Privacy Policy

Effective May 5, 2026

LumberStax ("we", "our", or "us") provides a software-as-a-service platform that helps lumber companies manage purchase orders, inventory, shipping, customer relationships, and accounting integrations. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.

1. Information We Collect

Account information. When a user signs up or is invited to a LumberStax tenant, we collect their name, email address, role, and the company (tenant) they belong to. Authentication is handled by Supabase Auth using industry-standard JSON Web Tokens.

Business operations data. Within the platform, users enter or upload data such as purchase orders, sawmill invoices, customer records, freight invoices, run sheets, dispatch sheets, BOLs, PODs, and inventory transactions. This data is stored under the user's tenant and is only visible to authorized members of that tenant.

Connected-service data (QuickBooks Online). When you connect your QuickBooks Online (QBO) company to LumberStax, we receive an OAuth refresh token, an access token, and your QBO Realm ID. We use these tokens solely to create or update invoices in your QBO company on your behalf. We do not read, store, or transmit data from your QBO company beyond what is required to complete the operation you requested (e.g. looking up a customer by name to attach an invoice).

Document attachments. When invoices, BOLs, PODs, or other documents are uploaded or forwarded by email, the files are stored in a private Supabase Storage bucket. AI-based parsing (Claude) is used to extract structured fields such as line items, totals, and reference numbers; the extracted text and the original document are retained on our infrastructure for audit purposes.

Usage and diagnostic logs. We log API requests, status changes, and integration events (such as QuickBooks push attempts) to help diagnose problems and provide audit trails. These logs include user identifiers, tenant identifiers, timestamps, and high-level outcomes. They do not include passwords or raw credit card numbers.

2. How We Use Information

  • Provide and operate the LumberStax service.
  • Authenticate users and authorize access to tenant data.
  • Send invoices to QuickBooks Online and similar third-party services that you have explicitly connected.
  • Send transactional emails (shipping confirmations, payment reminders, document approvals).
  • Diagnose bugs, monitor performance, and improve the service.
  • Comply with legal obligations.

We do not sell or rent personal information. We do not use your business data to train machine learning models that benefit other customers.

3. Sharing & Service Providers

We share information with the following categories of service providers, each under a contract that limits their use of the data to providing services for us:

  • Hosting & infrastructure: Vercel, Supabase.
  • Email delivery: Resend.
  • AI document parsing: Anthropic (Claude API).
  • Accounting integration (when you connect it): Intuit / QuickBooks Online.

4. Data Security

Data in transit is encrypted with TLS. Data at rest is encrypted by our infrastructure providers. Access to the production database is restricted to authorized personnel using separate credentials. Tenant isolation is enforced at the database layer via row-level security policies and at the application layer by explicit tenant scoping in every API route.

5. Your Rights

You may request a copy of the data associated with your account, ask us to correct inaccurate information, or ask us to delete your account. For tenants with an admin user, a self-service export and deletion flow is available in Settings. To exercise these rights for an individual user, contact your tenant administrator or email privacy@lumberstax.com.

6. Disconnecting QuickBooks

You can disconnect QuickBooks at any time from Settings → QuickBooks Online → Disconnect. When you do, we revoke the refresh token at Intuit and delete the stored token from our database. Invoices already pushed to your QuickBooks company remain there; we do not delete data inside QuickBooks on disconnect.

7. Retention

Tenant data is retained for as long as the account is active and for a reasonable period thereafter to permit recovery from accidental deletion. Audit logs and sync history are retained for up to 24 months. Deleted-tenant data is purged within 90 days of deletion request.

8. Changes to This Policy

We may update this policy as the service evolves. Material changes will be announced in the application and via email to tenant administrators at least 14 days before they take effect. The current version is always available at this URL.

9. Contact

Questions about this policy: privacy@lumberstax.com.

© 2026 LumberStax. All rights reserved.