Privacy Policy

1. Introduction

Unpaid (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our invoice collection automation service (the “Service”).

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and password (stored as a bcrypt hash — we never store plaintext passwords).

Accounting Data

When you connect QuickBooks Online or Xero, we access invoice data including: invoice numbers, amounts, due dates, client names, and client email addresses. This data is synced periodically to enable automated reminders.

Payment Information

Subscription payments are processed by Stripe. We do not store credit card numbers or bank account details. Stripe's handling of payment data is governed by their Privacy Policy.

Communication Data

We track email delivery status (delivered, opened, clicked, bounced) for reminders sent through the Service. SMS delivery status is tracked through Twilio. This data helps you monitor collection effectiveness.

Usage Data

We collect standard server logs including IP addresses, browser type, and pages visited to maintain and improve the Service.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Sync invoices from your connected accounting platforms
• Send automated email and SMS reminders to your clients on your behalf
• Generate payment links for invoice collection via Stripe
• Provide analytics on reminder effectiveness and collection rates
• Process subscription payments
• Communicate with you about your account, updates, and support

4. Information Sharing

We do not sell your data. We share information only with:

• Third-party service providers that help us operate the Service: Stripe (payments), Resend (email delivery), Twilio (SMS), Neon (database hosting), and Vercel (application hosting)
• Your invoice recipients — we send reminder communications containing invoice details (amount, due date, payment link) to the client email addresses associated with your invoices
• Law enforcement if required by law, subpoena, or legal process

5. Data Storage and Security

Your data is stored in Neon PostgreSQL databases with encrypted connections (TLS). OAuth tokens for accounting platforms are stored encrypted at rest. We use industry-standard security measures including:

• HTTPS encryption for all data in transit
• Bcrypt password hashing (cost factor 12)
• Webhook signature verification (Stripe via Stripe SDK, Resend via Svix)
• CSRF protection on OAuth flows
• JWT-based session authentication

6. Data Retention

We retain your account and invoice data for as long as your account is active. If you cancel your subscription and request account deletion, we will delete your data within 30 days, except where retention is required for legal or compliance purposes.

Reminder delivery logs (open/click tracking) are retained for 12 months to provide engagement analytics.

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data through your account settings
• Delete your account and associated data by contacting us
• Disconnect third-party accounting integrations at any time
• Export your data upon request

8. Cookies

We use essential cookies for authentication (session tokens) and CSRF protection during OAuth flows. We do not use advertising or tracking cookies.

9. Children's Privacy

The Service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Effective date” at the top of this page indicates when the policy was last revised.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at hello@getunpaid.com.