Privacy Policy

Last updated: November 21, 2025

1. Introduction

Client Stash ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information that you provide directly to us:

  • Account Information: Email address and password when you create an account.
  • Project Data: Information about your client projects, services, and vendors that you add to the platform.
  • Credentials: API keys, passwords, and other credentials you choose to store (encrypted at rest).
  • Invoice Data: Invoice files and billing information you upload.
  • Usage Data: Information about how you use the service, including access logs and feature usage.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Send you renewal reminders and notifications you've configured
  • Respond to your comments, questions, and support requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent security incidents

4. Data Security

We take security seriously. All credentials are encrypted using AES-256-GCM before storage. We use industry-standard security measures to protect your data, including:

  • Encryption at rest and in transit
  • Secure authentication via Supabase Auth
  • Row-level security policies for data isolation
  • Audit logging for credential access

5. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:

  • With your consent
  • To comply with legal obligations
  • To protect our rights and prevent fraud
  • With service providers who assist in operating our service (e.g., hosting, email delivery)

6. Data Retention

We retain your data for as long as your account is active or as needed to provide you with services. If you delete your account, we will delete your data within 30 days, except where we are required to retain it for legal purposes.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for data processing

8. Analytics

We use Plausible Analytics, a privacy-friendly analytics service, to understand how our service is used. Plausible:

  • Does not use cookies
  • Does not track you across websites
  • Does not collect personal information
  • Is fully compliant with GDPR, CCPA, and PECR
  • Collects only aggregated, anonymized data

We also use essential cookies to maintain your session and preferences.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at hello@clientstash.dev.