Privacy Policy
Controller (for our own data): [Operator Legal Entity — set LEGAL_ENTITY_NAME] · Contact: [legal contact — set LEGAL_CONTACT_EMAIL] · Effective: 2026-07-01
1. Scope
This Policy explains how we handle personal data we control (account holders/visitors). For your customers' data that you process via the Service, you are the controller and the DPA governs our role as processor.
2. Data we collect
Account data (name, email, phone, business details); authentication and security logs (IP, device, timestamps); billing data (tokenized payment references, invoices — never raw card numbers); usage and metering data; support communications.
3. Why we use it (legal bases)
To provide and secure the Service (contract); to bill and prevent fraud (legitimate interests / legal obligation); to comply with law (AML, tax, accounting); with consent where required (e.g. certain cookies/marketing).
4. Sharing
With sub-processors (hosting, payment processors such as Stripe/PayPal, email/messaging, analytics, error monitoring) under contract; with authorities where legally required; in a corporate transaction (with safeguards). We do not sell personal data.
5. International transfers
Where data is transferred across borders, we rely on appropriate safeguards (e.g. standard contractual clauses) as applicable.
6. Retention
We retain data for as long as the account is active and as required for legal, tax, and accounting purposes. Financial records (invoices, ledger, receipts) are retained for at least 7 years. You may request deletion subject to these obligations.
7. Security
We apply technical and organizational measures: encryption in transit (TLS) and at rest (AES-256-GCM) for sensitive secrets and tokens, access controls, rate limiting, and audit logging. No system is perfectly secure.
8. Your rights
Subject to law, you may access, correct, export, or delete your data, object to or restrict processing, and withdraw consent. Contact [legal contact — set LEGAL_CONTACT_EMAIL]. We provide a self-service data export/erasure path in the dashboard.
9. Children
The Service is not directed to anyone under 18 and we do not knowingly collect their data.
10. Changes
Material changes require renewed consent.