tareSign in

Privacy Policy

Last updated: 12 March 2026

1. Who we are

Tare ("we", "us", "our") provides a commission tracking service for teams that use HubSpot CRM. Our website is usetare.com. If you have questions about this policy, contact us at privacy@usetare.com.

2. Data we collect

We collect and process the following categories of personal data:

  • Account information — name, email address, and organisation name provided during registration or when your administrator creates your account.
  • Authentication data — hashed passwords (we never store passwords in plain text) and session identifiers.
  • HubSpot CRM data — deal records, deal owner information, and line item data synced from your connected HubSpot account via the HubSpot API. This data is used solely to calculate commissions.
  • Usage and audit data — timestamps of actions performed within the application (logins, exports, setting changes) for security and audit purposes.
  • Technical data — IP address, browser type, and device information collected automatically through server logs and session cookies.

3. How we use your data

We process personal data for the following purposes:

  • Providing and maintaining the Tare service, including calculating and displaying commission statements.
  • Authenticating users and managing access to tenant accounts.
  • Sending transactional emails (invitations, password resets, welcome messages) when configured.
  • Generating CSV exports for payroll processing at your request.
  • Maintaining audit logs for security and compliance.
  • Improving the service and resolving technical issues.

4. Legal basis for processing

We process your data on the following legal bases under the UK GDPR:

  • Contract performance — processing necessary to deliver the service your organisation has subscribed to.
  • Legitimate interests — security monitoring, fraud prevention, and service improvement.
  • Legal obligation — where we are required by law to retain certain records.

5. Data sharing

We do not sell your personal data. We share data only in the following circumstances:

  • HubSpot — we connect to HubSpot's API using OAuth to read deal and owner data from your CRM. We do not write data back to HubSpot.
  • Infrastructure providers — we use Railway for hosting and PostgreSQL database services, and Redis for background job processing. These providers process data on our behalf under data processing agreements.
  • Email provider — transactional emails are sent via Resend. Only the recipient's email address and message content are shared.
  • Legal requirements — we may disclose data if required by law, regulation, or valid legal process.

6. Data storage and security

  • Data is stored on servers provided by Railway, located in the EU/UK region.
  • All data in transit is encrypted using TLS (HTTPS).
  • Passwords are hashed using bcrypt with a cost factor of 12.
  • HubSpot OAuth tokens are encrypted at rest using AES-256-GCM.
  • All monetary values are stored as integers to ensure calculation accuracy.
  • Access to production systems is restricted and audited.

7. Data retention

  • Account data — retained for the duration of the subscription. When an account is deactivated, personal data is soft-deleted and anonymised within 30 days.
  • Commission records — retained for the duration of the subscription plus 7 years to meet financial record-keeping requirements. Records are immutable once created.
  • Audit logs — retained for 2 years from the date of the event.
  • HubSpot data — deal and owner data is retained for the duration of the HubSpot connection. Upon disconnection or app uninstall, HubSpot-sourced data is scheduled for deletion within 30 days.

8. Your rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@usetare.com. We will respond within 30 days.

9. HubSpot privacy deletion

When a contact privacy deletion request is received from HubSpot, we automatically anonymise any matching owner records in our system. Personal data (name, email) is replaced with anonymised placeholders, and linked user accounts are deactivated. The underlying commission records are preserved for financial audit purposes but are no longer linked to identifiable personal data.

10. Cookies

Tare uses a single session cookie to maintain your authenticated session. This cookie is strictly necessary for the service to function and does not track you across other websites. We do not use analytics cookies, advertising cookies, or third-party tracking scripts.

11. Children

Tare is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email to account administrators. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact and complaints

If you have questions or concerns about this policy or our data practices, contact us at privacy@usetare.com.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.