Privacy Policy

Controller (for our own data): [Operator Legal Entity — set LEGAL_ENTITY_NAME] · Contact: [legal contact — set LEGAL_CONTACT_EMAIL] · Effective: 2026-07-01

1. Scope

This Policy explains how we handle personal data we control (account holders/visitors). For your customers' data that you process via the Service, you are the controller and the DPA governs our role as processor.

2. Data we collect

Account data (name, email, phone, business details); authentication and security logs (IP, device, timestamps); billing data (tokenized payment references, invoices — never raw card numbers); usage and metering data; support communications.

3. Why we use it (legal bases)

To provide and secure the Service (contract); to bill and prevent fraud (legitimate interests / legal obligation); to comply with law (AML, tax, accounting); with consent where required (e.g. certain cookies/marketing).

4. Sharing

With sub-processors (hosting, payment processors such as Stripe/PayPal, email/messaging, analytics, error monitoring) under contract; with authorities where legally required; in a corporate transaction (with safeguards). We do not sell personal data.

5. International transfers

Where data is transferred across borders, we rely on appropriate safeguards (e.g. standard contractual clauses) as applicable.

6. Retention

We retain data for as long as the account is active and as required for legal, tax, and accounting purposes. Financial records (invoices, ledger, receipts) are retained for at least 7 years. You may request deletion subject to these obligations.

7. Security

We apply technical and organizational measures: encryption in transit (TLS) and at rest (AES-256-GCM) for sensitive secrets and tokens, access controls, rate limiting, and audit logging. No system is perfectly secure.

8. Your rights

Subject to law, you may access, correct, export, or delete your data, object to or restrict processing, and withdraw consent. Contact [legal contact — set LEGAL_CONTACT_EMAIL]. We provide a self-service data export/erasure path in the dashboard.

9. Children

The Service is not directed to anyone under 18 and we do not knowingly collect their data.

10. Changes

Material changes require renewed consent.

Document version 2026-07-01

bnoula - Multi-Industry Business Management