Privacy Policy

Effective date

May 26, 2026

This policy applies to Blaine Heffron Consulting, operated by Blaine Heffron. A signed client agreement, statement of work, NDA, data processing agreement, or vendor authorization controls if it gives more specific instructions for a client engagement.

Custom operations dashboards and internal tools.
Workflow automations, reporting systems, and approval queues.
OAuth-connected services such as accounting, billing, ecommerce, CRM, workspace, shipping, analytics, and support tools.
Public websites, contact forms, support requests, and business communications.

Information handled

Data depends on the systems a client connects

Business account, contact, customer, vendor, product, inventory, order, invoice, quote, payment, shipment, support, and task records.
Connected-app metadata, OAuth scopes, access status, refresh-token status, sync timestamps, error states, and audit logs.
Files, exports, notes, documents, workflow rules, approval decisions, and other materials a client provides for a project.
Technical data such as browser type, IP address, device information, request logs, diagnostic logs, crash reports, and security events.

Use

Data is used to operate and support the requested tools

Build, operate, secure, debug, and improve client dashboards, integrations, reports, queues, and automations.
Read or sync information from third-party services when a client authorizes the connection.
Prepare summaries, exception lists, approval queues, draft messages, reconciliation views, and operational reports.
Provide consulting, support, billing, project management, compliance records, security review, and incident response.

OAuth and connected services

Connected-account access is used for the client-authorized workflow

When a client connects a third-party account, Blaine Heffron Consulting requests access needed for the approved dashboard or automation. OAuth tokens, API keys, client secrets, and refresh tokens are handled as secrets and are not sold, rented, or used for unrelated advertising. Access can be revoked through the third-party provider or by contacting Blaine Heffron Consulting.

For accounting and financial platforms, including Intuit QuickBooks and Stripe, connected data is used only to provide the requested dashboard, reporting, billing, reconciliation, or automation service. QuickBooks data is not provided to third parties, exported, saved, or stored except as needed for the functional use of the approved app or service and as permitted by Intuit's developer requirements.

Data posture

Least-privilege scopes where practical.
Server-side secret storage or secret-manager references.
Redacted logs and evidence summaries where practical.
Human approval gates for sensitive writes unless separately authorized.

Google API data

Google user data is limited to the authorized feature

Use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google Workspace data is used only to provide or improve the client-authorized dashboard, integration, report, search, automation, or support workflow visible to the authorized user.
Google user data is not sold, used for advertising, used to determine creditworthiness or lending eligibility, or used to create, train, or improve generalized AI or machine-learning models.
Humans access Google user data only with documented client consent, for support or security purposes, to comply with law, or when data has been aggregated and anonymized for internal operations.
Clients may request deletion, export, access revocation, or connection removal for Google data, subject to provider controls, backup cycles, security records, legal duties, and any signed agreement.

Automation and AI

Human review stays central for sensitive actions

Customer-facing, financial, inventory-affecting, fulfillment-affecting, destructive, public publishing, or claim-submission actions remain draft-only, disabled, or human-approved unless a client gives narrower written authorization.
AI systems may be used to classify, summarize, draft, reconcile, search, or prepare operational work when authorized by the client agreement or project instructions and permitted by the connected provider's terms.
Where practical, inputs are minimized or redacted before being sent to vendors used for hosting, monitoring, email, storage, databases, LLM/API services, or other project infrastructure. Provider-restricted data, including Google Workspace and QuickBooks data, is handled under the stricter provider-specific limits in this policy.

Sharing

Service providers are used to run the work

Data may be processed by infrastructure, hosting, database, storage, monitoring, analytics, email, payment, LLM/API, and development-support vendors needed to deliver the service, except where provider rules or a written agreement require narrower handling.
Data may be sent to third-party services that the client connects or instructs Blaine Heffron Consulting to use.
Data may be disclosed when required by law, to protect rights and security, to complete a business transfer, or with the client's direction or consent. Provider-restricted data is transferred in a business transfer only with any explicit consent or other conditions required by the applicable provider policy.

Retention and rights

Data is retained only as needed for the engagement and records

Project data is retained while needed to deliver, support, secure, audit, or improve the requested work, or as required for legal, tax, billing, and dispute records.
Clients may request export, correction, deletion, access revocation, or connection removal, subject to backup cycles, legal duties, security records, and any signed agreement.
Blaine Heffron Consulting uses reasonable administrative, technical, and operational safeguards, but no internet-connected system can be guaranteed perfectly secure.
This service is intended for business use and is not directed to children under 13.