Privacy Policy | Solostash

Effective date: [INSERT DATE BEFORE LAUNCH]
Last updated: [INSERT DATE BEFORE LAUNCH]

This Privacy Policy describes how AURIA Digital s.r.o. ("Company", "we", "us", "our") collects, uses, stores, and protects your personal data when you use Solostash ("Service", "Platform"), accessible at solostash.com and app.solostash.com.

We are committed to protecting your privacy and handling your data with transparency. Solostash is designed and operated in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

AURIA Digital s.r.o.
Slovak Republic
Email: support@solostash.com
Website: https://solostash.com

If you have questions about how your data is processed or wish to exercise your rights, contact us at support@solostash.com.

2. What Data We Collect

2.1 Data You Provide Directly

When you create an account and use Solostash, you provide us with:

Data	Purpose	Legal Basis
Email address	Account creation, login, transactional emails, support	Contract performance
Password	Account authentication (stored as a secure hash, never in plain text)	Contract performance
Display name	Personalization within the Service	Contract performance
Profile avatar	Personalization within the Service	Consent
Business logo	Branding on your invoices and estimates	Contract performance
Timezone and locale preferences	Correct time display, currency formatting	Contract performance

2.2 Business Data You Create

All business data you enter into Solostash is processed to provide the Service. This includes:

Client information (names, emails, phone numbers, company names, websites)
Project details (names, descriptions, budgets, dates)
Tasks (titles, descriptions, priorities, due dates)
Time entries (durations, descriptions, rates)
Invoices and estimates (line items, amounts, terms)
Expenses (amounts, categories, descriptions, receipts)
Notes (content, attachments)
Calendar events (titles, descriptions, dates, attendees)
Subscription tracking data (tool names, costs, renewal dates)

Important: This business data belongs to you. We process it solely to provide and improve the Service. We do not sell, share, or use your business data for advertising.

2.3 Data Collected Automatically

When you use the Service, we automatically collect certain technical data:

Data	Purpose	Legal Basis
IP address	Security, rate limiting, abuse prevention	Legitimate interest
Browser type and version	Compatibility, debugging	Legitimate interest
Device type	Responsive design, performance optimization	Legitimate interest
Error logs and stack traces	Debugging and Service stability (via Sentry)	Legitimate interest
API request metadata	Rate limiting, performance monitoring	Legitimate interest

We do not collect or use:

Location data (beyond what can be inferred from your IP address)
Browsing history outside of Solostash
Data from other apps on your device
Biometric data

2.4 Payment Data

Payment processing is handled entirely by Stripe. We do not collect, store, or have access to your full credit card number, CVV, or banking details. Stripe provides us with:

The last 4 digits of your card (for your reference in account settings)
Card brand (Visa, Mastercard, etc.)
Billing country
Payment status (success, failure)
Subscription status and billing history

For Stripe's data handling practices, see Stripe's Privacy Policy.

3. How We Use Your Data

We use your personal data for the following purposes:

Purpose	Data Used	Legal Basis
Providing the Service	Account data, business data	Contract performance
Processing payments	Payment data (via Stripe)	Contract performance
Sending transactional emails	Email address	Contract performance
Password reset and account security	Email address	Contract performance
Customer support	Email, account data, usage context	Contract performance
Error detection and debugging	Error logs, browser/device info	Legitimate interest
Rate limiting and abuse prevention	IP address	Legitimate interest
Service performance monitoring	Aggregated usage metrics	Legitimate interest
Sending product updates and newsletters	Email address	Consent
Legal compliance	Account and payment data	Legal obligation

What We Do NOT Do

We do not sell your personal data to third parties
We do not use your data for targeted advertising
We do not share your data with data brokers
We do not profile you for marketing purposes
We do not use your business data to train AI models

4. Third-Party Services

We use a limited number of third-party services to operate Solostash. Each has been selected with data protection in mind.

4.1 Supabase (Database & Authentication)

Purpose: Stores your account data and all business data. Manages authentication (login, password hashing, session tokens).
Data processed: All data listed in Sections 2.1 and 2.2.
Location: European Union
Security: Row-Level Security (RLS) ensures only you can access your own data. All data is encrypted at rest and in transit.
Privacy policy: https://supabase.com/privacy

4.2 Stripe (Payments)

Purpose: Processes subscription payments, manages billing portal.
Data processed: Payment method details, billing address, transaction history.
Location: EU/US (Stripe is certified under the EU-US Data Privacy Framework)
Privacy policy: https://stripe.com/privacy

4.3 Brevo (Email)

Purpose: Sends transactional emails (welcome emails, password resets, invoice notifications, estimate sharing, summary notifications).
Data processed: Email address, display name, email content.
Location: European Union (France)
Privacy policy: https://www.brevo.com/legal/privacypolicy/

4.4 Vercel (Hosting)

Purpose: Hosts the Solostash website and web application. Provides edge caching and serverless computing.
Data processed: IP address, request headers, page requests.
Location: Global edge network with EU presence
Privacy policy: https://vercel.com/legal/privacy-policy

4.5 Sentry (Error Tracking)

Purpose: Monitors application errors and performance issues to maintain Service stability.
Data processed: Error stack traces, browser and device information, IP address (anonymized).
Data NOT processed: Sentry does not receive your business data (clients, invoices, etc.).
Location: EU data processing available
Privacy policy: https://sentry.io/privacy/

4.6 Upstash (Rate Limiting)

Purpose: Provides rate limiting to protect the Service from abuse.
Data processed: Anonymized request identifiers, request count.
Location: European Union
Privacy policy: https://upstash.com/privacy

4.7 Google (Calendar Integration — Optional)

Purpose: Two-way calendar synchronization, Google Meet link generation.
Data processed: Calendar events (titles, descriptions, dates, attendees) — only when you explicitly connect your Google Calendar.
Note: This integration is entirely optional. No data is shared with Google unless you enable the connection.
Privacy policy: https://policies.google.com/privacy

5. Data Storage and Security

5.1 Where Your Data Is Stored

Your data is stored on servers within the European Union. Our primary database is hosted on Supabase (PostgreSQL) with data centers in the EU. File uploads (such as business logos and receipt images) are stored on Vercel Blob storage.

5.2 Security Measures

We implement the following security measures to protect your data:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
Encryption at rest: Your data is encrypted at rest on the database server.
Password hashing: Passwords are hashed using industry-standard algorithms (bcrypt). We never store plain-text passwords.
Row-Level Security (RLS): Database-level security ensures that each user can only access their own data. This is enforced at the database level, not just the application level.
Authentication tokens: Session tokens are managed by Supabase Auth with automatic expiration and refresh.
Rate limiting: API requests are rate-limited to prevent brute force attacks and abuse.
Error monitoring: Sentry monitors for security-relevant errors and anomalies.

5.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
Notify affected users without undue delay
Document the breach and corrective measures taken

6. Data Retention

Data Type	Retention Period
Active account data	Retained for the duration of your account
Business data (clients, projects, tasks, etc.)	Retained for the duration of your account
After account deletion	Permanently deleted from active systems within 30 days
Encrypted backups	Purged within 90 days of account deletion
Trial data (no subscription)	Retained for 30 days after trial expiration, then deleted
Payment records	Retained as required by tax and accounting law (typically 10 years)
Error logs (Sentry)	Automatically deleted after 90 days
Email delivery logs (Brevo)	Retained per Brevo's data retention policy

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you. You can access most of your data directly within the Service through the export functionality (CSV/JSON).

7.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update your account information at any time through your account settings.

7.3 Right to Erasure ("Right to Be Forgotten")

You have the right to request the deletion of your personal data. You can:

Delete individual data items within the Service (clients, projects, tasks, etc.)
Request full account deletion by contacting us at support@solostash.com

We will comply with erasure requests within 30 days, except where we are legally required to retain certain data (e.g., payment records for tax purposes).

7.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Solostash provides built-in data export functionality in CSV and JSON formats.

7.6 Right to Object

You have the right to object to the processing of your personal data based on legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds.

7.7 Right to Withdraw Consent

Where processing is based on your consent (such as newsletter subscriptions), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7.8 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the Slovak Republic, the relevant authority is:

Úrad na ochranu osobných údajov Slovenskej republiky
(Office for Personal Data Protection of the Slovak Republic)
Website: https://dataprotection.gov.sk

7.9 How to Exercise Your Rights

To exercise any of your rights, contact us at support@solostash.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

8. Cookies and Tracking

8.1 What Cookies We Use

Solostash uses a minimal number of cookies, all of which are necessary for the Service to function:

Cookie	Type	Purpose	Duration
Supabase auth tokens	Strictly necessary	Keeps you logged in and authenticates API requests	Session / 7 days
Stripe session	Strictly necessary	Manages the checkout and billing portal session	Session
Cookie consent preference	Strictly necessary	Remembers your cookie consent choice	1 year

8.2 What We Do NOT Use

No advertising cookies
No social media tracking pixels
No Google Analytics or similar tracking tools
No third-party marketing cookies
No cross-site tracking

8.3 Cookie Consent

Because we only use strictly necessary cookies (required for the Service to function), we are not required to obtain consent for these cookies under the ePrivacy Directive. However, we provide transparency about their use.

If we add any non-essential cookies in the future (such as analytics), we will update this policy, implement a cookie consent banner, and obtain your consent before setting those cookies.

For more details, see our Cookie Policy.

9. International Data Transfers

Your data is primarily stored and processed within the European Union. In some cases, our third-party service providers may process data outside the EU (e.g., Stripe has operations in the United States). In such cases, appropriate safeguards are in place:

EU-US Data Privacy Framework: Stripe is certified under the EU-US Data Privacy Framework.
Standard Contractual Clauses (SCCs): Where applicable, our providers use EU-approved Standard Contractual Clauses.
Adequacy decisions: Where the European Commission has determined that a non-EU country provides an adequate level of data protection.

We do not transfer your business data (clients, invoices, projects, etc.) outside the EU.

10. Children's Privacy

Solostash is not directed to children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at support@solostash.com.

11. Third-Party Links

The Service may contain links to third-party websites or services (such as client websites stored in your CRM, or links in estimates and invoices). We are not responsible for the privacy practices of these third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this document
Notify you via email or through the Service at least 14 days before the changes take effect

Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes.

13. Data Processing for Invoices and Estimates

13.1 Shared Estimates

When you share an estimate with a client via a public URL, the estimate content (line items, pricing, terms) is accessible to anyone with the link. We track the number of views on shared estimates to provide you with engagement insights. The viewer's IP address is not stored.

13.2 Emailed Invoices and Estimates

When you send an invoice or estimate via email through Solostash, the email is delivered by Brevo. The recipient's email address is used solely for delivery purposes and is not added to any marketing list.

14. Offline Data

Solostash supports offline usage through its Progressive Web App (PWA) architecture. When you use the Service offline:

Data is stored locally on your device using standard browser storage mechanisms
This data is automatically synchronized with our servers when your internet connection is restored
We do not have access to your locally stored offline data until it is synchronized
You are responsible for the security of your device and locally stored data

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

AURIA Digital s.r.o.
Email: support@solostash.com
Website: https://solostash.com

We aim to respond to all privacy-related inquiries within 30 days.

This Privacy Policy is provided as a template tailored to Solostash. We strongly recommend having it reviewed by a qualified legal professional before publication, particularly regarding compliance with GDPR, Slovak data protection law, and the ePrivacy Directive.