Privacy Policy
Effective date: February 2026
1. Introduction
StayValid is an expiry tracking application that helps you manage expiry dates for documents, insurance policies, subscriptions, warranties, and licenses. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.
2. Information We Collect
We collect the following information when you use StayValid:
- Account information — your email address and password (stored as a one-way hash, never in plain text)
- Expiry data — titles, dates, categories, risk levels, notes, and reference links you enter
- Payment information — processed and stored by Stripe; we do not store your card details
- Push notification tokens — browser push subscription endpoint and keys, if you enable push notifications
- Preferences — your preferred reminder time, timezone, and notification settings
- Usage data — account creation date and subscription status
- Anonymous usage statistics — page views and feature usage events collected by our self-hosted Plausible Analytics instance, with no cookies and no personal data
3. How We Use Your Information
We use your information to:
- Authenticate your account and maintain your session
- Track and display your expiry dates
- Send you email and push notification reminders before items expire
- Process subscription payments and manage your billing
- Enable sharing of expiry information with people you choose
- Compute your Peace of Mind score based on your expiry data
4. Third-Party Services
We use the following third-party services to operate StayValid:
- Stripe — payment processing. Stripe handles all credit card data under their own Privacy Policy.
- Resend — transactional email delivery for reminders, password resets, and email verification. Your email address is shared with Resend solely to deliver these messages.
- MongoDB Atlas — cloud database hosting where your account and expiry data is stored. Data is encrypted at rest and in transit.
- Plausible Analytics — self-hosted, cookieless web analytics. Plausible collects no personal data, uses no cookies, and is fully compliant with GDPR and CCPA. All analytics data is stored on our own infrastructure. Learn more at plausible.io.
5. Cookies & Local Storage
StayValid uses a single HttpOnly cookie to manage your authentication session (refresh token). This cookie is strictly necessary for the service to function and is not used for tracking or advertising.
We use Plausible Analytics for website usage statistics. Plausible is cookieless — it does not set any cookies or use browser local storage for analytics purposes. We do not use any advertising cookies or third-party tracking cookies.
6. Data Retention
- Your data is retained for as long as your account is active.
- When you delete your account, all your data (expiries, reminders, shares, and preferences) is permanently deleted from our database.
- Payment records held by Stripe are retained according to Stripe's data retention policy.
- Transactional email logs held by Resend are retained according to their data retention policy.
7. Your Rights
Depending on your location, you may have the following rights under applicable data protection laws (including GDPR and CCPA):
- Access — you can view all your data within the application at any time
- Correction — you can edit your expiry data and preferences directly in the app
- Deletion — you can delete your account and all associated data from the app settings
- Data export — contact us by email to request an export of your data
- Objection & restriction — contact us to object to or restrict certain processing
We do not sell your personal information to third parties. We do not share your data for advertising purposes.
8. Security
We take reasonable measures to protect your data, including:
- All traffic is encrypted via HTTPS with HSTS enforced
- Passwords are hashed using bcrypt with a cost factor of 12
- Authentication tokens are stored in HttpOnly, Secure cookies
- Short-lived JWT access tokens (15 minutes) with a secure refresh flow
- Per-IP rate limiting on all authentication endpoints
- Security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
9. Children's Privacy
StayValid is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated effective date. We encourage you to review this page periodically.
11. Contact
If you have questions about this Privacy Policy or your personal data, contact us at [email protected].