Privacy Policy

erps.one ("we", "us", or "our") is the data controller responsible for your personal data. If you have questions about this policy or how we process your data, please contact our Privacy team at privacy@erps.one.

We collect the following categories of personal data:

• Account data: Name, email address, password hash, company name, billing information
• Usage data: Pages visited, features used, actions performed, timestamps, IP addresses, browser and device information
• Customer data: Data you upload or enter into the Service (e.g., employee records, financial records). You control this data.
• Communications: Emails or messages you send us, support tickets
• Cookies: See our Cookie Policy for details

We use your personal data to:

• Provide, maintain, and improve the Service
• Process payments and manage your subscription
• Send transactional emails (receipts, alerts, notifications)
• Send product updates and marketing communications (with your consent)
• Detect and prevent fraud, security incidents, and abuse
• Comply with legal obligations
• Analyse aggregate usage patterns to improve the product

If you are in the European Economic Area (EEA), we process your data on these legal bases:

• Contract: Processing necessary to perform our contract with you (providing the Service)
• Legitimate interest: Security monitoring, fraud prevention, product improvement, and direct marketing to existing customers
• Consent: Marketing communications, optional cookies
• Legal obligation: Compliance with applicable laws and regulations

We retain account data for as long as your account is active. After account closure, we retain data for 30 days before deletion to allow for account recovery. Billing records are retained for 7 years to comply with financial regulations. You may request earlier deletion under your GDPR rights (see Section 8).

We share your data with the following sub-processors:

• Vercel: Hosting and content delivery (United States)
• Stripe: Payment processing (United States)
• Resend: Transactional email delivery (United States)
• Sentry: Error monitoring (United States)
• PostHog: Product analytics (United States / EU)
• Cloudflare: File storage and CDN (global)

Each processor is bound by a Data Processing Agreement. International transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

We implement technical and organisational measures to protect your data, including TLS 1.3 encryption in transit, AES-256 encryption at rest for sensitive fields, row-level security in the database, and strict access controls. Our security practices are designed to meet SOC 2 Type II requirements.

Depending on your location, you may have the following rights:

• Access (Art. 15 GDPR): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate data
• Erasure (Art. 17): Request deletion of your personal data
• Portability (Art. 20): Receive your data in a machine-readable format
• Objection (Art. 21): Object to processing based on legitimate interest
• CCPA rights: California residents may opt out of the sale/sharing of personal information and request disclosure, deletion, or correction

To exercise your rights, email privacy@erps.one. We will respond within 30 days.

We use cookies and similar technologies. See our Cookie Policy for full details.

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification at least 14 days before they take effect.