Privacy Policy
Effective Date: June 10, 2026
Last Updated: June 10, 2026
Jurisdiction: The Commonwealth of The Bahamas
Your privacy matters to us.
This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Bahamas Data Protection (Privacy of Personal Information) Act, 2003.
1. Who We Are
TamarindPay ("we", "us", "our") is a cloud-based invoicing platform operated from The Commonwealth of The Bahamas. We provide invoicing, quoting, client management, and financial reporting tools to small and medium-sized businesses.
For data protection purposes, we are the data controller of your personal information.
Contact: privacy@tamarindpay.com
2. What Data We Collect
Account & Business Data
- Full name and email address (for account creation and login)
- Business name, address, phone number, tax/VAT number
- Business logo (uploaded image)
- Password (stored as a one-way hash — we cannot read it)
Client Data You Enter
- Names, email addresses, phone numbers and addresses of your clients
- Invoice and quote details, line items, payment records
- Notes associated with clients or transactions
You are the data controller for your clients' personal information. We process it only on your behalf as a data processor.
Technical Data
- IP addresses (stored in audit logs for security purposes)
- Browser session data (stored in cookies for authentication)
- Error logs (for debugging — purged regularly)
Data We Do NOT Collect
- Credit card or banking details (we do not process payments directly)
- Government ID numbers or passports
- Biometric data
- Data from minors under 18
3. Why We Collect Your Data (Legal Basis)
Under the Bahamas Data Protection Act 2003, we process your data on the following legal bases:
- Contract performance: To provide you with the TamarindPay service you signed up for
- Legitimate interests: To maintain security, prevent fraud, and improve the platform
- Legal obligation: To maintain records as required by Bahamian law
- Consent: For any optional communications such as product updates
4. How We Use Your Data
- To provide, operate, and maintain your TamarindPay account
- To generate invoices and quotes on your behalf
- To send emails you initiate (invoice delivery to clients)
- To authenticate you securely when you log in
- To maintain audit logs of account activity for security
- To provide customer support when you contact us
- To improve and develop new features (using aggregated, anonymised data only)
We do not sell, rent, or trade your data to third parties. We do not use your data for advertising.
5. How We Store & Protect Your Data
- All data is stored on servers located in the United States (shared hosting)
- Passwords are hashed using bcrypt (an industry-standard one-way password hashing function)
- SMTP credentials stored in the database are encrypted using AES-256
- All connections to our platform use HTTPS/TLS encryption
- Database access is restricted to application-level users with minimal permissions
- Uploaded files (logos) are stored outside the public web root and served through a secure script
6. Data Sharing
We share your data only in the following limited circumstances:
- Hosting provider: Our server infrastructure provider stores your data as part of providing hosting services. They are bound by their own data processing agreements.
- Email delivery: When you configure SMTP and send invoices, your email provider processes those emails. We do not share data with email providers beyond what you configure.
- Payment processors: When clients pay via Stripe, PayPal, or SunCash, those providers process payment data under their own privacy policies.
- Legal requirements: If required by Bahamian law, court order, or government authority, we may disclose data as legally required.
We do not use third-party analytics, advertising networks, or tracking pixels.
7. Your Rights Under the Bahamas Data Protection Act 2003
Under the Data Protection (Privacy of Personal Information) Act, 2003, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate personal data (via Settings)
- Deletion: Request deletion of your account and all associated data
- Restriction: Request that we restrict processing of your data
- Objection: Object to processing of your data in certain circumstances
- Portability: Request your data in a machine-readable format
To exercise any of these rights, use the data deletion request form in your account settings, or contact us at privacy@tamarindpay.com. We will respond within 30 days as required by law.
8. Data Retention
- Active accounts: Data retained for as long as your account is active
- Deleted accounts: All personal data permanently deleted within 30 days of account deletion request
- Audit logs: Retained for 12 months for security purposes, then purged
- Error logs: Retained for 30 days, then purged automatically
- Invoice/financial records: You may download your data before account deletion. After deletion, records are permanently removed from our systems.
9. Cookies
We use only essential cookies required for the service to function:
- Session cookie: Keeps you logged in during your browser session. Expires when you close your browser or after 2 hours of inactivity.
- CSRF token: Protects against cross-site request forgery attacks.
We do not use tracking, advertising, or analytics cookies. We do not use Google Analytics or any third-party tracking.
10. Children's Privacy
TamarindPay is a business tool intended for users 18 years and older. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice in the application. Continued use of TamarindPay after changes are posted constitutes acceptance of the updated policy.
12. Complaints
If you have concerns about how we handle your data, please contact us first at privacy@tamarindpay.com. We take all complaints seriously and will respond within 14 days.
You also have the right to lodge a complaint with the relevant Bahamian data protection authority.