Privacy Policy
Effective date: June 30, 2026 · Last updated: June 30, 2026
This Privacy Policy explains how Hollis Technologies, Inc. ("Hollis Technologies," "we," "us," or "our") collects, uses, stores, and shares information when you use Attachly ("Attachly," the "Service") and the website at attachlysync.com. Attachly is a file-synchronization service that migrates document attachments from QuickBooks® Desktop into QuickBooks® Online and links each file to the corresponding record.
1. Who We Are
Hollis Technologies, Inc. is a United States software company and the operator of Attachly. Our registered privacy contact is [email protected].
We act as a data controller for information we collect directly through our website, account registration, and support channels, and as a data processor acting on your behalf when we access your QuickBooks Online data and your document files to perform a migration you have requested.
2. The Service This Policy Covers
This policy covers the Attachly web application and the attachlysync.com website. Attachly connects to your QuickBooks Online company, reads transaction records in order to match them to your document files, uploads matched files to QuickBooks Online as attachments, and records each created attachment so the operation can be reversed.
3. Information We Collect
3.1 Account Information
Account creation and authentication are handled by our identity provider, Clerk. When you create an account we collect your name, email address, and authentication metadata (including, if you enable it, two-factor authentication settings). We do not receive or store your password; it is managed by Clerk.
3.2 QuickBooks Online Data
When you connect a QuickBooks Online company, you authorize Attachly, through Intuit's OAuth 2.0 flow, to access that company using the com.intuit.quickbooks.accounting scope. Depending on your migration, we access:
- Company information — company name, QuickBooks Online plan, and realm (company) ID.
- Transaction records — fields from records such as invoices, bills, expenses, payments, deposits, customers, and vendors (for example reference numbers, amounts, dates, and payee names), read only to identify which record a document belongs to.
- Existing attachments — metadata about attachments already present on a record, used to avoid creating duplicates.
- OAuth tokens — the access and refresh tokens that authorize our API calls, which are encrypted at rest and deleted when you disconnect the company.
3.3 File Manifest and Document Files (Manifest-First)
Attachly is designed to minimize the document data we receive:
- Free analysis (manifest only). When you scan your QuickBooks Desktop Attach folder for a free analysis, only a manifest — file names, relative paths, sizes, and folder identifiers — is generated. The manifest is produced on your own device, and the contents of your document files are not uploaded during analysis.
- After purchase (matched files only). Document file contents are uploaded only after you purchase a migration, and only for the files that were matched to a QuickBooks Online record (or that you choose to upload unattached). These files are stored temporarily so they can be uploaded to QuickBooks Online, then deleted on the schedule in Section 8.
3.4 Billing Information
Payments are processed by Stripe. We do not collect or store your full payment-card details; Stripe handles card data directly. We retain billing metadata such as the plan or tier purchased, amounts, transaction identifiers, and subscription status.
3.5 Information Collected Automatically
When you use the Service we automatically collect usage data (features used, actions taken), technical data (browser type, operating system, IP address), and error/diagnostic logs used to detect and fix problems. Error logs are processed through our monitoring provider (Sentry) and are scrubbed to remove file names, document contents, financial values, tokens, and other sensitive fields before transmission.
4. How We Use Information
We use the information we collect to:
- Provide and operate the Service — analyze your manifest, match files to QuickBooks Online records, upload matched files as attachments, and enable one-click undo.
- Authenticate you and secure your account.
- Process payments and manage subscriptions through Stripe.
- Send transactional email (for example analysis-ready, migration-complete, and client-upload notifications) through our email provider, Resend.
- Respond to support requests and communicate about your account.
- Monitor performance, diagnose errors, and improve the Service.
- Comply with legal obligations, enforce our agreements, and protect the security and integrity of our systems.
We do not sell your data, and we do not use your data — including your QuickBooks Online data or document files — for advertising.
5. Automated Processing and AI
For document files that cannot be matched to the correct QuickBooks Online record by identifier or metadata, Attachly may send the contents of an individual document to a large language model provided by Anthropic in order to extract identifying fields (such as amount, date, and payee) and propose the most likely matching record. This processing is used only to suggest a match; it does not create, modify, or delete QuickBooks Online data, and every proposed match is recorded and reversible. Document content is transmitted to the model only transiently to return the extracted fields and is not used to train any AI model.
6. How We Share Information
We share information only as described here:
- Service providers (subprocessors). We use vendors to operate the Service, each bound by a data processing agreement and permitted to use data only to provide services to us: Intuit (QuickBooks Online API), Cloudflare R2 (temporary document storage), Anthropic (AI content matching, Section 5), Stripe (payment processing), Clerk (authentication), Resend (transactional email), Railway (hosting and database), and Sentry (error monitoring).
- Legal requirements. We may disclose information where required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Hollis Technologies, our users, or others.
- Business transfers. If Hollis Technologies is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction; we will notify you before your information becomes subject to a different privacy policy.
7. QuickBooks Online Data — Access, Use, Storage, and Deletion
To summarize how we handle data obtained from QuickBooks Online specifically:
- Access is granted by you via Intuit OAuth and is limited to the accounting scope necessary to read records and create or delete attachments.
- Use is limited to matching your document files, avoiding duplicates, creating attachments, and enabling undo.
- Storage of QuickBooks Online data is limited to the minimum needed to run and verify a migration; OAuth tokens are encrypted at rest.
- Deletion of OAuth tokens occurs when you disconnect a company; cached QuickBooks Online data and uploaded files are deleted on the schedule in Section 8. You may request deletion at any time using the contacts in Section 15.
8. Data Retention
We retain data only as long as needed to provide the Service and meet legal obligations:
- Uploaded document files and cached QuickBooks Online data — automatically deleted 30 days after a migration completes, configurable to 7 days or immediate deletion in your settings.
- Attachment ledger (undo records) — retained for the 30-day undo window, then purged.
- OAuth tokens — deleted upon disconnection of the company.
- Account information — retained while your account is active and deleted on request after closure.
- Billing records — retained as required by financial and tax regulations (up to 7 years).
- Error and security logs — retained for up to 90 days.
9. Data Security
We implement industry-standard safeguards, including: encryption of data in transit using TLS/HTTPS; encryption of sensitive data at rest (including OAuth tokens); access controls limiting who can access production data; the manifest-first model that avoids uploading document contents during free analysis; redaction of sensitive fields from error logs; rate limiting and abuse protections; and regular security reviews and dependency updates. No method of transmission or storage is completely secure; if you believe your data has been compromised, contact [email protected] immediately.
10. GDPR — Rights of EEA, UK, and Swiss Users
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR and applicable local law, including the rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. Our legal bases for processing include performance of a contract, our legitimate interests in operating and improving the Service, and compliance with legal obligations. To exercise these rights, contact [email protected]; we will respond within 30 days.
11. CCPA / CPRA and Other US State Privacy Rights
If you are a California resident, the CCPA as amended by the CPRA gives you rights to know, delete, and correct your personal information, to opt out of the sale or sharing of personal information (we do not sell or share it for cross-context behavioral advertising), and to non-discrimination for exercising your rights. Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, and others) have similar rights. To exercise these rights, contact us using the details in Section 15.
12. International Data Transfers
Hollis Technologies is based in the United States and processes data there. If you are located elsewhere, your data may be transferred to and processed in the United States. Where required by applicable law, we use appropriate safeguards, such as standard contractual clauses, for international transfers.
13. Children's Privacy
The Service is not directed to individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
14. Cookies and Tracking
The attachlysync.com website and application use only the cookies necessary for authentication and session management (including those set by our identity provider) and basic analytics. You can control cookies through your browser settings.
15. Changes and Contact
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, notify you by email or in-app. If you have questions or requests:
- Privacy: [email protected]
- Security: [email protected]
- Support: [email protected]
- Website: attachlysync.com
Attachly — file sync for QuickBooks®, by Hollis Technologies. Attachly is not affiliated with, endorsed by, or sponsored by Intuit Inc. QuickBooks and QuickBooks Online are trademarks of Intuit Inc., used here for identification only.
This Privacy Policy is provided for informational purposes. Hollis Technologies recommends consulting a qualified legal professional to ensure full compliance with the laws applicable to your business.