UppaGo

Data Security

Deleting your data

You can request deletion of your account and Customer Content by emailing privacy@uppago.com. Each request is reviewed and approved by UppaGo's founders and processed manually. We are working toward customer-initiated deletion controls.

When we delete an account at your request, the following is removed or anonymized: documents and their extracted data, vendor records, bank-feed transactions, learned approval patterns specific to your workspace, and your profile fields.

Our deletion workflow includes QuickBooks and Plaid provider-revocation steps. Provider revocation, hosted-record removal, and account anonymization run as an audited deletion workflow once a request is approved. Approval requires a second admin's co-approval and explicit founder authorization; live customer deletions are not initiated automatically. We have verified the audited deletion workflow end-to-end on a disposable test workspace.

Before a deletion can be executed, any active paid subscription must be canceled. If you have a paid plan, please cancel via your Stripe Customer Portal before submitting a deletion request — otherwise the request is paused at approval until billing is in a canceled or free state. Subscription cancellation alone does not delete your data; deletion is a separate request.

Some records are retained even after deletion, by design:

  • The audit trail of actions taken on your account is append-only and never deleted, so we keep a faithful record of what happened.
  • 1099 forms generated through UppaGo are retained for IRS-required tax-record obligations, with the recipient's name, tax identification number, and address redacted at the time of deletion.
  • Stripe retains its own billing records for finance and tax obligations, independent of UppaGo. We sever UppaGo's local link to the Stripe customer record during approved deletion; we do not delete records inside Stripe.

A few things sit outside what we can delete on our end: files you have already downloaded — CSVs, PDFs, reports — live on your own devices and cloud-storage accounts. Deleting your UppaGo account does not reach those copies; please remove them from your devices yourself.

We do not use any of your data to train public AI models.

Key data-handling actions are recorded

UppaGo's audit trail records the data-handling actions you and Tally take inside your workspace, including:

  • Document extraction
  • Approval, rejection, and correction
  • QuickBooks push (Bill commits and previews)
  • Provider connection changes (QuickBooks and Plaid connect and disconnect)
  • Document deletion
  • Deletion-request processing

Update and delete on audit records are blocked at the database layer for every role, including ours. The records are append-only by design.

Audit records are designed not to contain raw credentials, raw tokens, document contents, or unsafe personal details. Before an audit record is written, a redaction layer enforces a per-category allowlist and blocks known secret and token patterns.

When you push a Bill to QuickBooks, we record whether QuickBooks accepted it, whether a duplicate already existed, or whether the push failed — each outcome is its own audited event. When QuickBooks or Plaid is connected or disconnected from your workspace, the connection lifecycle is audited. We never record a clean success if the step that stores your authorization on our side fails.

Questions

For deletion requests or privacy questions, email privacy@uppago.com. For product support, use the Support link in the page footer.

Verification we're working toward

We are working toward SOC 2 Type II independent verification. We do not claim security or compliance certifications we do not currently hold.

We do not train AI on your business data

We do not train AI models on your business data. Documents, transactions, corrections, vendor records, and other Customer Content you submit are not used to train, fine-tune, retrain, or improve any general-purpose AI model — neither ours nor any third-party provider's. Third-party AI providers we send extracts to operate under contracts that prohibit them from using your data to train their models.

Working with QuickBooks, Plaid, Stripe, and AI providers

QuickBooks. You connect QuickBooks through Intuit's standard OAuth flow. UppaGo holds the authorization to push Bills and read the data needed for matching. The connection lifecycle is audited end-to-end.

Plaid. Bank-feed credentials are entered with Plaid, not with us. We don't see your bank login. Transaction data Plaid returns is stored in your tenant-scoped workspace.

Stripe. Payment information is handled by Stripe. We don't store card numbers, bank routing numbers, or billing addresses on our systems.

AI providers. Where we send extracts of your data to AI providers for processing (for example, document extraction and embeddings), those providers operate under contracts that prohibit them from using your data to train their own models.

Your workspace is private

Every business in UppaGo has its own private workspace. Documents, vendors, learned patterns, and memory for one workspace are scoped to that workspace at the database query layer. Two SMBs using UppaGo independently never see each other's data.

Tenant isolation is enforced at the application query layer on every read and write to tenant-owned tables. Row-level security policies are also enabled at the database layer as a defense-in-depth backstop.

If you're a bookkeeper firm with multiple clients in UppaGo, each client has their own workspace. Your firm's access to a client's workspace is explicit — it's set up at onboarding, not assumed.