information in connected accounts.

8. Data Retention

Verde retains personal information only as long as necessary for the purposes described in this policy, then deletes or de-identifies it. Our retention periods are:

| Data category | Retention period |
|---|---|
| Account information (email, profile) | Duration of active subscription, then up to 90 days after cancellation |
| QBO synced data | Duration of active subscription, then up to 90 days after cancellation |
| Chat conversations with Finn | Up to 90 days from each message's creation date |
| Telemetry (token usage) | Up to 12 months (billing reconciliation and cost monitoring) |
| Stripe customer references | Duration of the customer relationship, plus the period required by tax law (typically up to 7 years for billing records) |
| Error logs and security logs | Up to 12 months |
| Bot conversation summaries (Slack) | Up to 90 days from last update |
| Backups (Point-in-Time Recovery) | 7-day rolling window, regardless of source deletion |

How deletion works. Within 90 days after your subscription is cancelled, Verde deletes your customer data from production systems. You may request earlier deletion at any time by emailing privacy@useverde.ai or using the account-deletion tool in your settings; Verde fulfills verified deletion requests within the response window in §7.1. Disconnecting your QBO integration immediately revokes Verde's stored QBO tokens. Backup copies are purged on the rolling schedule above. Certain records may be retained where required by law (see the table) or to resolve disputes and enforce our agreements.

9. International Transfers

Verde's primary data infrastructure is located in the United States (AWS US-East-1 via Supabase). Our sub-processors are predominantly US-based; some (such as Stripe and Slack) may transfer limited data internationally for their own operations.

Verde does not solicit, target, or knowingly serve users located in the European Economic Area, the United Kingdom, or other regions with comprehensive cross-border transfer requirements, and requires a US-presence representation at signup (see Terms of Service §2.2). If you access Verde from outside the United States, your information will be processed in the United States. When Verde expands to support international customers, this section will be supplemented with appropriate transfer mechanisms.

10. Children's Privacy

Verde is a B2B service for business users and does not knowingly collect personal information from individuals under 16. If we learn we have, we will delete it promptly.

11. EU/UK/Swiss User Access

Verde does not currently offer the Service to users in the European Economic Area, the United Kingdom, or Switzerland, and does not knowingly process the personal data of EEA/UK/Swiss data subjects. If you are accessing from one of these regions, please refrain from using the Service until our international supplements are published.

12. Policy Changes

When Verde makes material changes to this policy, we will update the effective date, notify active customers by email at least 14 days before the changes take effect, and maintain a changelog in the Version History section at the end of this document. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

  • Privacy inquiries: privacy@useverde.ai
  • General contact: contact@useverde.ai
  • Mailing address: Verde Labs, Inc., c/o Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA

14. California Privacy Disclosures (CCPA / CPRA)

This section provides additional disclosures required under California law. California's prior exemption for business-to-business personal information has expired, so these disclosures apply to business-context personal information that Verde processes.

Categories of personal information collected. In the 12 months preceding the effective date, Verde collects: identifiers (such as business email address and user account identifiers); commercial and financial information (financial records derived from your connected QBO account, and subscription information); internet or network activity (usage and request logs); and the contents of your communications with Finn.

Sources. Directly from you; from your connected QBO account; and automatically through your use of the Service.

Business purposes for collection. As described in §2 (delivering and supporting the Service, processing payments, security, legal compliance, and operational improvement).

Categories of third parties. Verde discloses personal information only to the sub-processors listed in §3, for business purposes, to operate the Service. Verde does not disclose personal information for any party's independent commercial use.

Sale or sharing of personal information. Verde does not sell or share personal information as those terms are defined under the CCPA/CPRA, and has not done so in the preceding 12 months. Because Verde does not sell or share, there is no financial incentive program. A "Do Not Sell or Share My Personal Information" control is made available on our website for transparency even though Verde does not sell or share.

Sensitive personal information. Verde does not intentionally collect or use sensitive personal information and does not use any incidentally present sensitive information for purposes that would trigger the right to limit its use (see §7.2).

Retention. Verde retains personal information for the periods described in §8.

Your California rights and how to exercise them. You have the rights described in §7. Submit requests to privacy@useverde.ai or via your account settings; Verde verifies and responds as described in §7.1, and will not discriminate against you for exercising your rights.

14.1 Other US state privacy rights

Residents of Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws have rights comparable to those in §7, including the rights to access, correct, delete, and obtain a portable copy of their personal information, and to appeal a denied request. To exercise these rights or appeal a decision, contact privacy@useverde.ai. Verde does not sell personal information or process it for targeted advertising or profiling with legal or similarly significant effects.

Version History

| Version | Effective Date | Notes |
|---|---|---|
| 1.0 | 2026-05-21 | Initial production-ready release |