Privacy Policy for MySmallBusiness

Last revised: 2026-04-25

BattleLine Productions LLC ("we", "us", "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, retain, store, and share personal and other information when you use MySmallBusiness, our web and Progressive Web App (PWA) platform that helps very small businesses track inventory, record sales, and report on what is selling.

This policy applies to:

  • the marketing website at mysmallbusiness.app,
  • the application at dashboard.mysmallbusiness.app,
  • and the API at api.mysmallbusiness.app.

1. Information We Collect

We collect information as part of delivering MySmallBusiness (the "Service") to our business customers ("Account Holders") and the people they collaborate with ("Members"). We also receive limited information about the people Account Holders sell to ("Buyers") when an Account Holder records a sale and chooses to attach a Buyer name and contact to it.

The types of information we collect include:

  • Account Information — Provided by you when you sign up via Auth0 Universal Login: name, email address, and the business name you choose. We also store the timestamp of your first sign-in.
  • Member and Invite Information — When an Owner invites a teammate, we store the invited email address and the role (Owner, Full Access, View Only) until the invite is accepted, expires, or is revoked. Tokens for invite links are random 32-byte values, not derived from email or any other personal data.
  • Business Data You Enter — Inventory (product names, prices, descriptions, images, categories, tags, variants, cost basis, low-stock thresholds), sales (line items, payment method, channel, tax, discount, notes, optional Buyer name and contact, optional notes), customer records (Buyer name, optional contact details, optional notes), and reports derived from these.
  • Buyer Information (provided by Account Holders) — When an Account Holder attaches a Buyer name and contact to a sale or saves a customer record, we store that information on their behalf as a processor. The Account Holder remains the controller of Buyer data and is responsible for the lawful basis on which they collected it.
  • Usage Analytics — Information about how the Service is used: page views, button clicks, feature usage, and errors. Analytics scripts (Google Analytics 4 and Microsoft Clarity) load only after you have accepted our cookie banner. We discretize sensitive numeric values before they reach analytics (for example, sale revenue is bucketed into ranges rather than reported as exact figures), and we do not send personal identifiers (email addresses, customer names, product names) into analytics events.
  • Payment and Subscription Information — We use Stripe to process payments. We never see, store, or transmit credit card data. From Stripe we receive: a Stripe customer ID, your subscription tier (Free or Paid), subscription status (active, past_due, canceled), and webhook events that change those values.
  • Cookies and Local Storage — We use a small number of first-party cookies and localStorage keys to operate the Service: an Auth0 in-memory session (tokens are kept only in JavaScript memory, never written to localStorage, sessionStorage, or cookies), a consent decision (msb.consent.v1), and an optional install-prompt suppression key (msb.install.dismissedAt.v1). Third-party analytics cookies are placed only after you accept the cookie banner.
  • Server Logs — Standard application server logs (request method, path, status code, latency, error messages) are retained for 7 days in AWS CloudWatch and are used to operate, secure, and debug the Service.

We do not collect special-category personal data (health, biometric, political opinion, religion, etc.) and we do not ask Account Holders to enter such data into Buyer records.


2. How We Use the Information

We use the information described above for the following purposes:

  • To deliver, maintain, and improve MySmallBusiness.
  • To authenticate you (via Auth0) and authorize what you can see and do based on your role.
  • To process payments and manage subscriptions through Stripe.
  • To enforce free-tier limits (25 items stored, 10 sales recorded per day per business).
  • To provide customer support and respond to inquiries.
  • To measure feature usage, diagnose technical issues, and improve product performance — only with your consent for non-essential analytics.
  • To communicate with Account Holders about service-critical notices (security, billing, planned outages) and, separately and only with your consent, about product updates and new features.
  • To comply with legal obligations or lawful requests from authorities.

You — the Account Holder — control the Buyer information you enter into MySmallBusiness. We do not access, use, or share Buyer data except as needed to provide the Service to you, to monitor its operational health, or to comply with the law.


3. Data Retention and Deletion

  • Active accounts. We retain your account, business, inventory, sales, customer, and member data for as long as your account is active.
  • Closed accounts. When you close your account or delete a business inside the Service, we purge the associated inventory, sales, customer, and image data. Aggregated and de-identified analytics that contain no personal identifiers may be retained.
  • Server logs. Operational logs are retained for 7 days and then expire automatically.
  • Backup snapshots. Database backup snapshots may persist for up to 35 days under our cloud provider's standard retention before being purged.
  • Stripe. Payment records (Stripe customer IDs, subscription history) are retained per Stripe's data retention policies and applicable financial-records law.
  • Right to deletion. You may request deletion of your personal information at any time by emailing the address in §12. We will action verified requests within a reasonable period and will let you know if any retention is required by law (for example, tax records).

4. Data Security

  • All traffic between your browser or device and the Service is encrypted in transit using HTTPS/TLS.
  • All data we store at rest is encrypted: DynamoDB tables use AWS-managed encryption keys; the S3 bucket holding your product images is encrypted with SSE-S3 and is private (delivered only via a CDN with origin access control).
  • Authentication uses Auth0 with industry-standard OIDC. Access tokens and refresh tokens stay in JavaScript memory only — they are never written to localStorage, sessionStorage, or cookies.
  • We do not store credit card data on our servers. Stripe Checkout and the Stripe Customer Portal are hosted by Stripe and handle all card information directly.
  • Stripe webhooks are verified by signature against a secret stored in AWS Systems Manager Parameter Store before any state changes are applied.
  • Access to production systems is restricted to the company's authorized personnel and audited.
  • Despite our reasonable safeguards, no system is perfectly secure. We cannot guarantee that unauthorized access will never occur.

5. Cookies and Analytics

  • Essential cookies and storage. A small set of first-party localStorage keys are required to operate the Service: your consent decision, an install-prompt suppression timestamp, and a session counter. These do not require consent because they only operate the Service you have asked us to provide.
  • Non-essential analytics. We use Google Analytics 4 and Microsoft Clarity to understand how MySmallBusiness is used. These tools place cookies and may collect information such as your IP address (truncated where supported), pages viewed, and session recordings (Clarity).
  • Consent gate. Analytics scripts do not load and do not place cookies unless you click "Accept" on our cookie banner. If you click "Decline," no analytics scripts load and the banner stays hidden for 90 days before re-asking.
  • Withdrawing consent. You can revoke consent at any time at https://mysmallbusiness.app/privacy (or https://dashboard.mysmallbusiness.app/account/privacy inside the App). Existing analytics cookies set in your browser are cleared on revocation; you may also clear them yourself via your browser settings.
  • No cross-site tracking. We do not embed third-party advertising networks or social-media tracking pixels.

6. Disclosure to Third Parties (Sub-processors)

We do not sell personal information. We share information only with the sub-processors below, all of whom are contractually obligated to protect your data:

| Sub-processor | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (US East — N. Virginia) | Cloud hosting, database (DynamoDB), object storage (S3), content delivery (CloudFront), function execution (Lambda), parameter store (SSM) | All Service data; encrypted at rest |
| Auth0 (Okta, Inc.) | Authentication, OIDC token issuance | Email address, name, sign-in events |
| Stripe, Inc. | Payment processing, subscription management, hosted checkout and customer portal | Email address, business name, payment method (handled by Stripe — we do not see it), Stripe customer ID, subscription status |
| Google LLC (Google Analytics 4) | Website and product analytics | Truncated IP, page-view metadata, event names, non-PII parameters — only with consent |
| Microsoft Corporation (Clarity) | Session-replay and heatmap analytics | Truncated IP, click and scroll events, masked input fields — only with consent |
| Cloudflare, Inc. | DNS resolution | Public DNS lookups |
| GitHub, Inc. | Source control and continuous integration | No customer data; engineering use only |

We will update this list when we add or remove a sub-processor and notify Account Holders of material changes per §11.

We may also disclose information when legally required (court order, regulatory request, lawful subpoena) or in connection with a business transfer (merger, acquisition, reorganization, sale of assets), in which case the recipient will be bound by privacy obligations no less protective than this policy.


7. International Data Transfers

The Service is operated in the United States (AWS us-east-1, Northern Virginia). At v1 the Service is offered only in English and only with USD billing, and is intended for users in the United States and Canada. If you access the Service from outside those regions, your information will be transferred to and stored in the United States. If we extend service to additional regions in the future, we will implement the appropriate transfer mechanism (Standard Contractual Clauses, adequacy decisions, etc.) and update this policy.


8. Children's Privacy

MySmallBusiness is a business service not intended for use by minors under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us at the address in §12 and we will delete it.


9. Your Rights and Choices

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain uses, under laws such as the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar state and provincial laws.

Michigan residents. As of the "Last revised" date above, Michigan has not enacted a comprehensive consumer privacy statute (the Michigan Personal Data Privacy Act, SB 359, has passed the Michigan Senate but has not yet become law). Michigan does provide breach-notification rights under the Identity Theft Protection Act (see §10 below) and consumer-protection rights under the Michigan Consumer Protection Act (MCL 445.901 et seq.). Independent of any statutory requirement, we honor access, correction, export, and deletion requests from Michigan residents on the same terms we offer to residents of other states. If Michigan enacts a comprehensive privacy law, we will update this policy and our processes to comply with it.

To exercise any of these rights:

  • Access, correction, or deletion — email us at CustomerService@battlelineproductions.com. We will verify your identity using the email address on file and will respond within the time required by applicable law.
  • Account export — Account Holders can export the data on their account on request; we are working on a self-service export and it is not yet available at v1.
  • Withdraw analytics consent — visit https://mysmallbusiness.app/privacy or https://dashboard.mysmallbusiness.app/account/privacy and click "Revoke consent." This stops analytics scripts from loading on subsequent page loads and clears any analytics cookies set by us.
  • Buyer data — if you are a Buyer of an Account Holder and want your information removed from their MySmallBusiness records, please contact the Account Holder directly. We process Buyer data on their behalf and they are the controller for that data.

We will not discriminate against you for exercising any of these rights.


10. Data Breach Notification

We take data security seriously and maintain controls (encryption, access restrictions, audit logging) to protect your data. If we discover that the security of your personal information has been compromised, we will investigate, contain, and notify affected Account Holders and regulatory authorities as required by applicable law and within the timeframes those laws require.

For Michigan residents, our notification practices are aligned with the Michigan Identity Theft Protection Act (Act 452 of 2004, MCL 445.61 et seq., including MCL 445.72 — Notice of Security Breach). When required by that statute, we will provide notice without unreasonable delay; describe the breach in general terms and the type of personal information that was the subject of unauthorized access or use; generally describe what we have done to protect data from further breaches; provide a telephone number to obtain assistance or additional information; and remind notice recipients to remain vigilant for incidents of fraud and identity theft. We will also notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis as required by MCL 445.72. For residents of other states or countries, we will provide notice and any cooperation with regulators that the law applicable to those residents requires.

Our incident response procedure is summarized in DataBreachPolicy.md in our public repository.


11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy at https://mysmallbusiness.app/privacy and update the "Last revised" date at the top. For material changes, Account Holders will be notified by email at the address on file at least 14 days before the change takes effect. Continued use of the Service after changes take effect indicates acceptance of the updated policy.


12. Contact Us

For questions, requests, or concerns about your privacy or this policy, please contact:

BattleLine Productions LLC Email: CustomerService@battlelineproductions.com