1. Who we are
SalesThumb, Inc. (“SalesThumb,” “we,” “us”) operates the SalesThumb platform at salesthumb.com, a multi-tenant software-as-a-service product for service businesses. This Privacy Policy explains how we handle personal information.
2. The two roles we play
SalesThumb processes data in two distinct roles, and your rights depend on which applies:
- Controller — for data we collect about you directly, including account information for shop owners and their staff, billing data, support correspondence, and product telemetry.
- Processor — for data shop owners enter into SalesThumb about their customers, vehicles, appointments, invoices, and so on. The shop is the controller; we process that data only on the shop’s instructions.
If you are a customer of a shop using SalesThumb and want to exercise your rights over your data, please contact that shop directly. We will assist them in fulfilling your request.
3. What we collect
Account & identity
- Name, email address, phone number, hashed password.
- Shop name, address, vertical, business hours.
- Profile photo (optional).
Billing
- Stripe customer identifier and the last four digits of the most recent card. We never receive or store full card numbers.
- Subscription plan, billing history, and invoices.
Product usage
- Pages viewed, features used, error events. Used to debug, plan the roadmap, and bill metered usage where applicable.
- IP address, user-agent, device type, referrer. Retained 30 days for abuse and security investigation.
Customer-of-a-shop data
- When a shop uses SalesThumb, it enters customer information, vehicle details, photos, payment data, warranty registrations, and message history. We process this on the shop’s behalf.
4. How we use it
- To provide, secure, and improve the SalesThumb service.
- To bill you and prevent fraud.
- To send transactional email (receipts, security alerts).
- To send product update emails to shop owners (you can opt out from any such email; opting out doesn’t affect transactional messages).
- To respond to support requests.
- To comply with law, court orders, and lawful requests.
5. Who we share it with
We share personal information only with vendors who help us run the service, all under contract:
- Vercel — application hosting (US).
- Neon — managed Postgres database (US, AWS us-east-1).
- Cloudflare R2 — file storage (global edge).
- Stripe — payment processing.
- Twilio — SMS sending and receiving.
- Resend — transactional email delivery.
- Inngest — scheduled background jobs.
We do not sell personal information. We do not share it with advertisers or data brokers.
6. International transfers
We are a US company and our infrastructure is primarily in the United States. If you are in the European Economic Area, the UK, or another jurisdiction with data-export restrictions, your information will be transferred to the US under Standard Contractual Clauses where required.
7. How long we keep it
- Account data — for the life of your account, then 60 days after cancellation, then deleted.
- Backups — 7-day rolling point-in-time recovery window.
- Invoices and tax records — 7 years per US tax law.
- Security logs — 30 days unless involved in an open investigation.
8. Your rights
You can:
- See what we have about you — export from Settings → Data export in the app, or email info@roffik.com.
- Correct inaccurate information by editing it in the app.
- Delete your account at any time from billing settings.
- Request immediate erasure beyond the 60-day window.
- Object to processing or restrict it, subject to our legal obligations.
- File a complaint with your local data-protection authority.
9. California & US state privacy
California, Colorado, Connecticut, Virginia, Utah, Texas, and a growing list of states grant residents specific privacy rights. We honor those rights as written for each state. We do not sell personal information as defined under the CCPA, CPRA, or equivalent state law. We do not engage in “sharing” for cross-context behavioral advertising.
10. Children
SalesThumb is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email info@roffik.com and we will delete it promptly.
11. Cookies
We use first-party cookies for authentication and to remember preferences. We do not use third-party advertising cookies. A short list of analytics cookies (Vercel Analytics) helps us understand product usage in aggregate; these are anonymized and you can opt out at the operating-system level.
12. Changes to this policy
We’ll post material updates here at least 30 days before they take effect, and email account holders if the change affects their data. The current version is always available at this URL.
13. Contact
Privacy questions: info@roffik.com.
EU representative: contact us first; we’ll route the request appropriately.