Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

Account Registration:

Organization information: Company name, organization slug, industry, size
User information: Full name, email address, job title, department
Contact details: Phone number (optional), office location
Authentication data: Password (hashed and encrypted)

Operational Data:

Supply requests: Item descriptions, quantities, justifications
Catalogue items: Product names, descriptions, pricing
Sites and areas: Location names, addresses, organizational structure
Audit logs: User actions, timestamps, IP addresses

Payment Information:

Billing name and address
Payment details processed by Paddle Billing (not stored on our servers)
We receive only transaction confirmations from Paddle

1.2 Information Collected Automatically

Usage data: Pages visited, features used, time spent
Device information: IP address, browser type, operating system
Cookies and tracking technologies for session management and analytics

2. How We Use Your Information

Provide Service

Account management, core functionality, access control, data storage

Improve Service

Product development, performance optimization, user experience

Communications

Transactional emails, service updates, customer support

Security

Security monitoring, fraud detection, compliance

Legal Basis (GDPR): Performance of contract, legitimate interests, consent (for marketing), legal obligation

3. Data Sharing and Disclosure

We do NOT sell your personal data to third parties.

3.1 Service Providers (Data Processors)

We share data with third-party service providers who process it on our behalf:

Hosting: Railway (cloud hosting platform)
Database: PostgreSQL, Redis (session management)
Payment Processing: Paddle Billing
Analytics: Google Analytics (with IP anonymization)
Email: Transactional and marketing email service providers

3.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or valid government request. We will notify you when legally permitted and disclose only the minimum information required.

4. Multi-Tenant Data Isolation

OfficeStore operates as a multi-tenant SaaS platform. We implement comprehensive data isolation to ensure your organization's data is completely separated from other organizations.

Data Isolation Measures:

Database-Level Security: Row-Level Security (RLS) ensures your data is visible only to your organization
Application-Level Security: User authentication validates organization membership
Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.3)
Auditing: All cross-organization access attempts are logged and monitored

5. Data Security

Technical Security

Encryption: AES-256 at rest, TLS 1.3 in transit
Access Controls: Role-based access control (RBAC), MFA available
Infrastructure: Firewalls, intrusion detection, DDoS protection
Application: Input validation, SQL injection protection, XSS/CSRF protection

Data Breach Notification

In the event of a data breach, we will notify affected users within 72 hours (GDPR) via email and in-app notification, including information about the breach, affected data, and steps to take.

6. Data Retention

Active Accounts

All data retained while account is active

Days 1-30

Data available for export and reactivation

Day 90+

Complete data deletion from all systems

Audit Logs: Retained for 7 years to comply with regulatory requirements

Financial Records: Billing and payment records retained for 7 years

7. Your Data Protection Rights

For EU/EEA Users (GDPR)

Right to Access: Request a copy of your personal data in a structured format
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data
Right to Data Portability: Receive your data in machine-readable format
Right to Object: Object to processing based on legitimate interests

For California Users (CCPA)

Right to know what personal information we collect and how we use it
Right to delete personal information
Right to opt-out of sale (Note: We do NOT sell personal information)
Right to non-discrimination for exercising your rights

How to Exercise Your Rights: Email [email protected] with your request. We respond within 30 days (GDPR) or 45 days (CCPA).

8. Cookies and Tracking Technologies

Types of Cookies We Use

Essential Cookies (Required): Session management, authentication, security
Functional Cookies (Opt-in): Remember preferences, language settings
Analytics Cookies (Opt-in): Google Analytics with IP anonymization

Managing Cookies: You can manage cookie preferences in your account settings or browser settings. Essential cookies are required for the Service to function.

9. International Data Transfers

OfficeStore is operated from the United States. For users in the EU/EEA, we ensure adequate data protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Encryption during transfer and at rest
Access controls and data minimization
Regular compliance audits

10. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your data:

Privacy Team: [email protected]
Support: [email protected]
Website: https://officestoreapp.com

Response Time: We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA).

Summary of Key Points

What we collect: Account info, usage data, operational data
How we use it: Provide Service, improve features, communicate with you
Who we share with: Service providers only (we don't sell your data)
Your rights: Access, delete, correct, export your data
Security: Encryption, access controls, multi-tenant isolation
Retention: Data deleted 90 days after account termination

Last Updated: January 2026

Version: 1.0

This Privacy Policy complies with GDPR, CCPA, and international data protection standards.

Your Privacy Matters