How Numbers Game handles your data and your clients’.

Numbers Game B.V. (KvK 81465688) operates the Numbers Game service at ai.numbersgame.xyz — an AI-assisted bookkeeping product that connects to QuickBooks Online on behalf of accounting firms and their clients.

Registered office

Privacy contact: [email protected]

We have not appointed a Data Protection Officer, because our processing activities do not meet the thresholds in Article 37 GDPR. The privacy contact above is our designated point of contact for all data protection enquiries.

Because our establishment is in the Netherlands, our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch DPA), Hoge Nieuwstraat 8, 2514 EL The Hague — autoriteitpersoonsgegevens.nl.

This policy describes how we handle personal information in three distinct contexts.

Firm users. Partners, accountants, and staff who use Numbers Game to keep books for clients. For Firm users, we are the controller.

Client records. Bookkeeping data the Firm authorizes us to access in QuickBooks Online — chart of accounts, vendors, customers, transactions, journal entries, and the actions we take on them. For client records, the Firm is the controller and Numbers Game is the processor. The terms of our processing are set out in our Data Processing Agreement, which forms part of the Master Subscription Agreement. A current copy is available on request — email [email protected].

Website visitors and prospects. Anyone browsing numbersgame.xyz or ai.numbersgame.xyz, or who contacts us about the product. For these contexts, we are the controller.

Numbers Game uses Anthropic’s Claude models to assist with bookkeeping tasks. When you interact with the product, the relevant prompt — together with the minimum QBO context needed to answer it — is sent to Anthropic over a TLS-encrypted connection.

Training. Under our enterprise agreement with Anthropic, our prompts and the model’s outputs are not used to train any Anthropic model.

Retention at Anthropic. Inputs and outputs are retained for the period set in our Anthropic configuration (currently the zero-retention default, with limited short-retention for abuse-detection on specific endpoints). The current state is available on request — email [email protected].

Tenancy isolation. Numbers Game stores Firm and client data in per-Firm tenancies. We do not commingle data across Firms and we do not share data across Firms’ tenancies.

Automated decision-making (Article 22 GDPR). Numbers Game uses AI to suggest transaction categorizations, journal entries, and reconciliations. A Firm user reviews and authorizes material write-backs to QuickBooks Online before they post. We do not use AI to take legal or significantly similar decisions about individuals without meaningful human review. If you believe a specific automated suggestion has produced an outcome that affects you, you can ask us to involve a human reviewer using the contact above.

Numbers Game B.V. is established in the Netherlands. Because we provide a service to firms in the United States and use US-based sub-processors, personal information is transferred to the United States and (depending on Cloudflare edge routing) other countries.

For each transfer outside the EEA, we rely on one or more of the following:

• The EU–US Data Privacy Framework (and the UK Extension, where UK personal data is in scope), for recipients that maintain a current self-certification;
• The 2021 Standard Contractual Clauses (Commission Decision 2021/914), with the appropriate module per relationship, supplemented by a Transfer Impact Assessment and supplementary technical measures (encryption in transit and at rest, key management, access controls, and minimization);
• Where applicable, derogations under Article 49 GDPR — but only for occasional and necessary transfers.

A copy of the SCCs and our TIA for a specific recipient is available to Firm controllers on request.

Numbers Game is built around minimization, separation, and a tight audit trail.

• TLS 1.3 in transit; AES-256 at rest.
• OAuth refresh tokens for QuickBooks Online and Slack are stored under envelope encryption with 90-day key rotation.
• Per-Firm tenancy isolation in storage and processing; no cross-tenant queries.
• Role-based access control on the product; production access by Numbers Game personnel is logged, time-bound, and reviewed.
• Continuous vulnerability monitoring and a coordinated disclosure program at [email protected].
• SOC 2 Type II audit in progress; report expected Q3 2026. Current attestations and the security overview are available at numbersgame.xyz/security.

Personal data breach handling. Where Numbers Game acts as controller, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of a personal data breach where required by Article 33 GDPR, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR). Where Numbers Game acts as processor, we will notify the affected Firm controller without undue delay — and in any event within 48 hours — of becoming aware of a personal data breach, with the information the Firm needs to meet its own 72-hour notification obligation.

Subject to the conditions in the applicable law, you have the rights listed below.

Under the GDPR / UAVG, you have the right to:

• access the personal data we hold about you (Article 15);
• have inaccurate personal data corrected (Article 16);
• have personal data erased in defined circumstances (Article 17);
• restrict our processing (Article 18);
• receive your personal data in a portable, machine-readable format and transmit it to another controller (Article 20);
• object to processing based on legitimate interests, including any profiling (Article 21);
• withdraw consent where processing is based on consent (Article 7(3)) — withdrawal does not affect the lawfulness of processing before withdrawal;
• not be subject to a solely automated decision producing legal or similarly significant effects (Article 22) — see section 4 for how we handle human review;
• lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or, if you live elsewhere in the EEA, with your local supervisory authority.

For US residents. Depending on where you live, US state privacy laws (CCPA/CPRA in California; VCDPA in Virginia; CPA in Colorado; CTDPA in Connecticut; UCPA in Utah; and equivalents in other states) give you the right to know what personal information we hold, request deletion or correction, opt out of ‘sale’ or ‘sharing’ (we do neither), and limit the use of sensitive personal information. We will respond to verifiable requests within the timeframes those laws require (typically 45 days, extendable once).

How to exercise these rights. Email [email protected]. Where you are a client of a Firm and the request concerns client records, we will route the request to the controlling Firm; we will support the Firm’s response, but we cannot act unilaterally on the Firm’s data.

We may need to verify your identity in a manner proportionate to the sensitivity of the request. We do not charge for handling a request unless it is manifestly unfounded or excessive (in which case we will tell you, and you can challenge our assessment).

numbersgame.xyz and ai.numbersgame.xyz use only strictly necessary cookies (session, authentication, CSRF protection, load-balancer affinity). We do not use third-party advertising cookies, cross-site trackers, or behavioral analytics. We do not currently run a web analytics product on the site.

If we add web analytics in future, we will publish an updated cookie notice and — where consent is required under Dutch implementation of the ePrivacy directive — collect prior consent before any non-essential storage or reading takes place on your device.

We may email Firm users about product updates, security notices, and account administration. These are service messages relating to the contract and you cannot opt out without closing the account.

Where we send a marketing email — a newsletter, an event invitation, a feature announcement to a prospect — you can unsubscribe via the link in every message, or by emailing [email protected]. We do not buy marketing lists.

Numbers Game is a business product for accounting firms. It is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

We will publish material changes here and email the administrator on every active Firm account at least 30 days before they take effect. The ‘Last reviewed’ date at the top of this policy is the authoritative version marker. Continued use of the service after the effective date is acceptance of the updated policy. Where a change requires fresh consent under the GDPR, we will collect that consent before applying the change to your data.

Firms using Numbers Game enter into a Data Processing Agreement (DPA) that incorporates the EU 2021 Standard Contractual Clauses (Module 2/3) and addresses:

• the subject-matter, duration, nature, and purpose of processing;
• the categories of data subject and personal data;
• our Article 28 GDPR obligations as processor, including sub-processor approval, breach notification, and assistance with data subject requests;
• audit rights — including acceptance of our SOC 2 Type II report where adequate, with on-cause audit rights preserved;
• deletion or return of data on termination.

A counter-signed copy is provided on contract execution. To request the current template before signing, write to [email protected].

Privacy: [email protected]
Security disclosures: [email protected]
Sub-processor list: on request
Data Processing Agreement: on request
Security overview: numbersgame.xyz/security

If you believe we are not handling your personal information appropriately, please contact us first so we can try to resolve it — and remember you can always lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or your local supervisory authority.