QuickBooks - Privacy Policy

Name: 12th Annual Warfighter Made Open House and Car Show – 12/5/2026
Start: 2026-12-05T10:00:00-08:00
End: 2026-12-05T15:00:00-08:00
Location: Warfighter Made

WARFIGHTER MADE - Directors Portal

PRIVACY POLICY

Scope: This Privacy Policy applies exclusively to the WFM Directors Portal plugin and its QuickBooks Online integration. It governs personal information collected from Warfighter Made board members and officers who use the Directors Portal.

1. Introduction

Warfighter Made ("we," "us," or "our") is committed to protecting the privacy of the individuals who use the WFM Directors Portal plugin ("Portal"). This Privacy Policy explains what personal information we collect through the Portal and its QuickBooks Online integration, how we use and protect that information, and the rights available to users.

This policy applies solely to information collected through the Portal. It does not govern information collected through Warfighter Made's public website, donation platforms, program operations, or any other channel.

2. Who This Policy Covers

This Privacy Policy applies to Authorized Users of the Portal — current members of the Warfighter Made Board of Directors and current Warfighter Made corporate officers who have been granted portal accounts. It does not apply to program participants, donors, veterans served by Warfighter Made, or the general public.

3. Information We Collect

3.1 Account Information

When a portal account is created for an Authorized User, we collect and store:

Full name
Email address
Role within Warfighter Made (e.g., Board Director, Executive Officer)
Account creation date
Account status (active or deactivated)

Note: Portal accounts are created by administrators (Board Chair or Executive Officer) on behalf of Authorized Users. Users do not self-register.

3.2 Authentication Information

To secure portal access, we collect and store:

Hashed password (WordPress bcrypt hash — the original password is never stored in readable form)
Session tokens and cookies used to maintain a logged-in session (expired and invalidated after 60 minutes of inactivity)
Last login timestamp
IP address associated with each login event

3.3 Activity and Audit Data

The Portal maintains a tamper-evident audit log for governance and security purposes. The following actions are automatically recorded with a timestamp, the user's identity, and their IP address:

Document uploads, views, downloads, archives, and deletions
Calendar event creation, updates, and deletions
File attachments added to or removed from calendar events
RSVP responses to calendar event invitations
Financial report views, downloads, and QuickBooks sync events
Login and logout events
Account changes (role updates, password resets, account activation and deactivation)
Notification emails sent and distribution list changes

Note: The audit log is accessible only to Board Chairs and Executive Officers. It is used to support governance accountability and to investigate potential security incidents.

3.4 QuickBooks Integration Data

When the QuickBooks integration is used, the Portal collects and stores:

OAuth access tokens and refresh tokens issued by Intuit, stored encrypted using AES-256-CBC encryption keyed to the WordPress installation. These tokens authorize the Portal to retrieve financial reports from the Warfighter Made QuickBooks Online account.
The QuickBooks Company ID (Realm ID) associated with the authorized company.
Financial report data retrieved from QuickBooks, stored in the Portal's database as structured JSON and as generated PDF documents in the secure document repository.
The identity of the user who initiated each QuickBooks sync, recorded in the audit log.

Note: The Portal does not store QuickBooks login credentials (username or password). Authentication is handled exclusively through Intuit's OAuth 2.0 flow. The Portal is granted read-only access to financial reporting data.

3.5 Uploaded Documents

Documents uploaded by Authorized Users (board minutes, financial reports, officer documents, etc.) are stored in the secure document repository. Metadata associated with each document — including the uploader's identity, upload date, file name, file size, and document category — is stored in the Portal's database.

3.6 Calendar and RSVP Data

When Authorized Users create calendar events or respond to RSVP invitations, the Portal stores the event details (title, date, time, description, category, attachments), the creator's identity, and each recipient's RSVP response linked to their email address. RSVP responses are stored with a unique token per recipient; no portal login is required to submit an RSVP response.

3.7 Communications

The Portal sends automated email notifications to Authorized Users when documents are uploaded, calendar events are created or updated, and when RSVP invitations are issued. Email delivery status (sent or failed) and SMTP error messages are logged for diagnostic purposes. The Portal does not store the content of outgoing emails after delivery.

4. How We Use Information

We use the information collected through the Portal exclusively for the following purposes:

Purpose	Information Used	Legal Basis
Providing portal access and authentication	Account information, hashed passwords, session tokens, IP addresses	Legitimate interest in securing governance systems; performance of member duties
Delivering governance documents and financial reports	Account information, document metadata, financial report data	Legitimate interest in fulfilling board governance functions
QuickBooks financial report retrieval	OAuth tokens, Realm ID, financial data from QuickBooks	Legitimate interest in financial oversight and transparency
Sending notifications and RSVP invitations	Email addresses, event data, RSVP tokens	Legitimate interest in board communication and coordination
Security, audit, and accountability	Audit log data, IP addresses, activity records	Legitimate interest in protecting organizational systems and meeting fiduciary obligations
Usage analytics for portal administrators	Login frequency, recent actions per user	Legitimate interest in monitoring portal health and engagement
Investigating security incidents	Audit log data, session data, IP addresses	Legitimate interest in protecting personal data and organizational assets

We do not use personal information collected through the Portal for marketing, fundraising, advertising, or any purpose unrelated to Warfighter Made's internal governance.

5. Information Sharing and Disclosure

5.1 Within Warfighter Made

Personal information visible within the Portal is accessible only to Authorized Users in accordance with their assigned role. Board Chairs and Executive Officers have broader access than Directors, Officers, and Finance Staff. No Authorized User has access to information beyond their role permissions.

5.2 Intuit / QuickBooks Online

To use the QuickBooks integration, the Portal connects to Intuit's QuickBooks Online API. In the course of this connection, Intuit may receive:

The Portal's API credentials (Client ID) to identify the authorized application
OAuth authorization codes and tokens to authenticate the connection
API requests identifying the specific financial reports being retrieved

Intuit's collection and use of information in connection with QuickBooks Online is governed by Intuit's Privacy Statement, available at intuit.com/privacy. Warfighter Made does not control Intuit's data practices.

5.3 Hosting Provider

The Portal operates on servers provided by BGM Hosting. The hosting provider has access to server infrastructure and may process personal data stored on those servers in accordance with its own data processing terms. Physical document files are stored in a directory outside the public web root and are not directly accessible via URL.

5.4 Email Delivery (FluentSMTP)

Notification emails are sent via FluentSMTP using a configured SMTP provider. The SMTP provider processes email addresses and message content to deliver notifications. Delivery logs retained by FluentSMTP include recipient addresses and delivery status.

5.5 Legal Requirements

We may disclose personal information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Warfighter Made, its board members, or the public.

5.6 No Sale of Personal Information

Warfighter Made does not sell, rent, trade, or otherwise transfer personal information of Authorized Users to any third party for commercial purposes.

6. Data Storage and Security

6.1 Storage Location

Personal information and portal data are stored in the WordPress MySQL database hosted on Warfighter Made's web server. Physical document files (including QuickBooks-generated PDFs) are stored in a secure directory at /home/warfightermde/secure_docs/ — outside the public web root and inaccessible by direct URL.

6.2 Security Measures

Warfighter Made implements the following technical and organizational measures to protect personal information stored in the Portal:

HTTPS/TLS encryption for all data in transit between users' browsers and the server
Bcrypt password hashing — passwords are never stored in plain text
AES-256-CBC encryption for QuickBooks OAuth tokens stored in the database
Role-based access control limiting each user's access to information appropriate to their governance role
Cryptographically signed, time-limited (15-minute) download links for all documents
Session idle timeout enforced at 60 minutes, requiring re-authentication after inactivity
Tamper-evident audit logging of all sensitive actions
File storage outside the public web root with no direct URL access
WordPress file editing disabled in production (DISALLOW_FILE_EDIT)
SSL enforcement for the WordPress admin area (FORCE_SSL_ADMIN)

Note: No security measure is perfect. While we implement industry-standard protections, Warfighter Made cannot guarantee absolute security. Authorized Users should use strong passwords, protect their login credentials, and report any suspected unauthorized access immediately to greg@warfightermade.org.

6.3 Backups

Portal data and document files are backed up using JetBackup, covering both the WordPress database/files (in public_html) and the secure document repository (/home/warfightermde/secure_docs/). Backup data is subject to the same security controls as live data.

7. Data Retention

Data Category	Retention Period	Basis
Account information	Duration of service as board member or officer, plus 3 years after deactivation	Governance records and accountability
Audit log entries	7 years from date of entry	Nonprofit governance obligations and California law
Financial reports and documents	Permanent (subject to archival by administrators)	Fiduciary records retention requirements
QuickBooks OAuth tokens	Until disconnection or token expiry (maximum 100 days for refresh tokens)	Functional necessity; tokens auto-expire
Session tokens and cookies	60 minutes of inactivity, then invalidated	Security; minimum necessary for function
Email delivery logs (FluentSMTP)	Retained per FluentSMTP configuration; typically 30–90 days	Diagnostic purposes
RSVP response tokens	Linked to event lifetime; cleared when event is deleted	Functional necessity

8. Cookies and Session Data

The Portal uses WordPress standard authentication cookies to maintain logged-in sessions. These cookies are:

Session-scoped — they expire when the browser is closed or after 60 minutes of inactivity, whichever comes first.
Necessary — they are required for the Portal to function and cannot be disabled while using the Portal.
First-party only — the Portal does not set third-party cookies or use tracking cookies.

The Portal does not use analytics cookies, advertising cookies, or any cookies for purposes beyond authentication and session management.

9. California Privacy Rights

Authorized Users who are California residents have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), to the extent applicable:

9.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared.

9.2 Right to Delete

You have the right to request deletion of personal information we have collected about you, subject to certain exceptions. We may retain information necessary to complete governance obligations, comply with legal requirements, maintain security, or fulfill other purposes permitted by law.

9.3 Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you. Account information corrections (name, email, role) can be made by contacting greg@warfightermade.org.

9.4 Right to Non-Discrimination

We will not discriminate against any Authorized User for exercising their privacy rights. Exercising these rights will not affect your access to the Portal or your standing as a board member or officer, except where the information requested to be deleted is necessary to maintain your portal account.

9.5 How to Submit a Request

To exercise any of the rights described in this Section, contact us at:

Warfighter Made — Privacy Requests

Email: info@warfightermade.org

Please include "Privacy Request" in your subject line and identify the right you wish to exercise. We will respond within 45 days.

10. Children's Privacy

The Portal is intended solely for use by adults serving as board members or officers of Warfighter Made. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have inadvertently collected information from a minor, we will promptly delete it.

11. Third-Party Links and Services

The Portal integrates with Intuit's QuickBooks Online API and uses FluentSMTP for email delivery. These third-party services have their own privacy policies that govern their data practices, which are independent of this Privacy Policy. We encourage Authorized Users to review:

Intuit Privacy Statement: https://www.intuit.com/privacy/
BGM Hosting Privacy Policy: Available at your hosting provider's website

Warfighter Made is not responsible for the privacy practices of third-party services.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Portal's functionality, or applicable law. When we make material changes, we will update the Effective Date at the top of this policy and notify Authorized Users through the Directors Portal or by email to their registered portal address. Continued use of the Portal after notification of a change constitutes acceptance of the updated policy.

We encourage Authorized Users to review this Privacy Policy periodically. The current version will always be accessible through the portal administrator.

13. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Warfighter Made

Attn: Executive Officer