Privacy
Tash keeps only what the payment workflow needs.
Tash stores operational records needed to create invoice links, track payment attempts, send notifications, preserve ledger integrity, and support operator review.
Data Tash handles
- User, organization, membership, and role records for operator access.
- Invoice-link metadata such as customer email, invoice number, amount, currency, and status.
- Payment attempt, reservation, provider identifier, webhook, notification, audit, and ledger records.
- Manual EFT proof metadata and private object-storage keys when a client uploads proof.
Data Tash does not keep
- Tash does not store full card numbers, CVC, or card details.
- Tash does not store raw public-link tokens in the database.
- Tash does not store operator bank-login credentials or touch operator bank accounts.
- Tash does not act as the merchant of record for operator invoices.
Providers
Stripe handles card payment processing, Checkout, Connect OAuth, and payment events. Resend sends transactional emails. Railway hosts the application and database. Cloudflare manages DNS, TLS, and edge security for usetash.com. Private object storage and ClamAV handle manual evidence storage and scanning.
Retention and deletion
Ordinary account and profile data can be deleted or anonymized after account closure when no active support, dispute, audit, billing, security, or legal hold requires it. Payment and ledger records may need to be preserved for financial integrity and compliance. Manual evidence files should be deleted from private storage when they are no longer needed for verification, dispute handling, security review, or legal hold.
This page is an operational summary. The full Privacy Policy and DPA require counsel review before broad enterprise use.