The short version: we collect what we need to run the Service and nothing more. We don't sell your data. You can export or delete it anytime.
1. Who we are
TinSuite Inc. ("we") is the data controller for personal information you provide. Reach us at [email protected]. EU users: our representative is the same; Quebec users: see Bill 64 section below.
2. What we collect
Information you give us directly
- Account details: name, email, password (hashed), business name and address.
- Billing details: payment method (held by Stripe, not us), subscription history.
- Business data you put in: customers, vendors, invoices, transactions, bank account links.
- Communications: support tickets, feedback, replies to onboarding emails.
Information collected automatically
- Device and browser info (user agent, screen size).
- IP address, approximate location (country/city level).
- Usage events: pages visited, features clicked, errors. Anonymous, aggregated, and only if you opted into Analytics cookies.
- Cookies — see Cookie Policy.
From third parties
- Plaid: bank account names, balances, transactions (only when you connect a bank).
- Stripe: payment status, card last 4 digits.
- Google / Microsoft / Apple OAuth: email, name (when you sign in with social).
3. How we use it
- To run the Service: account creation, sending invoices, syncing bank data, generating reports.
- To bill you: processing subscription payments via Stripe.
- To support you: responding to questions, fixing bugs.
- To improve: aggregated analytics on what features matter (only if you consented).
- To stay legal: tax record retention, fraud prevention, compliance with subpoenas.
- To send updates: product news, security alerts. You can opt out of marketing emails anytime.
We never sell your personal information. We do not share it with advertisers.
4. Legal bases (GDPR)
- Contract: account, billing, core features.
- Legitimate interest: security, fraud prevention, product improvement.
- Consent: analytics cookies, marketing emails.
- Legal obligation: tax records, AML/KYC where required.
5. Sub-processors
We use these vetted vendors to deliver the Service:
| Vendor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Primary hosting | Germany (EU) |
| Stripe Inc. | Payment processing | USA |
| Plaid Inc. | Bank connections | USA / Canada |
| Resend Inc. | Transactional email | USA |
| Track1099 / TaxBandits | 1099-NEC e-file | USA |
| Cloudflare Inc. | CDN, DDoS protection | Global |
Up-to-date list at tinsuite.com/sub-processors.
6. Data retention
- Active accounts: while you use the Service.
- Inactive accounts: 24 months, then we ask if you still want them.
- Deleted accounts: 30-day soft delete, then permanent wipe — except tax-relevant records, which we retain anonymized for 7 years per IRS / CRA requirements.
- Backups: 30 days.
- Audit logs: 12 months for non-paying accounts; 7 years for Business plan.
7. Your rights
You can, at any time:
- Access & export — request a JSON archive from Settings → Privacy (GDPR Art. 15, 20).
- Correct — edit account data directly in the app.
- Delete — request account deletion from Settings → Privacy (GDPR Art. 17).
- Restrict / object — email [email protected].
- Withdraw consent — for analytics cookies, marketing emails.
- Complain — to your local data protection authority (e.g., your EU member state DPA, Canadian Privacy Commissioner).
We reply to verified requests within 30 days.
8. California (CCPA)
If you're a California resident, you have the right to know what personal information we collect and how it is used, to request its deletion, and to opt out of its sale (we don't sell). To exercise these rights, email [email protected].
9. Quebec (Bill 64 / Law 25)
If you're a Quebec resident: our Privacy Officer is reachable at [email protected]. We don't make automated decisions affecting you. Bill 96: where applicable, French-language documents are available; version française.
10. International transfers
We host primarily in Germany (Hetzner). Some sub-processors are in the USA — for these, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.
11. Security
- TLS 1.3 in transit; AES-256 at rest.
- Bcrypt for password hashing (cost factor 12).
- 2FA available; backup codes; rate limiting on auth endpoints.
- Bank tokens encrypted with keys we control, not Plaid's.
- SOC 2 Type II audit in progress.
- Breach notification: within 72 hours of confirmation, per GDPR Art. 33.
12. Children
The Service is not for children under 16. We don't knowingly collect their data. If we learn we have, we'll delete it.
13. Changes
For material changes, we'll notify you 30 days in advance via email and in-app banner. Minor edits may be made anytime; we'll update the "Last updated" date.
14. Contact
Privacy questions or rights requests: [email protected]
Mailing: TinSuite Inc., Wilmington, DE, USA