Privacy Policy

1. Who we are

Infacam (the “Service”) is an independently operated product based in the United States. We act as the data controller under applicable US federal and state privacy laws (such as the California Consumer Privacy Act, as amended) for all personal data you provide through the Service.

Questions or requests? Email support@infacam.com.

2. What we collect

Account data

• Name, email address, and password (stored as a bcrypt hash — we never see your plain-text password).
• Profile photo, if you choose to upload one.
• Business information you provide during onboarding or settings: business name, legal entity type, address, EIN, phone, and website.

Operational / business data

• Everything you create inside Infacam: clients, projects, invoices, contracts, time entries, welcome documents, and files (logos, signatures, attachments).
• Payment and subscription records: payment processor IDs, subscription IDs, plan history, and billing amounts. We do not store card numbers or bank account details — those are handled entirely by our payment processor.
• Client portal activity: messages sent and received, files shared, and timestamps.

AI workflow inputs

• When you use the Ask AI feature, the text you type (your prompt) is sent to Groq’s API to generate a structured response. This includes the descriptions you write for invoices, contracts, welcome documents, clients, and projects.
• We minimise what is sent: only the text you enter in the AI chat and the workspace context you explicitly select (client name, project name) are forwarded.
• Infacam does notuse your AI prompts or the content of your workspace to train any AI model. Groq’s API is used for inference only.

Telemetry and logs

• IP address, user agent, and access timestamps — retained for 90 days for security and abuse prevention.
• Product usage events (e.g. which features are used, pages visited, button clicks) — collected via PostHogwith personal identifiers stripped. These events respect your browser’s Do Not Track signal.
• Session recordings and heatmaps via Microsoft Clarity to understand how users interact with the interface. Clarity automatically masks text input fields so your invoice and client data is not captured in recordings.
• Error reports via Sentry — scrubbed of credentials and sensitive field values before transmission.

Cookies and local storage

• Strictly necessary: Authentication session cookies (HTTP-only, Secure) set by Supabase. These are required for you to stay logged in and cannot be opted out of while using the Service.
• Analytics: PostHog and Microsoft Clarity use cookies to distinguish sessions. PostHog respects Do Not Track. You can opt out of Clarity via browser settings or a privacy-respecting browser extension.
• Support: Crisp chat sets a cookie to associate your support conversation with your account.
• We do not place any third-party advertising or retargeting cookies.

3. How we use your data

• To operate the Service: authenticate you, store your workspace data, generate invoices and contracts, process payments, and deliver transactional emails.
• To power AI workflows: forward your AI chat prompts to Groq’s API to generate invoice drafts, contract drafts, welcome document drafts, client records, and project records on your behalf.
• To process payments and subscriptions: pass transaction data to our PCI-compliant payment processor.
• To send transactional email: invoice delivery, payment receipts, contract signature requests, security alerts, and password resets — via Resend.
• To improve the product: aggregated, anonymised analytics help us understand which features are used and where users encounter friction.
• To prevent fraud and ensure security: monitor login attempts, detect suspicious activity, and enforce rate limits.
• To meet legal obligations: retain invoice and tax records as required by applicable US federal and state tax law.

We do not sell your data. We do not use your data to train AI models. We do not use your data for advertising.

4. Third-party sub-processors

We share data with the following service providers, each under a data processing agreement, and only to the extent necessary to deliver the Service:

• Supabase (Frankfurt, Germany) — PostgreSQL database and authentication. All business data lives here.
• Cloudflare R2 (EU region) — object storage for files you upload: logos, contract attachments, portal files, signed PDFs.
• Stripe(USA) — payment processing and subscription management. Governed by Stripe’s own privacy policy and PCI-DSS compliance.
• Resend (USA) — transactional email delivery. Your name and email are shared with Resend only to send emails on your behalf.
• Groq (USA) — AI inference API used by the Ask AI feature. Your AI prompts and the workspace context you select are sent to Groq. No training on your data.
• PostHog (EU) — product analytics. Anonymised usage events only.
• Microsoft Clarity(USA) — session recording and heatmaps. Input fields are masked. Governed by Microsoft’s privacy policy.
• Sentry (EU) — error and performance monitoring. Credentials and sensitive values are scrubbed before transmission.
• Crisp (EU) — in-product live chat for support. Conversations you start are stored by Crisp.
• Zoho Desk (USA/EU) — support ticket management. Support requests submitted through Infacam are processed here.
• Vercel(USA) — hosting and edge network. Request logs are retained per Vercel’s policy.

5. International data transfers

Several of our sub-processors process data outside the United States (notably Supabase in Germany, Cloudflare R2 in the EU, and Vercel globally). We rely on standard contractual clauses or equivalent transfer mechanisms where required. We choose processors with strong data protection practices and are satisfied they adequately protect your data.

6. Data retention

• Account and operational data: retained while your account is active.
• On account deletion: your data is soft-deleted immediately (no longer accessible to you or us in normal operation) and permanently deleted after a 30-day recovery window.
• Tax and invoice records: retained in anonymised form for the period required by applicable US federal and state tax law (generally at least several years), even after account deletion.
• Server and access logs: 90 days.
• Support conversations: retained for 2 years in Crisp and Zoho Desk to assist with follow-up.
• AI prompt logs: Infacam does not store your AI prompt text beyond the current session. Groq’s own retention policy governs API request logs on their side.

7. Your rights

Under US state privacy laws (such as the CCPA/CPRA in California and similar laws in other states) and general principles of data protection, you have the right to:

• Access: know what data we hold about you.
• Correction: update inaccurate or incomplete data (most of this you can do yourself in Settings).
• Erasure: request deletion of your account and all associated data (subject to legal retention obligations for tax and invoice records).
• Portability: export your data as JSON from Settings → Data & export in the dashboard.
• Objection / restriction: object to specific processing activities by emailing us.
• Withdraw consent: where processing is based on consent (e.g. optional analytics), you can withdraw it by adjusting your browser settings or contacting us.

To exercise any right, email us at:

• support@infacam.com — we respond within 30 days.
• Or delete your account directly from Settings → Account → Delete account.

You may also lodge a complaint with your state Attorney General or the Federal Trade Commission if you are unsatisfied with our response.

8. Security

• All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted at the database and storage layer.
• Workspace data is isolated using Supabase Row Level Security (RLS) — users can only access their own data.
• Passwords are hashed with bcrypt; sessions use secure, HTTP-only cookies.
• Two-factor authentication (TOTP) is available in account settings and strongly recommended.
• We monitor for security events and alert on suspicious activity such as multiple failed login attempts.
• In the event of a confirmed data breach, we will notify affected users without undue delay, in accordance with applicable US state breach notification laws.

9. Children

Infacam is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please contact us at support@infacam.com and we will delete the account promptly.

10. Changes to this policy

We may update this policy when we add new features or sub-processors, or when laws change. Material changes will be announced via email or in-product notice at least 14 days before they take effect. The effective date at the top of this page always reflects the latest version. Continued use of Infacam after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions, data requests, or complaints:

• Email: support@infacam.com
• General contact: infacam.com/contact
• Address: Infacam, United States

12. Privacy concerns and escalation

If you have a privacy concern that our support team has not resolved to your satisfaction, you can escalate it directly to our privacy contact:

• Email: privacy@infacam.com
• We acknowledge privacy complaints within 48 hours and aim to resolve them within 15 days of receipt.

If you remain unsatisfied after our response, you may file a complaint with your state Attorney General or the Federal Trade Commission.