Hoitsu | Ruby on Rails MVPs - Your Product in Days

Information We Collect

We collect personal information that you voluntarily provide when you submit the contact form, sign up for an account, purchase a product, or otherwise reach out to us.

We also capture technical information about how you interact with our site to maintain performance, detect issues, and improve the product.

Contact details such as your name, email address, company, and the project description you share with us.
Account and purchase information when you sign up for a SaaS product or buy a digital product, including order history, plan or subscription details, and billing information processed by our payment provider Stripe. We do not store full payment card numbers on our servers.
Operational data such as IP address, browser type, device information, language, time zone, and pages visited, collected through our hosting infrastructure and analytics tools.
Cookie and tracking data when you consent to optional analytics (see Cookies and Tracking below), including pseudonymous identifiers, session recordings, page interactions, and aggregated behavioural metrics collected by Microsoft Clarity and Google Tag Manager.
Email metadata (delivery status, timestamps) generated when we send or receive messages via our email partner Resend.
Communications you choose to send us, including support requests, feedback, and content you share during a consulting engagement.

How We Use Your Information

We use the information we collect strictly to operate, deliver, and improve our services.

Communicating with you about your request or project.
Scheduling consultations and preparing statements of work.
Providing access to SaaS products and digital products you have purchased, processing payments, and sending receipts, invoices, and service-related notifications.
Analyzing aggregate traffic patterns (with your consent for non-essential analytics) to improve our content and performance.
Preventing abuse, detecting fraud, troubleshooting issues, and keeping our systems secure.
Complying with tax, accounting, and other legal obligations.

Cookies and Tracking

We use cookies and similar technologies in two categories: (a) essential cookies, which are strictly necessary for the site and your account to function and do not require consent, and (b) analytics cookies, which help us understand how visitors use the site and which we load only after you grant consent.

Our analytics stack currently includes Google Tag Manager (which loads the providers below) and Microsoft Clarity, which collects session recordings and aggregated interaction metrics. You can grant, refuse, or withdraw consent at any time through the cookie preferences link in the footer of our site. Refusing or withdrawing consent will not block access to our site or services.

Where required by law, we will not place non-essential cookies until you actively opt in.

Legal Basis (EU/UK/EEA)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR / UK GDPR:

Performance of a contract (Art. 6(1)(b)) — to deliver SaaS subscriptions, digital products, consulting services, and pre-contractual steps you request.
Legitimate interests (Art. 6(1)(f)) — to maintain site security, prevent fraud, analyse aggregate use, and operate our business; balanced against your rights and freedoms.
Consent (Art. 6(1)(a)) — for non-essential cookies, analytics, and any optional marketing communications. You may withdraw consent at any time without affecting prior processing.
Legal obligation (Art. 6(1)(c)) — to retain tax, accounting, and transactional records and to respond to lawful requests from authorities.

How We Share Your Data

We do not sell or rent personal data, and we do not share it for cross-context behavioural advertising. We only share information with trusted subprocessors that help us operate, or when required by law.

Infrastructure providers (hosting, CDN, and security) and our transactional email partner Resend, who process data on our behalf under contractual safeguards.
Our payment processor Stripe, which handles checkout, billing, and subscription management for SaaS and digital product purchases under its own privacy and security terms.
Our analytics providers (Google Tag Manager, Microsoft Clarity) only when you have consented to non-essential cookies.
Professional advisors such as legal or accounting partners when necessary to comply with obligations.
Authorities if we are legally compelled to disclose information to protect rights, safety, or comply with regulations.
A successor entity in connection with a merger, acquisition, financing, or sale of assets, in which case we will require any successor to honour this policy.
A complete list of subprocessors is published on our Subprocessors page.

International Data Transfers

Hoitsu LLC is based in the United States. When we transfer personal data from the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions to the United States or other countries, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where applicable, the participation of our processors (Stripe, Google, Microsoft) in the EU-U.S. Data Privacy Framework.

You may request a copy of the safeguards in place by contacting us at [email protected].

Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law.

Contact requests and related correspondence: up to 18 months to support follow-up conversations.
Account, order, and billing records: as long as the account is active plus a period required for tax, accounting, and legal obligations (typically up to seven years for transactional records under US and EU tax law).
Cookie and analytics data: up to 13 months for Clarity session data; aggregated, non-identifying analytics may be retained for longer.
Email logs: up to 12 months by Resend on our behalf.
Backups: encrypted backups are retained on a rolling 30-day cycle.

Security and Breach Notification

We take reasonable technical and organizational measures to protect personal data, including encrypted transport (HTTPS), access controls, vendor due diligence, secrets management, and regular review of our practices.

If we become aware of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and notify affected users without undue delay.

While no method of transmission is perfectly secure, we limit access to personal data to personnel and partners who need it.

Your Rights

Depending on your location, you may have the following rights regarding your personal data. We will respond to verifiable requests within the timeframe required by applicable law (typically 30 days under GDPR; 45 days under CCPA).

Access: request a copy of the personal data we hold about you.
Correction: ask us to update inaccurate or incomplete data.
Deletion: ask us to delete your personal data, subject to legal retention requirements.
Restriction or objection: limit or object to certain processing, especially processing based on legitimate interests.
Portability: receive your data in a structured, commonly used, machine-readable format.
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
Non-discrimination: we will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right.
Appeal (Virginia, Colorado, Connecticut, Texas, Utah, Oregon, and other applicable US states): if we deny your request, you may appeal by replying to our response or writing to [email protected]; if we deny your appeal, you may contact your state attorney general.
Complaint: lodge a complaint with your local data protection or consumer-protection authority (for example, the relevant EU Data Protection Authority, the UK ICO, the California Privacy Protection Agency, Mexico's INAI, Colombia's SIC, or your state attorney general).
Automated decisions: we do not engage in solely automated decision-making that produces legal or similarly significant effects on you.

California and Other US State Privacy Rights

Under the California Consumer Privacy Act (CCPA/CPRA) and similar laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states, residents have specific rights to know, delete, correct, and limit certain uses of their personal information.

Categories of personal information we collect are described in "Information We Collect" above. We do not sell personal information and do not share it for cross-context behavioural advertising. We do not knowingly process "sensitive personal information" beyond payment data, which is handled by Stripe.

To exercise any right under these laws, email [email protected]. We will verify your request using the email address associated with your account or inquiry. You may use an authorized agent.

Children's Privacy

Our services are not directed to children under 16 (or under 13 in the United States). We do not knowingly collect personal data from children under these ages. If you believe a child has provided us personal information, contact [email protected] and we will delete it.

EU/UK Representative

Hoitsu LLC is not established in the EU or UK. To the extent we are required under GDPR Art. 27 or UK GDPR Art. 27 to appoint a representative, we will publish their contact details on this page. In the meantime, EU/UK residents may contact us directly at [email protected] regarding any privacy matter.

Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. If we make material changes (for example, new categories of data, new purposes, or changes to your rights), we will provide reasonable advance notice — for example, by email if you have an account with us, or by a prominent notice on this site.