Privacy Policy

Last Updated: December 29, 2025

1. Introduction

ClientDocs ("we," "our," or "us") operates the ClientDocs service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using ClientDocs, you agree to the collection and use of information in accordance with this policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

  • Account Information: Email address, password (hashed), firm name, and user role
  • Profile Information: Name, contact details, and authentication provider data (Google OAuth)
  • Client Information: Client names, email addresses, and contact information that you input into the Service
  • Billing Information: Payment card details, billing address, and transaction history (processed by Stripe)
  • Communication Data: Emails sent through our Service, including invitation emails and reminders

2.2 Uploaded Files

We collect files uploaded to the Service by you or your clients, including tax documents, financial records, and other business documents. All uploaded files are stored securely in encrypted cloud storage.

2.3 Usage Data

We automatically collect information about how you interact with the Service:

  • IP address and device information
  • Browser type and version
  • Pages visited and time spent on pages
  • Actions performed within the Service
  • Access times and dates
  • Referring website addresses

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and store certain information. These include:

  • Essential Cookies: Required for authentication and security
  • Analytics Cookies: Help us understand how users interact with the Service
  • Preference Cookies: Remember your settings and preferences

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Provision: To provide, maintain, and improve the Service functionality
  • Account Management: To manage your account, authentication, and access control
  • Communication: To send checklist invitations, reminders, and service notifications
  • Billing: To process payments and manage subscriptions
  • Security: To detect, prevent, and address technical issues and fraudulent activity
  • Compliance: To comply with legal obligations and enforce our Terms of Service
  • Analytics: To analyze usage patterns and improve user experience
  • Customer Support: To respond to your inquiries and provide technical support

4. Third-Party Service Providers

We use third-party service providers to operate and improve our Service. These providers have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use it for other purposes.

4.1 Service Providers We Use

  • Supabase: Database hosting and authentication services
    Privacy Policy: https://supabase.com/privacy
  • Stripe: Payment processing and subscription management
    Privacy Policy: https://stripe.com/privacy
  • Amazon Web Services (AWS S3): Secure file storage
    Privacy Policy: https://aws.amazon.com/privacy
  • Resend: Transactional email delivery
    Privacy Policy: https://resend.com/legal/privacy-policy
  • Vercel: Application hosting and infrastructure
    Privacy Policy: https://vercel.com/legal/privacy-policy
  • Google: OAuth authentication services
    Privacy Policy: https://policies.google.com/privacy

5. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption: All data is encrypted in transit using SSL/TLS and at rest using AES-256
  • Access Controls: Row-level security policies ensure users can only access their own firm's data
  • Private Storage: All uploaded files are stored in private AWS S3 buckets with no public access
  • Pre-Signed URLs: File access is granted through time-limited, secure URLs
  • Authentication: Secure password hashing and OAuth 2.0 authentication
  • Magic Link Security: Client upload links use SHA-256 hashed tokens that cannot be reverse-engineered
  • Regular Audits: Periodic security reviews and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

6. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

  • Active Accounts: Data is retained while your account is active
  • Archived Data: Archived clients and checklists are retained until permanently deleted by you
  • Deleted Accounts: Account data is deleted within 30 days of account closure
  • Billing Records: Retained for 7 years for tax and legal compliance
  • Backups: Deleted data may persist in backups for up to 90 days

7. Your Data Rights

7.1 General Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Rectification: Correct any inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to certain processing of your data
  • Restriction: Request restriction of processing under certain circumstances

7.2 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including:

  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority
  • Right to know the legal basis for processing your data

7.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by businesses
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your CCPA rights

7.4 Colombian Law Rights (Colombian Users)

If you are located in Colombia, your personal data is protected under Law 1581 of 2012 (Ley de Protección de Datos Personales). You have the following rights:

  • Right to Access (Derecho de Acceso): Request information about your personal data we hold
  • Right to Rectification (Derecho de Rectificación): Correct inaccurate or incomplete data
  • Right to Deletion (Derecho de Supresión): Request deletion of your personal data
  • Right to Revoke Authorization (Derecho de Revocación): Withdraw consent for data processing
  • Right to File Complaints: File complaints with the Superintendencia de Industria y Comercio (SIC)

Authorization and Consent: By using our Service, you authorize ClientDocs to collect, store, use, and process your personal data as described in this Privacy Policy. This authorization is voluntary and can be revoked at any time by contacting us at privacy@clientdocs.com.

Responsible Party (Responsable del Tratamiento): ClientDocs is the party responsible for the processing of your personal data. For questions or to exercise your rights under Colombian Law 1581, please contact privacy@clientdocs.com.

To exercise any of these rights, please contact us at the email address provided in Section 12.

8. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With Your Consent: When you explicitly authorize us to share information
  • Service Providers: With third-party vendors who assist in operating our Service (see Section 4)
  • Legal Requirements: When required by law, subpoena, or other legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Protection of Rights: To protect our rights, property, or safety, or that of our users
  • Aggregate Data: Anonymous, aggregated data that cannot identify individuals

9. International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

We ensure that such transfers comply with applicable data protection laws and that appropriate safeguards are in place, including Standard Contractual Clauses for transfers from the EEA.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us. If we discover that a child under 18 has provided us with personal information, we will delete such information immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Updating the "Last Updated" date at the top of this Privacy Policy
  • Sending you an email notification for material changes
  • Displaying a prominent notice on the Service

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@clientdocs.com

Response Time: We aim to respond to all inquiries within 48 hours

Data Protection Officer: For GDPR-related inquiries, contact dpo@clientdocs.com

13. Consent

By using our Service, you acknowledge that you have read this Privacy Policy and agree to its terms. If you do not agree to this Privacy Policy, please do not use the Service.