We collect information you give us directly: account details (name, email, password hash), the contacts, projects, and notes you add to your workspace, and billing details processed by our payment provider Stripe (we never see your full card number). We also collect basic usage analytics — pages visited, features used, error reports — to improve the product. We do not buy data from third parties.
We use your data to operate the service, authenticate you, process payments, send essential service emails (receipts, security alerts, important product changes), provide customer support, and improve features. We never sell your data, ever. We don't run third-party advertising on our service.
Only you and the people you explicitly invite to your workspace can see your data. Our staff access customer data only when you ask us to (for support) or when legally required. All employee access is logged and audited monthly.
We use a small set of trusted vendors to run the service: Stripe (payments), Supabase (database & auth), Cloudflare (hosting & DDoS protection), Resend (transactional email), and PostHog (analytics). All are GDPR-compliant. A current list with links is available on request.
Your data is primarily stored in the EU (Frankfurt) with read replicas in the US. Where data crosses borders, we rely on Standard Contractual Clauses approved by the European Commission.
We use essential cookies for authentication and session management, and a small number of analytics cookies to understand product usage. You can opt out of analytics cookies in your account settings or via your browser. We don't use advertising cookies.
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with bcrypt. We enforce 2FA for all staff with production access, run automated dependency scans, and conduct an annual third-party penetration test.
You can export your data, correct it, or delete your account at any time from the Billing & Settings page. EU/UK users have rights under GDPR; California users have rights under CCPA — including access, portability, deletion, and the right to object. Email support@myonlinestaff.com to exercise any right; we respond within 30 days.
We keep your account data for as long as your account is active. After account deletion, personal data is removed within 30 days from primary systems and within 90 days from backups. Anonymized analytics may be retained indefinitely.
In the unlikely event of a data breach affecting your personal data, we'll notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR.
My Online Staff is intended for business use and not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we'll delete it.
We'll notify you by email at least 30 days before any material change to this policy. Minor edits (typos, clarifications) may be made without notice but will always be reflected in the 'last updated' date above.