Data Handling

When you engage RecurSave for a Financial Leakage Review, you are asked to share sensitive financial information from your business. This page explains, in plain English, exactly what happens to that information between the moment you send it and the moment the engagement ends.

This page is not a legal document. Our Privacy Policy and Terms of Use are our legal documents. This page exists because we believe you deserve to know how your financial data is handled before you decide to share it, and because the security of your information is not something we treat as boilerplate.

Engagement Agreement first. Before any financial records are shared, you are asked to sign RecurSave's Engagement Agreement. The Engagement Agreement sets out the review scope, the fee structure, how your data will be handled, and confidentiality obligations binding on both parties. No financial information is requested or transferred until the Engagement Agreement is signed.

Secure upload after signing. Once the Engagement Agreement is signed, RecurSave provides secure upload instructions for the agreed evidence set through RecurSave's native secure upload portal. We request only the exports and files needed for the agreed scope. We do not request data that falls outside that scope.

For a standard Financial Leakage Review, RecurSave requests the QuickBooks Online exports needed for the agreed review scope.

These are standard static QuickBooks Online exports. We request exports as files, not live system access, and do not rely on direct accounting-platform integrations.

What we do not request. We do not ask for:

• Login credentials to your accounting system, bank, or any other service
• Direct connection or integration with your accounting software
• Personal information about your staff, clients, or vendors beyond what naturally appears in the financial exports
• Any information not required for the agreed review scope

Financial data is transferred through RecurSave's native secure upload portal.

Native secure upload portal.Where RecurSave's native secure upload portal is used:

• Each engagement uses access-controlled upload access
• Files are uploaded from your browser
• Files are uploaded directly to private Supabase Storage using short-lived signed upload URLs
• Upload access is not public

We do not accept financial data by regular email, because email is not suitable for sensitive financial information.

While financial data is in RecurSave's possession, it is stored only in approved engagement storage locations.

• For the native upload portal, files are stored in private Supabase Storage for the engagement.
• Access is restricted to authorized RecurSave personnel and authorized client-side users
• RecurSave does not publish uploaded files publicly
• RecurSave does not request login credentials to your accounting system, bank, or other services
• RecurSave does not submit client financial data to public consumer tools for general-purpose use
• It is not printed or downloaded to personal devices except as reasonably required for the review
• It is accessed only by authorized RecurSave personnel, using work devices with appropriate security controls

Our review process may use controlled internal analysis workflows to help structure submitted records and identify evidence-supported patterns within the agreed scope. Client financial data is not submitted to public consumer tools for general-purpose use.

Retention and deletion are governed by the Engagement Agreement and written instructions for the engagement.

Client-shared source files are retained only as long as required for the engagement, or as required by law.

Where deletion is requested or required under the engagement process, RecurSave may confirm completion in writing where applicable.

Any copies held in provider backups are deleted according to the relevant provider's standard retention schedule, where applicable.

The only records retained after deletion are the engagement agreement itself, the findings report we produced, and the commercial records of the engagement (invoices, payments, correspondence), which we retain for legal and tax compliance for seven years.

The security of your financial data depends partly on your own practices during the engagement. We ask that you:

• Use a secure email account and strong authentication where available
• Verify the upload instructions and sender before uploading files
• Do not share upload links, portal access, or folder links with unauthorized people
• Notify RecurSave immediately if you suspect unauthorized access to your upload access or shared files

If we become aware of any security incident affecting your data, we will notify you within 72 hours with full details of what happened, what data was affected, and what actions we are taking. We will cooperate fully with any investigation you undertake and will comply with breach notification requirements under applicable privacy law.

If you have any questions about how your data is handled, or if you would like to see the technical details of any of the above, contact hello@recursave.com. We will answer any question a prospective client reasonably asks about data security before you sign the Engagement Agreement.