Privacy Policy
Last Updated: December 15, 2025
Structur (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QuickBooks Invoicing integration for HubSpot (the “Service”).
Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
When you install and authorize the Service, we collect:
- Account Information: Your HubSpot account ID, user ID, and email address
- QuickBooks Account Information: Your QuickBooks company ID and user identifier
- Authorization Tokens: OAuth tokens required to access your HubSpot and QuickBooks accounts (stored encrypted)
- Application Settings: Your configuration preferences for the integration (e.g., field mappings, sync preferences, default invoice templates)
1.2 Information We Access But Do Not Store
The Service accesses the following data to provide synchronization functionality, but does not store or persist this data on our servers:
- HubSpot CRM Data: Contact information, company records, deal information, and custom properties (accessed in real-time during sync operations only)
- QuickBooks Data: Customer records, invoice data, payment status, and product/service items (accessed in real-time during sync operations only)
This data is transmitted directly between HubSpot and QuickBooks through our Service but is not retained in our databases or systems after the synchronization completes.
1.3 Information Collected Automatically
Through your use of the Service, we automatically collect:
- Usage Data: Information about how you interact with the Service, including actions taken (e.g., “invoice created”), features used, and frequency of use
- Technical Data: IP addresses, browser type, device information, timestamps, and log data
- Error Logs: Technical error messages and debugging information (without storing customer data content)
1.4 Scopes and Permissions
The Service requests only the minimum OAuth scopes necessary to function:
HubSpot Scopes:
- crm.objects.contacts.read - Read contact information for invoice creation
- crm.objects.companies.read - Read company information for invoice creation
- crm.objects.deals.read - Read deal information to trigger invoice creation
- crm.objects.deals.write - Update deal stages based on invoice status
- crm.schemas.contacts.read - Read contact property definitions
- crm.schemas.companies.read - Read company property definitions
- crm.schemas.deals.read - Read deal property definitions
QuickBooks Scopes:
- com.intuit.quickbooks.accounting - Full access to QuickBooks accounting data (customers, invoices, products, payment status)
We do not request access to any sensitive data as defined in HubSpot’s Terms of Service.
2. How We Use Your Information
We use the information we collect to:
2.1 Provide the Service
- Authenticate and authorize access to your HubSpot and QuickBooks accounts
- Facilitate real-time data synchronization between HubSpot and QuickBooks
- Create and update invoices in QuickBooks based on HubSpot deals
- Update HubSpot deal stages based on QuickBooks invoice status
- Display invoice information within HubSpot
- Store your integration settings and preferences
2.2 Maintain and Improve the Service
- Monitor and analyze aggregated usage patterns to improve functionality (without accessing customer data content)
- Detect, prevent, and address technical issues
- Develop new features and enhancements
- Ensure the Service remains compatible with HubSpot and QuickBooks API changes
2.3 Communicate with You
- Send transactional emails related to your use of the Service
- Provide customer support and respond to your inquiries
- Notify you of important changes to the Service or this Privacy Policy
- Send optional marketing communications (with your consent)
2.4 Ensure Security and Compliance
- Protect against fraud, abuse, and unauthorized access
- Enforce our Terms of Service
- Comply with legal obligations and respond to legal requests
Important: We act solely as a data conduit. Your HubSpot and QuickBooks data passes through our Service during synchronization but is not stored, analyzed, or used for any purpose other than real-time transfer between the two platforms.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you have requested
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security
- Consent: Where you have provided explicit consent for specific processing activities
- Legal Obligation: Processing necessary to comply with legal requirements
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:
4.1 With Your Consent
We may share your information with third parties when you have given us explicit permission to do so.
4.2 Service Providers
We may share limited information with trusted third-party service providers who assist us in operating the Service, including:
- Cloud Hosting Providers: For storing OAuth tokens (encrypted) and application settings
- Analytics Providers: For aggregated usage analysis and performance monitoring (no customer data content)
- Customer Support Tools: For providing customer support
All service providers are contractually obligated to protect your information and use it only for the purposes we specify.
4.3 HubSpot and QuickBooks
The Service facilitates data exchange between HubSpot and QuickBooks as necessary to provide the integration functionality. Your use of HubSpot and QuickBooks is governed by their respective privacy policies:
- HubSpot Privacy Policy: https://legal.hubspot.com/privacy-policy
- Intuit Privacy Statement: https://www.intuit.com/privacy/statement/
Data flows directly between HubSpot and QuickBooks through our Service without persistent storage on our servers.
4.4 Business Transfers
If Structur is involved in a merger, acquisition, or sale of assets, your information (OAuth tokens and settings) may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your information.
4.5 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).
4.6 Protection of Rights
We may disclose your information to:
- Enforce our Terms of Service and other agreements
- Protect the rights, property, or safety of Structur, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
5. Data Retention
Because we do not store your HubSpot CRM data or QuickBooks data, our data retention practices are minimal:
5.1 What We Retain
- OAuth Tokens: Retained while your account is active and deleted within 24 hours of account termination or authorization revocation
- Application Settings: Retained while your account is active and deleted within 90 days of account termination
- Usage Logs: Aggregated and anonymized usage data retained for up to 12 months for analytical purposes
- Technical Logs: System logs containing IP addresses and timestamps retained for up to 90 days for security and troubleshooting
5.2 What We Do NOT Retain
- HubSpot contact, company, or deal data
- QuickBooks customer, invoice, or transaction data
- Any customer-specific business information beyond OAuth tokens and settings
5.3 Data Deletion
You can request deletion of your OAuth tokens and settings at any time by:
- Revoking authorization in your HubSpot or QuickBooks account settings
- Uninstalling the Service from HubSpot
- Contacting support@structur.app
Upon termination, we delete your OAuth tokens within 24 hours and application settings within 90 days.
6. Data Security
We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction:
6.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser, our servers, HubSpot, and QuickBooks is encrypted using TLS 1.2 or higher
- Encryption at Rest: OAuth tokens are encrypted at rest using AES-256 encryption
- OAuth Security: We use OAuth 2.0 for authentication and never store your HubSpot or QuickBooks passwords
- No Data Persistence: HubSpot and QuickBooks data is processed in memory during sync operations and not written to disk or databases
- Access Controls: We implement role-based access controls to limit internal access to encrypted OAuth tokens and settings
- Monitoring: We monitor systems for suspicious activity and security threats
- Regular Security Audits: Periodic vulnerability assessments and penetration testing
6.2 Organizational Measures
- Employee training on data protection and security best practices
- Confidentiality agreements with all employees and contractors
- Incident response procedures for security events
- Least-privilege access principles
Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee absolute security of your information.
7. Your Data Protection Rights
Depending on your location, you may have the following rights regarding your personal
7.1 Right of Access
You have the right to request a copy of the personal data we hold about you (OAuth tokens, settings, and usage logs).
7.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data (application settings).
7.3 Right to Erasure
You have the right to request deletion of your personal data. Because we store minimal data, you can easily delete your data by revoking authorization or uninstalling the Service.
7.4 Right to Restriction
You have the right to request restriction of processing of your personal data in certain circumstances.
7.5 Right to Data Portability
You have the right to receive your personal data (application settings) in a structured, commonly used, and machine-readable format.
7.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time by revoking OAuth authorization.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
To exercise any of these rights, please contact us at support@structur.app. We will respond to your request within 30 days.
8. International Data Transfers
The Service is operated from and hosted in the United Kingdom. If you are located outside the UK, your information (OAuth tokens and settings) will be transferred to, stored, and processed in the UK.
Important: Your HubSpot and QuickBooks data is not transferred to or stored by us. It remains in HubSpot’s and QuickBooks’ respective data centers and is subject to their data residency policies.
For users in the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place for international data transfers of OAuth tokens and settings, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Other legally recognized transfer mechanisms
By using the Service, you consent to the transfer of your OAuth tokens and settings to the UK.
9. Children’s Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at support@structur.app, and we will take steps to delete such information.
10. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.
11. Do Not Track Signals
Some browsers include a “Do Not Track” (DNT) feature that signals to websites that you do not want your online activities tracked. The Service does not currently respond to DNT signals.
12. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
12.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected about you (OAuth tokens, settings, usage logs).
12.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
12.3 Right to Opt-Out of Sale
We do not sell personal information. If our practices change, we will update this policy and provide an opt-out mechanism.
12.4 Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising your CCPA rights.
To exercise these rights, contact us at support@structur.app. We will verify your identity before processing your request.
13. Data Processing Agreement
For customers subject to GDPR or other data protection regulations, we act as a data processor on your behalf with respect to OAuth tokens and application settings. We do not process or store your HubSpot CRM data or QuickBooks data - these remain under your control in their respective platforms.
You are the data controller responsible for ensuring lawful processing of personal data in HubSpot and QuickBooks.
Upon request, we can provide a Data Processing Agreement (DPA) that includes:
- Details of data processing activities (limited to OAuth tokens and settings)
- Security measures implemented
- Sub-processor information
- Data breach notification procedures
- Assistance with data subject requests
To request a DPA, contact support@structur.app.
14. Cookies and Tracking Technologies
The Service uses minimal cookies and similar tracking technologies:
14.1 Essential Cookies
Cookies necessary for the Service to function, including authentication and session management.
14.2 Analytics Cookies
Cookies that help us understand how you use the Service to improve functionality (with your consent where required). Analytics are aggregated and do not include customer data content.
14.3 Managing Cookies
You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of the Service.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a new “Last Updated” date
- Sending an email notification to the address associated with your account
- Providing an in-app notification
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes. We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Structur
Email: support@structur.app
Website: https://structur.app
Address: London, United Kingdom
Data Protection Officer: For GDPR-related inquiries, contact support@structur.app with “DPO Request” in the subject line.
17. Supervisory Authority
If you are located in the EEA or UK and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local supervisory authority:
UK: Information Commissioner’s Office (ICO) - https://ico.org.uk
EEA: Your local data protection authority - https://edpb.europa.eu/about-edpb/board/members_en
18. Summary of Our Privacy-First Approach
To summarize our minimal data collection practices:
What We Store:
- Encrypted OAuth tokens (for authentication)
- Your application settings and preferences
- Aggregated usage logs (no customer data content)
What We Do NOT Store:
- HubSpot contacts, companies, or deals
- QuickBooks customers, invoices, or transactions
- Any of your business data or customer information
How Data Flows:
- You trigger a sync action in HubSpot
- We retrieve relevant data from HubSpot using your OAuth token
- We immediately transmit that data to QuickBooks using your OAuth token
- Data is processed in memory and not persisted to our databases
- Sync status is recorded (success/failure) without storing data content
This architecture ensures maximum privacy and minimal compliance burden for both you and us.
Acknowledgment: By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your information as described herein.