Privacy Policy — Cal2Cash

Jurisdiction notices: EEA / UK / Switzerland residents — RCLOUD LABS LLC acts as the data controller under GDPR and UK GDPR. California residents — this Policy addresses your rights under CCPA/CPRA. Brazil residents — this Policy addresses your rights under LGPD.

1. Introduction & Scope

RCLOUD LABS LLC ("Company," "we," "us," "our") operates a portfolio of cloud-based software products. This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect personal information in connection with our Services.

This Policy applies to: all visitors to our websites; all registered users and subscribers of any RCLOUD LABS LLC product; individuals interacting with us via email, social login, or support channels; and individuals whose personal data is stored or processed through the Service by one of our users ("End Clients").

By using the Service, you acknowledge that you have read and understood this Policy.

2. Data Controller Information

RCLOUD LABS LLC
California, United States

Purpose	Contact
All Inquiries (Privacy, Support, Legal)	[email protected]

We do not currently have a designated Data Protection Officer (DPO). All privacy inquiries should be directed to [email protected].

3. Information We Collect

3.1 Information You Provide Directly

Category	Examples
Account & Identity	Name, email address, profile picture
Business Details	Company name, business type, phone number
Billing Information	Name and billing address; payment card details are processed and stored by Stripe — never stored on our servers
Support & Communications	Messages, attachments, and contact details submitted to our support team
Preferences	Notification settings, language, timezone

3.2 Information Collected Automatically

Category	Examples
Device & Browser	Browser type, OS, device type, screen resolution
Network & Location	IP address, approximate geolocation (city/country via IPinfo.io)
Usage & Analytics	Pages visited, features used, click patterns, session duration, referral source
Cookies & Identifiers	Session tokens, authentication cookies, analytics identifiers
Log Data	Server logs, error reports, timestamps, API request logs

3.3 Information from Third-Party Integrations

When you connect a third-party service, we receive data only as necessary to deliver that integration's functionality.

Integration	Data We Receive
Google Sign-In	Name, email address, profile picture (authentication only)
IPinfo.io	City and country inferred from IP address
Additional Integrations	As described within the product and at the time of authorization

We never store third-party service passwords. Access is granted via scoped OAuth 2.0 tokens that you can revoke at any time.

3.4 Information from Other Sources

We may receive information from business partners, co-marketing partners, or public sources where permitted by applicable law.

3.5 End-Client Data

Where users of the Service store information about their own clients or contacts, we collect and process that data solely as a data processor acting on the user's instructions.

Category	Examples
Identity & Contact	Name, email address, phone number
Transaction & Engagement	Payment status, due dates, account balances, activity history
Communication Preferences	Opt-out status, communication history

End-Client Data is used exclusively to deliver the Service features configured by the user. We do not use End-Client Data for our own marketing, profiling, or analytics purposes. If you are an End Client and wish to access, correct, or delete your data, contact us at [email protected].

4. Legal Basis for Processing (GDPR & UK GDPR)

Legal Basis	When We Use It
Contractual Necessity (Art. 6(1)(b))	Account creation, core Service features, payment processing, transactional emails
Legitimate Interests (Art. 6(1)(f))	Service security, fraud prevention, debugging, analytics, UX improvement
Consent (Art. 6(1)(a))	Marketing emails, analytics cookies, advertising pixels, optional integrations
Legal Obligation (Art. 6(1)(c))	Responding to lawful government or court requests
Legitimate Interests — as Processor	Processing End-Client Data on behalf of users who act as data controllers, strictly as instructed by those users

Where we rely on consent, you may withdraw it at any time by contacting [email protected] or using in-app settings.

5. How We Use Your Information

Service Delivery

Create and manage your account and subscriptions.
Authenticate you via direct login or social login (Google and other supported providers).
Deliver the core features and functionality of the Service.
Process payments and manage billing via Stripe.
Send transactional emails (confirmations, alerts, invoices).
Send authorized communications to users' clients or contacts on users' behalf, as configured and directed by the user.

Service Improvement & Analytics

Analyze aggregated usage patterns to improve features.
Debug errors and fix issues using log data.
Conduct A/B testing and feature rollouts.

Security & Fraud Prevention

Detect, prevent, and respond to security incidents.
Verify identity and monitor for suspicious activity or policy violations.

Communication

Respond to support requests and inquiries.
Send product updates and security notices (transactional — always on).
Send newsletters and marketing communications (with consent; opt-out available at any time).

Legal & Compliance

Comply with applicable laws, regulations, and legal processes.
Enforce our Terms and protect the rights, safety, and property of RCLOUD LABS LLC, users, and the public.

6. How We Share Your Information

We do not sell your personal data. We share your information only as follows:

6.1 Service Providers & Subprocessors

Subprocessor	Role	Data Shared
Stripe, Inc.	Payment processing	Billing name, address, email
Google LLC	Cloud hosting, analytics, OAuth	Usage data, account email
Amazon Web Services	Cloud infrastructure & hosting	All data hosted in cloud environment
Resend	Transactional email delivery	Email address, name of recipient
MailerLite	Marketing email delivery	Email address, name, opt-in status
IPinfo.io	Geolocation lookup	IP address

All subprocessors are contractually bound to handle data securely and only as instructed by us.

6.2 Business Transfers

If RCLOUD LABS LLC is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

6.3 Legal & Regulatory Disclosure

We may disclose your information if required by law, court order, or subpoena, or if reasonably necessary to comply with applicable law, protect safety, prevent fraud, or protect RCLOUD LABS LLC's legal rights.

6.4 With Your Consent

We share information with third parties when you have given us explicit consent to do so.

6.5 Aggregated & Anonymized Data

We may share aggregated or de-identified data (which cannot reasonably identify you) with third parties for research, analytics, or marketing purposes.

7. International Data Transfers

RCLOUD LABS LLC is based in the United States. If you access the Service from the EEA, UK, Switzerland, or other regions with data transfer restrictions, your personal data will be transferred to and processed in the United States.

We ensure compliance through:

Standard Contractual Clauses (SCCs): For GDPR-regulated transfers to third parties.
Adequacy Decisions: Where recognized by the European Commission.
UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom.

To request a copy of applicable transfer mechanisms, contact us at [email protected].

8. Data Retention & Deletion

Data Type	Retention Period
Account & profile data	Duration of account + 90 days after deletion
Transaction & billing records	7 years (legal/tax obligation)
Usage & analytics logs	Up to 24 months, then aggregated or deleted
Support correspondence	3 years after ticket closure
Integration OAuth tokens	Until you revoke integration access
End-Client Data	Duration of user's account + 90 days after account deletion
Marketing consent records	Duration of relationship + 3 years

Account Deletion: Request deletion of your account and personal data at any time by emailing [email protected]. We will process your request within 30 days.

9. Security Measures

We implement commercially reasonable technical and organizational security measures, including:

Encryption in Transit: TLS 1.2 or higher for all data in transit.
Encryption at Rest: Industry-standard encryption for stored data.
Access Controls: Role-based, need-to-know access for RCLOUD LABS LLC personnel.
OAuth 2.0: All third-party integrations use minimum-scope OAuth tokens; we never store third-party passwords.
MFA: Multi-factor authentication is available and encouraged for all accounts.
Monitoring & Logging: Continuous monitoring for security incidents with audit logging.
Vendor Security: Contractual security requirements for all subprocessors.

In the event of a data breach posing a high risk to your rights, we will notify you and relevant supervisory authorities within the timeframes required by applicable law (e.g., 72 hours under GDPR).

10. Cookies & Tracking Technologies

Cookie Type	Purpose	Examples
Essential / Strictly Necessary	Authentication, session management, security	Session cookies, CSRF tokens
Functional / Preference	Remember your settings and preferences	Language, timezone, UI preferences
Analytics & Performance	Understand usage patterns and improve features	Google Analytics
Advertising & Marketing	Personalized ads and campaign measurement	Meta Pixel, LinkedIn Insight Tag

We use Google Analytics with IP anonymization enabled. We may use tracking pixels from Meta (Facebook), LinkedIn, and similar platforms to measure advertising effectiveness.

Managing Cookies: Adjust your browser to refuse or delete cookies. Blocking essential cookies will impair core functionality. Where required by law (e.g., EU/UK), we display a consent banner. Google Analytics Opt-out · NAI Opt-Out · Your Online Choices (EU).

11. Your Rights

11.1 Rights Under GDPR (EEA, UK, Switzerland)

Right	Description
Access	Request a copy of the personal data we hold about you
Rectification	Request correction of inaccurate or incomplete data
Erasure	Request deletion of your data ("Right to be Forgotten"), subject to legal retention obligations
Data Portability	Receive your data in a structured, machine-readable format
Restriction	Request that we limit how we process your data
Object	Object to processing based on legitimate interests or for direct marketing
Automated Decision-Making	Not to be subject to decisions based solely on automated processing with significant legal effects
Withdraw Consent	Withdraw consent at any time where processing is consent-based

To exercise GDPR rights, email [email protected]. We will respond within 30 days. EU residents may complain to their local supervisory authority at edpb.europa.eu. UK residents may contact the ICO.

11.2 Rights Under CCPA/CPRA (California Residents)

Right	Description
Right to Know	Know what personal information we collect, use, disclose, or share
Right to Delete	Request deletion of your personal information (subject to exceptions)
Right to Correct	Request correction of inaccurate personal information
Right to Opt-Out	Opt out of sale or sharing of personal information for cross-context behavioral advertising
Non-Discrimination	We will not discriminate against you for exercising CCPA rights

We do not sell personal information as defined under CCPA. To exercise CCPA rights, email [email protected]. We will respond within 45 days.

11.3 Rights Under Other Jurisdictions

Jurisdiction	Law	Rights
Canada	PIPEDA / Quebec Law 25	Access, correction, withdrawal of consent
Brazil	LGPD	Access, correction, deletion, portability, information about sharing
Australia	Privacy Act 1988	Access, correction

Contact [email protected] to exercise rights under any applicable law.

11.4 Rights of End Clients

If your personal data has been submitted to the Service by one of our users (for example, if you have received a communication from the Service on a user's behalf), you may have rights under applicable data protection law. We recommend contacting that user directly first. If you are unable to reach the user, contact us at [email protected].

12. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EEA/UK, where required by applicable law). We do not knowingly collect personal information from children below the applicable age threshold. If you believe a child has provided us with personal information without parental consent, contact us at [email protected] and we will promptly delete it.

13. Links to Third-Party Websites

The Service may contain links to external websites or services not operated by RCLOUD LABS LLC. This Policy does not apply to those third-party services. We encourage you to review their privacy policies; we assume no responsibility for their practices.

14. Changes to This Privacy Policy

We may update this Policy periodically. For material changes, we will notify you via email or a prominent in-app notice before the changes take effect. Non-material changes take effect immediately upon posting. Continued use of the Service after any change takes effect constitutes acceptance of the revised Policy.

15. Contact Information

For privacy-related questions, data requests, or complaints:

RCLOUD LABS LLC
Email: [email protected]

We aim to respond to all inquiries within 5 business days. For formal GDPR or CCPA data subject requests, we respond within the statutory timeframes described in Section 11.