Privacy Policy

Effective Date: March 28, 2026

1. Introduction

This privacy policy describes how Bivvey ("we," "us," "our") collects, uses, stores, and protects your personal information when you use our platform.

This policy applies to all users of the Bivvey platform, including account owners, administrators, staff members, and viewers. By using Bivvey, you consent to the practices described in this policy.

2. Information We Collect

2a. Information You Provide Directly

• Account registration information: name, email address, company name, and chosen subdomain.
• Login credentials: email and password. Passwords are stored as one-way cryptographic hashes using bcrypt with a cost factor of 12. We never store plaintext passwords.
• Business data: inventory items, categories, suppliers, customers, purchase orders, sales, transactions, serial numbers, locations, and all related records you enter into the platform.
• Billing information: payment details are collected and processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers.
• Communications: emails you send to our support address, feedback, and any other correspondence with us.

2b. Information Collected Automatically

• Session data: session identifiers stored in secure, HTTP-only cookies for authentication purposes.
• Server logs: IP addresses, request timestamps, URLs accessed, HTTP methods, response codes, and user agent strings.
• Error logs: application errors and stack traces (which may include request parameters) collected for debugging purposes.

We do NOT use third-party tracking cookies, advertising pixels, or behavioral analytics tools.

3. How We Use Your Information

• To provide and operate the Bivvey platform, including processing your inventory data, generating reports, and calculating costs.
• To authenticate your identity and maintain your session.
• To process subscription payments through Stripe.
• To send transactional emails: welcome emails, password reset links, trial expiration notices, and billing notifications.
• To respond to support requests and communicate with you about your account.
• To monitor and improve the security, performance, and reliability of the service.
• To enforce our Terms of Service and prevent abuse.
• To comply with legal obligations.

We do NOT sell, rent, or trade your personal information to third parties. We do NOT use your data for advertising or marketing purposes beyond service-related communications.

4. Data Storage and Isolation

• Your data is stored on servers located in Ashburn, Virginia, United States.
• Each tenant's data is stored in a separate, isolated database schema. No tenant can access another tenant's data.
• All data is encrypted in transit using TLS/SSL.
• Database backups are performed daily and stored in encrypted form at secure off-site locations.
• Backups are retained for 30 to 90 days, depending on backup tier, and are then permanently deleted.

5. Data Sharing and Third-Party Services

We share your data with third parties only in the following limited circumstances:

5a. Stripe (Payment Processing)

We share your email address, company name, and tenant identifier with Stripe to create and manage your subscription. Stripe processes and stores your payment information according to their privacy policy. Stripe is PCI DSS Level 1 certified.

5b. Xero (Accounting Integration, Optional)

If you choose to connect Xero, we transmit inventory valuation and cost of goods sold (COGS) data to your Xero account as manual journal entries. This integration is entirely optional and is initiated by you. Xero processes your data according to their privacy policy.

5c. Anthropic (AI Product Lookup, Optional)

If you use the AI Product Lookup feature, we send product identifiers (SKU, UPC, or model number) to the Anthropic API to retrieve product information. We do not send your personal information, customer data, or financial data to Anthropic. Anthropic processes data according to their privacy policy.

5d. Postmark (Transactional Email)

We use Postmark to send transactional emails such as welcome messages, password resets, and trial notices. Postmark receives recipient email addresses and email content for delivery purposes. Postmark processes data according to their privacy policy.

5e. Legal Requirements

We may disclose your information if required to do so by law, court order, or government regulation. We may also disclose your information if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Cookies and Session Management

Bivvey uses a single session cookie for authentication purposes. This cookie is HTTP-only (not accessible to JavaScript), secure (transmitted only over HTTPS in production), and has a same-site restriction to prevent cross-site request forgery.

The session cookie expires after 24 hours of inactivity or when you log out. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not participate in ad networks or cross-site tracking.

7. Data Retention

• Active account data: retained for as long as your account is active and your subscription is current.
• After cancellation: your data is retained for 90 days, during which you may resubscribe and regain access.
• After trial expiration without subscription: your data is retained for 90 days.
• After the 90-day retention period: your data, including all inventory records, customer data, transaction history, and reports, may be permanently deleted.
• Server logs: retained for 30 days and then automatically purged.
• Password reset tokens: expire after 30 minutes and are deleted from the database.
• Backup data: retained for 30 to 90 days as described in section 4.

8. Your Rights and Choices

• Access: you may access all data stored in your Bivvey account at any time by logging in. Reports can be exported as PDF or CSV.
• Correction: you may update or correct any data in your account at any time through the application interface.
• Deletion: you may request deletion of your account and all associated data by contacting support@bivvey.com. Deletion requests will be processed within 30 days.
• Data export: you may request a complete export of your data by contacting support@bivvey.com. We will provide the export in a standard format (CSV or JSON) within 30 days.
• Objection: if you object to any aspect of our data processing, please contact us at support@bivvey.com.

We do not currently serve users in the European Economic Area (EEA) as a primary market. However, if you are located in the EEA, you may have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with a supervisory authority.

9. Children's Privacy

Bivvey is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

10. Security Measures

• All data transmitted between your browser and our servers is encrypted using TLS/SSL.
• Passwords are hashed using bcrypt with a cost factor of 12. We never store or transmit plaintext passwords.
• Sessions are managed with secure, HTTP-only cookies with same-site restrictions.
• Login attempts are rate-limited to prevent brute force attacks.
• Accounts are locked after 10 consecutive failed login attempts for a 15-minute period.
• Input validation and sanitization is applied to all user-submitted data to prevent injection attacks.
• The application runs in isolated Docker containers with least-privilege access.
• Database queries use parameterized statements to prevent SQL injection.
• Content Security Policy (CSP) headers are enforced to prevent cross-site scripting (XSS) attacks.
• Regular security updates are applied to all server software and dependencies.

11. International Data Transfers

Your data is processed and stored in the United States. If you access Bivvey from outside the United States, your data will be transferred to and processed in the United States. By using Bivvey, you consent to this transfer.

12. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect.

The "Effective Date" at the top of this policy indicates when it was last updated. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you via email within 72 hours of discovering the breach. The notification will include a description of the breach, the types of data affected, the steps we are taking to address the breach, and recommendations for protecting yourself.

We will also notify any applicable regulatory authorities as required by law.

14. Contact Information

For questions, concerns, or requests related to your privacy or this policy, contact us at:

Email: support@bivvey.com