Privacy Policy

1 Information We Collect

We collect information you provide directly, information generated by your use of the platform, and technical data required to operate the service.

Account & Identity Data

• Name, email address, and password (stored as a bcrypt hash — never in plain text)
• Organization name and workspace configuration
• Role assignments and permission settings
• Two-factor authentication (TOTP) secret, if enabled

Operational & Business Data

IOM is an operational platform. To provide the service, we store the business data you enter:

• Products, SKUs, variants, batch and serial numbers, and expiry dates
• Inventory levels, warehouse locations, bin assignments, and stock movements
• Sales orders, purchase orders, supplier records, and customer contacts
• Point-of-sale transactions and till activity
• Accounting entries, journal records, and integration sync logs (Xero, QuickBooks)
• Automation rules, fulfilment configurations, and reorder thresholds

Usage & Audit Data

• Action logs: every stock movement, order update, login, and setting change is timestamped and attributed to the acting user
• API request logs (endpoint, timestamp, IP address, response status)
• Browser type, device type, and operating system (for support purposes)

Payment Data

Subscription payments are processed by our payment provider. We do not store full card numbers or CVV codes. We retain billing records (amount, date, plan) for accounting and compliance purposes.

2 How We Use Your Data

We use collected data solely to operate and improve the IOM platform. Specifically:

• Provide and maintain the inventory, order management, warehouse, POS, and accounting features
• Authenticate users and enforce role-based access controls
• Deliver automated replenishment alerts, fulfillment triggers, and workflow automation
• Sync data with connected integrations (Xero, QuickBooks, Shopify, Amazon) at your direction
• Generate reports, dashboards, and analytics within your workspace
• Send transactional communications — account confirmations, password resets, billing receipts
• Investigate security incidents and enforce our Terms of Service
• Improve platform reliability, performance, and features using aggregated, de-identified metrics

3 Data Isolation

Every IOM organization operates in a fully isolated database schema with a unique prefix (e.g., iom_acmecorp_). Your inventory records, orders, customer data, and accounting entries are never commingled with another organization's data at the database level.

• No cross-tenant data access is possible by design
• Beezifi employees can only access your workspace data for support purposes with explicit authorization
• All such access is logged in our internal audit trail

4 Third-Party Sharing

We do not sell, rent, or trade your data. We share data only in the following limited circumstances:

Integration Partners (at your direction)

When you connect IOM to Xero, QuickBooks, Shopify, Amazon, or other integrations, data is transmitted to those services according to your configuration. You control what syncs and when.

Infrastructure & Service Providers

We use trusted sub-processors — hosting, database, email delivery, and payment processing providers — who are contractually required to protect your data and may not use it for their own purposes.

Legal Requirements

We may disclose data if required by law, court order, or governmental authority, or where necessary to protect the rights and safety of our users or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will provide at least 30 days' notice before your data becomes subject to a different privacy policy.

5 Data Retention

• Active workspace data — retained for the life of your subscription
• Post-cancellation — workspace data is retained for 30 days after cancellation, during which you may export your data. After 30 days it is permanently deleted.
• Backups — encrypted backups are retained for up to 90 days before permanent deletion
• Audit logs — retained for 12 months within the platform; compliance-relevant records (billing, legal holds) are kept for 7 years
• Deleted records — records deleted within the platform are soft-deleted and removed from backups within 90 days

You may request early deletion at any time by contacting privacy@beezifi.com. Deletion requests are processed within 30 days.

6 Security Measures

Security is built into the platform at every layer. See our Security Policy for full technical details. Key measures include:

• Passwords hashed with bcrypt (work factor 10) — never stored in recoverable form
• All traffic encrypted in transit via HTTPS/TLS — no plaintext communication on any endpoint
• JWT-based short-lived session tokens — no persistent server-side session state
• Optional TOTP two-factor authentication per user
• Rate limiting on authentication endpoints to prevent brute-force attacks
• Security headers (CSP, HSTS, X-Frame-Options) applied on every response
• Role-based access control enforced at the API layer
• Full audit trail on every action within each workspace

7 Cookies & Local Storage

IOM does not use third-party tracking cookies or advertising cookies. We use browser localStorage to store your authentication token so you remain logged in across sessions. This data is stored only on your device and is cleared when you sign out.

• No third-party analytics scripts are embedded in the IOM application
• No advertising or re-targeting pixels are used
• Session preferences (e.g., sidebar state) may be stored locally for convenience

8 Your Rights

You have the following rights regarding your personal data. Requests can be submitted to privacy@beezifi.com and will be actioned within 30 days.

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete personal data
• Deletion — request deletion of your personal data (subject to legal retention requirements)
• Portability — receive your data in a structured, machine-readable format (CSV or JSON)
• Restriction — request that we restrict processing of your data in certain circumstances
• Objection — object to processing where we rely on legitimate interests

Organisation administrators can export workspace data at any time from within the platform. User-level account data can be exported or deleted upon request.

9 Children's Privacy

IOM is a business operations platform intended for use by organizations and their adult employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@beezifi.com and we will delete it promptly.

10 Policy Updates

We may update this Privacy Policy from time to time. For material changes — those affecting how your data is collected, used, or shared — we will provide at least 14 days' advance notice via email to the account's primary contact. Continued use of IOM after the effective date of any update constitutes acceptance of the revised policy.

Minor clarifications (grammar, formatting, non-substantive rewording) may be made without notice. The "Last Updated" date at the top of this page always reflects the most recent revision.

11 Contact Us

For privacy-related questions, data requests, or concerns, contact:

• Email: privacy@beezifi.com
• Response time: We aim to respond within 5 business days
• Company: Beezifi Inc.

For general support enquiries, contact support@beezifi.com.