Privacy Policy

1. Introduction

Welcome to Effitrio ("we," "our," "us," or "Effitrio"). Effitrio is an ERP mini tool suite that helps businesses manage invoices, expenses, projects, and customer relationships efficiently. We are committed to protecting your privacy and ensuring the security of your personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at www.effitrio.com and use our services (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Account Information (Required at Registration)

To create a Effitrio account, we require:

• Email address (used for login and communication)
• Full name (displayed in your profile)
• Password (encrypted with bcrypt, never stored in plain text)

2.2 Business Data (Optional, You Control What's Entered)

You optionally enter business data when using Effitrio features. We only collect what you provide:

• Company Profile: Name, address, email, phone, tax ID, VAT number, logo, bank details (all optional fields you control)
• Clients/Customers: Name, email, phone, address, tax ID, contact person, notes (only what you enter)
• Invoices: Invoice number, dates, line items, amounts, tax calculations, payment terms, notes (you create these)
• Expenses: Description, category, amount, date, vendor, notes, receipt images (you upload)
• Projects: Name, description, timeline, assigned team members, tasks (you define)

💡 You're in control: All business data is entered and managed by you. No mandatory fields beyond what's needed for basic functionality.

2.3 Payment Information

If you upgrade to a paid subscription (Pro Beta or Pro V1):

• Billing address (for invoicing)
• Payment method (credit card info is handled by Stripe; we never see or store card numbers)
• Subscription tier and history (managed by our payment processor)

2.4 Automatically Collected Information

We automatically collect technical data necessary to operate and secure the Service:

• Device & Technical Data: IP address, browser type, operating system (for security and support)
• Usage Analytics: Pages visited, features used, interaction patterns (to improve product and identify issues)
• Session Information: Login/logout times, session duration (for account security)
• Authentication Tokens: JWT tokens for secure session management
• Browser Storage: Company details stored in localStorage (only for your convenience, never transmitted to our servers)

2.5 Communication Data

If you contact us:

• Support messages: We collect your message content to help resolve issues
• Feedback: Feature requests and bug reports you voluntarily share
• Email communications: Newsletters, feature announcements, billing notifications (you can unsubscribe anytime)

✅ What we DON'T collect: We don't use third-party analytics trackers, don't track you across websites, and don't share your data with advertisers.

3. How We Use Your Information

We use your information for the following purposes:

• Service Delivery: To provide, maintain, update, and support all Effitrio features (invoicing, expense tracking, project management, reporting).
• Account Management: To create accounts, authenticate users, manage workspaces, reset passwords, and handle subscription changes.
• Data Persistence: For registered users, to store business data in our secure database for access and management across devices and sessions.
• Communication: To send service updates, feature announcements, billing notifications, invoices, and support responses (email from Resend).
• AI Features: To power AI-assisted features (summarization, insights) by processing data within your workspace (OpenAI API; see Section 6 for data sharing).
• Analytics & Improvement: To understand usage patterns and improve product features (anonymized, aggregated data only).
• Security & Fraud Prevention: To detect, prevent, and address technical issues, unauthorized access, fraud, and data breaches.
• Legal Compliance: To comply with tax law requirements, audit obligations, and respond to lawful legal requests.

4. Data Storage and Security

4.1 Data Storage for Registered Users

All your business data is stored in our PostgreSQL database hosted on secure infrastructure. Your data includes invoices, clients, expenses, projects, and workspace settings. You can access, modify, or delete individual records at any time via your dashboard.

Storage Duration: Data is retained as long as your account is active. Upon account deletion, we securely delete your data within 30 days (with the exception of transaction logs retained for 7 years per tax/accounting requirements).

4.2 Data Storage for Unregistered Users

Invoice data generated without an account remains entirely on your device. It is never transmitted to our servers. Only optional company details (name, address, etc.) are stored in your browser's localStorage for auto-fill convenience.

4.3 Security Measures

We implement industry-standard security practices to protect your data:

• Encryption in Transit: All connections use HTTPS/TLS 1.2+ encryption.
• Encryption at Rest: Database encryption and secure key management.
• Password Security: Passwords hashed using bcrypt with salt.
• Authentication: JWT-based session management with secure token storage.
• Access Controls: Role-based access control (RBAC) and workspace isolation.
• Infrastructure: Hosted on secure, SOC 2-compliant infrastructure (Railway).
• Monitoring: Regular security audits and vulnerability assessments.

4.4 Limitations

While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute protection against all threats. During the alpha phase, security measures may be enhanced based on feedback and best practices.

5. GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR):

5.1 Your Rights

• Right to Access: You can request a copy of all personal data we hold about you
• Right to Rectification: You can correct inaccurate or incomplete data
• Right to Erasure: You can request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: You can request that we limit how we use your data
• Right to Data Portability: You can request your data in a structured, machine-readable format
• Right to Object: You can object to processing of your data for certain purposes
• Right to Withdraw Consent: You can withdraw consent at any time where processing is based on consent

5.2 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: To provide the invoice generation service you requested
• Legitimate Interests: To improve our service, ensure security, and prevent fraud
• Consent: Where you have provided explicit consent for specific processing activities
• Legal Obligation: To comply with applicable laws and regulations

5.3 Exercising Your Rights

To exercise any GDPR rights, contact us at: privacy@effitrio.com

Include your request details, account email, and any relevant documentation. We will verify your identity and respond within 30 days (or inform you of delays). If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

5.4 Data Portability

Upon request, we can provide your personal data in a structured, machine-readable format (JSON or CSV) to facilitate transfer to another service.

6. Data Sharing and Third-Party Processors

We do not sell, trade, or rent your personal information to third parties for marketing. We share your data only with service providers necessary to operate Effitrio, and only to the extent required. Our current third-party processors include:

6.1 Service Providers

• Stripe: Payment processing and subscription management (payment data only; PCI DSS compliant).
• Resend: Transactional email delivery (email addresses, invoice data for email content).
• OpenAI: AI-powered features like invoice summarization and insights (data processed within your workspace; see Section 4.4).
• Railway: Cloud infrastructure and database hosting.

6.2 AI Data Processing

Effitrio uses OpenAI's API for AI-powered features like invoice insights and analysis. Here's how we handle your data:

• PII Protection: Before sending any data to OpenAI, we mask personally identifiable information (PII). Names, email addresses, phone numbers, and sensitive details are replaced with tokens (e.g., `__PII_1__`) that OpenAI never sees the real values of.
• Tool-Based Access: OpenAI doesn't receive your full database. Instead, it accesses only necessary data through controlled tools for specific operations (e.g., "get invoice summary" returns only that summary, not all invoices).
• OpenAI Retention: OpenAI may retain your data for up to 30 days for abuse monitoring (see OpenAI's API Privacy Policy).
• No Training: Your data is not used to train OpenAI's models (as per OpenAI's data policy for business customers).

💡 What this means: OpenAI processes your data but never sees your actual customer names, emails, phone numbers, or other PII.

6.3 Legal Requirements & Protection

We may disclose your information when required by law, court order, or government regulation. We may also share information to:

• Protect Effitrio's intellectual property, privacy, and safety.
• Prevent or investigate possible wrongdoing in connection with the Service.
• Protect the rights, property, or safety of Effitrio, users, or the general public.
• Enforce legal obligations or this Privacy Policy.

6.4 Business Transfers

If Effitrio is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify users of any such change and any choices they may have regarding their information.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your session and authentication state
• Remember your preferences (e.g., company details in localStorage)
• Analyze service usage and improve functionality

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our service.

8. Data Retention

Registered Users: We retain your invoice data and account information for as long as your account is active or as needed to provide services. You can delete your account or specific invoices at any time.

Public Users: No data is retained on our servers. Any data stored in your browser's localStorage can be cleared by you at any time.

We may retain certain information for longer periods if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

10. Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of our service after such changes constitutes acceptance of the updated policy.

12. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users within 72 hours (or as required by law). Notifications will include details of the breach, data affected, and recommended security actions.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

14. Policy Updates

We review this Privacy Policy regularly and update it to reflect changes in our practices, technology, legal requirements, or other factors. Significant changes will be posted on this page with an updated "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.