Client Portal Privacy Notice
Rayserr Solutions · Last updated: 2026-06-23 · Version 1.0
1. Who we are (data controller)
Rayserr Solutions (“we”, “us”, “our”) is the data controller for personal data you provide through our website and client portal at rayserrsolutions.com.
- Privacy contact / data-protection point of contact: privacy@rayserrsolutions.com
- For EU/UK data subjects, this address is the channel for all privacy requests and inquiries described in Section 6.
2. Scope of this notice
This notice explains how we handle personal data collected when you purchase HR services at checkout and use the client portal (to track orders, deposits/payments, and project status, and to sign in via a magic-link email). It covers only the data the portal actually collects — we do not collect data categories beyond those listed in Section 3.
3. What we collect, why, our legal basis, and how long we keep it
| Data category | What it includes | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|---|
| Identity & contact | Name, email address | Create and operate your account; deliver the services you purchase; send service and sign-in (magic-link) emails | Performance of a contract (Art. 6(1)(b)); legitimate interest in account security (Art. 6(1)(f)) | Kept while your account is active. Auto-anonymized after 24 months of inactivity. |
| Order & payment status | Order/cart contents, deposit/payment status, and Stripe payment references. We do not store full card numbers — card data is handled directly by Stripe (see Section 4). | Process your purchase and deposit; show order/payment status; meet accounting/tax obligations | Performance of a contract (Art. 6(1)(b)); legal obligation for financial records (Art. 6(1)(c)) | Account-linked status: kept with your account (24-month inactivity backstop). Financial/transaction records retained 7 years to meet legal and tax obligations, decoupled from your identity (retained in anonymized/pseudonymized form where your account is anonymized). |
| Project / service status | Project status, service-request details you provide | Deliver and track the HR services you engaged us for; show status in the portal | Performance of a contract (Art. 6(1)(b)); legitimate interest in account/status management (Art. 6(1)(f)) | Kept while your account is active; auto-anonymized after 24 months of inactivity. |
| Authentication & session | Magic-link sign-in token; a strictly-necessary session cookie | Let you sign in securely without a password and keep you signed in for your session | Performance of a contract (providing the login you requested, Art. 6(1)(b)); legitimate interest in securing access (Art. 6(1)(f)) | Sign-in tokens are short-lived and expire after use/timeout; the session cookie lasts for your session. |
4. Sub-processors (who else processes your data)
We share personal data only with the service providers needed to run the portal. Each is engaged under a Data Processing Agreement (DPA).
| Sub-processor | Role | Data involved |
|---|---|---|
| Stripe | Payment processing | Handles your payment/card details directly and returns payment status + references to us. We never receive or store full card numbers. |
| Render | Hosting & database (PostgreSQL) | Hosts the portal and stores the account, order/payment-status, and project data described in Section 3 (encrypted in transit; database encrypted at rest). |
| Resend | Sending sign-in (magic-link) and service emails | Your email address and the contents of those emails. |
We do not sell or share your personal data for advertising, and we do not use third-party advertising or tracking cookies.
5. Cookies & the magic-link session
We use a single strictly-necessary session cookie to keep you signed in after you click your magic-link. This cookie is required to provide the portal and is not used for analytics, advertising, or cross-site tracking. Because it is strictly necessary, it does not require consent under the ePrivacy Directive. We do not currently operate a cookie-consent banner because we set no non-essential cookies.
6. Your rights
If you are in the EU/UK (GDPR), you have the right to: access your data; correct (rectify) it; erase it (“right to be forgotten”); restrict or object to processing; request data portability; and withdraw consent where processing is based on consent. You may also lodge a complaint with your local data-protection supervisory authority (in the UK, the ICO).
If you are a California resident (CCPA/CPRA), you have the right to: know/access the personal information we collect; delete it; correct it; and opt out of “sale” or “sharing” of personal information. We do not sell or share your personal information, and we will not discriminate against you for exercising your rights.
How to exercise your rights: email privacy@rayserrsolutions.com. We will verify your identity (using your account email) and respond within the timeframes required by applicable law (generally 1 month under GDPR; 45 days under CCPA, extendable as the law allows). Note that we may retain financial/transaction records for the 7-year period described in Section 3 even after an erasure request, in anonymized/pseudonymized form, to meet our legal obligations. The fastest way to erase your account is the client portal — sign in and use “Delete my account & data”.
7. International transfers
Our hosting and sub-processors may process data outside your country (e.g., the United States). Where required, transfers of EU/UK personal data rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum / IDTA), as reflected in the relevant sub-processor DPAs.
8. Security
Data is encrypted in transit (HTTPS) and the database is encrypted at rest. We restrict access to personal data to those who need it to operate the service.
9. Changes to this notice
We may update this notice as our services or legal obligations change. We will post the updated version on this page and revise the “Last updated” date.
10. Contact
Questions or requests: privacy@rayserrsolutions.com.