Privacy Policy

Latest published policy

Taxpoynt Privacy Policy (Draft – NDPR-aligned)

Last updated: 11 Jul 2024
Scope: Taxpoynt SI, AP, and Hybrid services.

1. What we collect

  • Account data: name, email, organization details.
  • Operational data: invoices and related business/financial fields needed for IRN/QR generation, validation, and routing.
  • Technical data: logs and metrics (redacted, no secrets), request/trace IDs, and limited device metadata for security and fraud prevention.

2. How we use data

  • To deliver contracted services (ingest, validate, sign, route, notify).
  • To provide support, reliability, security, and compliance reporting.
  • To meet legal/regulatory obligations (e.g., FIRS requirements).

3. Sharing and subprocessors

  • We do not sell customer data. We share only with vetted subprocessors required to operate the service (infrastructure, email, observability). A current list is provided on request and in your agreement.

4. Security and retention

  • Encryption in transit and at rest; strict access controls; immutable audit trails for critical actions.
  • Logs are redacted; secrets and cryptographic keys are never echoed. Data is retained only as long as needed for services, legal obligations, or your contractual terms.

5. Your rights (NDPR)

  • You may request access, correction, deletion (where legally permissible), or restriction of processing. Contact support@taxpoynt.com.
  • Objections to processing and data portability requests will be honored subject to regulatory requirements.

6. International transfers

  • Data is hosted in the declared regions for your tenant. Any cross-border transfers follow applicable safeguards (e.g., contractual clauses).

7. Children

  • The services are not directed to minors; we do not knowingly process children’s data.

8. Contact

  • For privacy questions or to exercise rights: support@taxpoynt.com.