Effective Date: 1 April 2026 | Last Updated: 1 April 2026
Summary: We collect only what we need to provide the Service. We never sell your data. You can request deletion of your data at any time. We use strong security measures including PBKDF2 password hashing, TLS encryption, tenant data isolation, and rate limiting. This policy also includes our Data Processing Agreement (DPA) for GDPR compliance.
1 Information We Collect
Information You Provide
- Account data: name, email, password (stored as a secure hash — never plain text)
- Organisation data: company name, subdomain, contact details, industry, timezone, language
- Profile: display name, avatar, language and timezone preferences
- KYC documents: identity and business documents where required for verification
- Billing: company name and address for invoicing. Card details are processed by Stripe or PayPal — we never store card numbers
- Support content: ticket messages, file attachments, knowledge base articles, chat messages
Information Collected Automatically
- IP address and approximate geographic location
- Browser type, operating system, and device information
- Login timestamps, session duration, and feature usage
- Error logs and diagnostic information
Information from Third Parties
- OAuth providers (Google, Microsoft, GitHub): name, email, profile photo — only if you choose to sign in via these services
- Payment processors (Stripe, PayPal, Midtrans): transaction status and reference numbers only
2 How We Use Your Information
- Providing and maintaining the Service: account management, feature delivery, technical support
- Processing payments, generating invoices, and managing subscriptions
- Verifying identity and conducting KYC checks where required
- Communicating about your account, security, and service updates
- Sending transactional emails: password resets, account activation, invoice delivery, ticket notifications
- Enforcing our Terms of Service and detecting fraud or security threats
- Improving the Service through aggregate usage analysis (anonymised)
- Complying with legal obligations including tax and accounting requirements
Legal bases for processing: contract performance, consent, legitimate business interests, and legal compliance.
3 Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share information only with:
Service Providers (processors under contract)
- Stripe — card payment processing (PCI-DSS compliant)
- PayPal — payment processing
- Midtrans — Indonesian payment processing
- SMTP providers — email delivery (Gmail, SendGrid, Mailgun, etc.)
- Hosting providers — cloud servers and database infrastructure
Legal Requirements
We may disclose data to comply with legal obligations, protect our rights, or prevent wrongdoing, as required by applicable law.
Business Transfer
In a merger or acquisition, your data may be transferred. We will notify you before your data is subject to a different privacy policy.
4 Data Security
- PBKDF2-HMAC password hashing with 100,000 iterations — passwords never stored in plain text
- HTTPS/TLS encryption for all data in transit
- HttpOnly, Secure, SameSite=Lax cookie attributes on session tokens
- Two-Factor Authentication (TOTP) available for all users, enforceable by administrators
- Automatic account lockout after repeated failed login attempts
- IP-based rate limiting on all authentication endpoints
- Tenant data isolation — organisations cannot access each other's data
- KYC documents stored in isolated, access-controlled directories
No method of transmission or storage is 100% secure. If a breach occurs that is likely to affect your rights, we will notify you as required by law.
5 Data Retention
- Active account data: retained for subscription duration plus 30 days after termination
- Invoices and billing records: 7 years for tax and accounting compliance
- KYC documents: period required by applicable regulation (typically 5 years)
- Audit logs: 2 years for security and compliance
- Deleted account data: securely purged within 30 days of account closure
6 Your Rights
Depending on your jurisdiction, you may have rights to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion, subject to legal retention obligations
- Restriction — limit processing in certain circumstances
- Data Portability — receive a machine-readable copy of your data
- Object — object to processing based on legitimate interests
- Withdraw Consent — where processing is consent-based
To exercise your rights, contact: privacy@rivercodesolutions.com. We respond within 30 days after identity verification.
7 Cookies
We use only essential cookies required for the Service to function. We do not use advertising or tracking cookies.
- HELPDESKPRO_SESSION — session authentication cookie. Expires on browser close or after 60 minutes of inactivity.
- .HELPDESKAUTH — login state. Expires after 1 day (or 30 days if "Remember Me" selected).
- lang — stores preferred language. Persists for 1 year.
Blocking these cookies will prevent you from logging in as they are essential for the Service.
8 International Data Transfers
Your data may be processed on servers outside your country. We ensure appropriate safeguards are in place including standard contractual clauses where required by applicable data protection law.
9 Children's Privacy
The Service is for businesses and professionals. We do not knowingly collect data from individuals under 18. If you believe a minor has provided us with data, contact us immediately and we will delete it.
10 Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or a prominent in-app notice at least 14 days in advance. Continued use after changes take effect constitutes acceptance.
DPA Data Processing Agreement
This Data Processing Agreement ("DPA") applies where the Tenant processes personal data of its customers or employees through HelpDesk Pro Plus. It forms part of the Terms of Service.
Roles
The Tenant is the Data Controller — determining purposes and means of processing Customer Data. River Code Solutions is the Data Processor — processing personal data only on Tenant's documented instructions.
The Tenant is solely responsible for: ensuring a legal basis for data processing; informing data subjects; responding to data subject requests regarding Customer Data; and compliance with applicable data protection laws.
Processor Obligations
River Code Solutions agrees to: process Customer Data only on your documented instructions; ensure persons handling data are bound by confidentiality obligations; implement the security measures described in Section 4 above; not engage new sub-processors without prior notice and opportunity to object; assist you with data subject requests to the extent technically feasible; notify you of confirmed breaches within 72 hours; and delete or return Customer Data upon termination.
Authorised Sub-Processors
- Stripe Inc. (USA) — Payment processing (PCI-DSS Level 1)
- PayPal Holdings Inc. (USA) — Alternative payment processing
- PT Midtrans (Indonesia) — Indonesian payment processing
- Email service provider — Transactional email delivery
- Cloud infrastructure provider — Hosting and database storage
We will notify you 30 days before adding or replacing sub-processors. You may object within 14 days. If we cannot accommodate a reasonable objection, you may terminate the affected subscription with a pro-rated credit.
International Transfers
Where Customer Data is transferred internationally, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) where required. Upon written request, we will provide copies of applicable SCCs.
Processing Details
- Subject matter: Provision of HelpDesk Pro Plus (ticketing, KB, chat, user management)
- Duration: Subscription term plus retention periods in Section 5 above
- Data types: Names, emails, contact details, support content, chat messages, file attachments
- Data subjects: Tenant's agents, customers, and end users