BookWise

Terms of Service

Effective Date: February 12, 2026

1. Agreement to Terms

By accessing or using BookWise ("the Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, you may not access or use the Service. The Service is operated by BookWise, LLC ("we," "us," or "our").

These Terms include a Business Associate Agreement (Section 10) that is incorporated by reference when you use the Service to process Protected Health Information.

2. Description of Service

BookWise is a financial management platform for mental health providers. The Service enables you to:

  • Connect bank accounts via Plaid for transaction synchronization
  • Store financial data in your own Google Sheets
  • Categorize transactions and generate financial reports
  • Manage receipts and documentation
  • Grant accountant access for collaboration

3. Eligibility

The Service is intended for use by licensed mental health providers and healthcare professionals. By using the Service, you represent that you are at least 18 years of age and have the legal capacity to enter into these Terms.

4. User Accounts

You must authenticate via Google OAuth to use the Service. You are responsible for maintaining the security of your Google account credentials and for all activities that occur under your account.

5. Subscription and Payment

  • Monthly Subscription: $40 per month
  • Free Trial: 30-day free trial for new users
  • Billing: Processed securely through Stripe
  • Cancellation: You may cancel at any time; access continues until the end of the billing period
  • Refunds: No refunds for partial subscription periods

6. User Responsibilities

6.1 General Responsibilities

  • Provide accurate information
  • Maintain the security of your account
  • Comply with all applicable laws and regulations
  • Not use the Service for any unlawful purpose

6.2 Healthcare Provider Responsibilities

If you are a healthcare provider using BookWise for practice finances:

  • You must use Google Workspace (not free Gmail) for HIPAA compliance
  • You are responsible for signing a BAA directly with Google
  • You must determine what constitutes PHI in your financial records
  • You remain responsible for compliance with HIPAA and state privacy regulations

7. Intellectual Property

The Service and its original content, features, and functionality are owned by BookWise, LLC and are protected by copyright, trademark, and other intellectual property laws. Your financial data stored in your Google Sheets and receipts stored in your Google Drive remain your property.

8. Third-Party Services

The Service integrates with third-party services including Google, Plaid, and Stripe. Your use of these services is subject to their respective terms and privacy policies. We are not responsible for the practices of third-party services.

9. Disclaimers and Limitation of Liability

9.1 No Professional Advice

BookWise provides financial management tools only. We do not provide accounting, tax, legal, or financial advice. You should consult with qualified professionals for such advice.

9.2 Service Availability

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND. WE DO NOT GUARANTEE UNINTERRUPTED OR ERROR-FREE SERVICE.

9.3 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, BOOKWISE, LLC SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM YOUR USE OF THE SERVICE. OUR TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT PAID BY YOU IN THE TWELVE MONTHS PRECEDING THE CLAIM.

10. Business Associate Agreement

This Section 10 constitutes a Business Associate Agreement ("Agreement" or "BAA") between you ("Covered Entity") and BookWise, LLC ("Business Associate") as required by the Health Insurance Portability and Accountability Act ("HIPAA"). This BAA is incorporated into and made part of these Terms of Service. By accepting these Terms, you are entering into this BAA electronically, which is as binding as a paper-based agreement.

10.1 Definitions

  1. "HIPAA Rules" means, collectively, the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule at 45 C.F.R. Parts 160 and 164.
  2. "Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, and for purposes of this Agreement includes all individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, in any form or medium.
  3. "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media, as defined at 45 C.F.R. § 160.103.
  4. "Breach" has the meaning set forth at 45 C.F.R. § 164.402, and refers to the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Rules that compromises the security or privacy of the PHI.
  5. "Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402, and refers to PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.
  6. "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.
  7. "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
  8. Capitalized terms used but not otherwise defined in this Agreement shall have the meanings given to them in the HIPAA Rules.

10.2 Obligations of Business Associate

(a) Permitted Use and Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, as permitted or required by applicable law, or as otherwise authorized in writing by Covered Entity.

(b) Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, including a risk analysis and risk management program, access controls, and workforce security measures, to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule at 45 C.F.R. Part 164, Subpart C. Specifically, Business Associate implements:

  • AES-256 encryption at rest for all stored data (via sodium library)
  • TLS 1.2+ encryption in transit for all connections
  • AWS Secrets Manager for credential and encryption key storage
  • Google OAuth 2.0 for user authentication
  • Role-based access controls (user, accountant, admin)
  • Automatic session timeout (30 minutes) and account lockout (5 failed attempts)
  • Encrypted audit logging for authentication and data access events
  • Serverless container architecture (AWS ECS Fargate) with ephemeral instances

(c) Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its employees, agents, or subcontractors in violation of this Agreement or the HIPAA Rules.

(d) Reporting of Breaches and Security Incidents. Business Associate shall report to Covered Entity any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410 and any Security Incident that results in unauthorized access, use, or disclosure of PHI. Such report shall be made without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach or Security Incident. The report shall include, to the extent available, the information required by 45 C.F.R. § 164.410(c), and any additional information reasonably requested by Covered Entity.

(e) Subcontractors and Agents. Business Associate shall ensure that any subcontractor, agent, or other third party to whom it provides PHI on behalf of Covered Entity agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, including compliance with the applicable provisions of the HIPAA Rules. Business Associate has entered into Business Associate Agreements with the following subcontractors:

  • Amazon Web Services (AWS) — Infrastructure hosting, data storage, and AI services (Bedrock). BAA signed September 17, 2025.
  • Google Workspace/Cloud Identity — Cloud platform and application services. BAA signed February 12, 2026.

(f) Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity, or, at Covered Entity's direction, to the individual who is the subject of the PHI, in order to meet Covered Entity's obligations under 45 C.F.R. § 164.524. Such access shall be provided within the time frames required by the HIPAA Rules.

(g) Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity in accordance with 45 C.F.R. § 164.526.

(h) Accounting of Disclosures. Business Associate shall maintain and, within a reasonable time following Covered Entity's written request, provide to Covered Entity such information as is necessary to permit Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

(i) Internal Practices, Books, and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules. To the extent permitted by law, Business Associate shall promptly notify Covered Entity of any such request.

(j) Minimum Necessary Standard. Business Associate shall request, use, and disclose only the minimum necessary PHI required to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).

(k) Compliance with Law. Business Associate shall comply with the HIPAA Rules and any other applicable federal or state laws and regulations governing the privacy or security of PHI, including any amendments that affect Business Associate's obligations under this Agreement.

10.3 Workforce Training and Security Awareness

Business Associate shall provide training on the requirements of the HIPAA Privacy Rule and Security Rule to all members of its workforce who create, receive, maintain, or transmit PHI. Business Associate shall implement a security awareness and training program in accordance with 45 C.F.R. § 164.308(a)(5). Business Associate shall document that such training has been provided.

10.4 Permitted Uses and Disclosures

(a) Services for Covered Entity. Business Associate may use or disclose PHI only as necessary to perform the financial management services set forth in these Terms, including: transaction categorization, financial report generation, receipt management, bank account synchronization via Plaid, accountant collaboration features, and AI-assisted financial queries via AWS Bedrock. In performing such services, Business Associate shall use only the minimum necessary PHI required.

(b) Proper Management and Administration. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that such use is permitted by the HIPAA Rules and applicable law.

(c) Disclosures for Administration. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.

(d) De-identified Information. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified information is no longer subject to this Agreement.

(e) Prohibited Uses. Business Associate shall not sell PHI or use PHI for marketing or fundraising purposes in a manner that would violate the HIPAA Rules, unless expressly authorized in writing by Covered Entity and, if required by law, by the individual whose PHI is involved.

10.5 Term and Termination

(a) Term. This Agreement shall become effective as of the date Covered Entity accepts these Terms and shall remain in effect until terminated or until the termination of the BookWise Terms of Service, whichever occurs first.

(b) Termination for Cause. Covered Entity may terminate this Agreement immediately if it determines that Business Associate has materially breached this Agreement and Business Associate has not cured the breach within thirty (30) days after receiving written notice, if the breach is reasonably capable of cure. If cure is not possible, Covered Entity may terminate immediately upon written notice.

(c) Other Termination Rights. Business Associate may terminate this Agreement upon written notice if continuing to perform would cause Business Associate to violate the HIPAA Rules and the parties are unable to amend this Agreement to prevent such violation.

(d) Obligations Upon Termination. Upon termination, Business Associate shall: (i) retain only PHI necessary for its proper management or legal responsibilities; (ii) return to Covered Entity or destroy all remaining PHI; (iii) continue to use appropriate safeguards for any retained PHI; and (iv) not use or disclose retained PHI other than for the purposes that make return or destruction infeasible, or as required by law.

(e) Infeasibility of Return or Destruction. If return or destruction of PHI is infeasible, Business Associate shall notify Covered Entity, extend the protections of this Agreement to such PHI, and limit further uses and disclosures to those purposes that make return or destruction infeasible.

10.6 Miscellaneous

(a) Amendment. The parties agree to amend this Agreement as necessary to comply with HIPAA, the HIPAA Rules, and any other applicable law. Business Associate shall provide notice of material amendments via the BookWise platform or email.

(b) Survival. Sections 10.2, 10.3, 10.4, 10.5(d), 10.5(e), and this Section 10.6 shall survive termination or expiration of this Agreement.

(c) Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules. In the event of a conflict between this Section 10 and any other provision of these Terms, this Section 10 shall control with respect to PHI.

(d) Indemnification. Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, damages, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising out of Business Associate's breach of this Agreement or violation of the HIPAA Rules, except to the extent caused by Covered Entity's negligence or willful misconduct.

(e) Electronic Acceptance. This Agreement is entered into electronically when Covered Entity accepts these Terms of Service. Such electronic acceptance is as binding as a paper-based agreement. Business Associate maintains a timestamped record of acceptance.

11. Indemnification

You agree to indemnify and hold harmless BookWise, LLC from any claims, damages, or expenses arising from your use of the Service, your violation of these Terms, or your violation of any rights of a third party.

12. Termination

We may terminate or suspend your access to the Service immediately, without prior notice, for conduct that we believe violates these Terms or is harmful to other users, us, or third parties, or for any other reason at our sole discretion. Upon termination, your right to use the Service ceases immediately.

13. Governing Law and Disputes

These Terms shall be governed by the laws of the State of Washington, without regard to conflict of law principles. Any disputes shall be resolved in the state or federal courts located in Seattle, Washington.

14. Changes to Terms

We reserve the right to modify these Terms at any time. We will provide notice of material changes by posting the updated Terms on our website. Your continued use of the Service after such changes constitutes acceptance of the new Terms.

15. Contact Information

For questions about these Terms, contact:

BookWise, LLC
Email: [email protected]
Website: https://bookwise.software

BY USING BOOKWISE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS OF SERVICE, INCLUDING THE BUSINESS ASSOCIATE AGREEMENT IN SECTION 10.

© 2026 BookWise, LLC. All rights reserved.
