Privacy policy.
Last updated: April 23, 2026
1. Who we are
ConsultVector (“we,” “us,” “our”) is an AI automation consulting company. We are incorporated in Panama and provide services to small businesses in Canada and North America through our website at consultvector.com.
For the purposes of the Personal Information Protection and Electronic Documents Act (PIPEDA), our Privacy Officer can be reached at:
- Email: admin@consultvector.com
- Phone: (431) 450-AUTO
- Address: Winnipeg, MB, Canada
2. What information we collect
We collect personal information that you provide directly to us through our website:
Contact form
Name, email address, phone number (optional), business name (optional), and your message.
Lead capture and free trial forms
Name, email address, phone number, business name, industry, number of employees, revenue range, pain points, and current tools you use.
Automation audit form
Business type, tools you currently use, primary pain point, name, email address, and phone number (optional).
Newsletter signup
Email address only.
AI chatbot conversations
Messages you send to our chatbot widget. These conversations are processed in real time by Anthropic's Claude AI and are not stored on our servers after the conversation ends. See Section 7 for details on AI processing.
Automatically collected information
We use Vercel Analytics and Vercel Speed Insights to collect anonymized usage data including page views, referral sources, device type, browser type, approximate geographic location, and page load performance metrics (Core Web Vitals). This data does not identify you personally.
3. How we use your information
We use your personal information for the following purposes:
- To respond to your inquiries and provide the services you request
- To send you the newsletter you subscribed to (with your express consent)
- To evaluate your business needs and provide automation recommendations
- To improve our website, services, and user experience
- To comply with legal obligations
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
4. Consent
We obtain your consent before collecting, using, or disclosing your personal information, as required by PIPEDA:
- Express consent: When you submit a form, subscribe to our newsletter, or initiate a chatbot conversation, you are providing express consent for us to process that information for its stated purpose.
- Opt-in consent for analytics: Analytics tools (Google Analytics, Vercel Analytics, Vercel Speed Insights) only load after you grant consent via our cookie banner. You may decline analytics entirely by choosing “Necessary only.”
You may withdraw your consent at any time by contacting us at admin@consultvector.com. Withdrawal of consent may limit our ability to provide certain services to you.
5. How we share your information
We may share your personal information with the following third-party service providers who assist us in operating our business:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Vercel | Website hosting, analytics, performance monitoring | Anonymized usage data, form submission logs | United States |
| Google (Google Analytics 4) | Website analytics (consent-gated) | Anonymized page views, session data, device type, approximate location (IP anonymized) | United States |
| Anthropic | AI chatbot processing | Chat messages (not stored after session) | United States |
| Workflow automation tools | Processing form submissions and lead routing | Form data you submit | United States / Canada |
Each provider is contractually bound to protect your information and use it only for the purposes we specify.
6. Cross-border data transfers
Your personal information may be processed and stored in Canada, the United States, and Panama. When your information is transferred outside of Canada, it may be subject to the laws of those jurisdictions, which may differ from Canadian privacy laws.
We take reasonable steps to ensure that your information receives a comparable level of protection regardless of where it is processed, in accordance with PIPEDA requirements for cross-border transfers.
7. AI and automated processing
Our website includes an AI-powered chatbot that uses Anthropic's Claude language model to answer questions about our services. When you use the chatbot:
- Your messages are sent to Anthropic's API for processing in the United States
- Conversations are not stored on our servers after the session ends
- The chatbot does not make decisions that produce legal or similarly significant effects about you
- Chatbot responses are informational only and do not constitute professional advice
We recommend that you do not share sensitive personal information (financial details, passwords, health information) through the chatbot.
8. Data retention
- Form submissions: Retained for as long as necessary to fulfill the purpose for which they were collected, or as required by law
- Newsletter subscriptions: Until you unsubscribe
- Chatbot conversations: Not retained after the session ends
- Analytics data: Retained by Vercel in accordance with their privacy policy
9. Your rights under PIPEDA
You have the right to:
- Access the personal information we hold about you
- Correct any inaccurate or incomplete information
- Withdraw consent for the collection, use, or disclosure of your information
- Challenge our compliance with this policy
To exercise any of these rights, contact our Privacy Officer at admin@consultvector.com. We will respond to your request within 30 days.
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
10. Security safeguards
We protect your personal information using organizational, technological, and physical security measures appropriate to the sensitivity of the information, including:
- Encrypted data transmission (HTTPS/TLS) on all pages
- Secure hosting infrastructure through Vercel
- Access controls limiting who can view submitted data
- Regular review of security practices
11. Cookies and tracking
Our website uses minimal cookies and tracking technologies. Analytics tools only load after you grant consent via our cookie banner:
- Google Analytics 4 (consent-gated): Collects anonymized page views, session data, referral sources, device type, and approximate geographic location. IP addresses are anonymized before processing. Data is sent to Google servers in the United States. Only loads after you click “Accept all” or enable analytics in cookie preferences.
- Vercel Analytics (consent-gated): Collects anonymized page view and interaction data. Cookie-free and privacy-focused. Only loads after analytics consent.
- Vercel Speed Insights (consent-gated): Measures page load performance (Core Web Vitals). Only loads after analytics consent.
We do not use advertising cookies, behavioral tracking pixels, or social media tracking widgets. You can change your cookie preferences at any time by clearing your browser's local storage for this site.
12. Data breach notification
In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:
- Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible
- Notify you directly with details of the breach and steps you can take to protect yourself
- Maintain a record of all breaches for a minimum of two years, as required by PIPEDA
13. Children's privacy
Our services are designed for businesses and business professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected information from a minor, we will delete it promptly.
14. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.
15. ConsultVector Bookkeeping — QuickBooks Online integration
This Section 15 applies specifically to ConsultVector Bookkeeping, our QuickBooks Online (QBO) integration service for a closed set of engaged Canadian small-business clients. It supplements the rest of this policy for users whose QuickBooks Online company file (“realm”) is connected to ConsultVector via Intuit’s OAuth 2.0 authorization. Our Intuit application is registered as ConsultVector Bookkeeping (App ID 499a955b-9276-47d2-a39e-4555ffa6956c) and operates under Intuit’s Private App (Path B) program. Where this Section 15 conflicts with any earlier section as it relates to QuickBooks Online data, this Section 15 controls.
15.1 Processor role and scope
When we process QuickBooks Online data on behalf of an engaged client, the client is the data controller and ConsultVector is a data processor acting on the client’s documented instructions as set out in the client’s service agreement. We access QuickBooks Online only for the purposes of bookkeeping, chart-of-accounts hygiene, bank-feed categorization, bill entry, journal entries, period-close reporting, and tax-return preparation support for the specific realm(s) the client authorizes. We do not use QuickBooks Online data for advertising, resale, model training, product development across unrelated clients, or any purpose not authorized by the client.
15.2 Data we receive from QuickBooks Online
When a client connects a QuickBooks Online realm to ConsultVector Bookkeeping, the client is directed through Intuit’s own OAuth 2.0 authorization screens, where they consent to the following Intuit OAuth scopes: com.intuit.quickbooks.accounting, openid, profile, and email. We request and receive only the data these scopes grant, via Intuit’s authorized APIs, for the purpose of delivering the bookkeeping service. The com.intuit.quickbooks.payment scope is not requested. Subject to those scopes, we receive:
- Company metadata (company name, fiscal year start, home currency, country, realm ID)
- Chart of Accounts (account names, types, detail types, balances, parent-child hierarchy)
- Customers, Vendors, Employees (as vendor payees only), and Items / Products & Services
- Invoices, Sales Receipts, Credit Memos, Refund Receipts, Estimates
- Bills, Bill Payments, Vendor Credits, Purchases, Purchase Orders
- Journal Entries and Transfers
- Attachables (source-document PDFs and images the client or we upload against transactions)
- Classes, Departments (Locations), and Projects where used
- Tax Codes, Tax Rates, and Tax Agencies (GST/HST, PST/RST/QST)
- Standard financial Reports (Trial Balance, Profit & Loss, Balance Sheet, General Ledger, A/R and A/P Aging)
- Webhook event notifications for the entities listed above (create / update / delete / merge / void)
- OAuth tokens issued by Intuit to authorize the connection (stored per Section 15.4)
15.3 Data we do not receive
ConsultVector Bookkeeping does not request or receive, and we do not store on behalf of the client:
- Raw bank-feed transactions prior to QuickBooks import, or direct bank-account login credentials
- Credit-card numbers, full card PANs, or any cardholder data subject to PCI DSS
- QuickBooks Payments merchant credentials or ACH/EFT account numbers used to move money
- Full QuickBooks Online Payroll records, employee SINs, direct-deposit banking, or T4 employee-level payroll data. Where payroll totals are needed for close, we receive summarized journal entries only, never employee-level compensation rows.
- QuickBooks Time (TSheets) personal location data or employee GPS trails
- End-user Intuit account passwords — authorization is delegated entirely through Intuit’s OAuth 2.0 flow and Intuit’s sign-in screens, which we never see or capture
15.4 OAuth token storage and handling
OAuth access tokens and refresh tokens issued by Intuit are:
- Stored in a dedicated vault within 1Password, our secrets-management sub-processor, encrypted at rest with AES-256-GCM under keys derived from the vault’s Secret Key plus account password (zero-knowledge architecture — 1Password cannot read the tokens)
- Transmitted only over TLS 1.2 or higher to Intuit’s OAuth endpoints
- Scoped per realm (per connected client company file). Tokens are never shared across realms, and code paths that read tokens take the realm ID as an explicit, required parameter
- Refresh tokens are rotated automatically on every use as required by Intuit; the stored value is overwritten on every token response, and expired or revoked tokens are purged from storage within 24 hours. We honor Intuit’s absolute refresh-token lifetime ceiling and maintain a registered Reconnect URL with Intuit so that expiring tokens trigger a re-consent flow with the client before access is lost.
- Never logged in plaintext, never written to disk outside the 1Password vault, never committed to source control, and never transmitted to any system other than Intuit and 1Password
- Access to the 1Password vault storing QBO tokens, and to our Intuit Developer account, is protected by multi-factor authentication (MFA). MFA is enforced on every operator account that can view, exchange, or revoke OAuth tokens. Access is granted per engagement and revoked on engagement end or operator offboarding.
15.5 Data residency
All QuickBooks Online data we receive on behalf of Canadian clients is processed and stored on infrastructure located in Canada, primarily in Manitoba. Specifically:
- Persistent storage of QBO data (working files, export archives, attachables) is on Canadian disks under our control at our Winnipeg operations. Storage media is encrypted at rest using full-disk encryption (Apple FileVault on macOS workstations, LUKS on Linux where applicable)
- OAuth tokens are held by 1Password in its Canadian data residency region
- QuickBooks Online data is not transferred outside Canada. The Section 6 cross-border disclosure (United States, Panama) applies only to website data described in Sections 2–11; it does not apply to QBO bookkeeping data governed by this Section 15
- Incidental human-review assistance using the Anthropic Claude API for categorization hints (see Section 15.7) is configured to use Anthropic’s zero-retention endpoint so that QBO data fragments sent to the model are not stored by Anthropic and are not used to train any model. Where a Canadian-region Claude deployment is available on the engagement date, we prefer it
15.6 Per-tenant isolation
Each connected client realm is isolated by realm ID. Our internal data model requires realm ID on every read and every write. We do not run cross-tenant queries, cross-tenant reports, or cross-tenant analytics. Engineers and bookkeepers are granted 1Password vault access only for the specific clients they actively serve, and access is revoked on engagement end.
15.7 Sub-processors for QuickBooks Online data
The complete list of sub-processors that may receive QuickBooks Online data on our behalf is as follows. We do not share QuickBooks Online data with any third-party accounting, CRM, marketing, or analytics SaaS.
| Sub-processor | Purpose | QBO data shared | Location |
|---|---|---|---|
| Intuit Inc. | Source of truth — QuickBooks Online itself | All QBO data originates here under the client’s own Intuit account | United States (Intuit’s data residency) |
| 1Password (AgileBits Inc.) | Encrypted OAuth token and credential vault | OAuth access and refresh tokens only; no transactional QBO data | Canada |
| Anthropic PBC (Claude API) | Transaction-categorization assistance and chart-of-accounts suggestions for human bookkeeper review. Configured with zero retention — Anthropic does not store inputs or outputs and does not train on them. | Transaction descriptions, amounts, vendor names, and proposed account codes only — never OAuth tokens, attachables, full customer or employee records, or full ledger exports | United States (zero-retention enterprise endpoint) |
If we add or change a sub-processor that receives QuickBooks Online data, we will update this Section 15.7 and notify connected clients by email at least 30 days before the change takes effect, giving them an opportunity to object and, if they choose, to disconnect under Section 15.9.
15.8 Retention and destruction
We retain QuickBooks Online data for the period required to deliver the engaged service and to meet the client’s Canadian tax-record retention obligations under the Income Tax Act (Canada), s.230 and s.230.1, and the Excise Tax Act, s.286, which generally require business records to be kept for six (6) years from the end of the last taxation year to which they relate (or longer where a return is filed late, under objection, or under appeal). Attachables and source documents are retained for the same period.
At the end of the engagement, or on earlier written instruction from the client:
- OAuth tokens are revoked via Intuit’s
revokeendpoint and purged from the 1Password vault within 24 hours - Working copies of QBO data on our systems are irreversibly deleted (cryptographic erasure of the encrypted volumes, or multi-pass overwrite in accordance with CRA Information Circular IC78-10R5 on the retention and destruction of books and records)
- Archived engagement files are held in encrypted cold storage for the statutory retention period and then destroyed under the same IC78-10R5 standard
- On request, we provide the client with a written certificate of destruction identifying the realm, the data categories destroyed, the method of destruction, and the date
The original QuickBooks Online data remains in the client’s own Intuit account and is not affected by our destruction of our working copies.
15.9 Client rights — access, correction, export, disconnect, deletion
Clients retain full control of their QuickBooks Online data at all times:
- Access: Clients can see and query the underlying data directly in their own QuickBooks Online account at any time. On request, we will also provide a copy of any derived working papers we hold.
- Correction: Corrections are made directly in QuickBooks Online by the client or by us with the client’s documented approval. No write is posted without human approval (see our Terms of Service).
- Export: On request, we provide the client with a complete export of every working file, journal-entry proposal, categorization worksheet, and reconciliation we hold for their realm, in CSV or their preferred format, at no additional cost.
- Disconnect (OAuth revocation): A client may disconnect ConsultVector Bookkeeping from their QuickBooks Online account at any time by either (a) signing in to QuickBooks Online, opening Apps → My Apps (or Settings → Apps), locating “ConsultVector Bookkeeping,” and clicking Disconnect, or (b) sending a written revocation to admin@consultvector.com. We honor disconnect requests received by either channel within one (1) business day and revoke our tokens against Intuit within 24 hours.
- Deletion: Following disconnect or engagement termination, we destroy our working copies of QBO data as described in Section 15.8, subject only to records we are legally required to retain under the Income Tax Act and Excise Tax Act, or records under legal hold.
15.10 Incident response
If we become aware of a security incident that has, or is reasonably believed to have, resulted in the loss of, unauthorized access to, or unauthorized disclosure of QuickBooks Online data or OAuth tokens entrusted to us, we will:
- Contain the incident and preserve forensic evidence immediately on detection. Where OAuth tokens are implicated, we immediately revoke the affected tokens via Intuit’s
/v2/oauth2/tokens/revokeendpoint and trigger a re-consent flow with the client through our registered Reconnect URL - Notify the affected client in writing within 72 hours of confirmed detection, with the facts known at that time, the categories of data affected, the mitigation steps taken, and our contact for follow-up
- Notify Intuit Developer Support and the Intuit Security team without undue delay where the incident affects QuickBooks Online data, tokens, or the integrity of our Intuit-registered application, as contemplated by the Intuit Developer Terms
- Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible where the incident creates a real risk of significant harm, and directly notify affected individuals as required by PIPEDA s.10.1
- Maintain a written record of the breach for a minimum of two years and provide a post-incident report to the affected client within 30 days of resolution
15.11 Alignment with Intuit’s Data Stewardship Principles
ConsultVector acknowledges and operates consistently with Intuit’s Data Stewardship Principles. Specifically, we will not sell, publish, or share QuickBooks Online data entrusted to us that identifies a client or any person without that client’s explicit permission; we use QuickBooks Online data only to deliver the bookkeeping service the client has engaged us to deliver; we give clients clear explanations of how we use their data and meaningful choices, including the disconnect right in Section 15.9; and we train the people who handle QuickBooks Online data on how to keep it safe. We do not combine QuickBooks Online data with data from other sources in ways that would re-identify individuals, and we do not use QuickBooks Online data to train machine-learning models.
15.12 Panama parent entity — no cross-border flow of QBO data
For the avoidance of doubt: ConsultVector’s parent entity, Soberano S.A., is incorporated in the Republic of Panama, and this relationship is disclosed in Section 1 of this policy. QuickBooks Online data is not transferred to Panama, is not processed in Panama, and is not accessible to personnel in Panama. QBO operations, data storage, tooling, and personnel are located in Canada, in accordance with Section 15.5. The Panama parent holds the ConsultVector trade name and commercial contracts; it does not process client bookkeeping data.
15.13 PIPEDA compliance attestation
We attest that ConsultVector Bookkeeping’s collection, use, disclosure, retention, and destruction of personal information contained in QuickBooks Online data complies with the ten fair-information principles of the Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1: accountability, identifying purposes, consent, limiting collection, limiting use / disclosure / retention, accuracy, safeguards, openness, individual access, and challenging compliance. Our Privacy Officer (Section 1) is accountable for this compliance and is the point of contact for any access request, correction request, or complaint relating to QuickBooks Online data.
16. Contact us
If you have questions about this privacy policy or our privacy practices, contact us:
- Email: admin@consultvector.com
- Phone: (431) 450-AUTO
- General inquiries: Contact page