Privacy Policy

Last updated: 2026-06-08

This privacy policy describes how the Magnetic Mic ACH Automation app ("the App") handles data when connected to a QuickBooks Online ("QBO") company.

What this app is

The App is an internal automation built for Innovative Products, Inc. d/b/a Magnetic Mic ("the Business"). It runs once per day, identifies QBO invoices flagged for automatic ACH collection on their due date, and initiates ACH debits via Intuit's QuickBooks Payments API.

The App is not a public service. It is operated by Greg Curtiss as an independent contractor on behalf of the Business and is used solely for the Business's own customer collections.

What QBO data the App accesses

When connected to a QBO company, the App accesses the following data via Intuit's APIs:

• Customer records — name, contact information, the value of the "ACH Auto Payment Form On File?" custom field
• Invoice records — amount, due date, balance, customer reference
• Stored bank accounts on customer records — referenced by Intuit token (not raw account or routing numbers)
• Payment records created by the App itself

The App does not access:

• Bank statements, transactions, or account balances
• Employees, payroll, or vendor data
• Reports, journals, or general ledger data
• Any other QBO data outside the scope listed above

What the App does with this data

The App reads invoices due on or before the current date, evaluates each customer's "ACH Auto Payment Form On File?" status, and (for opted-in customers with a stored bank account) initiates an ACH debit via Intuit's Payments API and records the resulting payment in QBO.

The App does not export QBO data anywhere. All API calls are between the App and Intuit's servers. No customer data is sent to third parties.

How data is stored

• OAuth tokens (refresh token, realm ID) are stored in a 1Password vault under the operator's control, encrypted at rest and in transit. The vault is scoped exclusively to this App.
• A local ledger of processed invoices (invoice ID, eCheck ID, payment ID, amount, timestamp) is stored in a SQLite database on a DigitalOcean droplet to prevent double-charging.
• No QBO customer data, bank account details, or transaction history beyond the ledger is persisted by the App.
• The droplet runs Ubuntu LTS with system-level security updates applied automatically, a restrictive firewall (SSH only), and fail2ban for SSH brute-force protection. SSH access is key-only; password authentication is disabled.

Who has access

Only the operator (Greg Curtiss) has access to the App's infrastructure, secrets vault, and ledger. The Business's authorized personnel can request inspection of any of these at any time.

Data retention and deletion

• OAuth tokens are retained for as long as the App is connected to a QBO company.
• The processed-invoice ledger is retained for the operating lifetime of the App.
• Upon disconnect (via QBO's Apps & subscriptions page), the App's refresh token is invalidated by Intuit and can no longer be used. The operator will delete the corresponding 1Password entry within 30 days of disconnect notification.
• The ledger may be deleted upon written request from the Business.

Disconnecting the App

The Business may disconnect the App at any time by signing into QBO and visiting Settings → Apps & subscriptions → Connected apps → Magnetic Mic ACH → Disconnect. Once disconnected, the App's refresh token becomes invalid and no further API calls succeed.

Operational email notifications

The App sends daily summary emails and operational failure alerts to the operator's personal email address. These emails contain invoice numbers, customer names, dollar amounts, and operational status. They do not contain bank account numbers, routing numbers, full card numbers, or other sensitive payment data.

Third-party services

The App relies on the following third-party services:

• Intuit QuickBooks Online and QuickBooks Payments — payment processing services are provided by Intuit Payments Inc.; data sent to Intuit's APIs is subject to Intuit's own privacy policy
• DigitalOcean — hosting provider for the App's runtime
• Resend — transactional email service for the daily summary emails
• 1Password — secrets management for OAuth tokens

These vendors process App data subject to their own terms and privacy policies. The App does not share customer-identifying data with these vendors beyond what is operationally necessary (e.g. customer names appear in summary emails sent via Resend; OAuth tokens are stored in 1Password).

Contact

Questions about this policy or the App's data handling:

Greg Curtiss — gcurtiss91@proton.me

Updates

The operator may update this policy from time to time. Updates are made by replacing this page at https://ach.magneticmic.com/privacy. The Last updated date at the top reflects the current version.