Privacy Policy
Last updated: March 2026
1. Introduction
ClientDesk ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.
2. Data We Collect
We collect the following types of data:
- Account information: Name, email address, and password (hashed) when you register.
- OAuth data: Email and profile information from Google if you use Google Sign-In.
- Project data: Client names, project details, files, and portal settings you create.
- Payment information: Billing details processed securely by Stripe. We do not store card numbers.
- Usage data: Browser type, pages visited, and feature usage for improving the service.
3. Lawful Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Account data, project data, and file storage — necessary to provide the service you signed up for.
- Consent (Art. 6(1)(a)): Terms acceptance at registration and optional cookie preferences.
- Legitimate interest (Art. 6(1)(f)): Usage analytics, error monitoring, and service improvement.
- Legal obligation (Art. 6(1)(c)): Payment records and tax-related data retained as required by law.
4. How We Use Your Data
- To provide and maintain the Service
- To process payments and manage subscriptions
- To send transactional emails (welcome, password reset, portal links)
- To enforce storage and client limits per your plan
- To improve the Service based on usage patterns
- To respond to support requests
5. Third-Party Services
We use the following third-party services to operate ClientDesk:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | File storage, database hosting | Files, all database records |
| Stripe | Payment processing | Email, name, payment details |
| Resend | Transactional email delivery | Email addresses, email content |
| Google | OAuth authentication (optional) | Email, name, profile picture |
| Vercel | Application hosting | Request logs, IP addresses |
| Sentry | Error monitoring | Error traces, browser metadata |
Each third-party service has its own privacy policy governing its use of your data.
6. Security Measures
- Passwords are hashed using bcrypt with a cost factor of 12
- Authentication tokens are hashed with SHA-256
- Files are accessed via time-limited presigned URLs
- All data is transmitted over HTTPS/TLS
- Database access is protected with row-level security policies
7. Your Rights
Under GDPR, CCPA, and similar regulations, you have the right to:
- Access: Download a copy of all your personal data via Settings > Privacy & Data.
- Rectification: Update your account information in Settings > Profile.
- Deletion: Permanently delete your account and all associated data via Settings > Privacy & Data.
- Portability: Export your data in machine-readable JSON format via Settings > Privacy & Data.
- Opt-out: Opt out of non-essential communications at any time.
You can exercise your access, export, and deletion rights directly from your account at Settings > Privacy & Data. For any other requests, contact us at support@client-desk.io.
8. Cookies
We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled. We do not use tracking cookies or third-party advertising cookies.
9. Data Retention
We retain your data for as long as your account is active. When you delete your account, all associated data (profile, clients, projects, files, messages, and portal settings) is permanently deleted immediately. There is no recovery period. Payment records may be retained longer as required by applicable tax and financial regulations.
10. International Data Transfers
Our service infrastructure is hosted in the United States and European Union. If you access the Service from outside these regions, your data may be transferred internationally. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard data transfers where required by GDPR.
11. Data Processing
When freelancers use ClientDesk to manage client data, the freelancer acts as the data controller and ClientDesk acts as the data processor for that client data. Freelancers are responsible for ensuring they have an appropriate legal basis to collect and process their clients' information through the platform.
12. Children's Privacy
The Service is not intended for users under the age of 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service. Your continued use after changes take effect constitutes acceptance.
14. Contact
For privacy-related questions or requests, contact us at support@client-desk.io.