Privacy Policy

Last updated: February 2026

1. Introduction

Southax LLC (“we”, “us”, or “our”) operates the CapySays platform. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your personal information. We are committed to protecting the privacy of our users and the individuals whose data is processed through the Service.

2. Data Controller vs. Data Processor

CapySays operates in two distinct roles depending on the type of data being processed:

  • Data Processor: For organization feedback data and staff member data, the organization that uses CapySays is the data controller. CapySays processes this data solely on behalf of and under the instructions of the organization.
  • Data Controller: For account registration data, billing information, and platform analytics, CapySays (Southax LLC) is the independent data controller. We determine the purposes and means of processing this data to operate and improve the Service.

3. What We Collect

Account Data

When you create an account, we collect:

  • Email address (used as your login identifier)
  • Name
  • Organization name
  • Signup role
  • Password hash (stored using Argon2, an industry-leading hashing algorithm; we never store your plaintext password)
  • Demo account flag and account timestamps

Staff Member Data

Organizations may store the following data about their staff members through the Service:

  • Name
  • Email address (optional)
  • Phone number (optional)
  • Bio and profile picture
  • Social media links
  • Speciality and notes
  • Performance feedback derived from feedback submissions linked to the staff member

Feedback Data

Feedback submitted through the Service is anonymous and consists of:

  • Structured ratings (dimension/value pairs)
  • Submission timestamps

We do not collect the following from feedback respondents: IP addresses, user agent strings, browser fingerprints, free-text comments, or demographic data.

Payment Data

We store a Stripe customer ID and subscription ID to manage your subscription. Credit card numbers and other sensitive payment details are never stored on our servers; they are handled entirely by Stripe.

Technical Logs

Standard web server logs are maintained at the infrastructure level for operational and security purposes.

4. How We Use Data

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Process payments and manage subscriptions
  • Send transactional emails (account confirmations, password resets, billing notifications)
  • Maintain platform integrity and security
  • Generate anonymized, aggregated insights and industry benchmarks

5. Data Sharing

We do not sell your data. We share data only with essential subprocessors required to operate the Service:

  • DigitalOcean — hosting and infrastructure (NYC region, United States)
  • Stripe — payment processing
  • Email provider — transactional email delivery

We may also disclose data if required by law, regulation, or valid legal process.

6. Data Retention

  • Feedback data: Retained per plan tier — Free: 30 days, Pro: 365 days, Business: 730 days
  • Account data: Retained until the user requests deletion, followed by a 30-day grace period before permanent removal
  • Audit logs: Retained for 3 years for compliance and security purposes

7. Data Export

Organizations on eligible plans can export their feedback data and staff data through the Service’s built-in export functionality. We recommend exporting your data before requesting account deletion.

8. Data Deletion

You may request deletion of your account and associated data at any time by contacting us. Upon receiving a deletion request, your account enters a 30-day grace period during which you may cancel the request. After the grace period, all account data is permanently deleted and cannot be recovered.

9. Security

We employ the following security measures to protect your data:

  • All connections are encrypted via HTTPS with HSTS enforcement
  • Passwords are hashed using Argon2
  • Data at rest is encrypted via DigitalOcean managed database encryption (AES-256)
  • Access to production systems is restricted and audited

10. Cookies

We use essential cookies only:

  • Session cookie — maintains your authenticated login session (HttpOnly, Secure)
  • CSRF token — protects against cross-site request forgery attacks (HttpOnly, Secure)

We do not use analytics, tracking, advertising, or third-party cookies. The feedback collector uses localStorage and IndexedDB (browser storage APIs, not cookies) for device configuration and offline queuing.

For full details, see our Cookie Policy.

11. Children

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.

12. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Delete your account and associated personal data
  • Export your data in a portable format (on eligible plans)

To exercise any of these rights, please contact us at contact@capysays.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. We encourage you to review this page periodically. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

14. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at contact@capysays.com.