1. Introduction
SyncBooks ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cloud-based accounting, payroll, and AI-powered financial management platform. This policy complies with the Ghana Data Protection Act, 2012 (Act 843), the Ghana Revenue Authority Act (Act 896), and international data protection standards.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, company name, business registration details
- Financial Data: Bank account details, transaction records, invoices, expenses, payroll information, tax records
- Payment Information: Credit card details, billing address (processed securely through third-party payment processors)
- Employee Data: Names, contact details, salary information, tax identification numbers, employment records
- AI Interaction Data: Questions, prompts, and conversations with our AI assistant
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent, click patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Tracking: Session cookies, preference cookies, analytics cookies
- Log Data: Access times, error logs, system activity
3. How We Use Your Information
We use collected information for:
- Service Delivery: Provide accounting, payroll, invoicing, expense tracking, and reporting features
- AI Features: Process your queries through OpenAI's API to provide financial insights, expense categorization, anomaly detection, and forecasting
- Account Management: Create and manage your account, authenticate users, process payments
- Communication: Send transactional emails, service updates, security alerts, and support responses
- Improvement: Analyze usage patterns to enhance features, fix bugs, and optimize performance
- Security: Detect fraud, prevent unauthorized access, ensure data integrity
- Compliance: Meet legal obligations, tax reporting requirements, and regulatory standards
- Marketing: Send promotional content (with your consent, which you can withdraw anytime)
4. AI Data Processing
Our AI features are powered by OpenAI's GPT models. When you use AI features:
- Your prompts and financial data summaries are sent to OpenAI's API for processing
- OpenAI processes this data according to their Privacy Policy and Business Terms
- OpenAI does not use your data to train their models (as per their enterprise agreement)
- AI conversations are stored in our secure database for your reference
- You can delete AI conversations at any time from your dashboard
- Shared AI conversations are publicly accessible via unique links until you revoke sharing
- AI usage is subject to monthly request limits based on your subscription plan (Starter: 500, Professional: 1,500, Enterprise: 3,500, Custom: unlimited)
- An in-app disclaimer is shown at the start of every new AI conversation informing users that AI responses may contain errors and that financial data should be independently verified. Continued use of the AI assistant constitutes acknowledgment of this notice.
5. Data Sharing and Disclosure
We share your information only in these circumstances:
5.1 Third-Party Service Providers
- OpenAI: AI processing and natural language understanding
- Payment Processors: Paystack for payment processing
- Cloud Hosting: AWS, Vercel for infrastructure and hosting
- Email Services: For transactional and notification emails
- Analytics: Usage analytics (anonymized)
5.2 Legal Requirements
We may disclose information to comply with legal obligations, court orders, government requests, or to protect our rights, safety, and property.
5.3 Business Transfers
In case of merger, acquisition, or sale of assets, your information may be transferred to the new entity.
6. Data Security
We implement comprehensive security measures:
- Encryption: AES-256-CBC encryption for sensitive data (API keys, bank accounts, passwords), HTTPS/TLS for data in transit
- Access Controls: Role-based access, multi-factor authentication (2FA), session management
- Authentication: Secure JWT-based authentication with refresh tokens
- Infrastructure: Secure cloud hosting with regular security updates
- Monitoring: Activity logging and audit trails
7. Data Retention
We apply a two-tier retention policy that balances your right to erasure with Ghana's statutory record-keeping obligations:
7.1 Active Accounts
All data is retained for as long as your account remains active and your subscription is in good standing.
7.2 Subscription Expiry & Grace Period
When your subscription expires, you enter a 7-day grace period during which your account remains fully accessible. If you renew within this period, no data is affected.
7.3 Suspended Accounts & Deletion Schedule
If the grace period passes without renewal, your account is suspended (read-only access) and a 60-day deletion countdown begins immediately. You will be notified of the exact deletion date. During these 60 days you can still export your data and renew your subscription to cancel the deletion.
If no action is taken within 60 days of suspension, the following occurs automatically:
- Non-financial data purged immediately: AI conversations, audit logs, notification history, preferences, and session data are permanently deleted
- Financial records retained for 7 years: Invoices, expenses, payroll runs, journal entries, bank transactions, and general ledger entries are archived and retained until the 7-year statutory period expires, as required by the Ghana Revenue Authority Act (Act 896)
- User accounts deactivated: All user logins for the organization are permanently disabled
7.4 Voluntary Account Closure
If you close your account voluntarily, the same two-tier policy applies: non-financial data is deleted within 60 days, and financial records are retained for 7 years from the date of closure to meet statutory obligations. You have 60 days from closure to export your data before non-financial records are purged.
7.5 Specific Retention Periods
- Financial records (invoices, expenses, payroll, journal entries): 7 years — Ghana Revenue Authority Act (Act 896)
- AI conversations: Until you delete them, or 60 days after account suspension/closure
- Audit logs: 2 years for active accounts; purged 60 days after suspension/closure
- Backups: Purged data removed from backups within 60 days
8. Your Rights (Ghana Data Protection Act)
Under Ghana's data protection laws, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to the 7-year statutory retention requirement for financial records)
- Portability: Export your data in CSV, JSON, Excel, or PDF format at any time
- Restriction: Limit how we process your data
- Objection: Object to processing for marketing purposes
- Withdraw Consent: Revoke consent for optional data processing
- Lodge Complaint: File a complaint with the Data Protection Commission of Ghana
To exercise these rights, contact us at privacy@syncbooks.com.
9. International Data Transfers
Your data may be transferred to and processed in countries outside Ghana, including the United States (OpenAI servers, Vercel, AWS). We ensure adequate safeguards through standard contractual clauses and data processing agreements that meet international standards.
10. Cookies and Tracking
We use cookies for:
- Essential Cookies: Authentication, security, session management (cannot be disabled)
- Functional Cookies: Remember preferences, language settings
- Analytics Cookies: Understand usage patterns, improve features (can be disabled)
- Marketing Cookies: Personalized advertising (requires consent)
You can manage cookie preferences in your browser settings or through our cookie consent banner.
11. Children's Privacy
SyncBooks is not intended for individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately for deletion.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email and in-app notification 30 days before they take effect. Continued use after changes constitutes acceptance.