Privacy Policy

Effective November 2024

Hesabooks Inc. (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and related services. We align our practices with SOC 2, ISO/IEC 27001, and applicable North American privacy regulations such as PIPEDA (Canada) and U.S. state-specific laws.

What We Collect

We collect only what is necessary to deliver our services and meet compliance standards:

  • Account Information: Name, email, company name, subscription preferences.
  • Financial Data: Transaction and bookkeeping data, where relevant to your use of our services.
  • Usage Logs: Metadata like browser type, device identifiers, and feature usage for security and performance tuning.
  • Support Interactions: Information provided during support requests.

We do not knowingly collect data from individuals under 18.

How We Use Information

We use your information to:

  • Deliver, maintain, and improve our services.
  • Ensure platform availability, confidentiality, and integrity, in line with SOC 2 and ISO 27001 controls.
  • Support financial reporting and compliance for your business.
  • Communicate service updates and respond to support inquiries.
  • Meet our legal, regulatory, and contractual obligations.

Information Sharing

We do not sell or rent your personal information. We only share data with trusted third parties:

  • Cloud providers (e.g., AWS) under data processing agreements.
  • Sub-processors who support infrastructure or analytics (e.g., billing, crash logging).
  • Regulators or legal entities, when compelled by applicable law.

Each vendor is subject to review under our Vendor Management Policy and must meet security obligations aligned with SOC 2 and ISO/IEC 27001 Annex A.

Data Retention

We retain:

  • Financial and transaction data for 7 years, or as required by tax and accounting laws.
  • User accounts and associated information as long as your account is active, and for up to 12 months after termination unless otherwise requested.
  • Logs and system-level data based on operational and audit requirements.

Data no longer needed is securely deleted or anonymized.

Security Practices

We implement strong administrative, technical, and physical controls:

  • Access Control: Role-based access, MFA, and least-privilege principles.
  • Monitoring: Real-time alerting and log retention via AWS CloudTrail, GuardDuty, and CloudWatch.
  • Encryption: All sensitive data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

We continuously assess our security posture through internal audits, penetration tests, and third-party reviews, consistent with SOC 2 Type II and ISO/IEC 27001 frameworks.

Your Rights

For users in Canada, we comply with PIPEDA and will, upon request:

  • Provide access to your personal data.
  • Correct inaccuracies.
  • Delete your information unless retention is required by law.

U.S. users may have state-specific rights depending on jurisdiction (e.g., under the CCPA, where its protections extend to your state).

International Data Transfers

While our services are primarily hosted in the U.S., we may process or store data in Canada or other jurisdictions using secure and compliant methods. We ensure cross-border safeguards are in place.

Updates to this Policy

We may revise this Privacy Policy from time to time. We will notify users of material changes via in-app notices or email. Continued use of the app constitutes acceptance of the updated policy.

Contact Us

For questions, access requests, or privacy concerns, contact our Privacy Officer:

Email: [email protected]