Taffy

Privacy Policy

Last updated: April 13, 2026

1. Introduction

Easy Build Inc. ("Easy Build," "we," "us," or "our") operates the Taffy platform at heytaffy.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting your privacy. Taffy is designed to be tracker-free — we do not use Google Analytics, advertising cookies, third-party tracking pixels, or any invasive data collection tools. This policy applies to all users worldwide, including those protected under the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide

  • Account information: email address, password (hashed and stored securely by our authentication provider), display name, and chosen handle.
  • Profile information: optional bio, avatar image, and linked wallet handles (e.g., Venmo username, Cash App cashtag) that you choose to display on your public pay page.
  • Transaction data: sender and recipient identifiers, transaction amounts, fees, status, timestamps, and Wrapper messages (memos, stickers, or notes attached to payments).
  • Candy Jar data: fundraising jar titles, descriptions, goals, categories, updates, and donor information for community fundraising campaigns.
  • Support communications: any messages, feedback, or support requests you send to us.

2.2 Information Collected Automatically

  • Usage data: pages visited, features used, timestamps, and interaction patterns within the Service. This data is collected through first-party analytics only — no third-party tracking scripts.
  • Device information: browser type, operating system, device type, and screen resolution, collected via standard HTTP headers.
  • Cookies: essential cookies required for authentication, session management, and security. See Section 7 for details.

2.3 Information We Do NOT Collect

  • Credit card numbers, debit card numbers, CVVs, or full bank account details. All payment credentials are collected and stored exclusively by Stripe and never touch Taffy's servers.
  • Social Security numbers or government-issued identification numbers.
  • Precise geolocation data.
  • Biometric data.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: processing transactions, managing your account, displaying your public pay page, and enabling features like Wrappers, Candy Jar, Taffy Pull, The Snap, and The Tug.
  • Communication: sending transactional emails (payment confirmations, Tug reminders, Candy Jar updates), account security alerts, and service announcements. We use Resend as our email delivery provider.
  • Safety and fraud prevention: detecting and preventing fraudulent transactions, abuse, and unauthorized access to accounts.
  • Improvement: analyzing usage patterns (using first-party data only) to improve the Service, fix bugs, and develop new features.
  • Legal compliance: fulfilling legal obligations, including tax reporting (e.g., 1099-K for qualifying transactions) and responding to lawful requests from government authorities.

4. Third-Party Service Providers

We share your information with the following trusted third-party service providers, solely to the extent necessary to operate the Service:

Provider | Purpose | Data Shared
Stripe | Payment processing | Transaction amounts, card tokens (managed by Stripe), payer/recipient identifiers
Supabase | Database hosting and authentication | Account data, profile data, transaction records (encrypted at rest)
Resend | Transactional email delivery | Email address, email content (payment confirmations, notifications)
Vercel | Application hosting and CDN | Standard HTTP request data (IP addresses, user agent, request URLs) processed in the course of serving the application

We do not sell, rent, or trade your personal information to any third party. We do not share your information with advertisers. We do not use any Google services, analytics tools, fonts, or CDN resources.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: retained for the lifetime of your account plus 30 days after account deletion to allow for recovery.
  • Transaction records: retained for a minimum of 7 years to comply with tax reporting and financial record-keeping obligations (including IRS 1099-K requirements).
  • Usage data: aggregated and anonymized after 12 months; raw usage logs are deleted after 90 days.
  • Support communications: retained for 3 years after the last communication.

When data is no longer required, it is securely deleted or anonymized in accordance with industry best practices.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Row-level security (RLS) policies in our database ensuring users can only access their own data.
  • Secure password hashing via our authentication provider (Supabase Auth).
  • Regular security assessments and vulnerability monitoring.
  • Stripe-managed PCI DSS compliance for all payment card data.

While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Cookies

Taffy uses only essential cookies required for the Service to function. We do not use advertising cookies, analytics cookies, or third-party tracking cookies.

7.1 Essential Cookies

  • Authentication cookies: session tokens issued by Supabase Auth to keep you signed in securely.
  • Security cookies: CSRF protection and session integrity verification.

7.2 Local Storage

We use browser local storage to persist user preferences (such as privacy settings and theme preferences). This data remains on your device and is not transmitted to our servers.

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Rights for All Users

  • Access: request a copy of the personal information we hold about you. You can download your data at any time through Settings > Privacy > Download Your Data.
  • Correction: update or correct inaccurate personal information through your account settings.
  • Deletion: request deletion of your account and associated personal data by contacting admin@heytaffy.com or using the account deletion feature in your privacy settings. Some data may be retained as required by law (see Section 5).
  • Data portability: export your profile and transaction data in a human-readable format (.txt) via the data download feature.

8.2 Additional Rights Under CCPA (California Residents)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act:

  • Right to Know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: you may request that we delete personal information we have collected from you, subject to certain legal exceptions.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights.
  • No Sale of Personal Information: we do not sell your personal information as defined under the CCPA. We do not share your personal information for cross-context behavioral advertising.

To exercise your CCPA rights, email admin@heytaffy.com with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.

8.3 Additional Rights Under GDPR (EEA, UK, and Swiss Residents)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

  • Legal basis for processing: we process your personal data based on: (a) your consent (account creation); (b) performance of our contract with you (providing the Service); (c) our legitimate interests (fraud prevention, service improvement); and (d) legal obligations (tax reporting, financial regulations).
  • Right to Restrict Processing: you may request that we restrict the processing of your data in certain circumstances.
  • Right to Object: you may object to processing based on our legitimate interests.
  • Right to Withdraw Consent: where processing is based on consent, you may withdraw consent at any time.
  • Right to Lodge a Complaint: you have the right to file a complaint with your local data protection authority.

To exercise your GDPR rights, email admin@heytaffy.com with the subject line "GDPR Request." We will respond within 30 days.

9. International Data Transfers

Taffy is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. By using the Service, you consent to the transfer of your information to these countries, which may have different data protection laws than your country of residence. We take steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

10. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable minimum age, we will take steps to promptly delete that information. If you believe a child has provided us with personal information, please contact us at admin@heytaffy.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy. We encourage you to review this page periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For privacy-specific inquiries, use the subject line "Privacy Inquiry" to help us route your request to the appropriate team.