Privacy Policy

We collect only the information needed to operate the Service:

• Account information. When you create a client portal account we collect your email address and, optionally, a display name. Authentication is provided by Stack Auth; passwords (when used) are stored by Stack and are not visible to us.
• Payment information. We do not collect, store, or process credit card numbers, bank account numbers, or other sensitive payment credentials. All payments are processed by Stripe, Inc.; we receive only non-sensitive metadata such as a Stripe customer ID, the products purchased, invoice and subscription status, billing email, the last 4 digits of the card, receipt URLs, and the country/region returned by Stripe.
• Files and documents. Files we upload to your account (contracts, deliverables, shared documents) are stored privately on Vercel Blob storage and are accessible only to you and authorized administrators.
• Communications. Messages submitted via the contact form (name, email, phone, company, subject, message) are sent to us by email.
• Operational data. Server logs may temporarily contain your IP address, user agent, and request paths for security, debugging, and abuse prevention.

• To create and maintain your client portal account.
• To deliver the products, subscriptions, and files you have purchased.
• To process payments, issue invoices, and manage refunds through Stripe.
• To send you transactional emails such as receipts, file-upload notifications, and important changes to your account.
• To respond to inquiries you submit through the contact form.
• To detect, prevent, and address fraud, abuse, or technical issues.

We do not sell your personal information, and we do not use it for third-party advertising.

Payments on the Service are processed by Stripe, Inc. When you enter card details, that information is collected directly by Stripe's PCI-DSS-compliant systems and never touches our servers. Stripe's handling of your payment information is governed by Stripe's Privacy Policy. We strongly encourage you to review it. Stripe acts as an independent data controller for the payment data it collects from you.

Where required, Stripe relies on Standard Contractual Clauses for cross-border data transfers and maintains its own compliance program for PCI DSS, GDPR, and other applicable regulations.

We rely on the following processors to operate the Service. Each is contractually obligated to protect your data and to use it only for the purposes we direct:

• Stripe — payment processing, invoicing, subscriptions (Privacy Policy)
• Stack Auth — account authentication and session management (Privacy Policy)
• Vercel — application hosting and Vercel Blob file storage (Privacy Policy)
• Neon — managed PostgreSQL database for application data (Privacy Policy)
• Resend — delivery of transactional emails (Privacy Policy)

We use cookies and browser storage strictly for sign-in sessions and essential site functionality (set by Stack Auth and Stripe). We do not use third-party advertising or analytics cookies. Disabling cookies will prevent you from signing in to the client portal.

We retain account information for as long as your client portal account is active. Stripe retains payment and invoice records for the duration required by their own retention policies and applicable financial regulations. Files uploaded to your account are retained until you or an administrator deletes them, or until your account is closed.

Server logs are typically retained for a short period (days to weeks) and then rotated.

• Access, correction, deletion. You can update your profile or permanently delete your account from the Account settings page in the portal. Account deletion cancels active subscriptions and removes your files from our systems.
• Cancel a subscription. You can cancel any active subscription at any time from the Purchase history page; you will retain access until the end of the paid period.
• GDPR / CCPA. If you are located in the EEA, UK, or California, you have additional rights, including the right to access, port, restrict, or object to processing of your personal data. To exercise these rights, contact us at john@highsierratechnology.com.
• Marketing. We do not send marketing email; you will only receive transactional messages related to your account.

We use industry-standard technical and organizational safeguards to protect your data, including encryption in transit (HTTPS/TLS), private access controls on stored files, and least-privilege access for administrators. No system can guarantee absolute security; please use a strong, unique password for your account.

The Service is not directed to children under 13, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us so we can remove it.

We operate the Service from the United States. By using the Service, you understand that your information may be processed in countries whose data-protection laws may differ from those in your jurisdiction.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, notify account holders by email.

If you have any questions about this Privacy Policy or how we handle your data, contact us at john@highsierratechnology.com or via the contact form.