Client Portal Privacy Notice
Rayserr Solutions — Client Portal Privacy Notice
Last updated: 2026-07-04 · Version 1.2
1. Who we are (data controller)
Rayserr Solutions ("we", "us", "our") is the data controller for personal data you provide through our website and client portal at rayserrsolutions.com.
- Privacy contact / data-protection point of contact: privacy@rayserrsolutions.com
- For EU/UK data subjects, this address is the channel for all privacy requests and inquiries described in Section 6.
2. Scope of this notice
This notice explains how we handle personal data collected when you purchase HR services at checkout and use the client portal (to track orders, deposits/payments, and project status). You sign in to the portal either with an email address and password (which you set yourself via a one-time invitation link) or by choosing "Continue with Google." This notice covers only the data the portal actually collects — we do not collect data categories beyond those listed in Section 3.
3. What we collect, why, our legal basis, and how long we keep it
| Data category | What it includes | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|---|
| Identity & contact | Name, email address | Create and operate your account; deliver the services you purchase; send account and service emails | Performance of a contract (Art. 6(1)(b)); legitimate interest in account security (Art. 6(1)(f)) | Kept while your account is active. Auto-anonymized after 24 months of inactivity. |
| Authentication credentials | Your password (stored only as a salted cryptographic hash — never in plain text); or, if you use "Continue with Google," the Google account identifier and basic profile (email, name) Google returns to us | Let you sign in securely and protect your account | Performance of a contract (providing the login you requested, Art. 6(1)(b)); legitimate interest in securing access (Art. 6(1)(f)) | Kept while your account is active; removed/anonymized when the account is deleted or anonymized. |
| Order & payment status | Order/cart contents, deposit/payment status, and Stripe payment references. We do not store full card numbers — card data is handled directly by Stripe (see Section 4). | Process your purchase and deposit; show order/payment status; meet accounting/tax obligations | Performance of a contract (Art. 6(1)(b)); legal obligation for financial records (Art. 6(1)(c)) | Account-linked status: with your account (24-mo inactivity backstop). Financial/transaction records retained 7 years to meet legal and tax obligations, decoupled from your identity (retained in anonymized/pseudonymized form where your account is anonymized). |
| Project / service status | Project status, service-request details you provide | Deliver and track the HR services you engaged us for; show status in the portal | Performance of a contract (Art. 6(1)(b)); legitimate interest in account/status management (Art. 6(1)(f)) | Kept while your account is active; auto-anonymized after 24 months of inactivity. |
| Session | A strictly-necessary session cookie set when you sign in | Keep you signed in for your session | Performance of a contract (Art. 6(1)(b)); legitimate interest in securing access (Art. 6(1)(f)) | The session cookie lasts for your session / until you sign out. |
4. Sub-processors (who else processes your data)
We share personal data only with the service providers needed to run the portal. Each is engaged under a Data Processing Agreement (DPA) tracked in RAYAAAA-76.
| Sub-processor | Role | Data involved |
|---|---|---|
| Stripe | Payment processing | Handles your payment/card details directly and returns payment status + references to us. We never receive or store full card numbers. |
| Hostinger | Hosting & database (PostgreSQL) | Hosts the portal and stores the account, authentication, order/payment-status, and project data described in Section 3 (encrypted in transit; server/database secured at rest). |
| Google LLC | Optional "Continue with Google" sign-in (OAuth) | If you choose Google sign-in, Google authenticates you and shares your email and basic profile (name) with us. Governed by Google's own privacy policy. |
| Transactional email provider (Google Workspace / SMTP) [finalize vendor + DPA link from RAYAAAA-76 / RAYAAAA-153] | Sending account, invitation, and service/enquiry emails | Your email address and the contents of those emails. |
We do not sell or share your personal data for advertising, and we do not use third-party advertising or tracking cookies.
5. Cookies & session
We use a single strictly-necessary session cookie, set when you sign in (with your password or via Google), to keep you signed in. This cookie is required to provide the portal and is not used for analytics, advertising, or cross-site tracking. Because it is strictly necessary, it does not require consent under the ePrivacy Directive. If you sign in with Google, Google may set its own cookies during authentication under Google's privacy policy. We do not operate a cookie-consent banner because we set no non-essential cookies of our own.
6. Your rights
If you are in the EU/UK (GDPR), you have the right to: access your data; correct (rectify) it; erase it ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. You may also lodge a complaint with your local data-protection supervisory authority (in the UK, the ICO).
If you are a California resident (CCPA/CPRA), you have the right to: know/access the personal information we collect; delete it; correct it; and opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information, and we will not discriminate against you for exercising your rights.
How to exercise your rights: email privacy@rayserrsolutions.com. We will verify your identity (using your account email) and respond within the timeframes required by applicable law (generally 1 month under GDPR; 45 days under CCPA, extendable as the law allows). Note that we may retain financial/transaction records for the 7-year period described in Section 3 even after an erasure request, in anonymized/pseudonymized form, to meet our legal obligations.
7. International transfers
Our hosting and sub-processors may process data outside your country (e.g., the United States, in the case of Stripe and Google). Where required, transfers of EU/UK personal data rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum / IDTA), as reflected in the relevant sub-processor DPAs in RAYAAAA-76. [Confirm transfer mechanism per sub-processor during outside-counsel review.]
8. Security
Data is encrypted in transit (HTTPS/TLS) and passwords are stored only as salted cryptographic hashes. The database and server are secured at rest (see RAYAAAA-76 for the encryption verification and breach-response runbook). We restrict access to personal data to those who need it to operate the service.
9. Changes to this notice
We may update this notice as our services or legal obligations change. We will post the updated version at this page and revise the "Last updated" date.
10. Contact
Questions or requests: privacy@rayserrsolutions.com.