Privacy Policy
Last updated: May 18, 2026
1. Introduction
Duefy LLC ("we," "our," or "us") operates duefy.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using Duefy, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information you provide directly
- Account information: name, email address, company name, password
- Invoice data: invoice numbers, amounts, due dates, client names and email addresses
- Payment information: processed by Stripe; we never store full card numbers
- Communications: emails you send us, support requests
2.2 Information collected automatically
- IP address and browser type
- Pages visited and actions taken within the Service
- Device type and operating system
- Cookies and similar tracking technologies
2.3 Third-party information
If you connect via Google OAuth, we receive your name, email address, and profile picture from Google, subject to Google's Privacy Policy.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process transactions and send payment reminders on your behalf
- Send transactional emails (account confirmations, password resets)
- Send product updates and tips (you may opt out at any time)
- Respond to support requests
- Detect and prevent fraud and abuse
- Comply with legal obligations
4. Data Sharing
We do not sell your personal data. We share data only with:
- Stripe: payment processing
- Resend: email delivery
- Anthropic / AWS: AI analysis of client email replies
- Service providers who help us operate the platform, under confidentiality obligations
- Law enforcement when required by applicable law
Analytics
We use Google Analytics 4 to understand how visitors use our website. Google Analytics collects anonymized usage data including pages visited, time on site, and general location (country/city level). IP addresses are anonymized before storage.
Google Analytics is only active on our public marketing pages. It is not loaded when you are logged into your Duefy account.
You can opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on.
5. Your Clients' Data
When you use Duefy to send reminders, your clients' email addresses and invoice data are processed on your behalf. You are the data controller for this information; Duefy acts as a data processor. You are responsible for having a lawful basis to contact your clients and for complying with applicable laws (including CAN-SPAM, GDPR, and CASL).
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law.
7. Security
We use industry-standard security measures including SSL/TLS encryption, hashed passwords (bcrypt), and access controls. However, no method of transmission over the Internet is 100% secure.
8. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal data we collect about you
- Request deletion of your personal data
- Opt out of the sale of your personal data (we do not sell personal data)
- Non-discrimination for exercising your rights
To exercise these rights, contact us at privacy@duefy.ai.
9. International Transfers
Your data may be processed in the United States or other countries. By using the Service, you consent to such transfers.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect data from children under 16.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Continued use after changes constitutes acceptance.
12. Your Rights Under GDPR (EU/UK Users)
If you are located in the European Union or United Kingdom, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR) and UK GDPR:
Your Rights
- Right of Access — You can request a copy of all personal data we hold about you.
- Right to Rectification — You can ask us to correct inaccurate data. Most data can be updated directly in your account settings.
- Right to Erasure ("Right to be Forgotten") — You can request deletion of your personal data. Note: we may retain some data where required by law (e.g. billing records for tax purposes).
- Right to Data Portability — You can export your data at any time from Settings → Export Data.
- Right to Object — You can object to certain types of data processing, including direct marketing.
- Right to Restrict Processing — In certain circumstances, you can ask us to limit how we use your data.
Legal Basis for Processing
We process your data on the following legal bases:
- Contract — Processing necessary to provide the Duefy service you have subscribed to.
- Legitimate Interests — Improving our product, preventing fraud, and ensuring security of our systems.
- Legal Obligation — Retaining billing records as required by applicable tax laws.
Data Retention
- Active account data: retained while your account is active
- Cancelled account data: deleted after 90 days
- Billing records: retained for 7 years (legal requirement)
- API logs: deleted after 30 days
- Email logs: deleted after 12 months
Sub-processors
We use the following third-party services to provide Duefy. Each has been evaluated for GDPR compliance:
| Service | Purpose | Data Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs in place) |
| Resend | Transactional email | USA (SCCs in place) |
| Anthropic | AI features | USA (SCCs in place) |
| Google Analytics | Website analytics (public pages only) | USA (anonymized) |
| Google OAuth | Optional login method | USA (SCCs in place) |
| Twilio | SMS reminders (optional) | USA (SCCs in place) |
SCCs = Standard Contractual Clauses (EU-approved mechanism for international data transfers)
How to Exercise Your Rights
To exercise any of the above rights:
- Log in to your account and visit Settings — most requests can be handled automatically.
- For data export: Settings → Export Data
- For account deletion: Settings → Danger Zone → Delete Account
- For other requests: email privacy@duefy.ai. We will respond within 30 days as required by GDPR.
Right to Lodge a Complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority:
- EU: Your national Data Protection Authority
- UK: Information Commissioner's Office (ICO) — ico.org.uk
Data Controller
Duefy LLC
30 N Gould St, Ste N
Sheridan, WY 82801
United States
Email: privacy@duefy.ai
13. Contact Us
For privacy questions or to exercise your rights:
Duefy LLC
30 N Gould St, Ste N
Sheridan, WY 82801
United States
Email: privacy@duefy.ai
Website: https://duefy.ai