Privacy Policy
Last updated: March 24, 2026
Horizontes LLC ("Company," "we," "us," or "our"), a Puerto Rico limited liability company, operates the DocGen platform at docgen.tigerteampr.com (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- Full name
- Email address
- Password (stored as an Argon2id hash; we never store plaintext passwords)
- Organization name
1.2 Case Data (Claimant Information)
To generate SSA filing packets, you enter claimant data that may include:
- Identifiers: Social Security number (SSN), full name, date of birth
- Contact information: Address, phone number
- Medical information: Disability descriptions, medical provider details, treatment history
- Financial information: Bank account and routing numbers (for direct deposit forms)
- Employment information: Work history, employer details
Encryption: Sensitive fields (SSN, bank account numbers, routing numbers) are encrypted at rest using Fernet symmetric encryption with HKDF-derived per-tenant keys. The encrypted data can only be decrypted with both the master encryption key and your organization's unique identifier.
1.3 Usage Data
We automatically collect:
- IP address (logged for security audit purposes)
- Document generation events (timestamp, document type, success/failure)
- API access logs (endpoint, method, response status, duration)
1.4 Billing Information
Payment information (credit card numbers, billing addresses) is collected and processed by our billing provider, Polar.sh. We do not store your payment card details on our servers. We receive and store only your billing customer ID, subscription status, and invoice history from Polar.sh.
2. How We Use Your Information
We use your information to:
- Generate SSA disability benefits filing packets as requested
- Authenticate your identity and enforce access controls
- Process billing and manage your subscription
- Maintain audit logs for security and compliance
- Send transactional emails (password reset, invitations, billing notices)
- Detect and prevent unauthorized access or data breaches
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
3. How We Protect Your Information
- Encryption at rest: Sensitive PII fields are encrypted using Fernet symmetric encryption with per-tenant HKDF key derivation.
- Encryption in transit: All connections use TLS 1.2+.
- Tenant isolation: PostgreSQL Row-Level Security (RLS) with FORCE ensures each organization can only access its own data, enforced at the database level.
- Access control: Role-based access control (owner, admin, member) following the principle of least privilege.
- Password security: Passwords are hashed with Argon2id following NIST SP 800-63B guidelines, with an 8-character minimum and a common-password blocklist.
- Audit trail: All data access, modifications, and authentication events are logged.
- Automated security probes: Daily cross-tenant isolation verification ensures RLS policies are functioning correctly.
4. Data Retention
| Data Type | Retention Period | Rationale |
|---|---|---|
| Case data (database records) | Duration of account + 30 days | CCPA compliance; deleted upon account closure |
| Generated document files | Configurable (default 24h local; permanent on cloud plans) | Service operation; re-generation available on demand |
| Account and billing data | Duration of account + 7 years | Tax and financial records retention |
| Audit logs | 5 years | CCPA cybersecurity audit rule minimum |
| Soft-deleted cases | 90-day recovery window | User recovery period before permanent deletion |
| Webhook/billing events | 90 days | Payment dispute resolution and debugging |
| Expired authentication tokens | 30 days post-expiry | Security forensics |
5. Data Sharing and Subprocessors
We do not sell your personal information. We share data only with the following service providers who process data on our behalf:
| Subprocessor | Purpose | Data Shared |
|---|---|---|
| Polar.sh | Payment processing and billing | Billing customer ID, usage metrics, subscription events |
| Cloudflare R2 | Document storage | Generated document files (encrypted at rest) |
| Resend | Transactional email delivery | Email address, email content (invites, password resets) |
| Hostinger | Infrastructure hosting | All Service data resides on Hostinger VPS infrastructure |
We may also disclose your information if required by law, court order, or governmental request, or to protect the rights, property, or safety of Horizontes LLC, our users, or the public.
6. Your Rights Under the CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal retention obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Data Portability: Organization owners may request a data export via the API or by contacting support@tigerteampr.com.
How to Exercise Your Rights
Submit a Data Subject Access Request (DSAR) by emailing support@tigerteampr.com with the subject line "DSAR Request." We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days, as required by the CCPA.
For immediate data access, organization owners may use the data export API endpoint or contact support@tigerteampr.com to receive a complete copy of their organization's data.
7. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information.
8. Data Breach Notification
In the event of a data breach that compromises the security of your personal information, we will notify affected users and applicable regulatory authorities in accordance with the CCPA and other applicable laws. Notification will be provided without unreasonable delay.
9. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
11. Contact Us
For privacy-related questions, DSAR requests, or concerns about your data:
- Email: support@tigerteampr.com
- Entity: Horizontes LLC, Puerto Rico