Privacy Policy
Effective Date: March 3, 2026
Last Updated: March 3, 2026
1. Who We Are
NSuite Solo ("NSuite," "we," "us," or "our") is a business management software platform built for independent, solo service-based business operators — including mobile detailers, hair studio owners, photographers, and similar professionals. NSuite Solo is operated by Core Axis Holdings, LLC, a Colorado, USA company located at 3351 S Field St, Lakewood, Colorado 80227.
We are the data controller for information you provide directly to us when creating and managing your NSuite account and business profile.
We act as a data processor (or "service provider" under CCPA) for personal data that business owners ("Operators") input about their own customers ("End Clients") while using the platform. In that capacity, we process End Client data on behalf of the Operator, who remains the data controller for their clients' information.
Questions about this Privacy Policy may be directed to: legal@nsuitesolo.com
2. Scope of This Policy
This Privacy Policy describes how NSuite Solo collects, uses, stores, shares, and protects personal information in connection with our web application, API, and all related services (collectively, the "Service").
This Policy covers two distinct groups of people:
- Operators: Business owners who register for NSuite Solo accounts, subscribe to a plan, and use the platform to run their business.
- End Clients: The individual customers of Operators whose contact details, appointments, invoices, and related records are managed within the platform on the Operator's behalf.
If you are an End Client whose information appears in NSuite Solo, your information is processed at the direction of the Operator. For privacy questions about data an Operator holds about you, we recommend contacting the Operator directly.
3. Information We Collect
3.1 Information You Provide — Operators
When you register for and use NSuite Solo, we collect the following directly from you:
| Category | Data Points | When Collected |
|---|---|---|
| Account Identity | First name, middle name, last name | Registration |
| Contact | Email address, phone number (E.164 format) | Registration |
| Credentials | Password (stored as a bcrypt hash; plaintext is never retained) | Registration |
| Business Profile | Business name, description, business phone number | Onboarding |
| Business Address | Street address (line 1 & 2), city, state (2-letter), postal code, country | Onboarding |
| Geolocation | Business latitude and longitude coordinates | Onboarding (optional) |
| Email Preferences | Custom email "from" display name, custom reply-to email address | Settings (Starter/Pro plans only) |
| Stripe Identifiers | Stripe Customer ID, Stripe Subscription ID, Stripe Connect Account ID | Generated by Stripe; stored as opaque reference IDs |
Password Security: Passwords are hashed using bcrypt with 12 salt rounds before storage. The plaintext password is never logged, stored, or transmitted. The password hash is never returned in any API response.
3.2 Information Operators Provide About End Clients
| Category | Data Points |
|---|---|
| Identity | First name, middle name, last name |
| Contact | Email address, phone number |
| Appointment Records | Scheduled start/end times, service type, appointment status |
| Appointment Address | Street address, city, state, postal code, country of the service location |
| Invoice Records | Invoice status, line items, subtotal, total, currency, issue date, due date, payment date |
| Staff Notes | Free-form text notes authored by the Operator or authorized staff |
| Activity Log | Audit trail of actions taken with associated timestamps and actor identification |
3.3 Information Collected Automatically
| Category | Data Points | Purpose |
|---|---|---|
| Authentication Token | JSON Web Token (JWT) stored as an access_token cookie | Authentication and session management |
| Server Logs | Structured application logs via the Pino logging library | Operations, debugging, security monitoring |
With your consent, we use Google Analytics 4 (GA4) to collect anonymous, aggregate usage data including page views, session duration, device type, browser, country, and navigation paths. We do not collect names, email addresses, or other personally identifiable information via GA4. IP addresses are anonymised before storage. Data retention is set to 14 months.
We do not use session recording, heatmapping, Meta Pixel, Mixpanel, Hotjar, or advertising profiling technologies.
4. Cookies and Browser Storage
For a detailed description of every cookie and storage item used, please see our Cookie Policy.
In summary: we set one strictly necessary first-party cookie — access_token — required for authentication. With your consent, we also set Google Analytics 4 analytics cookies. We do not use advertising cookies or cross-site tracking cookies. When you access a public invoice payment page, Stripe's JavaScript library sets Stripe-operated cookies for fraud prevention.
5. How We Use Your Information
5.1 Service Delivery (Performance of Contract)
- Authenticating your identity on login; maintaining your logged-in session
- Providing all platform features: client management, appointment scheduling, invoicing, inventory management
- Processing subscription payments via Stripe
- Enabling End Client invoice payments via Stripe Connect
- Sending transactional emails (invoice delivery, payment receipts, low-stock alerts)
- Computing and collecting platform application fees on invoice payments
5.2 Account Support and Security
- Enabling password reset through time-limited, single-use reset tokens
- Rate-limiting API requests (100 requests per 60 seconds) to protect availability
- Responding to support inquiries
5.3 Legal and Financial Compliance
- Retaining invoice and payment records for financial reporting and audit purposes, consistent with applicable record-keeping requirements (including IRS Section 6001, which requires retention of financial records for a minimum of seven years)
- Maintaining an audit log for transaction integrity and dispute resolution
- Responding to lawful legal requests, court orders, and regulatory demands
We do not use your personal information for targeted advertising or advertising profiling, selling or renting data to third parties, or automated decision-making or profiling with legal effect.
6. Payment Processing and Financial Data
We do not store, transmit, or have access to your payment card numbers, expiration dates, or CVV codes. All payment card data is collected directly by Stripe's infrastructure.
For subscription payments, you are redirected to a Stripe-hosted Checkout page. For invoice payments, payment data is entered into Stripe's PaymentElement iframe, which communicates directly with Stripe. No payment card data passes through NSuite Solo's servers at any point.
Stripe, Inc. is our payment processor and acts as a sub-processor for payment data. Stripe's use of your information is governed by Stripe's Privacy Policy.
7. Email Communications
NSuite Solo sends the following transactional emails on behalf of Operators: invoice delivery (to End Client), payment receipt (to End Client and Operator), and low-inventory alerts (to Operator only). These emails are delivered via Resend in production.
Every commercial email includes a one-click unsubscribe link in compliance with CAN-SPAM and CASL requirements. NSuite Solo does not send marketing or promotional emails.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| User account (Operator) | Until erasure request is processed (30-day grace period) | Contractual necessity |
| Business profile | Until erasure request is processed | Contractual necessity |
| Client records (End Clients) | Until Operator or End Client erasure request is processed | Operator direction |
| Invoice and payment records | Minimum 7 years from payment date | IRS Section 6001 / financial record-keeping compliance |
| Staff notes | Hard deleted upon user erasure | No ongoing legal basis after erasure |
| Activity / audit log | Retained indefinitely in anonymized form; PII anonymized to [REDACTED] on erasure | Audit integrity |
| Email queue (outbox) | Email body HTML nullified immediately after successful delivery; metadata retained 90 days | Operational necessity |
| Password reset tokens | Deleted immediately upon use or expiry (1-hour window) | Security hygiene |
| Public invoice tokens | Expire and become inaccessible 90 days after invoice is sent | Data minimization |
9. Your Privacy Rights
Irrespective of your location, you may request access or correction, or lodge a complaint, by contacting legal@nsuitesolo.com.
9.1 California Residents (CCPA / CPRA)
California residents have the right to know, delete, correct, and opt out of sale of their personal information. We do not sell, rent, or share personal information with third parties for monetary consideration or cross-context behavioral advertising. No opt-out of sale is necessary.
9.2 EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you have rights under GDPR including: access (Art. 15), rectification (Art. 16), erasure / right to be forgotten (Art. 17 — subject to the 7-year invoice retention exception), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and withdrawal of consent. You also have the right to lodge a complaint with your local supervisory authority (see edpb.europa.eu).
GDPR Erasure Limitations: Invoice and payment records are retained for seven years under Article 17(3)(b). Activity log entries are anonymized (not deleted) to preserve audit integrity.
9.3 Submitting a Privacy Request
Submit requests to legal@nsuitesolo.com. We will acknowledge within 5 business days and respond substantively within 30 calendar days.
10. Data Sharing and Third-Party Sub-Processors
We do not sell, rent, or trade personal information. We share data only as follows:
| Sub-Processor | Purpose | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, Connect payouts | Business owner email and name; Stripe identifiers | USA | Standard Contractual Clauses |
| Resend | Transactional email delivery | Recipient email address, full rendered email body | USA | Standard Contractual Clauses |
| Google LLC | Analytics (Google Analytics 4 / Google Tag Manager) — only when consent is granted | Anonymised page URLs, referrer, device signals, session data. No names or email addresses are transmitted. | USA | Standard Contractual Clauses / Google Ads Data Processing Terms |
No other third-party services receive personal data from NSuite Solo as part of normal platform operations.
11. Data Security
We implement the following technical and organizational security measures:
- Password hashing: bcrypt with 12 salt rounds; plaintext passwords never stored or logged
- Authentication cookies: HttpOnly, Secure (production), SameSite=Lax; inaccessible to client-side JavaScript
- HTTPS: All production traffic encrypted in transit via TLS
- Rate limiting: API requests limited to 100 per 60-second window per client
- Payment card data isolation: No card data stored or transited through NSuite servers; fully delegated to Stripe
- Webhook signature verification: All Stripe webhooks verified via HMAC signature
- Input validation: All API inputs validated and sanitized; undeclared fields stripped via whitelist
12. Children's Privacy
NSuite Solo is designed for use by adult business operators and their adult clients. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EU/EEA). If you believe we have inadvertently collected data from a minor, please contact legal@nsuitesolo.com immediately.
13. Cross-Border Data Transfers
NSuite Solo is operated from the United States. If you are accessing the Service from outside the United States — including from the EU/EEA — your information will be transferred to and processed in the United States.
NSuite Solo does not specifically target residents of the European Union or European Economic Area. The Service is operated from the United States, and your information will be transferred to and processed in the United States. If you are located in a jurisdiction with cross-border data transfer restrictions and have questions about how your information is handled, please contact us at legal@nsuitesolo.com.
Google Analytics 4 transfer: Google LLC is established in the United States. When analytics cookies are accepted, anonymised usage data is transferred to Google's servers in the USA. This transfer is safeguarded by Standard Contractual Clauses (SCCs) as set out in Google's Data Processing Amendment.
14. Governing Law
This Privacy Policy is governed by the laws of Colorado, without regard to conflict of laws principles. Any disputes shall be resolved in accordance with our Terms of Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and notify you by email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
16. Contact Us
Core Axis Holdings, LLC
Attn: Privacy
3351 S Field St, Lakewood, Colorado 80227
Email: legal@nsuitesolo.com