Privacy Policy
General Principles
This policy commits to data minimization, transparency, and user control. Only data necessary for service delivery, security, and improvement is collected. No extraneous personal details are solicited. You remain in control of optional data sharing.
Information Types
We collect authentication credentials, basic profile details, and system logs for troubleshooting. No financial or health information is ever requested. Optional preferences and survey responses require explicit consent. Collection points are clearly labeled and explained.
Purpose Specification
Personal data is processed only for authentication, fraud prevention, performance monitoring, and legal compliance. Non-essential personalization is activated only with your opt-in. Aggregated analytics inform product roadmaps but never reveal individuals. Any new processing scope is announced upfront.
User Controls
Your privacy dashboard allows you to manage cookie preferences, revoke consents, and download your data. Changes take effect immediately for future data collection. Previously collected data remains subject to existing retention policies. You may also delete your account at any time.
Data Security Practices
In-transit encryption uses TLS, while at-rest data is stored with AES encryption. Access to personal data requires multi-factor authentication and adheres to the principle of least privilege. Regular security audits, vulnerability scans, and penetration tests validate these protections. Any weaknesses are addressed promptly.
Retention Periods
Active user data is retained for the life of the account plus 30 days. Anonymized logs and backups are kept up to twelve months. After retention periods, data is securely deleted or rendered anonymous. The retention policy is reviewed annually.
Data Access Requests
To exercise your right of access, correction, or deletion, submit a request via the support portal. Requests are handled within thirty days unless legal constraints apply. You may receive a report of all personal data stored about you. Deletion requests are irreversible.
Breach Procedures
A documented incident response plan outlines roles, detection, containment, and recovery steps. Breaches triggering personal data exposure prompt notifications to affected users within 72 hours. Regulator notification follows applicable timelines. Post-incident analyses enhance future resilience.
Third-Party Integrations
Data is shared only with essential service providers under data processing agreements. Providers are vetted for security and privacy compliance. No personal data is sold or shared for marketing. All third-party transfers are logged and auditable.
Automated Decisions
Automated fraud-detection and recommendation systems operate on anonymized data unless you opt in. You will be informed if any automated decision significantly affects you. Appeals to human review are supported. Automation logic and criteria are documented for audit.
Policy Updates
This policy is updated as required by law or operational changes, with prior notice for material amendments. A “Last Updated” timestamp is displayed. Material changes are communicated via notification and email at least 14 days before taking effect. Continued use after that date signifies acceptance.
