Privacy Policy

1. Data We Collect

We collect only the data necessary to provide our service. Here is a complete list:

1.1 Account Information

• Email address — Used for authentication, account recovery, and transactional emails (e.g., email confirmation).
• Full name — Provided during signup or in Settings. Used for display purposes only.
• Password — Hashed and managed entirely by Supabase Auth. We never store or have access to your plaintext password.
• Google OAuth token — If you sign in with Google, Supabase receives an OAuth token from Google. We do not store or access your Google password.

1.2 Bill of Exchange Document Data

When you generate a BOE, we collect the information you enter on the form:

• Party names — Drawer, drawee, and payee names.
• Financial details — Amount, currency (default USD), payment type (on demand or fixed date), and payment date.
• Location and jurisdiction — Place of payment and governing law.
• Document metadata — Date of issue, system-generated reference number, creation timestamp, save status, and expiration date.

1.3 Sensitive Tax Identifiers (TIN/EIN)

You may optionally provide Tax Identification Numbers (TIN) or Employer Identification Numbers (EIN) for the drawer, drawee, and/or payee. These fields are entirely optional — you can generate a valid BOE without them.

• Accepted formats: EIN (XX-XXXXXXX) or SSN (XXX-XX-XXXX).
• TIN/EIN values are encrypted immediately upon submission using AES-256-GCM before being written to the database. They are never stored in plaintext.
• When displayed in the application or returned by our API, TIN/EIN values are masked (e.g., ***-**-1234). The full value is only ever included in the generated PDF at the moment of creation.
• Data exports exclude TIN/EIN values entirely to prevent accidental exposure.

1.4 Payment and Subscription Data

• All payment processing is handled by Stripe, a PCI Level 1 certified payment processor. We never see, handle, or store your credit card number, CVV, or billing address.
• We store only: your Stripe customer ID, subscription ID, plan type, subscription status (active, canceled, past_due), and billing period dates.
• Charges will appear on your bank or credit card statement as "WEBMAX LABS" or "WEBMAX LABS LLC". This is the legal entity name behind BOE Generator. If you see this charge and don't recognize it, please contact us at support@webmaxlabs.com before disputing it with your bank.

1.5 Usage Data

• BOE generation counts — Monthly counters (keyed by year-month) used to enforce plan limits. We track the count only, not the content of what was generated.

1.6 Security and Audit Logs

We log security-relevant events to detect abuse and maintain system integrity. Logged events include:

• BOE generation (success and quota exceeded)
• Checkout session creation
• Account deletion requests
• Data exports
• Subscription changes (created, deleted, payment failures)
• Automated cleanup runs

Audit logs record the event type, your user ID, a resource identifier, and a timestamp. They do not record document content, TIN/EIN values, IP addresses (unless required for abuse prevention), or any personally identifiable information beyond your user ID.

1.7 What We Do NOT Collect

• We do not use cookies for tracking or advertising.
• We do not collect device fingerprints, browsing history, or behavioral analytics.
• We do not sell, rent, or share your data with data brokers or advertisers.
• We do not use your document data to train machine learning models.

2. How We Use Your Data

Your data is used exclusively to provide and maintain the BOE Generator service:

• Document generation — Your form inputs are used to generate a PDF Bill of Exchange. The document is stored in secure cloud storage linked to your account.
• Authentication — Your email and credentials are used to verify your identity and protect your account.
• Subscription management — Subscription data is used to determine your plan tier and enforce usage limits.
• Abuse prevention — Rate limiting and audit logs are used to prevent misuse of the service.
• Service communication — Your email may be used to send account-related messages (confirmation links, password resets). We do not send marketing emails.

3. Data Security

We implement multiple layers of security to protect your data:

3.1 Encryption

• In transit — All connections use HTTPS with TLS. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and preload.
• At rest — TIN/EIN fields are encrypted using AES-256-GCM with a dedicated encryption key. Each encrypted value has a unique initialization vector (IV) and authentication tag, providing both confidentiality and tamper detection.
• Passwords — Hashed by Supabase Auth using bcrypt. We never have access to plaintext passwords.

3.2 Access Control

• Row-Level Security (RLS) — Database policies ensure every user can only read, create, and modify their own data. These policies are enforced at the database level and cannot be bypassed by application code.
• Admin access — Administrative functions (user management, subscription oversight) are restricted to accounts with an explicit admin role and enforced through database-level security functions.
• Server-only code — Sensitive operations (encryption, admin database access, audit logging) are protected with build-time import guards that prevent them from ever being included in client-side JavaScript bundles.

3.3 Rate Limiting

• BOE generation: 5 requests per minute
• Checkout: 3 requests per minute
• Account deletion: 2 requests per minute
• Data export: 2 requests per minute
• Login attempts: Locked for 60 seconds after 5 consecutive failures

3.4 Application Security

• Content Security Policy (CSP) — Strict CSP headers prevent cross-site scripting (XSS) and unauthorized script execution.
• Input validation — All user inputs are validated server-side using schema validation before processing.
• Error sanitization — Error messages returned to users and written to logs are sanitized to prevent leaking sensitive data such as database details or personal information.
• Webhook verification — Stripe webhook payloads are cryptographically verified. Duplicate events are detected and ignored.
• Timing-safe comparisons — Secret tokens (e.g., cron authorization) use constant-time comparison to prevent timing attacks.

4. Data Retention

• Unsaved BOEs — Automatically deleted 30 days after creation by an automated daily cleanup process.
• Saved BOEs — Retained until you manually delete them or until your account is removed.
• Account deletion — When you delete your account, it is immediately soft-deleted (made inaccessible). All associated data — profile, documents, generated PDFs, usage counters, and subscription records — is permanently and irreversibly deleted after a 30-day grace period. If you change your mind within those 30 days, contact us to restore your account.
• Stripe subscription — When you delete your account, any active Stripe subscription is automatically canceled before deletion proceeds.
• Audit logs — Retained for operational and security compliance purposes. Audit logs contain only event metadata (event type, user ID, timestamp), not document content.

5. Third-Party Services

We rely on the following third-party services to operate. Each processes data only as necessary to provide their specific function:

We do not share your data with any other third parties. We have no advertising partners, analytics trackers, or data brokers.

6. Your Rights

Regardless of your location, we provide the following rights to all users:

• Right to Access — You can view all data associated with your account at any time through the application. Your BOE documents, profile information, and subscription details are visible in the dashboard.
• Right to Data Portability — You can export all of your data in machine-readable JSON format from the Settings page. The export includes your profile, subscription status, all BOE records, and usage history. TIN/EIN values are excluded from exports to prevent accidental exposure of sensitive tax identifiers.
• Right to Rectification — You can update your name at any time from the Settings page. Email changes can be managed through your authentication provider.
• Right to Erasure — You can delete your account from the Settings page. This immediately makes your account inaccessible and permanently removes all data after 30 days. Active subscriptions are automatically canceled.
• Right to Restriction — If you believe your data is being processed incorrectly, contact us and we will restrict processing while we investigate.
• Right to Object — Since we only process data to provide the service you signed up for (not for profiling, marketing, or automated decision-making), there is no processing to object to beyond deleting your account.

For EU/EEA residents (GDPR): Our legal basis for processing is contract performance (providing the service you signed up for) and legitimate interest (security and abuse prevention). You have the right to lodge a complaint with your local Data Protection Authority.

For California residents (CCPA): We do not sell personal information. We do not use personal information for cross-context behavioral advertising. You have the right to know, delete, and opt out — all of which are available through the application without needing to contact us.

7. Children's Privacy

BOE Generator is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

8. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related inquiries, data requests, billing questions, or to exercise any of your rights, contact us at:

We will respond to all privacy and support requests within 30 days.