Privacy Policy
Effective Date: [TO BE COMPLETED BY COUNSEL BEFORE PUBLICATION]
Last Updated: February 26, 2026
1. Who We Are
NSuite Solo ("NSuite," "we," "us," or "our") is a business management software platform built for independent, solo service-based business operators — including mobile detailers, hair studio owners, photographers, and similar professionals. NSuite Solo is operated by [COMPANY NAME], a [STATE/COUNTRY] company located at [COMPANY ADDRESS].
We are the data controller for information you provide directly to us when creating and managing your NSuite account and business profile.
We act as a data processor (or "service provider" under CCPA) for personal data that business owners ("Operators") input about their own customers ("End Clients") while using the platform. In that capacity, we process End Client data on behalf of the Operator, who remains the data controller for their clients' information.
Questions about this Privacy Policy may be directed to: [PRIVACY CONTACT EMAIL]
2. Scope of This Policy
This Privacy Policy describes how NSuite Solo collects, uses, stores, shares, and protects personal information in connection with our web application, API, and all related services (collectively, the "Service").
This Policy covers two distinct groups of people:
- Operators: Business owners who register for NSuite Solo accounts, subscribe to a plan, and use the platform to run their business.
- End Clients: The individual customers of Operators whose contact details, appointments, invoices, and related records are managed within the platform on the Operator's behalf.
If you are an End Client whose information appears in NSuite Solo, your information is processed at the direction of the Operator. For privacy questions about data an Operator holds about you, we recommend contacting the Operator directly.
3. Information We Collect
3.1 Information You Provide — Operators
When you register for and use NSuite Solo, we collect the following directly from you:
| Category | Data Points | When Collected |
|---|---|---|
| Account Identity | First name, middle name, last name | Registration |
| Contact | Email address, phone number (E.164 format) | Registration |
| Credentials | Password (stored as a bcrypt hash; plaintext is never retained) | Registration |
| Business Profile | Business name, description, business phone number | Onboarding |
| Business Address | Street address (line 1 & 2), city, state (2-letter), postal code, country | Onboarding |
| Geolocation | Business latitude and longitude coordinates | Onboarding (optional) |
| Email Preferences | Custom email "from" display name, custom reply-to email address | Settings (Starter/Pro plans only) |
| Stripe Identifiers | Stripe Customer ID, Stripe Subscription ID, Stripe Connect Account ID | Generated by Stripe; stored as opaque reference IDs |
Password Security: Passwords are hashed using bcrypt with 12 salt rounds before storage. The plaintext password is never logged, stored, or transmitted. The password hash is never returned in any API response.
3.2 Information Operators Provide About End Clients
| Category | Data Points |
|---|---|
| Identity | First name, middle name, last name |
| Contact | Email address, phone number |
| Appointment Records | Scheduled start/end times, service type, appointment status |
| Appointment Address | Street address, city, state, postal code, country of the service location |
| Invoice Records | Invoice status, line items, subtotal, total, currency, issue date, due date, payment date |
| Staff Notes | Free-form text notes authored by the Operator or authorized staff |
| Activity Log | Audit trail of actions taken with associated timestamps and actor identification |
3.3 Information Collected Automatically
| Category | Data Points | Purpose |
|---|---|---|
| Authentication Token | JSON Web Token (JWT) stored as an access_token cookie | Authentication and session management |
| Server Logs | Structured application logs via the Pino logging library | Operations, debugging, security monitoring |
No analytics or behavioral tracking data is collected. We do not integrate Google Analytics, Meta Pixel, Mixpanel, Hotjar, or any equivalent tracking service.
4. Cookies and Browser Storage
For a detailed description of every cookie and storage item used, please see our Cookie Policy.
In summary: we set one first-party cookie — access_token — which is strictly necessary for authentication. We do not use advertising cookies, analytics cookies, or cross-site tracking cookies. When you access a public invoice payment page, Stripe's JavaScript library sets Stripe-operated cookies for fraud prevention.
5. How We Use Your Information
5.1 Service Delivery (Performance of Contract)
- Authenticating your identity on login; maintaining your logged-in session
- Providing all platform features: client management, appointment scheduling, invoicing, inventory management
- Processing subscription payments via Stripe
- Enabling End Client invoice payments via Stripe Connect
- Sending transactional emails (invoice delivery, payment receipts, low-stock alerts)
- Computing and collecting platform application fees on invoice payments
5.2 Account Support and Security
- Enabling password reset through time-limited, single-use reset tokens
- Rate-limiting API requests (100 requests per 60 seconds) to protect availability
- Responding to support inquiries
5.3 Legal and Financial Compliance
- Retaining invoice and payment records for financial reporting and audit purposes, consistent with applicable record-keeping requirements (including IRS Section 6001, which requires retention of financial records for a minimum of seven years)
- Maintaining an audit log for transaction integrity and dispute resolution
- Responding to lawful legal requests, court orders, and regulatory demands
We do not use your personal information for targeted advertising or advertising profiling, selling or renting data to third parties, or automated decision-making or profiling with legal effect.
6. Payment Processing and Financial Data
We do not store, transmit, or have access to your payment card numbers, expiration dates, or CVV codes. All payment card data is collected directly by Stripe's infrastructure.
For subscription payments, you are redirected to a Stripe-hosted Checkout page. For invoice payments, payment data is entered into Stripe's PaymentElement iframe, which communicates directly with Stripe. No payment card data passes through NSuite Solo's servers at any point.
Stripe, Inc. is our payment processor and acts as a sub-processor for payment data. Stripe's use of your information is governed by Stripe's Privacy Policy.
7. Email Communications
NSuite Solo sends the following transactional emails on behalf of Operators: invoice delivery (to End Client), payment receipt (to End Client and Operator), and low-inventory alerts (to Operator only). These emails are delivered via Resend in production.
Every commercial email includes a one-click unsubscribe link in compliance with CAN-SPAM and CASL requirements. NSuite Solo does not send marketing or promotional emails.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| User account (Operator) | Until erasure request is processed (30-day grace period) | Contractual necessity |
| Business profile | Until erasure request is processed | Contractual necessity |
| Client records (End Clients) | Until Operator or End Client erasure request is processed | Operator direction |
| Invoice and payment records | Minimum 7 years from payment date | IRS Section 6001 / financial record-keeping compliance |
| Staff notes | Hard deleted upon user erasure | No ongoing legal basis after erasure |
| Activity / audit log | Retained indefinitely in anonymized form; PII anonymized to [REDACTED] on erasure | Audit integrity |
| Email queue (outbox) | Email body HTML nullified immediately after successful delivery; metadata retained 90 days | Operational necessity |
| Password reset tokens | Deleted immediately upon use or expiry (1-hour window) | Security hygiene |
| Public invoice tokens | Expire and become inaccessible 90 days after invoice is sent | Data minimization |
9. Your Privacy Rights
Irrespective of your location, you may request access or correction, or lodge a complaint, by contacting [PRIVACY CONTACT EMAIL].
9.1 California Residents (CCPA / CPRA)
California residents have the right to know, delete, correct, and opt out of sale of their personal information. We do not sell, rent, or share personal information with third parties for monetary consideration or cross-context behavioral advertising. No opt-out of sale is necessary.
9.2 EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you have rights under GDPR including: access (Art. 15), rectification (Art. 16), erasure / right to be forgotten (Art. 17 — subject to the 7-year invoice retention exception), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and withdrawal of consent. You also have the right to lodge a complaint with your local supervisory authority (see edpb.europa.eu).
GDPR Erasure Limitations: Invoice and payment records are retained for seven years under Article 17(3)(b). Activity log entries are anonymized (not deleted) to preserve audit integrity.
9.3 Submitting a Privacy Request
Submit requests to [PRIVACY CONTACT EMAIL]. We will acknowledge within 5 business days and respond substantively within 30 calendar days.
10. Data Sharing and Third-Party Sub-Processors
We do not sell, rent, or trade personal information. We share data only as follows:
| Sub-Processor | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, Connect payouts | Business owner email and name; Stripe identifiers |
| Resend | Transactional email delivery | Recipient email address, full rendered email body |
No other third-party services receive personal data from NSuite Solo as part of normal platform operations.
11. Data Security
We implement the following technical and organizational security measures:
- Password hashing: bcrypt with 12 salt rounds; plaintext passwords never stored or logged
- Authentication cookies: HttpOnly, Secure (production), SameSite=Lax; inaccessible to client-side JavaScript
- HTTPS: All production traffic encrypted in transit via TLS
- Rate limiting: API requests limited to 100 per 60-second window per client
- Payment card data isolation: No card data is stored on or passes through NSuite servers; card handling is fully delegated to Stripe
- Webhook signature verification: All Stripe webhooks verified via HMAC signature
- Input validation: All API inputs validated and sanitized; undeclared fields stripped via whitelist
12. Children's Privacy
NSuite Solo is designed for use by adult business operators and their adult clients. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EU/EEA). If you believe we have inadvertently collected data from a minor, please contact [PRIVACY CONTACT EMAIL] immediately.
13. Cross-Border Data Transfers
NSuite Solo is operated from the United States. If you are accessing the Service from outside the United States — including from the EU/EEA — your information will be transferred to and processed in the United States.
[COUNSEL NOTE: Confirm production hosting infrastructure and insert applicable transfer mechanism(s) — e.g., EU Standard Contractual Clauses — before publication.]
14. Governing Law
This Privacy Policy is governed by the laws of [STATE/JURISDICTION], without regard to conflict of laws principles. Any disputes shall be resolved in accordance with our Terms of Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and notify you by email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
16. Contact Us
[COMPANY NAME]
Attn: Privacy
[COMPANY ADDRESS]
Email: [PRIVACY CONTACT EMAIL]