Privacy Policy

Effective Date: [Insert Date]
Company: Boulangeries de Paris LLC (dba Chaumont / Chaumont Vegan)
App: Chaumont Wholesale Order Portal
Contact: contact@chaumontbakery.com

1. What this policy covers

This policy explains how we collect, use, and protect information when you use the Chaumont Wholesale Order Portal, including the optional connection to QuickBooks Online to create invoices on demand.

2. Information we process

2.1 Account and business data

  • Company name, location, contact details
  • User account details (name, email, role, location)
  • Subscription and billing details (via Stripe)

2.2 App usage and operational data

  • Orders, items, location assignments, schedules, and reports you create in the app
  • System and security logs (timestamps, IP, user ID, action type) for auditing and fraud prevention
  • Error and performance telemetry (via Sentry) without storing secrets

2.3 QuickBooks Online data (limited, on demand)

  • Realm ID and OAuth tokens to authorize a user-initiated invoice action
  • Invoice payloads necessary to create or update invoices

We do not continuously sync your QuickBooks file. We do not pull bank data or unrelated ledgers.

2.4 Emails and notifications

  • Email address, preference settings, delivery logs and failures

2.5 Cookies and similar tech

  • Essential cookies for login sessions and CSRF
  • Google reCAPTCHA Enterprise on auth or sensitive forms to prevent abuse

No advertising cookies.

3. Why we use data (lawful bases)

  • Provide the service you request, including creating invoices in QuickBooks Online
  • Secure the platform, prevent abuse, and maintain audit trails
  • Fulfill payments and subscription management
  • Comply with legal obligations and respond to lawful requests
  • Improve reliability and usability (aggregate analytics, not ads)

4. How we store and protect data

  • Encryption in transit (TLS) and at rest where supported
  • Secrets and tokens stored in secure secret storage with least-privilege access
  • Role-based access control and company-level data isolation
  • Audit logs for sensitive operations
  • Regular dependency updates and vulnerability patching

5. Sub-processors and key third parties

We use reputable providers to operate the service:

  • Google Cloud (Cloud Run, Storage, Secret Manager, reCAPTCHA Enterprise)
  • Stripe (payments, subscription management)
  • Sentry (error monitoring)
  • Email service provider (SMTP/transactional email)
  • Intuit QuickBooks Online API (only when you connect)

We update this list as vendors change.

6. Data retention

  • App data: retained while your account is active, then deleted or anonymized within a reasonable period
  • Logs: typically 12–24 months, for security and compliance
  • OAuth tokens: rotated and revoked on disconnect or inactivity

You can request deletion of identifiable data where applicable.

7. Your choices and rights

  • Disconnect QuickBooks at any time from within your QuickBooks account or by contacting us
  • Access, correct, or delete your account data where applicable
  • Opt in or out of non-essential notifications

California residents: you may have CPRA rights. EEA/UK residents: you may have GDPR rights. Contact us to exercise rights. We verify requests to protect privacy.

8. International transfers

We primarily process in the United States. If data is transferred internationally, we use appropriate safeguards.

9. Children

The service is for business users. We do not knowingly collect data from children under 16.

10. Changes to this policy

We may update this policy. Material changes will be posted with a new effective date.

11. Contact

Questions or requests: contact@chaumontbakery.com

Back to Login