Effective Date: January 30, 2026 | Last updated: March 9, 2026
EZDocPro, operated by ABCD Systems LLC ("we,""us," or"our"), provides cloud-based bookkeeping, tax categorization, payroll, and financial management services ("Services"). This Privacy Policy describes how we collect, use, store, share, and protect your personal and financial information when you use our website at ezdocpro.com and our Services.
By creating an account or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Services.
We collect information that you voluntarily provide to us when you register, use our Services, or contact us:
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Name, email address, company/firm name, phone number, password (stored as bcrypt hash only) | Account creation, authentication, communication |
| Billing Information | Payment method details (processed by Square — we never store full card numbers) | Subscription billing, payment processing |
| Client Data | Client names, business names, contact information you input into our system | Client management, document organization |
| Financial Documents | Uploaded bank statements, tax documents, receipts, invoices (PDFs) | Transaction extraction, categorization, tax preparation |
| Transaction Data | Dates, descriptions, amounts, categories, account identifiers (last 4 digits only) | Bookkeeping, reporting, Schedule C preparation |
| Bank Connection Data | Institution name, account type, last 4 digits (via Plaid) | Automated bank feeds, reconciliation |
| Payroll Data | Employee names, compensation, tax withholdings, state of employment | Payroll processing, tax compliance |
| Tax Identifiers | Last 4 digits of SSN or EIN only — we never store full tax identification numbers | Customer identification, tax document preparation |
| Communications | Any information you provide when contacting our support team | Customer support, service improvement |
When you access our Services, we automatically collect certain information:
We use the information we collect for the following purposes:
When you choose to connect a bank account through our Services, we use Plaid Inc. ("Plaid") to establish a secure connection between your financial institution and EZDocPro. By connecting your bank account, you authorize Plaid to access your financial data on your behalf.
Plaid's handling of your data is governed by Plaid's End User Privacy Policy. We encourage you to review it.
You may disconnect your bank account at any time from your EZDocPro dashboard. Upon disconnection, we revoke the Plaid access token and cease retrieving new data. Previously retrieved transaction data remains in your account unless you request deletion.
EZDocPro uses artificial intelligence to extract transaction data from uploaded bank statements and to automatically categorize transactions for tax compliance purposes.
When you upload a bank statement PDF, the document text is sent to Google's Gemini AI API for structured data extraction. The API processes the text and returns structured transaction data. Google does not retain your data after processing under their API terms of service.
Transactions are first categorized using our rules engine (pattern matching against known merchants and transaction types). Only uncategorized transactions may be sent to the AI API for classification suggestions.
Your financial data is not used to train AI models. It is processed for extraction and categorization only, then the AI provider discards it per their API data processing agreements.
All AI-generated categorizations are presented as suggestions. You or your bookkeeper/CPA retain full control to accept, modify, or reject any categorization before it is finalized.
We implement appropriate technical and organizational security measures to protect your personal and financial information:
| Security Layer | Implementation |
|---|---|
| Encryption in Transit | All data encrypted using TLS 1.2 or higher. HTTPS enforced on all pages via server configuration. |
| Encryption at Rest | Sensitive data (Plaid tokens, API keys) encrypted using AES-256 before database storage. |
| Password Security | Passwords hashed using bcrypt (PHP PASSWORD_DEFAULT). Cannot be reversed or retrieved. We never store plaintext passwords. |
| Session Management | 64-character cryptographically random session tokens with automatic expiration (30 days). Sessions regenerated on login to prevent fixation attacks. |
| Access Control | Role-based access with 10 permission levels and 60+ granular permissions. Every data request verifies ownership before returning results. |
| Bot & Brute Force Protection | Multi-layer protection: honeypot fields, timing analysis, behavioral scoring, and IP-based rate limiting on all login and registration forms. |
| Input Validation | All queries use parameterized prepared statements (PDO). All displayed content escaped to prevent cross-site scripting (XSS). |
| CSRF Protection | Cross-site request forgery tokens on all forms to prevent unauthorized actions. |
| Audit Trail | All logins, data modifications, permission changes, and administrative actions logged with timestamps and IP addresses. |
| Payment Security | Payment processing handled by Square (PCI DSS compliant). Credit card data transmitted directly to Square and never touches our servers. |
| File Upload Protection | Upload directories block PHP execution. Files validated by MIME type, extension, and size. Only PDF and ZIP formats accepted. |
We do not sell your personal information. We may share your information only in the following limited circumstances:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Square, Inc. | Billing information | Payment processing, subscription management |
| Plaid, Inc. | Bank connection authorization | Secure bank account linking, transaction retrieval |
| Google (Gemini AI) | Document text for extraction | AI-powered transaction extraction and categorization |
| Brevo (Sendinblue) | Email address, name | Transactional emails (password resets, invoices, notifications) |
These providers are contractually obligated to protect your information and use it only for the specific services they provide to us.
We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users.
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
We may share information for other purposes with your explicit consent.
We do not:
We retain your data only as long as necessary to provide our Services and comply with legal obligations:
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded PDF bank statements | 7 days (configurable by admin) | Automated purge via daily scheduled task |
| Session tokens | 30 days from last activity | Automatic expiration |
| Password reset tokens | 1 hour | Automatic expiration |
| Transaction & financial data | Duration of account + 7 years | Deleted upon account closure request (after retention period) |
| Payroll records | Duration of account + 7 years | Retained per IRS record-keeping requirements |
| Payment records | 7 years | Required by tax and accounting regulations |
| Audit logs | 7 years | Automated purge after retention period |
| Usage logs | 90 days | Automated purge for security/troubleshooting |
| Account information | Duration of account + 2 years | Deleted within 30 days of request (after retention period) |
The 7-year retention period for financial records aligns with IRS record-keeping requirements for tax-related documents. You may request early deletion of non-tax-critical data at any time by contacting us.
Depending on your location, you have the following rights regarding your personal information:
To exercise any of these rights, contact us at support@ezdocpro.com or use the controls available within your account dashboard.
EZDocPro uses a minimal set of cookies strictly necessary to operate the service:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Maintains your authenticated login session | 30 days |
| CSRF token | Essential | Prevents cross-site request forgery attacks | Session |
We do not use: third-party analytics cookies, advertising cookies, social media tracking pixels, or any form of cross-site tracking. There are no Google Analytics, Facebook Pixel, or similar services on our platform. You can control cookies through your browser settings; however, disabling essential cookies may prevent the Services from functioning properly.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.
Your rights under CCPA/CPRA include:
Categories of personal information collected in the past 12 months:
| CCPA Category | Collected | Sold | Shared for Advertising |
|---|---|---|---|
| Identifiers (name, email) | Yes | No | No |
| Financial information | Yes | No | No |
| Commercial information | Yes | No | No |
| Internet activity | Yes (login logs) | No | No |
| Professional information | Yes (company/firm) | No | No |
| Sensitive personal info | SSN/EIN last 4 only | No | No |
To submit a CCPA/CPRA request, email support@ezdocpro.com with the subject line"CCPA Request." We will verify your identity and respond within 45 days as required by law.
Our Services may contain links to third-party websites or services that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We are not responsible for the privacy practices or the content of these third-party websites or services.
We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
Our Services are hosted in the United States on servers managed by GoDaddy. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.
By using our Services, you consent to the transfer of your information to the United States and acknowledge that your data will be subject to United States laws. We take appropriate measures to ensure that your personal information remains protected in accordance with this Privacy Policy.
EZDocPro is a business financial management service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us immediately.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.
If you enable the optional Lead Center feature, we process publicly available business information (company names, addresses, websites, phone numbers from public directories and registries) to identify potential prospects. We do not purchase private personal data or scrape private social media accounts. Lead data is stored within your account, encrypted at rest, and permanently deleted within 30 days of disabling Lead Center or closing your account. Lead data is never sold to or shared with third parties.
When you create a CPA or bookkeeper seat, we collect their name and email address for authentication purposes. CPA seat holders access your accounting data according to the permissions you configure. All CPA seat activity is logged in the audit trail with clear attribution ("CPA" vs"Owner" entries). CPA seat credentials are hashed using bcrypt and are not accessible to EZDocPro staff.
Timeclock records include clock-in/clock-out timestamps and, if enabled by the employer, GPS coordinates at the time of clocking in or out. This data is used solely for payroll calculation and is accessible only to the account owner and authorized CPA seat holders. GPS data is not shared with any third party. Employees may view their own timeclock records through the employee portal.
When you connect optional third-party services, specific data is shared as follows:
No third-party integration is enabled by default. You must explicitly connect each service. You may disconnect any integration at any time from Settings.
When you import data (QuickBooks IIF, Sage CSV, or generic CSV files), uploaded files are processed in memory and not stored on disk after parsing. Extracted data is stored in your encrypted database. When you export data, files are generated on-demand and transmitted over HTTPS. Export files are not cached or stored on the server after download.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to all privacy-related inquiries within 10 business days.