Privacy Policy
Last updated: April 1, 2026
TinSuite respects your privacy. This policy explains what data we collect, why, and your rights over it.
1. Data We Collect
- Account data: name, email, password hash, company info.
- Business data: invoices, customers, transactions, products — everything you enter or import.
- Financial data (via Plaid): bank account balances and transactions, only after your explicit consent.
- Usage data: pages viewed, features used, IP address, device type.
- Payment data: handled by Stripe; we never store credit card numbers.
2. How We Use Data
- To provide the Service: run the app, sync bank feeds, send invoices, generate reports.
- To improve the Service: aggregated analytics on what features are used.
- To communicate: product updates, billing, support responses.
- For security: fraud detection, abuse prevention.
We never sell your data. We never use it to train AI models without opt-in.
3. Data Sharing
We share data only with:
- Subprocessors that run our infrastructure (hosting, email delivery, analytics) under strict contracts.
- Financial partners when you apply for their products through TinSuite — and only the info you submit.
- Law enforcement when legally compelled.
4. Subprocessors
Current list: Hetzner (hosting, Germany), Stripe (payments, USA), Plaid (banking aggregation, USA), Resend (email, USA), Cloudflare (CDN, USA). Full list at /subprocessors.
5. Your Rights
- Access: request a full export of your data.
- Correction: fix anything inaccurate.
- Deletion: request we delete your account and data. Some records (billing, legal) may be retained per law.
- Portability: export your data in machine-readable format (CSV, JSON).
- Opt-out: stop marketing emails; refuse analytics cookies.
To exercise any right, email [email protected].
6. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Plaid access tokens are encrypted with keys we control. We run regular security reviews. A SOC 2 Type II audit is in progress.
7. Data Retention
Active accounts: data retained as long as you're a customer. After account deletion: financial/billing records retained for 7 years per tax law, then destroyed.
8. International Transfers
If you're outside the US/Canada, your data may be transferred to and processed in the US. We use standard contractual clauses where required (EU SCCs).
9. Children
TinSuite is for businesses. We do not knowingly collect data from anyone under 16.
10. California Rights (CCPA)
California residents have the right to know, delete, and opt out of data sales. We do not sell personal data.
11. European Rights (GDPR)
If you're in the EU/UK, you have all rights under GDPR. Our DPO: [email protected].
12. Cookies
We use essential cookies for authentication and session management. Analytics cookies are opt-in via the cookie banner on first visit.
13. Changes
We will notify you of material changes via email or in-app at least 14 days in advance.