← Kentucky Professional Fire Fighters

Privacy Policy

Effective: May 2, 2026 · KPFF Trustee Portal · v1.0

The Kentucky Professional Fire Fighters ("KPFF") respects the privacy of its members and Trustees. This policy explains how data flows through the KPFF Trustee Portal ("the App").

1. What we collect

• Trustee session — a server-side PHP session cookie identifying that you've authenticated. No personal information is stored in this cookie beyond a logged-in flag and a login timestamp.
• QuickBooks tokens — when a Trustee connects QuickBooks, we store the OAuth access token, refresh token, realm ID, and expiry timestamp in our MySQL database. These tokens are scoped to the com.intuit.quickbooks.accounting scope (read-only) and are required to display KPFF's financial reports.
• Cached report data — for performance, we cache QuickBooks report responses (Profit & Loss, recent Bills, recent Purchases) for up to 60 minutes in server-side files. Caches are cleared on disconnect.

2. What we do NOT collect

• No analytics tracking (no Google Analytics, no Meta Pixel, no third-party trackers).
• No advertising networks. No data sold or shared with anyone.
• No data ever leaves the KPFF MySQL server (hosted on a dedicated VPS in the United States).

3. Data retention

QuickBooks tokens persist until the Trustee or Secretary-Treasurer clicks Disconnect QuickBooks, at which point the row is deleted from MySQL and all cached report files are wiped. If Intuit notifies us that a user revoked access on QuickBooks's side (via webhook to our disconnect URL), we delete the tokens automatically.

4. Security

The App is served exclusively over HTTPS (TLS via Let's Encrypt). Tokens at rest are stored in a PHP-only MySQL table (qb_settings) accessible only to the application user.

5. Your rights

Trustees may at any time:

• Disconnect QuickBooks via the in-app link.
• Request deletion of all session and token data by emailing sectreas@kpff-iaff.org.
• Revoke the App's QuickBooks access directly inside Intuit's My Apps dashboard.

6. Contact

Questions, deletion requests, or compliance inquiries:
Matthew Silvati, Secretary-Treasurer · KPFF
P.O. Box 72031, Newport, KY 41072
sectreas@kpff-iaff.org · (513) 509-8666