Privacy Policy

1. Information We Collect

Account Information

• Name and email address
• Company/organization name
• Password (stored securely hashed, never in plain text)

Data You Store

You may choose to store the following types of information:

• Exemption certificates and related documentation
• Customer information including names, email addresses, and tax identifiers
• Certificate metadata such as exemption types, jurisdictions, and expiration dates
• Certificate request and communication history
• Integration connection data from connected systems

Automatically Collected Information

• IP address and browser type
• Usage data and access times
• Device information

2. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Process payments and manage subscriptions
• Send service-related communications (certificate requests, reminders, expiration notices)
• Respond to support requests
• Improve and optimize the Service
• Comply with legal obligations

3. Data Security

Data safety is paramount to ExemptHQ. We employ comprehensive security measures:

Encryption in Transit

All data transmitted between your browser and our servers uses TLS 1.2+ encryption to prevent interception.

Secure Storage

• Certificate files stored with strict access controls
• Passwords hashed using bcrypt with salt
• API keys stored securely with one-way hashing

Additional Security Measures

• Role-based access controls (owner, admin, viewer)
• Organization-level data isolation (multi-tenant scoping)
• HMAC-verified webhook signatures
• CSRF protection on all forms
• Regular security assessments

4. Data Sharing

We do not sell, trade, or rent your personal information. Data may be shared only in these circumstances:

• Service Providers: Third-party providers contractually bound to protect your data (e.g., hosting, email delivery, payment processing)
• Legal Requirements: When required by court order or government request
• Business Transfer: In connection with a merger or acquisition, with equivalent privacy protections
• With Your Consent: When you provide explicit authorization

5. Data Retention

• Active Accounts: Data is retained and secured for the duration of your account activity
• Cancelled Subscriptions: Data retained for 30 days after subscription expiration
• Account Deletion: All data permanently deleted upon request
• Backups: Purged within 30 days of account deletion

6. Your Rights

You have the right to:

• Access: View all your account data at any time
• Export: Download your data in CSV and PDF formats
• Correction: Update your information through your account settings
• Deletion: Request permanent deletion of your account and data
• Portability: Receive your data in a structured, machine-readable format

7. Cookies

We use essential cookies to:

• Maintain your login session
• Remember your preferences
• Ensure security through CSRF protection

We do not use advertising or tracking cookies. Your data is not sold to advertisers.

8. Third-Party Services

• Postmark: Transactional email delivery
• Hostinger: Web hosting infrastructure
• Unified.to: Third-party integration connectivity (when enabled)

Each third-party provider maintains their own privacy practices and is contractually obligated to protect your data.

9. Children's Privacy

ExemptHQ is not intended for individuals under 18 years old. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and, for material changes, by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

ExemptHQ LLC

Email: support@exempthq.com

Website: exempthq.com