1. What we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, role, organization, hashed password, last sign-in time | Provided at provisioning or by your workspace admin |
| Operational data | Asset inventories (wells, leases, facilities), filing obligations, form payloads, validation findings, agency confirmation numbers, regulatory registrations (e.g., RRC P-5 operator number) | Entered or imported by your users |
| Audit records | Who created or changed an obligation or submission, and when — written by database triggers as part of the product's audit-trail feature | Generated by the Service |
| Technical logs | IP address, request path, status, timestamp from infrastructure request logging | Generated by hosting infrastructure |
We do not collect payment card data through the application (billing, where applicable, is invoiced), and the Service is not directed to or intended for children.
2. How we use it
- To provide the Service — generate deadlines, validate filings, render EDI output, and maintain your audit trail.
- To secure it — authenticate users, enforce per-tenant isolation, investigate suspected unauthorized access, and rate-limit abuse.
- To support you — respond to requests sent to support@smepro.app.
- To operate and improve the platform — using aggregated, de-identified metrics (such as filing counts by form type) that never identify a customer or include filing contents.
We do not use your data for advertising, do not sell or rent it, and do not train machine-learning models on your filing contents.
3. Cookies and local storage
This website sets no cookies and loads no third-party scripts, fonts, pixels, or analytics. The application uses browser storage for exactly three values, all functional:
| Key | Storage | Purpose / lifetime |
|---|---|---|
smepro_token | session storage | Your signed-in session token (12-hour expiry; cleared when the tab closes) |
smepro_user | session storage | Your display name and organization, to render the workspace header |
smepro_org / smepro_api | local storage | Workspace selection and optional API endpoint override |
4. Where your data lives
Production data is hosted on Google Cloud Platform in the us-central1 (Iowa, USA) region: the application runs on Cloud Run and data is stored in a managed Cloud SQL PostgreSQL instance with high availability and point-in-time-recovery backups. Secrets (database credentials, token-signing keys) are held in GCP Secret Manager, not in application code.
5. Sharing and subprocessors
We disclose data only:
- To subprocessors that host the Service. Currently one: Google LLC (Google Cloud Platform — compute, storage, secrets, logging), United States. We will update this page before adding subprocessors.
- At your direction. For example, EDI files the Service generates are downloaded and submitted by you; we do not transmit filings to agencies on your behalf unless separately agreed in writing.
- When required by law — in response to valid legal process, with notice to you unless legally prohibited.
- In a corporate transaction — to a successor bound by this policy.
6. Security
Highlights — the full picture is on the Security overview:
- Passwords are stored only as bcrypt hashes; credential checks run inside the database.
- Sessions are short-lived signed tokens (12-hour expiry); the tenant on every query is taken from the verified token, never from client input.
- Every tenant's rows are isolated by PostgreSQL row-level security.
- Data is encrypted in transit (TLS) and at rest (Cloud SQL default encryption).
- Changes to obligations and submissions are recorded by append-only audit triggers.
7. Retention and deletion
- Operational and audit data is retained for the life of your workspace — it is your compliance record, and regulators commonly expect filing records to be reconstructable for multiple years.
- On workspace termination, data is available for export for 30 days, then deleted from production; encrypted backups expire on their normal rolling schedule thereafter.
- Account data for individual users is deleted or anonymized when a workspace admin removes the user, except where it appears in audit records (which retain the attribution required by the audit-trail feature).
- Technical logs are retained on the infrastructure provider's standard schedule (30–90 days) for security and debugging.
- We may retain data longer where required by law or a documented legal hold.
8. Your rights
Workspace admins can manage users and export Customer Data in-product or by request. Individual users may request access to, correction of, or deletion of their personal information by emailing support@smepro.app; we respond within 30 days. Because SMEPro processes most data on behalf of your employer (the workspace owner), we may route requests about operational data to your workspace admin, as B2B data -protection frameworks contemplate. We honor applicable rights under US state privacy laws for the personal information we control.
9. Changes and contact
We will post any changes to this policy here and, for material changes, notify workspace admins by email at least 30 days in advance. Questions and requests: support@smepro.app.