Tactiks ("the Platform", "we", "us", "our") takes privacy seriously. This Privacy Policy applies to information we process when you register as a distributor, when your sales team uses the Platform, and when leads interact with client-facing flows.
This policy complies with:
- General Data Protection Regulation (GDPR, EU 2016/679)
- Lei Geral de Proteção de Dados (LGPD, Brazilian Law 13.709/2018)
- California Consumer Privacy Act (CCPA, as amended by CPRA)
- Personal Information Protection and Electronic Documents Act (PIPEDA, Canada)
1. Information We Collect
1.1 Account Information
- Organization name, first and last name, email address, phone number.
- A hashed password (bcrypt; we never see or store passwords in plaintext).
- If you sign in with Google, the identifier and basic profile fields Google provides.
- Your acceptance of these Terms (timestamp, IP address, version) retained for legal audit purposes only.
1.2 Operational Data You Upload
- Lead and client records (names, contact details, addresses, notes, status changes).
- Appointments, confirmations, and calendar events.
- Sales transactions, products, and any attached media.
- Communication templates and team configurations.
- Seller location data (country, city, address, postal code) when a seller provides it at registration. These fields are optional and processed under LGPD legitimate interest (Art. 6(1)(f)) / GDPR Art. 6(1)(f): a distributor may request a seller's declared location to audit territory assignments, ensure compliance with regional regulations, and investigate suspected illegality. Other sellers in the same organization never see another seller's address — only ADMIN / SUPER_ADMIN of the workspace can.
1.3 Automatically Collected Data
- Session cookies required to keep you signed in.
- Server logs (timestamp, IP address, user agent) kept for up to 90 days to detect abuse and debug incidents.
- Aggregated, anonymized usage analytics (feature adoption, error rates) for product improvement.
2. How We Use This Information
We process personal data on the following legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Service delivery | Contract (Art. 6(1)(b)) |
| Authentication & security | Legitimate interest (Art. 6(1)(f)) |
| Customer support | Contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
Specifically, we use information to:
- Run the Platform on your behalf (rendering dashboards, dispatching reminders, syncing calendars, producing reports).
- Authenticate access, detect unauthorized activity, and audit sensitive changes to client records.
- Respond to inquiries and resolve issues you raise.
- Meet our obligations under applicable laws and respond to legally binding requests.
3. Sub-Processors
We engage sub-processors to deliver the Service across categories including infrastructure, communications, authentication, and payments. The complete and current list of sub-processors is maintained at vantaristactiks.com/sub-processors and updated whenever material changes occur.
All sub-processors are bound by data processing agreements requiring equivalent or stronger data protection standards. We will provide 30 days' advance notice before adding new sub-processors that materially affect data processing.
4. Data Protection
We apply industry-standard safeguards to protect the data you entrust to us:
- Encryption in transit: TLS 1.3 for all traffic between your browser and our servers.
- Encryption at rest: AES-256 for sensitive fields and backups, managed by our database provider.
- Role-based access controls (RBAC): A seller sees only data scoped to their assignment; an administrator sees only data inside their organization. No data flows across organizations.
- Password hashing: bcrypt with an industry-standard cost factor.
- Audit logs: Three internal audit tables record the workflow trail with who, when, and what changed: LeadChangeLog (lead-record modifications), DataAccessLog (sensitive read operations), and ActivityLog (auxiliary auditable actions such as registrations, role changes, and feature-level access events).
- Three-layer privacy contract: Database-level filters, application-level masking, and middleware role checks defend in depth against accidental disclosure.
5. We Do Not Sell Your Data
Tactiks does not sell, rent, or trade your data to third parties for their own marketing or advertising purposes. Data is shared only with sub-processors strictly required to operate the Platform (Section 3), under contracts that bind them to equivalent protections.
Under CCPA, we confirm: we do not sell personal information as defined by California law.
6. Your Rights
Depending on the laws applicable to you, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal information, subject to legal retention requirements.
- Export your data in a portable format (JSON or CSV).
- Object to processing based on legitimate interest.
- Withdraw consent for optional processing activities at any time.
- Lodge a complaint with your local data protection authority (ANPD in Brazil, CNIL in France, ICO in the UK, etc.).
To exercise any of these rights, contact us at privacy@vantaristactiks.com. We will respond within 30 days (or sooner where required by applicable law).
If your request relates to a lead or client record rather than your own account, please route the request to the distributor that owns that record — they are the controller under most privacy laws.
7. Data Retention
We retain your data while your account is active. Specific retention periods:
| Data category | Retention period |
|---|---|
| Account information | Active + 90 days inactivity warning + 90 days deletion grace |
| Operational data (leads, appointments, sales) | Active + same as account |
| Server logs | 90 days |
| Audit logs (LeadChangeLog, DataAccessLog, ActivityLog) | 2 years from event |
| Backups | 30 days rotation |
| Tax/legal records | 7 years (compliance obligation) |
After prolonged inactivity (see Terms Section 4), we will notify you and provide an opportunity to download a backup before archiving, anonymizing, or deleting records.
8. International Data Transfers
The Platform operates from servers located primarily in the United States. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside your home country.
For users in the European Union, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Sub-processors certified under appropriate frameworks (e.g., Data Privacy Framework for US transfers when applicable).
9. Cookies and Tracking
We use only essential cookies required for the Service to function:
- Session cookies: Keep you signed in (HttpOnly, Secure).
- CSRF tokens: Protect against cross-site request forgery.
We do NOT use:
- Third-party advertising trackers.
- Social media pixels.
- Cross-site behavioral profiling.
You can control cookies through your browser settings, though disabling essential cookies will prevent the Service from functioning.
10. Children's Privacy
The Service is intended for adults operating commercial activities. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 (GDPR Art. 8). If you believe we have collected data from a minor, contact privacy@vantaristactiks.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or the law. When we make material changes, we will:
- Notify you at the email address on file at least 14 days before the change takes effect.
- Where required by applicable law, seek your renewed express consent.
The "Last updated" date at the top of this page always reflects the current version.
12. Contact and Data Protection Officer
Questions about this policy can be sent to:
- Privacy inquiries: privacy@vantaristactiks.com
- Data Protection Officer (DPO): dpo@vantaristactiks.com
- General support: support@vantaristactiks.com
Tactiks is operated as a sole proprietorship based in the State of Illinois, United States of America. A specific street address will be provided upon legitimate legal request via legal@vantaristactiks.com.
For users in Brazil, requests under LGPD may be directed to our DPO at dpo@vantaristactiks.com.
For users in the European Union, contact privacy@vantaristactiks.com to request the designation details of our representative for GDPR purposes.