Reckonry — operated by Reckonry LLC — is a profitability service for US accounting firms that run on Karbon. This Privacy Policy explains what personal data we process, why, and how. It applies to the Reckonry web app (reckonry.ai), the OAuth bridge (auth.reckonry.ai), the marketing site, and any supporting APIs (collectively, the “Service”).
Plain-English summary. Your firm’s practice data — clients, work items, time, invoices — is processed for the sole purpose of computing the metrics you see in Reckonry. We don’t sell it, share it with advertisers, or train AI on it. Sub-processors are listed below; you can export reports from your dashboards or delete your firm at any time from Settings › Account › Delete account.
1. Who we are
The data controller is Reckonry LLC, PO Box 735, International Falls, MN 56649, USA. For Customer Data we sync from your Karbon tenant, your firm is the controller and Reckonry is the processor under your instructions. For your Member account data (sign-in, profile, in-app activity), Reckonry is the controller.
1.1 Geographic scope
The Service is offered to US-based accounting firms only. We do not target or knowingly accept sign-ups from residents of the EU, EEA, United Kingdom, or Switzerland, and the Service is not designed to comply with the GDPR, the UK GDPR, or other non-US data-protection regimes. If you’re outside the United States, please don’t use the Service.
2. Data we process
2.1 Customer Data (synced from Karbon)
With the Karbon Access Key and Bearer Token your administrator provides, we read and store the following from api.karbonhq.com:
- Users / Staff. Name, email, role/title, employment status. Used to attribute time and to compute per-staff cost.
- Clients. Client name, key identifiers, contact fields. Used as the bucket for per-client revenue and margin.
- Work items.Title, status, dates, fee type (Fixed Fee / T&M), assigned staff. Used for per-work-item and per-work-type recognition.
- Time entries. Hours, date, work item, staff, billable / non-billable, billed status. The core driver of cost and recognition.
- Invoices and invoice lines. Issued, sent, billed amounts, fee values, billing references back to work items or time entries. Used to recognise revenue.
2.2 Cost data you enter directly
Settings › Cost data lets you record per-staff hourly cost (with effective-dating) and tenant-wide overhead allocations. We process those numbers only to compute the metrics in your reports.
2.3 Member account data
We collect, for each Member who signs in:
- The verified email address and the unique identifier provided by your identity provider (Google or Microsoft Entra). We don’t store passwords — sign-in is delegated to your identity provider.
- The display name from the OAuth profile (editable on
/me). - Membership in your firm and role (member, admin) plus the optional self-set role-in-firm string.
- An audit log of impersonation, deletion, trial control, and other support actions.
Reckonry support staff can impersonate a Member only at the explicit request of an Administrator for support purposes, and every impersonation event is recorded in your firm’s audit log alongside the actor, target, and reason.
2.4 Telemetry and product analytics
We use PostHog Cloud (US region) for product analytics: which routes are visited, which buttons are clicked, and metadata about sync jobs (record counts, run durations, error codes). PostHog never receives Customer Data such as client names, work-item titles, or financial figures. PostHog events are keyed by an opaque distinct ID derived from the Member ID, never by email. We do not run third-party advertising trackers and we do not use any cookies for cross-site tracking.
2.5 Marketing-attribution data
On first visit to the marketing site, we record the utm_* parameters and HTTP referer in a first-party cookie. If the same visitor signs up later, we copy that attribution onto the firm record so we can measure which campaigns convert. The cookie’s contents are described in section 5.
2.6 Operational logs
Cloud Run, Cloud SQL, and Cloudflare emit access and audit logs that record IP address, user-agent, request path, and HTTP status. We retain those for 90 days for security and operational troubleshooting.
2.7 How we protect your Karbon credentials
When you paste your Karbon Access Key and Bearer Token into Settings › Karbon, the values are envelope-encrypted with AES-256-GCM before they reach the database. The wrapping key lives in Google Secret Manager and is granted only to the background sync workload — the user-facing web workload that serves your dashboards has no IAM permission to retrieve it and cannot decrypt the stored credentials. Karbon reads run inside the sync workload, which holds the key only for the duration of the sync. A compromise of the web tier alone would not yield usable Karbon credentials.
3. Notice at collection
The categories of personal information we collect, where it comes from, who we share it with, and the purpose for each. We do not sell personal information, and we do not share it for cross-context behavioral advertising. We have not done so in the past 12 months.
| Category | Sources | Shared with | Purpose |
|---|---|---|---|
| Identifiers (Member name, email, identity-provider subject) | You and your identity provider | Google / Microsoft (sign-in only); PostHog (as pseudonymous distinct ID); Resend (transactional email) | Authenticate, contact, and audit Members |
| Commercial information (firm practice data: clients, work items, time, invoices) | Your Karbon tenant | Google Cloud (hosting); Karbon (source) | Compute the metrics you see in Reckonry |
| Financial information (payment method token, billing-event metadata) | You via Stripe | Stripe (processor) | Charge for subscription usage |
| Internet / network activity (request logs, page views, button clicks) | Your browser, our servers | PostHog (pseudonymous events); Cloudflare, Google Cloud (security logs) | Operate, secure, and improve the Service |
| Inferences (recognized revenue, margin, recovery figures) | Computed from the above | Google Cloud (hosting only) | Power your reports |
4. Purposes
Plain-English versions of what we do with each category:
- Service delivery
- Sync from Karbon, compute reports, take payment, send transactional email about your account.
- Security
- Detect abuse, investigate incidents, keep your firm’s data safe.
- Product improvement
- Understand which features get used and where flows break, using pseudonymous events only.
- Legal & tax obligations
- Retain billing and audit records as required by US tax, accounting, and breach-notification laws.
We do not use Customer Data to train machine-learning models, and we do not share Customer Data with third parties for their own marketing or advertising.
5. Who we share data with
Reckonry uses the following sub-processors. Each is bound by a data-processing agreement that limits their use of Customer Data to providing the relevant service to us.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Google Cloud (GCP) | Application hosting (Cloud Run), database (Cloud SQL Postgres), object storage, Secret Manager, Cloud Tasks, Cloud Scheduler. | United States |
| Cloudflare | DNS, WAF, CDN, the OAuth bridge Worker, and the PR preview router. | Global edge |
| Karbon | The source of practice data we sync on your firm’s authorization. Your firm controls the Karbon relationship; Reckonry only reads. | Per Karbon’s policies |
| Stripe (incl. Stripe Radar) | Payment-method storage and off-session charges. We never store full card numbers; Stripe holds a tokenized payment method linked by your firm’s customer ID. Stripe Radar processes device, IP, and behavioral signals from the checkout for fraud detection — see Stripe’s Privacy Policy. | United States |
| Google & Microsoft (OAuth) | Single sign-on for Members. We receive the verified email and provider-issued identifier; they never see your Karbon data. | Provider-managed |
| PostHog Cloud (US) | Product analytics on pseudonymous Member IDs. Receives metadata about sync jobs (record counts, run durations, error codes) only — never Customer Data such as client names or financial figures. | United States |
| Resend | Transactional email (invitations, sync alerts, billing failures). | United States |
We don’t share Customer Data with anyone else. We don’t sell it, rent it, or trade it. If we’re compelled by valid legal process to disclose data, we’ll notify the affected firm unless the order forbids it.
6. Cookies
The Service uses these cookies:
- Session
authjs.session-token,authjs.csrf-token,authjs.callback-url, plus the short-lived OAuthstate/pkce/noncecookies. Required to sign you in and keep you signed in.- Marketing attribution
- First-party cookie storing the first-touch UTM tags and HTTP referer for 30 days. Set on the marketing site, never on the authenticated app.
- Invitation flow
- Three short-lived cookies that thread your invitation token, chosen name, and self-selected role through the OAuth round-trip. Cleared on completion.
We do not use cookies for cross-site tracking, advertising, or third-party analytics that identify you across other websites.
7. How long we keep it
Derived Data is the recognition rows, margin figures, and reports Reckonry produces from Customer Data plus the cost numbers you enter, as defined in our Terms of Service.
- Customer Data & Derived Data. For as long as your firm is a customer. When the firm is deleted from Settings › Account › Delete account, we remove the data immediately from primary storage. Encrypted backups age out within 35 days. We retain only what we’re legally required to keep (see below).
- Member account data. Until the Member is removed by an Administrator or the firm is deleted.
- Audit log. Retained for the period required by US recordkeeping laws (currently up to 7 years) to support security investigations and statutory recordkeeping.
- Operational logs. 90 days.
- Billing records. Retained for the period required by US tax and accounting laws (currently up to 7 years).
- Marketing-attribution cookie. 30 days from first touch.
8. Your state privacy rights
Reckonry honors the rights granted by US state privacy laws, including the laws of California (CCPA / CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Tennessee, Indiana, Iowa, and Florida.
If you’re a resident of one of those states, you can:
- Know & access — ask for a copy of the personal information we hold about you. Members can see their account data in-app on
/me; firm practice data is exportable from your dashboards in Reckonry, and the source of truth is your Karbon tenant. - Correct — fix inaccurate personal information. Names and roles are editable in-app from your account settings.
- Delete — have your personal information deleted. Administrators can delete the firm from Settings › Account › Delete account; individual Members are removed by their Administrator. Direct deletion requests can be sent via the privacy contact below.
- Portability — receive your information in a machine-readable format. CSV exports are available from each report page in your dashboard.
- Opt out of sale, sharing, and targeted advertising — we don’t do any of these, so there’s nothing to opt out of. We will honor a Global Privacy Control signal if your browser sends one.
- Opt out of profiling for decisions that produce legal or similarly significant effects — we don’t engage in such profiling.
- Appeal — if we deny a rights request, you can appeal through the privacy contact below; we’ll respond within 60 days.
We don’t discriminate against you for exercising any of these rights. We may need to verify your identity before acting on a request — typically by confirming you control the email address on file.
9. Children
Reckonry is a B2B service for accounting firms. It’s not directed at children, and we don’t knowingly collect personal information from anyone under 16. If you’re a parent or guardian and believe we’ve collected such information, please contact us at [email protected] and we’ll delete it.
10. Data-breach notification
If we discover a security incident that compromises Customer Data, we’ll notify affected firms’ Administrators without undue delay and within 72 hours of confirming impact. The notification will describe the nature of the incident, the categories of data involved, the steps we’ve taken in response, and the contact for follow-up. We’ll also comply with any applicable US state breach-notification laws, which may require notice to affected residents and state attorneys general within shorter or longer windows.
11. Sub-processor changes
Before adding or replacing a sub-processor that processes Customer Data, we’ll publish at least 30 days’ advance notice on our public sub-processor list and notify firm Administrators by email. If you object to a new sub-processor, you may terminate the Service for that reason and receive a refund of any prepaid, unused fees.
12. Changes to this policy
We’ll post material changes here at least 30 days before they take effect, and notify firm Administrators in-app when we do. The “last updated” date at the top tells you the current version.
13. Contact
Privacy questions, access requests, deletion requests, and appeals: [email protected], or by post to Reckonry LLC, Attn: Privacy, PO Box 735, International Falls, MN 56649, USA.