Privacy Policy
Last Updated: January 2026
1. Data Controller
Tomas Financial LLC ("we", "us", "our") is the data controller responsible for your personal data.
2. Information Collection
We collect information to provide financial architecture, bookkeeping, and tax services. This includes Personally Identifiable Information (PII) such as names, Tax IDs (SSN/EIN), financial records, and contact details provided via our Secure Client Portal.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract: Processing necessary to provide our financial services
- Legal Obligation: Tax document retention per IRS requirements
- Legitimate Interest: Improving our services, fraud prevention
- Consent: Analytics cookies and marketing communications (where applicable)
4. Data Usage & Security
We leverage enterprise-grade encryption for all data transmission. Your financial data is stored using Row-Level Security (RLS) protocols via Supabase and AWS infrastructure. We do not sell your data to third parties. Data is used strictly for:
- Tax preparation and compliance filing
- Financial reporting and dashboard generation
- AI-driven workflow optimization (scheduling/intake)
5. Third-Party Processors & International Transfers
International Data Transfer: Your data may be processed in the United States. By using our services, you consent to this transfer. We ensure appropriate safeguards are in place with all processors.
We utilize trusted third-party vendors to execute our services:
- Clerk: Identity management and authentication.
- Supabase: Database and document storage.
- Stripe: Payment processing. We do not store credit card details.
- Intuit QuickBooks: Accounting data sync (P&L, Balance Sheet, transactions). OAuth tokens encrypted at rest.
- UploadThing: Secure document and file storage.
- Resend: Transactional email delivery.
- Vercel: Website hosting, analytics, and performance monitoring (with your consent).
- Cal.com: Appointment scheduling and calendar management.
- Bland.ai: AI-powered voice calls for scheduling and intake (call recordings retained per retention policy).
- Sentry: Error tracking and application monitoring (no PII collected).
- Upstash Redis: Rate limiting and security controls.
- ADP (optional): Payroll data integration when connected by you.
6. QuickBooks Online Integration
If you choose to connect your QuickBooks Online account, we access the following data through Intuit's secure OAuth 2.0 protocol:
- Company Information: Business name, legal name, and address
- Financial Reports: Profit & Loss statements, Balance Sheets
- Transactions: Recent invoices, payments, and expenses (read-only)
How We Use This Data:
- Display financial KPIs and charts on your dashboard
- Generate financial reports and insights
- Calculate month-over-month performance metrics
Data Storage & Security:
- OAuth access tokens are encrypted at rest and automatically refreshed
- Financial data is cached locally for up to 24 hours to improve performance
- We use read-only access and never modify your QuickBooks data
- All API communications use TLS 1.2+ encryption
Disconnecting QuickBooks:
You can disconnect your QuickBooks account at any time from your dashboard. Upon disconnection:
- Your OAuth tokens are immediately revoked at Intuit
- All cached QuickBooks data is permanently deleted from our systems
- Your Tomas Financial account remains active with other features
7. Data Retention
We retain data according to the following schedule:
- Tax Documents: 7 years minimum (per IRS guidelines)
- Financial Reports: Duration of your subscription plus 90 days
- QuickBooks Cache: Up to 24 hours, refreshed on demand
- Account Data: Until you request deletion
You may request deletion of non-essential account data by contacting support.
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and other applicable laws, you have the right to:
- Access: Request a copy of your personal data
- Correction: Request corrections to inaccurate data
- Deletion: Request deletion of non-essential data ("right to be forgotten")
- Portability: Download your data in JSON format via Settings → Data & Privacy (requires login)
- Restriction: Request we limit processing of your data
- Objection: Object to processing based on legitimate interests
- Revocation: Withdraw consent or disconnect third-party integrations at any time
To exercise any of these rights, visit your Data & Privacy settings (requires login) or contact us at privacy@tomasfinancial.com. We will respond to requests within 30 days.
10. Colorado Privacy Rights (CPA)
As a Colorado-based company, we comply with the Colorado Privacy Act (CPA). Colorado residents have the following rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data you provided or we obtained
- Right to Data Portability: Obtain your data in a portable format
- Right to Opt Out: Opt out of targeted advertising, sale of data, or profiling
We Do Not Sell Your Personal Data. We do not engage in targeted advertising or profiling for decisions with legal effects.
To exercise your CPA rights, contact us at privacy@tomasfinancial.com. We will respond within 45 days.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" of personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
We Do Not Sell Your Personal Information. Tomas Financial does not sell, rent, or trade your personal information to third parties for monetary consideration.
To exercise your CCPA rights, contact us at privacy@tomasfinancial.com or use the "Do Not Sell My Info" link in our website footer.
12. Contact Us
For privacy concerns, data requests, or to exercise your rights, please contact our Data Protection Officer at:
privacy@tomasfinancial.com