Privacy Policy

Last Updated: October 23, 2025
Effective Date: October 23, 2025

1. Introduction

DueAgent Ltd ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our invoice management and payment follow-up service.

We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller Information

Data Controller: DueAgent Ltd

Contact Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

3. Information We Collect

3.1 Account Information

  • Email address (required for account creation and communication)
  • Full name (optional, for personalization)
  • Password (hashed and never stored in plain text)
  • Subscription and billing information (via Stripe)

3.2 Client Information

  • Client names
  • Client email addresses
  • Client phone numbers (optional)
  • Business addresses (optional)

3.3 Invoice and Payment Data

  • Invoice numbers and amounts
  • Payment due dates and status
  • Transaction descriptions
  • Currency information

3.4 Usage and Technical Data

  • IP addresses (for security and fraud prevention)
  • Browser type and version
  • Device information
  • Usage patterns and preferences
  • Email engagement metrics (opens, clicks)

3.5 Third-Party Integration Data

  • Xero accounting data (when connected)
  • OAuth tokens (encrypted at rest using AES-256-GCM)

4. How We Use Your Information

4.1 Service Provision (Contract Performance)

  • Managing your account and providing customer support
  • Processing invoices and tracking payments
  • Sending automated payment reminders to your clients
  • Generating AI-powered chase emails
  • Synchronizing data with Xero (when authorized)

4.2 Legitimate Interests

  • Improving our service and user experience
  • Detecting and preventing fraud and security threats
  • Analyzing usage patterns to optimize performance
  • Sending service announcements and updates

4.3 Legal Obligations

  • Maintaining audit logs for compliance (7 years)
  • Retaining financial records as required by law
  • Responding to legal requests and court orders

4.4 Consent

  • Sending marketing communications (opt-in only)
  • Analytics and usage tracking (opt-in via cookie banner)
  • Third-party integrations beyond core service

5. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide our service
  • Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvement
  • Legal Obligation (Article 6(1)(c)): Compliance with accounting and tax laws
  • Consent (Article 6(1)(a)): Marketing communications and analytics (where required)

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a machine-readable format within 30 days.

Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data through your dashboard or by contacting us.

Right to Erasure (Article 17)

You can request deletion of your account and personal data. Note: We must retain certain financial records for 7 years to comply with legal obligations.

Right to Data Portability (Article 20)

You can receive your data in JSON format and transfer it to another service provider.

Right to Object (Article 21)

You can object to processing based on legitimate interests, including marketing communications and analytics tracking.

Right to Restrict Processing (Article 18)

You can request temporary suspension of data processing while we resolve disputes about accuracy or lawfulness.

Right to Withdraw Consent (Article 7(3))

You can withdraw consent at any time for marketing and analytics. This will not affect processing based on other legal bases.

Exercise Your Rights

Visit your Privacy Settings to export data, manage consents, or delete your account. For assistance, contact privacy@dueagent.com.

7. Data Sharing and Third-Party Processors

We share your data with the following trusted third-party processors under Data Processing Agreements (DPAs):

Clerk (Authentication)

Purpose: User authentication and session management

Location: United States | DPA: clerk.com/legal/dpa

Resend (Email Delivery)

Purpose: Transactional email delivery to your clients

Location: United States | DPA: resend.com/legal/dpa

Anthropic (AI Processing)

Purpose: AI-powered email generation

Location: United States | DPA: anthropic.com/legal/dpa | Zero retention policy

Render (Hosting)

Purpose: Application hosting and database services

Location: Europe (Frankfurt), United States (Oregon) | DPA: render.com/legal/dpa

Stripe (Payment Processing)

Purpose: Subscription billing and payment processing

Location: Europe, United States | DPA: stripe.com/legal/dpa

Xero (Accounting Integration)

Purpose: Accounting system integration (when you connect)

Location: Per your Xero account | Covered by your Xero agreement

International Data Transfers

Some processors are located in the United States. We use Standard Contractual Clauses (SCCs) and additional safeguards (encryption in transit and at rest) to protect your data during international transfers.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Data TypeRetention PeriodReason
Active accountsDuration of serviceContract performance
Closed accounts7 yearsLegal obligation (accounting)
Client records7 years post-deletionBusiness records requirement
Invoices and payments7 yearsTax and accounting laws
Audit logs7 years (anonymized)GDPR accountability
Web analytics90 daysPerformance optimization

9. Security Measures

We implement industry-leading security measures to protect your personal data:

  • Encryption at Rest: AES-256-GCM encryption for OAuth tokens and sensitive data
  • Encryption in Transit: TLS 1.3 for all data transmissions
  • Access Control: Role-based access with multi-factor authentication available
  • Audit Logging: Comprehensive logging of all sensitive operations
  • Security Headers: CSP, HSTS, and other security headers implemented
  • Regular Security Audits: Automated scanning and manual penetration testing
  • Data Minimization: We collect only necessary data
  • Pseudonymization: Non-sequential user IDs and anonymized audit logs

10. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active)

  • Authentication and session management
  • Security and fraud prevention
  • Service functionality

Optional Cookies (Requires Consent)

  • Analytics and usage tracking (web vitals, performance monitoring)
  • User preferences and settings

You can manage your cookie preferences through the cookie banner that appears on your first visit or via your Privacy Settings.

11. Data Breach Notification

In the unlikely event of a data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
  • Notify affected users without undue delay if there is a high risk to your rights (GDPR Article 34)
  • Provide details about the nature of the breach, affected data, and mitigation steps
  • Document all breaches in our internal breach log

12. Children's Privacy

DueAgent is a business-to-business (B2B) service not directed at children under the age of 16. We do not knowingly collect personal data from children. If we discover we have inadvertently collected such data, we will delete it immediately and notify the parent or guardian.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email at least 30 days before changes take effect
  • Request your consent if required by law

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

Privacy Settings: /dashboard/settings/privacy

15. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. For EU users, you can find your national supervisory authority at:

European Data Protection Board - Member List

© 2025 DueAgent Ltd. All rights reserved.