Rich in Thought LLC ("Rich in Thought," "we," "us") operates the VITAL Suite dashboard product (the "Service") at vitalsuite.richinthought.com. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have.
This policy is written to be understood, not to be clever. If anything below is unclear, email us at info@richinthought.com and we will answer plainly.
1. Information we collect
We collect three categories of information:
1.1 Account information you give us
- Name, email address, and company affiliation when you create an account or when one is created on your behalf by a Rich in Thought advisor.
- Hashed password and time-based one-time-password (TOTP) secret for two-factor authentication.
- Billing information you provide to Stripe when you subscribe (processed by Stripe; we do not store full card numbers).
1.2 Integration data you authorize us to read
When you connect a third-party service such as QuickBooks Online or Gusto, we receive only the scopes you approve during that service's OAuth consent screen. Our integrations are read-only by design — we never request write scopes and we do not modify data in your connected services. Current integrations and the data we read:
- QuickBooks Online — company identity, profit and loss reports, balance sheet reports, cash flow reports (monthly aggregates).
- Gusto — company identity, employee roster (names, hire dates, terminations, compensation, department), processed payroll run totals (gross pay, net pay, employer taxes, benefits).
1.3 Usage information
- Log data about requests to the Service (IP address, user agent, timestamps, response status) for security monitoring and abuse detection.
- Operational telemetry about sync runs and API rate-limit events, scoped to your company.
2. How we use your information
We use the information above to:
- Provide the Service — authenticate you, render your dashboard, run the nightly and on-demand data syncs, send security and service-related notifications.
- Protect the Service and our customers — detect abuse, enforce rate limits, investigate security incidents, satisfy legal requests.
- Improve the Service — analyze aggregated usage patterns to prioritize features. Individual customer data is not used for marketing or sold to third parties.
We do not sell your personal information or your integration data to any third party. We do not share it with advertisers or data brokers.
3. Sub-processors
We rely on the following sub-processors to operate the Service. Each has its own privacy and security posture that you can review at the linked pages:
- Railway — application hosting (containers, TLS termination). SOC 2 Type 2 attested. (Privacy Policy)
- Supabase — managed PostgreSQL database, authentication, storage. SOC 2 Type 2 attested. (Privacy Policy)
- Intuit (QuickBooks Online) — source of your financial data when you connect QBO. (Privacy Policy)
- Gusto — source of your payroll and roster data when you connect Gusto. (Privacy Policy)
- Google Workspace — email and internal document storage. (Privacy Policy)
- Stripe — payment processing. (Privacy Policy)
We review each sub-processor at least annually and after any publicly-disclosed security incident.
4. Where we store your data
All production systems run on AWS-hosted infrastructure in United States regions, managed by Railway (compute) and Supabase (database). We do not operate our own data centers.
5. International data transfers
If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. For transfers subject to European or UK data protection law, we rely on the Standard Contractual Clauses published by the European Commission and, where applicable, the UK International Data Transfer Addendum.
6. How we protect your data
- Encryption in transit: All customer-facing traffic uses HTTPS with TLS 1.3. Internal service-to-service calls use TLS 1.2 or higher. HTTP Strict Transport Security is enabled.
- Encryption at rest: OAuth access and refresh tokens are encrypted with Fernet (AES-128 in CBC mode with an HMAC-SHA256 authentication tag, encrypt-then-MAC) before being stored. The underlying database volumes are encrypted with AES-256 by our cloud provider. Volume encryption protects the data if the underlying storage is lost or decommissioned; the application-layer Fernet encryption is what keeps tokens unreadable to anyone who can query the database without the key.
- Access control: Tenant isolation is enforced at both the application layer and the database layer via PostgreSQL Row-Level Security policies scoped to your company identifier. Encrypted credential columns are readable only by our service role, never by a user-session query.
- Authentication: Passwords hashed with bcrypt. Two-factor authentication via TOTP is required for every login.
- Monitoring: Structured logs on every request; anomaly review and rate-limit enforcement on authentication endpoints.
Additional detail on our security controls is available in our Security Posture document on request at security@richinthought.com.
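The access-control bullet above describes two layers of isolation: a Row-Level Security policy that scopes every user-session query to one company, and column grants that keep the encrypted credential column readable only by the service role. The following is an illustrative PostgreSQL schema added to show how those two layers fit together; it is not the Service's actual schema. It assumes a table named integration_credentials keyed by company_id, an "authenticated" role used for user-session queries, a "service_role" used only by the backend, and a session setting app.company_id that the application sets after authenticating the user.

```sql
-- Illustrative tenant-isolation schema (not Rich in Thought's real schema).
-- Assumed names: authenticated, service_role, app.company_id, integration_credentials.

create role authenticated nologin;
create role service_role nologin bypassrls;   -- backend only; bypasses RLS by design

create table company (
  id uuid primary key
);

create table integration_credentials (
  company_id      uuid not null references company(id),
  provider        text not null check (provider in ('quickbooks', 'gusto')),
  encrypted_token text not null,               -- Fernet ciphertext; plaintext is never stored
  revoked_at      timestamptz,
  primary key (company_id, provider)
);

-- Layer 1: row-level isolation. Every query run as the user-session role is
-- filtered to the caller's company, regardless of what the application sent.
alter table integration_credentials enable row level security;
alter table integration_credentials force row level security;  -- applies to the table owner too

create policy tenant_isolation on integration_credentials
  for all to authenticated
  using      (company_id = current_setting('app.company_id', true)::uuid)
  with check (company_id = current_setting('app.company_id', true)::uuid);

-- Layer 2: column-level isolation. A user session may learn that an
-- integration exists and whether it is revoked, but never the ciphertext.
revoke all on integration_credentials from authenticated;
grant select (company_id, provider, revoked_at) on integration_credentials to authenticated;
grant select, insert, update, delete on integration_credentials to service_role;

-- Constructed test data (run as the database owner).
insert into company values
  ('11111111-1111-1111-1111-111111111111'),
  ('22222222-2222-2222-2222-222222222222');
insert into integration_credentials (company_id, provider, encrypted_token) values
  ('11111111-1111-1111-1111-111111111111', 'gusto',      'gAAAAABconstructed-token-1'),
  ('22222222-2222-2222-2222-222222222222', 'quickbooks', 'gAAAAABconstructed-token-2');

-- Check the controls from a user session for company 1.
set role authenticated;
select set_config('app.company_id', '11111111-1111-1111-1111-111111111111', false);

-- Returns only the company-1 row, even though no WHERE clause was written.
select company_id, provider, revoked_at from integration_credentials;

-- Fails with "permission denied for table integration_credentials":
-- the column grant, not the RLS policy, blocks this.
select encrypted_token from integration_credentials;

-- With app.company_id unset, current_setting(..., true) returns NULL, the
-- comparison is NULL, and the policy returns no rows: it fails closed.
select set_config('app.company_id', '', false);
select company_id, provider from integration_credentials;

reset role;
```

Two points worth checking in any deployment of this pattern: `force row level security` is what makes the policy apply to the table owner as well as ordinary roles (superusers still bypass it), and on a pooled connection the company identifier should be set transaction-locally (`set_config(..., true)` inside a transaction) rather than at session level, so a reused connection cannot carry one tenant's identifier into another tenant's request.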
7. Data retention and destruction
We retain customer data for the duration of your subscription plus 90 days after cancellation for recovery and audit purposes.
On subscription termination or upon your explicit deletion request:
- OAuth tokens connecting the Service to QuickBooks Online, Gusto, and any other integration are marked revoked immediately.
- Your customer data rows are hard-deleted from all canonical and integration-specific tables within 30 days.
- We confirm the deletion in writing to your registered email address.
Database backups are retained for 30 days and then purged, so a hard-deleted row can persist in a backup for up to 30 days after the deletion itself. Audit logs are retained for one year. Security incident records are retained per applicable regulations.
8. Your rights
Depending on your location, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion — request that we delete your personal information (subject to legal retention obligations).
- Portability — receive your data in a structured, commonly-used, machine-readable format.
- Objection and restriction — object to or ask us to restrict certain processing.
- Consent withdrawal — where we rely on your consent, you may withdraw it at any time.
- Complaint — you may lodge a complaint with your local data protection authority.
To exercise any of these rights, email info@richinthought.com (or security@richinthought.com, listed under Contact below). We will respond within 30 days.
9. Consent and choice
You give us consent to read integration data (QuickBooks, Gusto) at the moment you click Authorize on each service's OAuth consent screen. You can revoke that consent at any time by disconnecting the integration from your Settings page; the revocation also takes effect with the source system immediately.
10. Data breach notification
If we confirm a breach affecting your personal information, we will notify you within 72 hours of confirmation. This matches the 72-hour window GDPR Article 33 sets for notifying a supervisory authority; where Rich in Thought acts as your processor, Article 33(2) additionally requires us to notify you, the controller, without undue delay after becoming aware of the breach. Notification will describe the data exposed, the timeline, our remediation steps, and any action we recommend on your part. Our full incident response procedure is summarized in our Security Posture document.
11. Children's privacy
The Service is designed for businesses, not individual consumers. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided personal information to us, email info@richinthought.com and we will delete it.
12. Changes to this policy
We may update this policy to reflect changes to our practices, the Service, or applicable law. Material changes will be announced via email to your registered address. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
Questions about this policy:
- General: info@richinthought.com
- Security and data subject requests: security@richinthought.com
- Mail: Rich in Thought LLC, Montana, United States