Privacy Policy

1. Information We Collect

1.1 Information You Provide to Us

• Account Information: Name, email address, password, and company details
• Business Profile Data: Business type, industry, location, employee count, revenue range
• Compliance Information: Regulatory requirements, compliance status, deadlines, and notes
• Document Storage: Files you upload for compliance documentation
• Communication Data: Contact form submissions, support requests, and feedback
• Payment Information: Billing details processed through secure third-party payment processors

1.2 Information We Collect Automatically

• Usage Data: How you interact with our platform, features used, time spent
• Device Information: IP address, browser type, operating system, device identifiers
• Cookies and Tracking: See our Cookie Policy below for details
• Log Data: Access times, pages viewed, errors, and system activity

2. How We Use Your Information

2.1 Primary Uses

• Service Provision: Provide compliance analysis, deadline tracking, and document management
• Personalization: Create customized compliance roadmaps based on your business profile
• Communication: Send important notifications, deadlines, and platform updates
• Support: Respond to your questions and provide customer assistance
• Platform Improvement: Analyze usage patterns to enhance our services

2.2 Legal Bases for Processing (GDPR)

• Contract Performance: Processing necessary to provide SMBRegs services
• Legitimate Interests: Improving our platform and preventing fraud
• Consent: Marketing communications and optional features
• Legal Compliance: Meeting our own regulatory obligations

3. Information Sharing and Disclosure

3.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal information or business data to third parties for their marketing purposes.

3.2 Limited Sharing

We may share your information only in these specific circumstances:

• Service Providers: Trusted third parties who help us operate our platform (hosting, payments, analytics)
• Legal Requirements: When required by law, court order, or legal process
• Business Transfers: In the event of a merger, acquisition, or sale of assets
• Safety and Security: To protect against fraud, abuse, or security threats
• Consent: When you explicitly authorize us to share specific information

3.3 Third-Party Service Providers

We work with the following types of service providers who may access your data:

• Cloud Infrastructure: Supabase (data storage and authentication)
• Payment Processing: Stripe (billing and payments)
• Analytics: Web analytics services (usage patterns and performance)
• Communication: Email service providers for notifications

4. Data Security

4.1 Security Measures

• Encryption: All data is encrypted in transit (SSL/TLS) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Infrastructure Security: Hosted cloud providers with published security controls
• Regular Reviews: Ongoing security maintenance and vulnerability review
• Employee Training: Regular security awareness training for all staff

4.2 Data Breach Protocol

In the unlikely event of a data breach, we will:

• Notify affected users within 72 hours of discovery
• Report to relevant authorities as required by law
• Take immediate steps to secure the breach and prevent further access
• Provide clear information about what data was affected and steps being taken

5. Your Privacy Rights

5.1 Access and Control

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information in your account
• Deletion: Request deletion of your account and associated data
• Portability: Export your data in a machine-readable format
• Opt-out: Unsubscribe from marketing communications at any time

5.2 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

• Right to know what personal information is collected and how it's used
• Right to delete personal information (subject to certain exceptions)
• Right to opt-out of the sale of personal information (we don't sell data)
• Right to non-discrimination for exercising privacy rights

5.3 EU Privacy Rights (GDPR)

If you are in the European Union, you have additional rights:

• Right to object to processing based on legitimate interests
• Right to restrict processing in certain circumstances
• Right to withdraw consent where processing is based on consent
• Right to lodge a complaint with supervisory authorities

6. Data Retention

6.1 Retention Periods

• Active Accounts: We retain your data while your account is active
• Inactive Accounts: Data is deleted after 2 years of inactivity
• Compliance Documents: Retained for 7 years as recommended for business records
• Payment Records: Kept for 7 years for tax and accounting purposes
• Support Communications: Deleted after 3 years

6.2 Account Deletion

When you delete your account:

• Personal information is permanently deleted within 30 days
• Business data and documents are securely destroyed
• Some information may be retained for legal compliance (anonymized when possible)
• Backups are purged according to our data retention schedule

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

• Essential Cookies: Required for platform functionality and security
• Performance Cookies: Help us understand how users interact with our platform
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Used to deliver relevant advertisements (with consent)

7.2 Cookie Management

You can control cookies through:

• Your browser settings to block or delete cookies
• Our cookie preference center (available in your account settings)
• Third-party opt-out tools for marketing cookies

8. International Data Transfers

SMBRegs is based in the United States. If you access our services from outside the US:

• Your data may be transferred to and stored in the United States
• We implement appropriate safeguards for international transfers
• We comply with applicable data protection laws in your jurisdiction
• You consent to such transfers by using our services

9. Children's Privacy

SMBRegs is designed for business use and not intended for individuals under 16 years old. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

• We'll post the updated policy on this page with a new "Last Updated" date
• For material changes, we'll notify you by email or platform notification
• Your continued use of SMBRegs after changes constitutes acceptance
• We'll maintain previous versions for your reference

11. Contact Information

If you have questions about this Privacy Policy or want to exercise your privacy rights:

12. Compliance Frameworks and Provider Commitments

SMBRegs is designed with these privacy frameworks and provider claims in mind:

• GDPR: We support common privacy rights workflows for applicable users
• CCPA: We describe California privacy rights and how to exercise them
• Provider Certifications: Some infrastructure vendors advertise certifications such as SOC 2 Type II
• PIPEDA: We aim to handle personal information in a manner consistent with applicable privacy obligations

This Privacy Policy was last updated on February 13, 2025. Previous versions are available upon request.