Privacy Policy
Last updated: May 2026
What we collect
From you (the supplier): name, email, company, password (hashed), the QuickBooks OAuth token if you connect, and the data you choose to import (invoices, customers, vendors).
About your customers (your buyers): name, email, phone, payment terms, invoices, and payment history. We hold this on your behalf as a data processor.
Automatically: log data, IP address (for rate limiting and abuse prevention), and email open/click events for the chases you send.
How we use it
Only to operate the Service: drafting and sending the chase emails you authorize, computing reliability scores, generating statements, and syncing with your accounting system. We do not sell your data. We do not use customer data to train shared AI models.
Who we share it with
Sub-processors strictly necessary to run the Service: Resend (email delivery), Twilio (SMS), Stripe (payments), Vercel (hosting), Turso/libSQL (database). Each is bound by a data-processing addendum. We do not share with anyone else.
How long we keep it
For as long as your account is active. On cancellation we keep your data for 30 days for export, then delete it. Anonymized aggregate logs (counts, durations) may be retained longer for service improvement.
Your rights
Under GDPR and similar regimes, your customers have the right to access, correct, or delete their data. As the data controller, you can fulfill these requests directly in Tahsil or by emailing privacy@tahsil.ai. Customers can also unsubscribe with one click from any chase email we send on your behalf.
Security
Data in transit is TLS-encrypted. Passwords are bcrypt-hashed. Payment information is handled exclusively by Stripe — Tahsil never sees card numbers. Webhook endpoints verify signatures. We log access to sensitive routes for audit.
Cookies
We use a single session cookie for authentication. No tracking pixels, no analytics cookies, no third-party advertising cookies.
Contact
Privacy questions: privacy@tahsil.ai. Data Protection Officer: dpo@tahsil.ai.