Privacy Policy

Spartan Media LLC ("Spartan," "we," "us," or "our") operates the PayrollPro platform ("Platform"), a white-label payroll solution provided to accounting firms and their business clients. This Privacy Policy explains how we collect, use, store, and protect information when you use the Platform, including any custom-branded version hosted on a subdomain or custom domain.

By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not use the Platform.

1. Information We Collect

We collect the following categories of information in the course of providing payroll services:

Employer Business Information

• Business legal name and DBA
• Employer Identification Number (EIN)
• Business address and contact information
• State withholding account numbers

Employee Personal Information

• Full legal name, address, and date of birth
• Social Security Number (SSN) — stored encrypted; see Section 3
• Tax filing status and withholding elections (W-4, NC-4)
• Compensation, pay rate, and pay frequency
• Electronic signatures on tax forms

Financial Information

• Bank account details for ACH payroll — linked via Stripe Financial Connections (OAuth-based verification). We do not receive or store raw bank account numbers; Stripe tokenizes payment methods on our behalf.
• Billing information for platform subscriptions, processed entirely by Stripe.

Payroll and Tax Filing Data

• Gross and net pay, tax withholdings, deductions, and pay period details
• Federal and state tax filings (Forms 941, 940, W-2, NC-3)

Technical and Usage Data

• IP address, browser type, and device information
• Pages viewed, features used, and session duration
• Cookies and similar technologies for authentication

Google Account Information (when you sign in with Google)

When you choose "Sign in with Google", Google shares only the following information with us via OAuth 2.0, scoped to what is necessary to create and maintain your PayrollPro account:

• Email address (email scope) — used as your unique account identifier and for transactional notifications (account verification, security alerts, password resets, payroll receipts).
• Basic profile information (profile scope) — your name and profile photo, displayed in the dashboard header so you and your firm administrators can identify your account.
• OpenID identifier (openidscope) — Google's stable per-account ID, used internally by Supabase Auth to link your sign-in across sessions without re-asking Google.

We do NOTrequest access to your Google Drive, Gmail, Calendar, Contacts, or any other Google service. We do not read, write, or sync any data from your Google account beyond the three fields above. Google account data is used solely to authenticate you and personalize the dashboard — never sold, never shared with third parties, never used for advertising or profiling. You may revoke PayrollPro's access at any time from your Google Account permissions page; revoking access deletes any cached Google profile data from our systems within 24 hours.

PayrollPro's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How We Use Your Information

• Payroll processing: calculating wages, taxes, and deductions; generating pay stubs; initiating ACH payments.
• Tax compliance: preparing and filing federal and state tax forms on behalf of employers.
• Account management: authenticating users, managing subscriptions, and providing customer support.
• Transactional communications: sending pay stub notifications, form completion links, and service-related emails.
• Platform improvement: analyzing usage patterns to improve functionality, performance, and security.
• Legal obligations: complying with applicable laws, regulations, and lawful requests from government authorities.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3. How We Store and Protect Your Information

All data is stored in the United States. We employ industry-standard security measures, including:

• SSN encryption: Social Security Numbers are encrypted at rest using AES-256-GCM. Decryption occurs only in memory for authorized operations (e.g., W-2 filing) and is never logged or persisted in plaintext.
• Bank account tokenization: bank account details are tokenized by Stripe and never stored on our servers in raw form.
• Transport security: all data in transit is encrypted via TLS 1.2 or higher.
• Access control: Row-Level Security (RLS) policies ensure that each tenant can only access its own data. Administrative functions use restricted service-role credentials.
• Authentication: user authentication is managed through Supabase Auth with secure session handling.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

4. Third-Party Service Providers

We share information with the following third-party providers solely to operate the Platform. Each provider is contractually obligated to protect your data and use it only for the services they provide to us:

• Stripe (San Francisco, CA) — payment processing, subscription billing, and bank account verification via Financial Connections. Stripe is PCI DSS Level 1 certified.
  stripe.com/privacy
• Supabase (US region) — database hosting, authentication, and row-level security.
  supabase.com/privacy
• Vercel (San Francisco, CA) — application hosting and edge delivery.
  vercel.com/legal/privacy-policy
• Resend — transactional email delivery (pay stub notifications, form links, account alerts).
  resend.com/legal/privacy-policy

We may also disclose information if required by law, subpoena, or court order, or to protect the rights, property, or safety of Spartan Media LLC, our users, or others.

5. Data Retention

We retain personal information for as long as necessary to provide the Platform and comply with legal obligations:

• Payroll records and tax filings: retained for a minimum of four (4) years after the applicable tax year, as required by the IRS and state tax authorities.
• Account data: retained for the duration of the active subscription and for a reasonable period thereafter to allow for account reactivation or dispute resolution.
• Technical logs: retained for up to 90 days for security monitoring and debugging purposes.

When data is no longer needed, it is securely deleted or anonymized.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data, subject to legal retention requirements.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to certain processing activities where applicable.

To exercise any of these rights, contact us at sales@espartan.net. We will respond within 30 days. Note that some data (e.g., tax records) cannot be deleted while legal retention periods apply.

If you are an employee whose payroll is processed through the Platform, please contact your employer or their accounting firm first, as they are the data controller for your employment information.

7. Children's Privacy

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or an in-app notice. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.

9. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: