Privacy Policy

Effective date · March 22, 2026

Contents

  1. Controller & Contact
  2. Information We Collect
  3. How We Use Your Information
  4. Document Data & SDF Files
  5. Data Sharing & Disclosure
  6. Data Retention
  7. Your Rights
  8. Cookies & Tracking
  9. Data Security
  10. Children's Privacy
  11. International Transfers
  12. Changes to This Policy

Etapsky Inc. ("Etapsky", "we", "us", or "our") operates the Etapsky platform at etapsky.com, api.etapsky.com, portal.etapsky.com, and associated services (collectively the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. Please read it carefully.

1. Controller & Contact

The data controller responsible for your personal data is:

Etapsky Inc.

Founder: Yunus YILDIZ

Email: privacy@etapsky.com

Website: etapsky.com

For any privacy-related questions, data subject requests, or to exercise your rights, contact us at privacy@etapsky.com.

2. Information We Collect

2.1 Information you provide directly

  • Account information: Email address, password (stored as an Argon2id hash — we never store your plaintext password), organization name, and role when you register for a portal account.
  • Profile information: Display name and optional profile details you add to your account.
  • Billing information: Subscription plan selection. Payment card details are processed by our payment processor and are not stored on Etapsky servers.
  • Communications: Information you provide when contacting support or sending us email.

2.2 Information collected automatically

  • Usage data: API request logs including endpoint paths, HTTP methods, response codes, timestamps, and request sizes. These are retained for security, billing, and debugging purposes.
  • IP addresses: Collected on every authenticated request and stored in the audit log. Used for abuse detection, rate limiting, and security investigations.
  • Device and browser information: User-agent strings collected during web portal sessions.
  • Cookies: Session cookies and authentication tokens. See Section 8 for details.

2.3 API keys

When you generate an API key, we store only a SHA-256 hash of the key — the raw key is shown once at generation time and never stored. The prefix (first 8 characters) is stored for display purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Etapsky Service
  • Authenticate your identity and manage your account sessions
  • Process your subscription and billing
  • Enforce per-tenant rate limits and prevent abuse
  • Generate and maintain an immutable audit log of actions within your organization
  • Send transactional emails (email verification, password reset, subscription receipts)
  • Improve the Service, diagnose bugs, and conduct security investigations
  • Comply with legal obligations and enforce our Terms of Service

We do not use your personal data or your document data for advertising, training machine-learning models, or any purpose beyond operating the Service.

4. Document Data & SDF Files

Your documents are yours. Etapsky processes SDF files solely to deliver the Service. We do not analyze, mine, or share the content of your documents with third parties.

  • SDF files you upload are stored in your tenant's isolated S3/object-storage bucket namespace under the key pattern {tenant_id}/{year}/{month}/{document_id}.sdf.
  • Cross-tenant data access is architecturally prevented — every query is scoped by tenant_id.
  • Documents are retained for the duration of your subscription. Upon account deletion, documents are removed within 30 days unless legal hold obligations apply.
  • Document metadata (file size, document type, signing status) is stored in our database indexed by your tenant ID.
  • Digital signing private keys are encrypted at rest using AES-256-GCM with a key stored in environment secrets — never in the database in plaintext.

5. Data Sharing & Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: We use AWS for cloud infrastructure (compute, storage, database). AWS processes data on our behalf under a Data Processing Addendum. We do not share data with analytics vendors, advertising networks, or data brokers.
  • Payment processing: Billing information is transmitted to our payment processor (Stripe or equivalent). We do not receive or store raw card data.
  • Legal requirements: We may disclose data if required by law, court order, or regulatory authority. We will notify you of such requests unless legally prohibited.
  • Business transfers: If Etapsky is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you in advance.
  • Your ERP integrations: If you configure ERP connectors (SAP, Oracle), documents you explicitly push via POST /connectors/push-to-erp/:id are transmitted to your ERP system using credentials you provide. Etapsky does not retain copies of those transmissions beyond your audit log entry.

6. Data Retention

Data type         | Retention period
Account data      | Duration of account + 90 days after deletion
SDF documents     | Duration of subscription; 30 days after cancellation or deletion
Audit log         | 7 years (legal obligation; append-only)
API request logs  | 90 days
Session data      | 30 days or until revoked
Billing records   | 7 years (tax compliance)

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of your personal data we hold.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to our retention obligations (e.g., audit log, billing records).
  • Portability: Receive your personal data in a machine-readable format.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any right, email privacy@etapsky.com. We will respond within 30 days. We may request identity verification before processing sensitive requests.

8. Cookies & Tracking

The Etapsky web portal uses the following cookies:

  • Authentication cookie: A Secure; HttpOnly; SameSite=Strict cookie containing your session token. Required for portal access. Expires with your session or after 30 days.
  • Theme preference: A localStorage entry (theme) storing your light/dark mode preference. Not transmitted to servers.

We do not use advertising cookies, third-party tracking pixels, or analytics services (Google Analytics, Segment, Mixpanel, etc.). The marketing site (etapsky.com) does not set any tracking cookies.

9. Data Security

We implement security measures appropriate to the sensitivity of the data we process:

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed using Argon2id — we never store or transmit plaintext passwords
  • API keys are stored as SHA-256 hashes; raw keys are shown once at creation
  • Signing private keys and ERP credentials are encrypted at rest using AES-256-GCM
  • Refresh tokens are stored as SHA-256 hashes; token theft detection revokes all sessions
  • All authentication operations use timing-safe comparison to prevent timing attacks
  • Per-tenant data isolation enforced at the query layer — cross-tenant reads are architecturally impossible
  • Audit logs are append-only and cannot be modified or deleted

Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@etapsky.com.

10. Children's Privacy

The Etapsky Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us at privacy@etapsky.com and we will delete it promptly.

11. International Transfers

Etapsky operates on AWS infrastructure. Data may be processed in the United States and other regions where AWS operates data centers. If you are located in the European Economic Area (EEA), the transfer of your data to the United States is covered by the EU-U.S. Data Privacy Framework or by Standard Contractual Clauses. For details, contact privacy@etapsky.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and notify you via email if you have an account. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Questions about this policy?

Email us at privacy@etapsky.com. We're a small team and we take privacy seriously — you'll get a real response, not a boilerplate reply.

© 2026 Etapsky  ·  by Yunus YILDIZ. All rights reserved.

Licensed under BUSL-1.1  ·  Apache-2.0 from 2030-03-17