Effective Date: February 18, 2025

Privacy Policy

GoodTaco Inc. commits to protecting your privacy. This policy explains how we collect, use, share, and safeguard information when you access our services.

1. Introduction

GoodTaco Inc. commits to protecting privacy, and this policy explains how we collect, use, share, and safeguard information when users access our Services. By accessing the Services, you agree to the practices described herein.

2. Information We Collect

We collect several categories of data:

Account Data

Name, email, job title/function, intended use (for account creation and management)

Billing Data

Payment method details handled by PCI-compliant providers (for subscription processing)

Integration Data

Google user data (Sheets, OAuth), Xero, HubSpot, QuickBooks, Airtable data when connected (to provide requested integrations)

Google Compliance: We never use Google data for advertising or disclose it except as needed to run the Services.

Usage Data

Log files, device/browser info, IP address (to operate, secure, and improve Services)

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain Services including integrations with Google, Xero, HubSpot, QuickBooks, Airtable, Railway, AWS, and Cloudflare
  • Communicate about feature updates, beta invitations, billing, and support
  • Understand aggregate usage to improve performance and reliability

We never sell or rent Personal Data to third parties.

We do not engage in automated decision-making or profiling with legal effects.

4. Legal Basis for Processing

Personal Data processing occurs only with consent or when lawful. You may withdraw consent by emailing [email protected].

5. How and Why We Share Your Information

Data sharing occurs solely to deliver Services or comply with law through:

Service Providers

Vetted vendors for communications, infrastructure hosting, and payment processing

Legal Requirements

When necessary to meet legal obligations or defend rights

Sub-processors

  • Google LLC: User authentication (OAuth) and optional Google Sheets integration
  • Railway: Hosting of application servers and databases
  • Amazon Web Services, Inc.: Cloud infrastructure for user-generated tools and storage
  • Cloudflare, Inc.: Global edge caching, TLS termination, and traffic acceleration

Only the minimum data required for each function is shared.

6. Data Security

  • Encryption: All Personal Data is encrypted in transit (TLS 1.2+) and at rest within cloud providers
  • US data residency: All primary production data stores reside within the United States; no production data is stored outside the US
  • Breach notification: Within 72 hours of discovery, affected users and regulators are notified

Security researchers may report vulnerabilities to [email protected] through our responsible-disclosure bug-bounty program.

7. Data Retention

  • Active accounts: Data kept for the account's lifetime
  • Account deletion: Basic contact details are archived unless full deletion is requested
  • Backups: Encrypted, rotating backups for disaster recovery only

Integration-derived data is retained only as long as needed. You may request deletion via [email protected].

8. Your Rights

You have the following rights with 30-day SLAs (except consent withdrawal, which is immediate):

  • Access: Obtain a copy of Personal Data
  • Correction: Fix inaccurate or incomplete data
  • Deletion: Request data erasure
  • Withdraw Consent: Opt out of marketing or integrations

Contact [email protected] to exercise any right.

9. Cookies & Tracking

We use cookies strictly for essential authentication and performance. No third-party advertising or cross-site tracking cookies are deployed.

10. Third-Party Links

External website links are independent of our privacy practices. You should review external policies before providing data.

11. Children's Privacy

Services are not directed to children under 13, and we do not knowingly collect information from them.

12. Changes to This Policy

Material changes are announced at least 30 days in advance via email and in-app notice. The Effective Date reflects the latest version.

13. Contact Us

Questions or concerns should be directed to [email protected].