Effective date: 2026-04-19
Last updated: 2026-04-19
Version: 1.0
1. Who we are (Data Controller)
The data controller for personal data processed through the Impostarz application (app.impostarz.com) is:
Tobio LLC ("Impostarz", "we", "us", "our")
447 Broadway, 2nd Floor, #2568
New York, NY 10013
United States
Contact: hello@impostarz.com
This Privacy Policy explains what personal data we collect, why, how we use and share it, and the rights you have under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable laws.
2. Personal data we collect
We collect personal data that you provide, that is generated through your use of the Service, and that we receive from third parties.
2.1 Account data
- name, display name, email address, password (hashed), avatar/profile image;
- authentication metadata (sign-in timestamps, IP address, device/user agent);
- preferred language, onboarding status.
2.2 Organization data
- organization name, logo, address, tax ID, website, contact details;
- organization members, roles and module-level permissions;
- pending invitations.
2.3 Customer business records
Information you enter into the Service to manage your business, including:
- invoices, line items, billing details, payment status;
- transactions (income and expenses), recurring transactions;
- clients, leads and their contact details;
- projects (budget, currency, status);
- payroll runs, payroll items and team members (including bank account details where you choose to store them);
- categories, vendors, payment accounts, project names;
- receipts and other files you upload;
- AI chat conversations, messages and attachments;
- notes you add to records.
2.4 Billing data
When you subscribe to a paid plan, Stripe processes your payment and shares with us limited billing metadata (e.g. customer ID, subscription status, plan, period end, last 4 digits of card, country). We do not store your full card number or CVC.
2.5 Communications
Emails you send us and email delivery metadata (e.g. delivery, bounce, suppression events) for transactional and authentication emails sent from notify.impostarz.com.
2.6 Technical data
Standard server logs (IP address, request path, status code, timestamp, user agent) for security and debugging.
We do not use advertising cookies, analytics trackers, or behavioral profiling on the Service. See our Cookie Policy.
3. Where we get personal data
- Directly from you when you register, configure your organization, enter records, upload files, contact support, or interact with the AI assistant.
- From your colleagues if they invite you to an organization.
- From third-party providers: Stripe (billing), Google (if you sign in with Google OAuth), email infrastructure providers (delivery events).
4. Why we use your data and legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create and operate your account, provide the Service features you request | Performance of a contract (Art. 6(1)(b)) |
| Process payments, manage subscriptions, prevent fraudulent transactions | Performance of a contract and legitimate interests in fraud prevention (Art. 6(1)(b), (f)) |
| Send transactional and account emails (verification, password reset, invoices, invitations) | Performance of a contract and legal obligation (Art. 6(1)(b), (c)) |
| Provide and improve the AI assistant for your queries | Performance of a contract (Art. 6(1)(b)) |
| Keep the Service secure, prevent abuse, debug issues | Legitimate interests in operating a secure service (Art. 6(1)(f)) |
| Retain financial/accounting records (e.g. invoices, transactions) for tax and accounting compliance | Legal obligation (Art. 6(1)(c)) |
| Respond to your inquiries and support requests | Legitimate interests and performance of a contract (Art. 6(1)(b), (f)) |
| Comply with applicable laws and respond to lawful requests | Legal obligation (Art. 6(1)(c)) |
We do not rely on consent for the core operation of the Service. Where consent is required (e.g. certain optional features in the future), we will ask for it separately and you may withdraw it at any time.
5. AI assistant
When you use the in-app AI assistant, the messages, attachments and contextual data you provide are sent to our AI provider (currently the Lovable AI Gateway, which routes to underlying model providers such as Google and OpenAI) to generate a response. We do not use your AI conversations for advertising, and we do not authorize providers to use your data to train their public models beyond what is necessary to deliver the response.
Outputs are AI-generated and may be inaccurate. They are not professional advice.
6. Sub-processors and recipients
We share personal data with carefully selected third parties acting as processors on our behalf, only as needed to provide the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Hosting, database, authentication, file storage | EU / US (region-dependent) |
| Stripe | Payment processing, subscription billing, invoicing | US / global |
| Google (OAuth) | Sign-in with Google (only if you choose) | US / global |
| Lovable AI Gateway (with underlying model providers, e.g. Google, OpenAI) | AI assistant, receipt scanning | US / global |
| Email delivery provider (e.g. Resend) | Transactional and authentication emails via notify.impostarz.com | US / EU |
| Frankfurter API | Currency exchange rates (no personal data sent) | EU |
We may also disclose personal data:
- to professional advisors (lawyers, accountants, auditors) bound by confidentiality;
- to competent authorities where legally required;
- in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality.
We do not sell your personal data.
7. International transfers
Tobio LLC is established in the United States. Personal data may be transferred to and processed in the United States and other countries outside the EU/EEA and the UK. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures (e.g. encryption in transit, access controls). You may contact us at hello@impostarz.com to request a copy of the relevant safeguards.
8. How long we keep your data
| Category | Retention |
|---|---|
| Account data (profile, organization, settings) | Kept until you delete your account or organization, then deleted within a reasonable period. |
| Financial and accounting records (invoices, transactions, payroll items, billing records) | Retained for 7 years after account deletion to comply with tax and accounting legal obligations. After that, they are deleted or fully anonymized. |
| Receipts and uploaded files | Together with their related record (typically a transaction or invoice). |
| AI chat conversations | Until you or your organization owner delete them, or your account is deleted. |
| Email delivery logs and suppression lists | Up to 24 months for deliverability and security. |
| Server / security logs | Typically up to 12 months. |
| Backups | Older copies are rotated out of backups within a reasonable retention window. |
We may retain data longer where required by law, to defend legal claims, or where strictly necessary for security.
9. Your rights (GDPR / UK GDPR)
If you are in the EU/EEA or the UK (and where similar rights apply elsewhere), you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten"), subject to legal retention obligations;
- Restrict processing in certain situations;
- Object to processing based on our legitimate interests;
- Data portability — receive your data in a structured, commonly used, machine-readable format;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with your local data protection authority (in the EU, see https://edpb.europa.eu/about-edpb/about-edpb/members_en; in the UK, the ICO at https://ico.org.uk).
Many of these rights can be exercised directly in the app (e.g. updating your profile, deleting records, deleting your account). For anything else, contact hello@impostarz.com and we will respond within the timelines required by law (generally one month).
For users in California and other US states with applicable privacy laws (e.g. CCPA/CPRA), similar rights may apply, including the right to know, delete, correct, and the right not to be discriminated against for exercising these rights. We do not "sell" or "share" personal data for cross-context behavioral advertising.
10. Security
We implement technical and organizational measures appropriate to the risk, including:
- encryption in transit (HTTPS/TLS);
- hashed passwords via Supabase Auth;
- row-level security (RLS) to isolate organization data at the database layer;
- role-based access control and module-level permissions;
- access logging and monitoring;
- least-privilege access for personnel.
No system is 100% secure. If we become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.
11. Children
The Service is not directed to children under 18 and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact hello@impostarz.com and we will delete it.
12. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
13. Third-party links
The Service may link to third-party websites (e.g. Stripe, Google). Their privacy practices are governed by their own policies. We encourage you to read them.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you in-app and/or by email before they take effect. The "Last updated" date at the top reflects the latest version.
15. Contact and Data Protection
If you have questions about this Privacy Policy or your personal data, please contact:
Tobio LLC — Privacy
447 Broadway, 2nd Floor, #2568
New York, NY 10013, United States
Email: hello@impostarz.com
If you require a contact for GDPR matters in the EU/UK, please reach out via the email above and we will direct your request appropriately.