Privacy Policy

1. Introduction

SimplaTask ("SimplaTask," "we," "us," or "our") is a payment processing platform that provides merchants and their customers with tools for payment processing, invoicing, e-commerce, and appointment booking. We are committed to protecting the privacy and security of your personal information.

This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you use our services, including:

• The SimplaTask merchant dashboard (web application)
• The SimplaTask customer portal (web application)
• The SimplaTask mobile application
• The SimplaTask API and backend services
• Any other services, features, or content we offer (collectively, the "Services")

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, please do not use our Services.

2. Scope of This Policy

This Privacy Policy applies to all users of our Services, including:

• Merchants — businesses and individuals who use SimplaTask to process payments, manage invoices, sell products, and schedule appointments.
• Customers (Members) — individuals who make payments, purchase goods, or book appointments through SimplaTask-powered experiences.
• Mobile App Users — merchants or staff who use the SimplaTask mobile application to process in-person transactions.

This Privacy Policy does not apply to the practices of third parties that we do not own or control, including but not limited to payment gateways, banking institutions, or other third-party services linked from or integrated with our Services.

3. Information We Collect

We collect information in several categories as described below.

3.1 Personal Information

We collect the following personal information that you provide directly to us:

• Identity Information: First name, last name, business name, and avatar or profile images.
• Contact Information: Email address, phone number (including country code), and mobile number.
• Address Information: Mailing address, billing address, and shipping address, including street address, city, state, postal code, and country.
• Account Credentials: Email address and password (passwords are stored only in hashed form using bcrypt; we never store plaintext passwords).

3.2 Payment Information

• Credit and Debit Card Data: We store only the last four digits and the card brand (e.g., Visa, Mastercard) for your reference. Full card numbers are never stored on our systems. Card data is transmitted directly to our payment gateway partner (NMI) for tokenization and processing.
• ACH/Bank Account Data: We store only the last four digits of the account number, the bank name, and the account type (checking or savings). Full bank account numbers are transmitted directly to our ACH processing partner.
• Payment Tokens: We store gateway-issued tokens that allow us to process recurring or future transactions without re-collecting sensitive payment data.
• Transaction Records: We store transaction details including amounts, fees, tips, taxes, authorization codes, settlement status, and the IP address from which the transaction was initiated.

3.3 Device and Technical Data (Mobile Application)

When you use our mobile application, we may collect:

• Device Name: The name of the device on which the application is installed.
• Bluetooth Data: Bluetooth permission status, used solely for connecting to NMI payment terminals for in-person card processing.
• Camera Data: Camera permission status, used solely for QR code scanning functionality.
• Authentication Tokens: Securely stored in the device's encrypted storage (SecureStore) for maintaining your authenticated session.

We do not collect device advertising identifiers, precise GPS location, or background location data through our mobile application.

3.4 Business Data (Merchants)

If you are a merchant, we collect and store:

• Business Details: Business name, location details, and geographic coordinates for location-based services and mapping.
• Branding Assets: Business logos and other branding materials you upload.
• Gateway Credentials: Payment gateway API credentials, stored in encrypted form.
• Operational Data: Invoices, orders, product listings, pricing information, and inventory data.
• Staff Records: Information about employees or staff members you add to your account, including their names, roles, and contact details.

3.5 Activity and Usage Data

• Audit Trail: We maintain an activity log that records who made changes to data, what was changed, and when the change occurred.
• Engagement Metrics: We track payment link click counts and sales conversion data.
• Transaction History: We maintain a complete history of transactions for reporting and analytics purposes.

4. How We Collect Information

We collect information through the following means:

• Directly from You: When you create an account, complete a profile, submit a payment, place an order, book an appointment, or otherwise interact with our Services.
• From Your Devices: When you use our mobile application, including device information and permissions as described above.
• From Transactions: When you initiate or receive payments through our platform, including transaction metadata and IP addresses.
• From Third-Party Authentication: If you choose to sign in using Google OAuth, we receive your name, email address, and profile picture from Google.
• From Merchants: If you are a customer, the merchant you transact with may provide us with your name, email, phone number, and address in the course of creating invoices, orders, or bookings on your behalf.

5. How We Use Your Information

We use the information we collect for the following purposes:

• Payment Processing: To process credit card, debit card, ACH, and other payment transactions on your behalf.
• Account Management: To create and manage your account, authenticate your identity, and maintain your profile.
• Service Delivery: To provide invoicing, e-commerce, appointment booking, and other core platform features.
• Communications: To send transactional communications including invoice reminders, payment confirmations, booking reminders, and receipts via email and SMS.
• Security and Fraud Prevention: To detect, prevent, and respond to fraud, unauthorized access, and other security threats.
• Compliance: To comply with applicable legal and regulatory requirements, including tax reporting and payment industry standards.
• Analytics and Improvement: To understand how our Services are used and to improve functionality, performance, and user experience.
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical support.
• Merchant Operations: To enable merchants to manage their businesses, including staff management, inventory tracking, and financial reporting.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

SimplaTask uses a minimal set of cookies, all of which are essential for the operation of our Services:

• XSRF Token Cookie: A cross-site request forgery protection token used to secure your interactions with our web applications. This cookie is essential for security and cannot be disabled.
• Sanctum Session Cookie: An authentication session cookie with a 120-minute lifetime that maintains your logged-in state. This cookie is essential for using authenticated features of our Services.

Both cookies are encrypted via server-side middleware.

6.2 What We Do Not Use

• We do not use Google Analytics or any third-party web analytics services.
• We do not use third-party tracking pixels or advertising beacons.
• We do not use cookies for behavioral advertising or cross-site tracking.
• We do not participate in any advertising networks.

6.3 Mobile Application

Our mobile application does not use cookies. Authentication is maintained via bearer tokens stored securely in the device's encrypted storage (SecureStore).

7. Information Shared with Third Parties

We share personal information with the following categories of third-party service providers, solely for the purposes described below. We do not sell your personal information to any third party.

7.1 Payment Processors

Provider	Purpose	Data Shared
NMI	Primary credit/debit card processing and tokenization	Card data, customer name, email, phone, billing address, transaction amounts
Payliance	ACH/bank account payment processing	Bank account details, customer name, contact information, transaction amounts
PayPal	Alternative payment method	Customer email address, transaction amounts

7.2 Communication Providers

Provider	Purpose	Data Shared
Twilio	SMS notifications (invoice reminders, payment confirmations, booking reminders)	Phone numbers, message content
SMTP Email Provider	Email communications (invoices, payment confirmations, booking confirmations)	Email addresses, message content, invoice PDF attachments

7.3 Infrastructure and Authentication Providers

Provider	Purpose	Data Shared
Google	OAuth authentication; Google Maps for merchant location and address services	Name, email, profile picture (OAuth); merchant coordinates, customer addresses (Maps)
AWS S3	Optional cloud file storage	Product images, business logos, user avatars
Sentry	Optional error tracking and crash reporting	Error logs, stack traces, and associated technical metadata

7.4 Legal and Regulatory Disclosures

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of SimplaTask, our users, or the public.

7.5 Business Transfers

If SimplaTask is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

8. Data Security

We implement a variety of security measures designed to protect your personal information:

• PCI DSS Compliance: We maintain compliance with Payment Card Industry Data Security Standards through our payment gateway partners. Sensitive card data is handled exclusively by PCI-compliant processors (NMI) and is never stored on our servers.
• Password Security: All user passwords are hashed using the bcrypt algorithm before storage. Plaintext passwords are never stored or logged.
• Transport Encryption: All data transmitted between your device and our servers is encrypted using HTTPS (TLS) in production environments.
• Signed URLs: Sensitive operations such as email verification, password reset, and checkout processes use cryptographically signed URLs with limited validity periods.
• Rate Limiting: Authentication endpoints are rate-limited to six (6) requests per minute to mitigate brute-force attacks.
• Role-Based Access Control: Our platform implements role-based access control with three tiers — administrator, manager, and user — ensuring that individuals only have access to data and functions appropriate to their role.
• Two-Factor Authentication: We support two-factor authentication (2FA) for an additional layer of account security.
• CSRF Protection: All web application requests are protected against cross-site request forgery attacks via encrypted XSRF tokens.
• Encrypted Storage: Payment gateway API credentials and other sensitive configuration data are stored in encrypted form. Mobile application authentication tokens are stored in the device's encrypted SecureStore.

While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information.

9. Data Retention

We retain your information for the following periods:

Data Category	Retention Period
Transaction records	Retained indefinitely for financial reporting, dispute resolution, and regulatory compliance
Invoices	Retained indefinitely for financial reporting and tax compliance
Payment methods (cards, bank accounts)	Retained until you delete them from your account
Activity/audit logs	Retained indefinitely for security and compliance purposes
Account information	Retained for the duration of your account and thereafter as described below
Business/merchant data	Retained for the duration of the merchant account and thereafter as described below

Soft Deletion: When you delete your account or specific data, we employ soft deletion, meaning the data is marked as deleted and no longer visible or accessible through our Services, but is retained in our systems. This approach supports dispute resolution, fraud prevention, regulatory compliance, and data recovery in the event of accidental deletion.

No Automatic Purge: We do not currently operate an automatic data purge schedule. If you wish to have your data permanently removed, please submit a request as described in Section 10 or Section 11 of this Policy.

10. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

10.1 Access and Portability

You may access and view your personal data through your account dashboard, including transaction history, invoices and order records, saved payment methods, and profile and account information. You may export your data (orders, invoices, and transactions) through the export features available in your account.

10.2 Correction

You may update and correct your profile information, contact details, and business information at any time through your account settings.

10.3 Deletion

You may:

• Delete saved payment methods from your account at any time.
• Request account deactivation, which will soft-delete your account and associated data.
• Request permanent deletion of your personal information by contacting us at hello@simplatask.com. Please note that we may retain certain information as required by law or for legitimate business purposes such as dispute resolution and fraud prevention.

10.4 Communication Preferences

You may opt out of non-essential communications. However, you cannot opt out of transactional communications that are necessary for the operation of the Services (such as payment confirmations and security alerts).

10.5 Exercising Your Rights

To exercise any of your rights, please contact us at hello@simplatask.com. We will respond to your request within thirty (30) days, or within the timeframe required by applicable law.

11. California Privacy Rights (CCPA/CPRA)

This section applies solely to residents of the State of California and supplements the information contained elsewhere in this Privacy Policy, provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

11.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

CCPA Category	Examples from SimplaTask	Collected
A. Identifiers	Name, email address, phone number, IP address, account credentials	Yes
B. Personal information (Cal. Civ. Code §1798.80(e))	Name, address, telephone number, bank account number (last 4 digits), credit card number (last 4 digits)	Yes
C. Protected classification characteristics	None	No
D. Commercial information	Transaction records, products or services purchased, purchasing histories, invoices	Yes
E. Biometric information	None	No
F. Internet or electronic network activity	Interaction with our Services, payment link click data, audit trail of actions	Yes
G. Geolocation data	Merchant business coordinates; transaction IP addresses	Yes
H. Sensory data	Profile images, business logos, product images	Yes
I. Professional or employment-related information	Business name, staff/employee records added by merchants	Yes
J. Non-public education information	None	No
K. Inferences drawn from personal information	Transaction analytics and engagement metrics	Yes
L. Sensitive personal information	Account credentials (email and password), payment card data (last 4 digits only), bank account data (last 4 digits only)	Yes

11.2 Sale and Sharing of Personal Information

SimplaTask does not sell your personal information. We have not sold personal information in the preceding twelve (12) months, and we have no plans to sell personal information. SimplaTask does not share your personal information for cross-context behavioral advertising purposes.

11.3 Your California Privacy Rights

As a California resident, you have the following rights under the CCPA: the Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale or Sharing, Right to Limit Use of Sensitive Personal Information, and Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.

11.4 Submitting Verifiable Consumer Requests

To exercise your rights under the CCPA, you may submit a verifiable consumer request by:

• Email: hello@simplatask.com (include "California Privacy Request" in the subject line)
• Phone: 626-554-9772
• Mail: SimplaTask, 1616 S Date Ave, Alhambra, CA 91803

We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days.

12. Children's Privacy

Our Services are not directed to individuals under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information as soon as reasonably practicable. If you believe that a child under 16 has provided personal information to us, please contact us at hello@simplatask.com.

13. International Data Transfers

Our Services are primarily operated in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. By using our Services, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your country of residence.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this Policy and notify you by email or through a prominent notice on our Services prior to the changes becoming effective.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: