
Privacy Policy

How esnaf.io collects, uses, and protects your personal and business data.

Last updated: October 2, 2025

Introduction

This Privacy Policy describes how esnaf.io ("we", "us", "our") collects, uses, discloses, and protects personal and business information when you use our cloud-based accounting, ecommerce integration, payment reconciliation, and AI-powered services (collectively, the "Services"), including our free plan and paid subscription plans.

By using our Services, you agree to the collection and use of information in accordance with this policy.

WARNING: Beta Service Notice

esnaf.io is currently in a beta/development phase. While we implement industry-standard security measures and data protection practices, please be aware that beta services may undergo significant changes, updates, and improvements. We recommend maintaining your own backup copies of critical data during the beta period.

Important: Data Controller vs. Data Processor Distinction

esnaf.io as Data Controller

For personal data about you (the user of esnaf.io), such as your account information, contact details, payment information, and usage data, esnaf.io is the Data Controller under GDPR and applicable data protection laws worldwide. This Privacy Policy explains how we process this data.

esnaf.io as Data Processor - Your Responsibility

When you use esnaf.io to manage your business and enter data about your own customers, vendors, employees, or other third parties (such as customer names, invoice details, contact information, transaction records), you are the Data Controller and esnaf.io is the Data Processor.

This means:

  • You are responsible for complying with GDPR and other applicable data protection laws in your jurisdiction regarding the personal data you enter into esnaf.io
  • You must inform your customers, vendors, and other third parties about how their data will be processed
  • You must obtain necessary consents from individuals whose data you process through esnaf.io
  • You must ensure you have legal grounds to collect and process that data
  • esnaf.io has no direct relationship with your customers or other third parties whose data you process
  • esnaf.io is not responsible for your compliance obligations as a data controller

What We Do as Data Processor

As a data processor for your business data:

  • We provide secure infrastructure and tools for you to manage data
  • We implement technical and organizational security measures
  • We process data only according to your instructions through use of the Services
  • We do not use your business data for our own purposes
  • We do not sell, share, or disclose your business data to third parties (except as necessary to provide the Services or as required by law)
  • We assist you with data security, breach notifications, and data protection impact assessments when required

Information We Collect

1. Account Information

When you register for esnaf.io, we collect:

  • Full name
  • Email address
  • Phone number
  • Company/business name
  • Business address
  • Business registration details
  • Tax identification number

2. Payment Information (Paid Plans Only)

We use Paddle.com as our payment processor for global transactions across 100+ countries. When you subscribe to our paid plans:

  • Payment card information is collected and processed by Paddle.com
  • We receive confirmation of payment status
  • We store billing addresses and payment history
  • Paddle.com's privacy policy applies to payment data: https://www.paddle.com/legal/privacy

Free plan users: No payment information is collected or stored.

3. Business & Financial Data

Data you input when using our Services, including:

  • Customer and vendor information
  • Invoices and receipts
  • Financial transactions
  • Bank reconciliation data
  • Inventory records
  • Product catalogs
  • Sales and expense records
  • Tax calculation data

4. Integration Data

When you connect third-party services (marketplaces, payment gateways, banks):

  • API credentials (encrypted)
  • Transaction synchronization data
  • Integration settings and preferences

5. Usage & Analytics Data

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and features used
  • Time spent on the platform
  • Click patterns and navigation paths
  • Error logs and technical diagnostics

6. Communications

  • Support requests and correspondence
  • Feedback and survey responses
  • Marketing preferences
  • Email engagement metrics

7. Cookies & Tracking Technologies

  • Session cookies for authentication
  • Preference cookies for settings
  • Analytics cookies for service improvement
  • Advertising cookies (with your consent)

See our Cookie Policy for detailed information.

8. AI Training Data

When you use AI-powered features:

  • Prompts and queries you submit
  • Documents you upload for AI processing
  • Generated outputs and recommendations
  • Your feedback on AI suggestions

We do not use your proprietary business data to train third-party AI models without your explicit consent.

How We Use Your Information

We process your personal data based on:

  • Contract performance: To provide Services you've subscribed to
  • Legal obligations: Tax compliance, fraud prevention, data breach notifications
  • Legitimate interests: Service improvement, security, customer support
  • Consent: Marketing communications, non-essential cookies, AI features

Specific Purposes

  1. Service Delivery: Operate and provide the accounting, integration, and AI features
  2. Payment Processing: Bill for subscriptions and process payments via Paddle.com
  3. Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
  4. Service Improvement: Analyze usage patterns to enhance features and user experience
  5. Security: Detect fraud, prevent unauthorized access, maintain data security
  6. Legal Compliance: Meet tax, accounting, and regulatory obligations
  7. Communications: Send service updates, security alerts, and promotional content (with consent)
  8. AI Features: Provide intelligent insights, automation, and predictive analytics

Data Sharing & Disclosure

Third-Party Service Providers

We share data with trusted partners who assist in providing Services:

Payment Processing:

  • Paddle.com: Global payment processor for subscription billing

Cloud Infrastructure:

  • Cloud hosting providers: For secure data storage and computing
  • CDN providers: For content delivery and performance

Communication Services:

  • Email service providers: For transactional and marketing emails
  • SMS providers: For two-factor authentication and notifications

Analytics & Monitoring:

  • Analytics platforms: For usage insights and service optimization
  • Error tracking tools: For monitoring and debugging

AI & Machine Learning:

  • AI API providers: For intelligent features (with data anonymization where possible)

We may disclose information when required to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms & Conditions
  • Protect our rights, property, and safety
  • Prevent fraud or illegal activities
  • Respond to data protection authority requests

Business Transfers

If esnaf.io undergoes a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We may share data for other purposes with your explicit consent.

We do not sell your personal or business data to third parties.

Data Retention

  • Account Information: Retained while your account is active and for 7 years after closure for tax and legal compliance
  • Financial Records: Retained for 10 years to meet accounting and tax law requirements
  • Usage Analytics: Aggregated and anonymized data may be retained indefinitely
  • Support Communications: Retained for 3 years for quality assurance
  • Marketing Data: Retained until you unsubscribe or request deletion

You can request earlier deletion subject to legal and contractual obligations.

Your Data Protection Rights

Under GDPR and other data protection laws, you have the following rights:

1. Right of Access

Request copies of your personal data and information about how we process it.

2. Right to Rectification

Request correction of inaccurate or incomplete personal data.

3. Right to Erasure (Right to be Forgotten)

Request deletion of your personal data, subject to legal retention obligations.

4. Right to Restriction of Processing

Request that we limit how we use your data.

5. Right to Data Portability

Receive your data in a structured, machine-readable format and transfer it to another controller.

6. Right to Object

Object to processing based on legitimate interests, including direct marketing.

7. Right to Withdraw Consent

Withdraw consent at any time for processing based on consent (e.g., marketing emails).

8. Right to Lodge a Complaint

File a complaint with a data protection supervisory authority.

How to Exercise Your Rights

Contact us at: support@esnaf.io

We will respond to your request within:

  • 30 days under GDPR (EU/EEA/UK)
  • 45 days under other applicable laws

International Data Transfers

esnaf.io operates globally and may transfer data to countries outside your country of residence, including Turkey and countries within the European Economic Area (EEA).

When transferring data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Data Processing Agreements with all third-party processors
  • Encryption and security measures during transfer and storage

If you have questions about international transfers, contact us at support@esnaf.io.

Data Security

We implement comprehensive security measures:

Technical Measures

  • Encryption: SSL/TLS for data in transit, AES-256 for data at rest
  • Access Controls: Role-based permissions and multi-factor authentication
  • Firewalls: Network segmentation and intrusion detection systems
  • Regular Security Audits: Vulnerability assessments and penetration testing
  • Backup Systems: Automated daily backups with geographic redundancy

Organizational Measures

  • Employee Training: Regular data protection and security awareness programs
  • Confidentiality Agreements: All employees and contractors sign NDAs
  • Incident Response Plan: Documented procedures for data breaches
  • Data Protection Officer: Dedicated oversight of data protection practices

Beta Service Security Note: While we implement industry-standard security practices during our beta phase, please be aware that no system is 100% secure. We recommend maintaining independent backups of critical data.

Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify you within 72 hours of becoming aware of the breach (as required by GDPR)
  • Report to relevant supervisory authorities as required by law
  • Provide information about the nature of the breach and steps taken to mitigate harm
  • Recommend protective actions you can take

Children's Privacy

esnaf.io is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, contact us immediately at support@esnaf.io and we will promptly delete it.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

  • Changes in legal or regulatory requirements
  • New features or services
  • Improvements in data protection practices
  • Feedback from users or supervisory authorities

When we make material changes:

  • We will update the "Last updated" date at the top of this policy
  • We will notify you via email (if you have an account)
  • We will display a prominent notice on our website
  • You will be asked to review and accept the updated policy upon your next login

Continued use of Services after changes constitutes acceptance of the updated policy.

Contact Information

Data Protection Inquiries

For questions, concerns, or to exercise your data protection rights:

Email: support@esnaf.io
Website: https://esnaf.io/privacy

Data Protection Officer (DPO)

Email: dpo@esnaf.io

Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority:

European Union / EEA

Find your local supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom

Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Phone: 0303 123 1113

Other Jurisdictions

Contact your local data protection authority or privacy commissioner.

Governing Law

This Privacy Policy is governed by:

  • General Data Protection Regulation (GDPR) for users in the EU/EEA
  • International data protection laws for users in other jurisdictions

If you are a consumer in the EU/EEA, you retain the protections afforded by mandatory consumer protection laws in your country of residence.



For the most current version of this policy, visit: https://esnaf.io/privacy-policy