Privacy Policy

1. Scope & Controller

TAX HUB is the data controller for personal information collected through our platform. This policy applies to all users of our services including CLIENT, TEAM_MEMBER, and ADMIN roles.

2. Data We Collect

We collect the following categories of personal data:

• Account data: name, email, phone, company, role, permissions, profile settings.
• Booking & service data: appointment details, service preferences, invoices, payment metadata (no payment card data unless provided to payment processor).
• Communications: messages, email logs (via SendGrid), support requests.
• Usage data: analytics, IP, device and browser information, locale and preferences.
• Audit & activity logs: role changes, profile updates, admin actions for security and compliance.

3. How We Use Data

We use personal data to provide and improve services, process bookings and payments, communicate with users, and fulfill legal and accounting obligations. Typical uses include:

• Authentication: account management, and access control.
• Service delivery: delivering booked services and invoicing.
• Communications: sending transactional and marketing emails via SendGrid (subject to user consent).
• Analytics: performance monitoring to improve the product.
• Security: fraud prevention, and compliance (including audit logging).

4. Role-based Access & Special Considerations

Different roles have different access rights. We limit access based on the principle of least privilege:

• CLIENT: access to own profile, bookings, invoices, and shared documents.
• TEAM_MEMBER: access to client data required for service delivery and internal collaboration.
• ADMIN: elevated controls for user management, billing, and system settings; activity is logged for audit purposes.

5. Third-party Integrations

We work with third-party providers to deliver features. These providers may process personal data on our behalf:

• SendGrid: transactional and marketing email delivery.
• Payment processors: payment authorization and settlement (we do not store full card data on our servers).
• Analytics & monitoring: Google Analytics, Sentry, or similar for product analytics and performance monitoring.
• CDN/Hosting: static asset delivery and caching.

6. Data Retention

We retain financial and accounting records for a minimum of seven (7) years to comply with applicable accounting and regulatory requirements. Other personal data is retained only as long as necessary to provide services, meet legal obligations, resolve disputes, and enforce agreements.

7. Your Rights & Choices

Depending on your jurisdiction, you may have rights including access, rectification, deletion, portability, and restriction of processing. For residents of:

• GDPR (EU): right to access, rectify, erase, restrict processing, data portability, and object to processing.
• CCPA (California): right to know, delete, and opt-out of sale of personal information (if applicable).
• PIPEDA (Canada): similar privacy rights and access to personal information.

To exercise your rights, contact us at null. We may ask for verification to protect your data.

8. Security

We implement reasonable technical and organizational measures to protect personal data. This includes encryption in transit (TLS), access controls, audit logging, and periodic security reviews. No system is fully secure; in the event of a breach we will follow applicable notification requirements.

9. International Transfers

Our services may involve cross-border transfer of personal data. We rely on appropriate safeguards where required, such as standard contractual clauses or reliance on service providers located in compliant jurisdictions.

10. Children

Our services are intended for businesses and adults. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, contact us to request deletion.