Security & Privacy
Booktist is built so your financial data never has to be trusted to us. It runs in your browser, and your bookkeeping is saved to your own Google Drive — not to a Booktist database. Here is exactly how that works and what it means for you.
The short version: there is no central Booktist database holding clinics' financial records. When you sign in with Google, your data is written straight from your browser into a folder in your Drive. We never receive it, store it, or hold the keys to it. The most effective way to protect your data is to never possess it — so we don't.
Where your data lives
Your data stays in your Google Drive
When you're signed in, your bookkeeping is stored as a single JSON file in a "Booktist" folder in your own Google Drive. It is written browser-to-Drive directly. Booktist's servers never receive, route, or keep a copy.
Demo mode is local-only
If you use the demo without signing in, your data lives only in your browser's local storage, on your device. It is never transmitted anywhere.
Encrypted at rest, by Google
Your Drive file is encrypted at rest and in transit by Google's infrastructure. You manage it with the same controls as any other file you own.
Sign-in & least-privilege access
Sign in with Google — no password to store
Authentication is handled entirely by Google. Booktist never sees or stores a password, and there is no client secret in our application.
Per-file Drive access only (drive.file)
Booktist can only see and manage the files it creates — the "Booktist" folder and its data file. It has no ability to read, list, or touch any other file in your Drive.
Tokens live in memory, briefly
Your Google access token is short-lived (about an hour) and held only in your browser's memory for the session. No long-lived refresh token is ever stored, by us or in your browser.
Revoke anytime
You can remove Booktist's access to your Google account at any moment from your Google Account → Data & privacy → Third-party access.
What Booktist holds — and what it doesn't
We hold essentially no financial data
Because your records live in your Drive, Booktist has no server-side store of your transactions. We can't read your numbers, and there's nothing of yours for us to lose or leak.
No patient data, ever
Booktist handles business overhead only — insurance remittance deposits and operating expenses. No patient names, no health information, no individual claims, no clinical records. That data never enters the app.
Your Google profile, in your browser
Your name, email, and profile photo from Google are used in your browser to show who's signed in. They are not collected into a Booktist database.
Technical safeguards on the app itself
HTTPS everywhere
All connections use TLS. HTTP is redirected to HTTPS, and HSTS is enforced with a one-year max-age and preload.
Strict Content Security Policy
A CSP restricts what the page can load and connect to — limited to Booktist itself and Google's sign-in and Drive endpoints. This blocks injected or third-party scripts from running.
Hardened security headers
Every response sends X-Frame-Options: DENY (clickjacking protection), X-Content-Type-Options: nosniff, a restrictive Permissions-Policy, and a Referrer-Policy. The framework's identifying header is suppressed.
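As an added example (not Booktist's own code), here is the header policy this section describes, written as a checklist plus an audit function a practitioner can run against a captured response to confirm it still holds after a deploy. The exact values, the Google origins in the CSP, and the assumption that the suppressed framework header is X-Powered-By are modelled on the text, not copied from the real configuration.

```javascript
// Added example, not Booktist's own code: the header policy described above
// as a checklist, plus an audit that flags a response falling short of it.
// Header values and the Google origins in the CSP are assumptions modelled on
// the text (the usual sign-in and Drive API hosts), not Booktist's real policy.
const ALLOWED_CONNECT = ["'self'", "https://accounts.google.com",
  "https://www.googleapis.com", "https://oauth2.googleapis.com"];
const HARDENED_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  "content-security-policy": [
    "default-src 'self'",
    "script-src 'self' https://accounts.google.com",
    "frame-src https://accounts.google.com",
    "connect-src " + ALLOWED_CONNECT.join(" "),
    "object-src 'none'", "base-uri 'self'", "frame-ancestors 'none'",
  ].join("; "),
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Audit one response's headers (any case); returns findings, empty when the
// policy is met. Assumption: the suppressed framework header is X-Powered-By.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const out = [];
  const hsts = h["strict-transport-security"] || "";
  const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0);
  if (maxAge < 31536000 || !/\bpreload\b/.test(hsts)) out.push("HSTS lacks one-year max-age or preload");
  const csp = parseCsp(h["content-security-policy"] || "");
  const connect = csp["connect-src"] || csp["default-src"];
  const stray = connect ? connect.filter((s) => !ALLOWED_CONNECT.includes(s)) : ["<no CSP>"];
  if (stray.length) out.push("CSP missing or connect-src allows unexpected origins: " + stray.join(" "));
  if (h["x-frame-options"] !== "DENY") out.push("X-Frame-Options is not DENY");
  if (h["x-content-type-options"] !== "nosniff") out.push("X-Content-Type-Options is not nosniff");
  if (!h["referrer-policy"]) out.push("Referrer-Policy missing");
  if (!h["permissions-policy"]) out.push("Permissions-Policy missing");
  if ("x-powered-by" in h) out.push("framework header X-Powered-By present");
  return out;
}
```

Feeding `auditHeaders` the headers of a live response (for example from a fetch in the browser console) gives an empty list only when every control above is present and the CSP's connect-src lists nothing beyond the app and Google endpoints.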
Export-injection protection
CSV and Excel exports are sanitized against spreadsheet formula injection, so a malicious description can't execute when opened in Excel or Sheets.
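As an added example (not Booktist's own export code), the sanitisation step described above applied to a CSV export of constructed transaction rows. The trigger characters follow the common OWASP guidance for CSV injection and the column names are assumptions; the point the example adds is that amounts must be emitted as numbers, since a text rule applied blindly would also neutralise every negative expense.

```javascript
// Added example, not Booktist's own code: neutralise spreadsheet formula
// injection when exporting transactions to CSV. Excel and Sheets evaluate a
// cell that starts with =, +, -, @, tab or CR as a formula, so a hostile
// transaction description could run when the CPA opens the file. The rule here
// is the OWASP one (assumption: Booktist's own rule may differ): prefix such
// text cells with a single quote so they are read as text, and quote/escape
// every field so the CSV itself stays well-formed. Numeric amounts are emitted
// as numbers and never prefixed, otherwise "-45.20" would turn into text.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function sanitizeCell(value) {
  const text = value == null ? "" : String(value);
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]) ? "'" + text : text;
}

// RFC 4180 quoting: wrap fields containing comma, quote or newline; double quotes.
function csvEscape(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

function formatField(value) {
  if (typeof value === "number") return Number.isFinite(value) ? String(value) : "";
  return csvEscape(sanitizeCell(value));
}

function toCsv(columns, rows) {
  const lines = [columns.map(csvEscape).join(",")];
  for (const row of rows) lines.push(columns.map((c) => formatField(row[c])).join(","));
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample: one description that would be parsed as a formula, one
// ordinary description containing a comma, and a negative (expense) amount.
const SAMPLE_ROWS = [
  { date: "2024-03-01", description: "=1+1", amount: -45.2 },
  { date: "2024-03-02", description: "Insurer remittance, claim batch", amount: 1200 },
];

function exportSample() {
  return toCsv(["date", "description", "amount"], SAMPLE_ROWS);
}
```

Some viewers display the leading apostrophe literally rather than hiding it, which is the accepted trade-off for this mitigation; the Excel (.xlsx) path should apply the same rule per text cell, where the cell type itself prevents evaluation.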
Sharing with your CPA
You control what you share
Sharing happens on your terms: export a CSV, Excel workbook, or Google Sheet and send it to your accountant. Booktist never transmits your records to a third party on your behalf.
A read-only CPA view
The CPA view presents your categorized transactions, T2125 line totals, and benchmarks for filing — a clean working file your accountant can read, without changing your data.
Canadian context
PIPEDA & provincial privacy law (Federal / Provincial)
Because Booktist holds almost no personal information — your data stays in your own Drive — there is very little for privacy law to govern on our side. We collect only what's necessary, never sell data, and give you direct access and deletion through your own Google account. Alberta and BC PIPA are addressed the same way.
Data residency is governed by your Google account (Good to know)
Your bookkeeping file lives in your Google Drive, in the region and under the terms tied to your own Google account — not on any Booktist-controlled infrastructure. Quebec clinics evaluating Law 25 cross-border requirements should review their Google Workspace / Google account data-location settings.
CRA 6-year retention — under your control (Tax)
CRA requires business records to be kept for six years. Because your file is in your own Drive and exports include CRA-aligned T2125 fields, retention is entirely in your hands — nothing depends on Booktist keeping your data.
If something goes wrong
A deliberately small blast radius
Most bookkeeping breaches happen because a provider stores everyone's financial data in one place. Booktist doesn't have that place. There is no central database of clinic records to compromise, and we hold no long-lived access to your Drive. If we ever became aware of a security issue affecting the app, we would notify users promptly and publish what changed. Report anything to security@booktist.com.
Questions? We answer security questions directly.
Email privacy@booktist.com for security or privacy questions, or to request data handling details. We respond within one business day.
Last reviewed: June 2026