Privacy Policy

Last Updated: November 2025
Effective Date: November 2025

1. Introduction

OPTFLOW AI LIMITED, trading as Due Agent ("we", "our", or "us"), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our professional automated billing notification and payment reminder service.

We are a UK-based company and the data controller responsible for your personal data under the General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

Data Location: All personal data is processed and stored exclusively within the European Union (United Kingdom and EU regions) to ensure full GDPR compliance.

2. Data Controller Information

Legal Entity: OPTFLOW AI LIMITED

Trading Name: Due Agent

Company Number: 14990157

Registered Office: 43 Fairfoot Road, London, England, E3 4EG

Jurisdiction: United Kingdom

Contact Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

3. Information We Collect

3.1 Account Information

Email address (required for account creation, service communications, and transactional notifications)
Full name (optional, for personalisation)
Password (hashed and never stored in plain text)
Subscription and billing information (via Stripe)
Physical mailing address (optional, for billing purposes)

3.2 Client Information

Client names
Client email addresses (collected when you add clients to send payment reminders on your behalf)
Client phone numbers (optional)
Business addresses (optional)

3.3 Invoice and Payment Data

Invoice numbers and amounts
Payment due dates and status
Transaction descriptions
Currency information

3.4 Usage and Technical Data

IP addresses (for security and fraud prevention)
Browser type and version
Device information
Usage patterns and preferences
Email engagement metrics (opens, clicks, bounces, complaints) for both transactional and marketing emails
Email delivery status and error codes
Suppression list data (invalid addresses, unsubscribes, complaints)

3.5 Third-Party Integration Data

Xero accounting data (when connected)
OAuth tokens (encrypted at rest using AES-256-GCM)

4. How We Use Your Information

4.1 Service Provision (Contract Performance)

Managing your account and providing customer support
Processing invoices and tracking payments
Sending automated payment reminders to your clients via transactional email (cannot be opted out as essential to service)
Generating AI-powered billing notification emails
Synchronising data with Xero (when authorised)
Processing email bounces, complaints, and maintaining suppression lists to ensure delivery quality

4.2 Legitimate Interests

Improving our service and user experience
Detecting and preventing fraud and security threats
Analysing usage patterns to optimise performance
Sending service announcements and updates

4.3 Legal Obligations

Maintaining audit logs for compliance (7 years)
Retaining financial records as required by law
Responding to legal requests and court orders

4.4 Consent

Sending marketing communications (opt-in only)
Analytics and usage tracking (opt-in via cookie banner)
Third-party integrations beyond core service

5. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR:

Contract Performance (Article 6(1)(b)): Processing necessary to provide our service
Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvement
Legal Obligation (Article 6(1)(c)): Compliance with accounting and tax laws
Consent (Article 6(1)(a)): Marketing communications and analytics (where required)

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a machine-readable format within one month of your request (which may be extended by a further two months for complex requests, as permitted by UK GDPR Article 12).

Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data through your dashboard or by contacting us.

Right to Erasure (Article 17)

You can request deletion of your account and personal data. Note: We must retain certain financial records for 7 years to comply with legal obligations.

Right to Data Portability (Article 20)

You can receive your data in JSON format and transfer it to another service provider.

Right to Object (Article 21)

You can object to processing based on legitimate interests, including marketing communications and analytics tracking.

Right to Restrict Processing (Article 18)

You can request temporary suspension of data processing while we resolve disputes about accuracy or lawfulness.

Right to Withdraw Consent (Article 7(3))

You can withdraw consent at any time for marketing and analytics. This will not affect processing based on other legal bases.

Exercise Your Rights

Visit your Privacy Settings to export data, manage consents, or delete your account. For assistance, contact privacy@dueagent.com.

7. Data Sharing and Third-Party Processors

We share your data with the following trusted third-party processors under Data Processing Agreements (DPAs):

Stack Auth + NeonDB (Authentication)

Purpose: User authentication and session management

Location: European Union (London, eu-west-2) | EU Data Storage | DPA: Available upon request

AWS SES (Email Delivery Infrastructure)

Purpose: Email delivery infrastructure for both transactional and marketing communications

Email Types Processed:

Transactional Emails: Payment reminders, invoice notifications, account alerts, password resets, subscription confirmations, service updates (cannot be opted out)
Marketing Emails: Product updates, promotional content, newsletters (opt-in only, unsubscribe available)

Bounce & Complaint Handling: AWS SES automatically processes email bounces (hard and soft) and spam complaints. Invalid email addresses are added to our suppression list to prevent future sending attempts. Complaint data is retained for abuse prevention and sender reputation management.

Location: European Union (London, eu-west-2) | GDPR Compliant | DPA: Available at aws.amazon.com/compliance/gdpr-center

Google Vertex AI (AI Processing)

Purpose: AI-powered email generation

Location: European Union (Belgium, europe-west1) | GDPR Compliant | Data Retention: Configurable retention policy | DPA: Available at cloud.google.com/terms/data-processing-addendum

Upstash Redis (Background Processing & Caching)

Purpose: Background job processing, workflow orchestration, and serverless caching

Location: European Union (Frankfurt, eu-central-1) | GDPR Compliant | DPA: Available at upstash.com/trust/dpa

Vercel (Hosting Platform)

Purpose: Application hosting and CDN services

Location: European Union regions configured | Transfer Mechanism: Standard Contractual Clauses | DPA: Available at vercel.com/legal/dpa

Stripe (Payment Processing)

Purpose: Subscription billing and payment processing

Location: Europe, United States | Transfer Mechanism: EU-US Data Privacy Framework certified | DPA: Available at stripe.com/legal/dpa

Xero & QuickBooks (Accounting Integration)

Purpose: Accounting system integration (when you connect)

Location: Per your Xero/QuickBooks account configuration | Covered by your provider agreement

International Data Transfers (GDPR Chapter V)

The majority of our core processing infrastructure is located within the European Union to ensure full GDPR compliance and data sovereignty. All authentication, email delivery, AI processing, and background job processing occurs exclusively within EU regions (London, eu-west-2 and Belgium, europe-west1).

Where we use processors that operate internationally (such as Stripe for payments or Vercel for hosting), we ensure that all international data transfers comply with GDPR Chapter V requirements through appropriate safeguards:

Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914)
EU-US Data Privacy Framework certification for US-based processors (where applicable)
UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs for UK GDPR compliance
Additional technical safeguards including encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
Regular transfer impact assessments (TIAs) to evaluate risks in third countries
Contractual obligations for sub-processors to maintain equivalent protections
Right to object to transfers where alternative EU-based services are available

We continuously monitor legal developments regarding international data transfers, including guidance from the European Data Protection Board (EDPB) and decisions from the Court of Justice of the European Union (CJEU), to ensure ongoing compliance.

You have the right to request copies of the safeguards we have in place for international transfers, including our Standard Contractual Clauses and transfer impact assessments, by contacting privacy@dueagent.com.

UK GDPR Compliance Note

As a UK-based data controller, we comply with UK GDPR requirements for international data transfers. We rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs where appropriate.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Data Type	Retention Period	Reason
Active accounts	Duration of service	Contract performance
Closed accounts	7 years	Legal obligation (accounting)
Client records	7 years post-deletion	Business records requirement
Invoices and payments	7 years	Tax and accounting laws
Audit logs	7 years (anonymized)	GDPR accountability
Web analytics	90 days	Performance optimization
Email engagement metrics	90 days (aggregated)	Email deliverability optimization
Email bounce/complaint data	2 years	Sender reputation and anti-spam compliance
Suppression list (unsubscribes)	Indefinite	Legal obligation (must honour opt-outs permanently)

Email Data Retention Note

Email addresses on our suppression list (due to unsubscribes, bounces, or complaints) are retained indefinitely to ensure we never send unwanted emails. This is a legal requirement under anti-spam regulations. You can request removal from the suppression list by contacting privacy@dueagent.com, but we must verify the request to prevent abuse.

9. Security Measures

We implement industry-leading technical and organisational security measures to protect your personal data in accordance with GDPR Article 32:

Encryption at Rest: AES-256-GCM encryption for OAuth tokens and sensitive data
Encryption in Transit: TLS 1.3 for all data transmissions
Access Control: Role-based access control (RBAC) with multi-factor authentication available
Audit Logging: Comprehensive logging of all sensitive operations with tamper-evident storage
Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers
Regular Security Audits: Automated vulnerability scanning and periodic manual penetration testing
Data Minimisation: We collect only data that is adequate, relevant, and necessary for the purposes
Pseudonymisation: Non-sequential user IDs and anonymised audit logs where appropriate
Incident Response: Documented procedures for detecting, investigating, and responding to security incidents
Staff Training: Regular data protection and security awareness training for all personnel

Privacy by Design and Default

In accordance with GDPR Article 25, we implement data protection principles by design and by default. This means we build privacy considerations into our systems from the ground up, ensuring that only necessary data is processed, with appropriate security measures, and that privacy settings are set to the most protective level by default.

10. Your Responsibilities as a Data Controller

When you use Due Agent to send payment reminders to your clients, you act as the data controller for your clients' personal data, and we act as your data processor. You are responsible for:

Ensuring you have a lawful basis to process your clients' personal data
Obtaining necessary consents from your clients for email communications
Complying with the Privacy and Electronic Communications Regulations (PECR)
Informing your clients about your use of Due Agent in your privacy policy
Responding to data subject access requests from your clients
Ensuring accuracy and appropriateness of data you upload to our service

A Data Processing Agreement (DPA) is available in your account settings, which sets out the terms under which we process your clients' data on your behalf, in accordance with GDPR Article 28.

Important Legal Requirement

You must have appropriate legal grounds (such as contract performance or legitimate interest) to send payment reminders to your clients. Ensure your own terms of business and privacy policy cover the use of automated payment reminder services.

11. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active)

Authentication and session management
Security and fraud prevention
Service functionality

Optional Cookies (Requires Consent)

Analytics and usage tracking (web vitals, performance monitoring)
User preferences and settings

You can manage your cookie preferences through the cookie banner that appears on your first visit or via your Privacy Settings.

Cookie Retention Periods

Session cookies: Expire when you close your browser
Authentication cookies: 30 days (or until logout)
Preference cookies: 1 year
Analytics cookies: 90 days (if consented)

11a. Email Communications and Anti-Spam Compliance

11a.1 How We Collect Email Addresses

We collect email addresses through the following legitimate methods:

Your Account Email: Provided directly by you during account registration for service delivery and account management
Client Email Addresses: Provided by you when you add clients to your Due Agent account for the purpose of sending payment reminders on your behalf. You act as the data controller for these addresses and must have appropriate legal grounds to provide them to us.
Xero/QuickBooks Integration: Imported automatically when you connect your accounting software (with your explicit authorization)
Marketing List: Only collected with explicit opt-in consent via signup forms, account settings, or webinar registrations that clearly indicate you will receive marketing communications

We never: Purchase email lists, scrape email addresses from websites, use harvested addresses, or send to addresses obtained without explicit permission or legitimate business relationship.

11a.2 Types of Emails We Send

Transactional Emails (Cannot Opt Out)

These emails are essential to our service and cannot be opted out of while you maintain an active account:

Payment reminders sent to your clients on your behalf
Invoice notifications and payment confirmations
Account security alerts and password reset requests
Subscription and billing notifications
Service announcements affecting your account functionality
Responses to your support requests

Legal Basis: Contract Performance (GDPR Article 6(1)(b)) - these emails are necessary to provide the service you requested.

Marketing Emails (Opt-In Only)

We will only send you marketing communications if you have explicitly opted in. Marketing communications may include:

Product updates and new feature announcements
Educational content and best practices for payment collection
Special offers and promotional information
Industry insights and relevant news
Surveys and feedback requests

Legal Basis: Consent (GDPR Article 6(1)(a)) and compliance with the Privacy and Electronic Communications Regulations (PECR) 2003.

11a.3 Unsubscribe and Opt-Out Mechanisms

Every marketing email includes a clear and conspicuous unsubscribe link in the footer. You can unsubscribe from marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email (processed within 10 business days as required by CAN-SPAM)
Adjusting your preferences in your Account Settings
Contacting us at privacy@dueagent.com
Replying to any marketing email with "UNSUBSCRIBE" in the subject line

Once you unsubscribe, your email address is added to our permanent suppression list and you will not receive further marketing emails. Unsubscribe requests are processed within 10 business days.

11a.4 Anti-Spam Compliance

We comply with international anti-spam regulations including:

CAN-SPAM Act (United States): Clear identification of commercial emails, accurate header information, physical postal address in all emails, honour opt-out requests within 10 business days
GDPR (European Union): Explicit consent required before sending marketing emails, clear purpose disclosure, right to withdraw consent
PECR (United Kingdom): Opt-in consent for electronic marketing, clear identification of sender, easy opt-out mechanism
CASL (Canada): Express consent for commercial electronic messages, identification of sender, unsubscribe mechanism in every message

Company Contact Information

As required by CAN-SPAM and other anti-spam regulations, our physical postal address appears in all marketing emails:

OPTFLOW AI LIMITED (trading as Due Agent)
43 Fairfoot Road, London, England, E3 4EG
Company Number: 14990157
Email: privacy@dueagent.com

11a.5 Bounce and Complaint Management

We actively monitor and manage email deliverability to maintain our sender reputation and comply with anti-spam best practices:

Hard Bounces: Email addresses that permanently fail delivery (invalid, non-existent domains) are immediately added to our suppression list
Soft Bounces: Temporary delivery failures (full inbox, server issues) are retried according to best practices, then suppressed after repeated failures
Spam Complaints: When a recipient marks an email as spam, their address is immediately and permanently added to our suppression list
Feedback Loops: We participate in ISP feedback loops to receive complaint notifications and honour unsubscribe requests
Suppression List: Maintained indefinitely to prevent sending to addresses that have bounced, complained, or unsubscribed

For Users Sending Payment Reminders

When you use Due Agent to send payment reminders to your clients, you are responsible for ensuring you have appropriate legal grounds to contact them (typically contract performance or legitimate interest). We recommend including unsubscribe options in your own terms of business. Our bounce and complaint data helps you maintain clean contact lists and comply with anti-spam requirements. See Section 10 for your responsibilities as a data controller.

12. Data Breach Notification

In the unlikely event of a data breach, we will:

Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
Notify affected users without undue delay if there is a high risk to your rights (GDPR Article 34)
Provide details about the nature of the breach, affected data, and mitigation steps
Document all breaches in our internal breach log

13. Automated Decision-Making and Profiling

We use AI technology (Google Vertex AI) to generate personalised email content for payment reminders. This processing does not constitute automated decision-making as defined by GDPR Article 22, as:

You retain full control over the email content before it is sent
The AI assists with drafting, but does not make legal or financial decisions
No decisions are made that produce legal effects or similarly significantly affect you
You can review, modify, or reject any AI-generated content

We do not engage in profiling activities that would produce legal effects or similarly significantly affect data subjects. Our usage analytics are aggregated and anonymised for service improvement purposes only.

In accordance with GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. Our service design ensures human oversight of all material decisions.

14. Children's Privacy

Due Agent is a business-to-business (B2B) service not directed at children under the age of 16. We do not knowingly collect personal data from children. If we discover we have inadvertently collected such data, we will delete it immediately and notify the parent or guardian.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email at least 30 days before changes take effect
Request your consent if required by law

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

Privacy Settings: /dashboard/settings/privacy

17. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

UK Users

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

EU Users

Contact your national supervisory authority:

European Data Protection Board - Member List

Legal Disclaimer: This is a template for informational purposes. Whilst we have endeavoured to ensure accuracy and compliance with applicable regulations, you should consult with a qualified solicitor for legal advice specific to your situation.

Privacy Policy

Last Updated: November 2025
Effective Date: November 2025

1. Introduction

We are a UK-based company and the data controller responsible for your personal data under the General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

Data Location: All personal data is processed and stored exclusively within the European Union (United Kingdom and EU regions) to ensure full GDPR compliance.

2. Data Controller Information

Legal Entity: OPTFLOW AI LIMITED

Trading Name: Due Agent

Company Number: 14990157

Registered Office: 43 Fairfoot Road, London, England, E3 4EG

Jurisdiction: United Kingdom

Contact Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

3. Information We Collect

3.1 Account Information

Email address (required for account creation, service communications, and transactional notifications)
Full name (optional, for personalisation)
Password (hashed and never stored in plain text)
Subscription and billing information (via Stripe)
Physical mailing address (optional, for billing purposes)

3.2 Client Information

Client names
Client email addresses (collected when you add clients to send payment reminders on your behalf)
Client phone numbers (optional)
Business addresses (optional)

3.3 Invoice and Payment Data

Invoice numbers and amounts
Payment due dates and status
Transaction descriptions
Currency information

3.4 Usage and Technical Data

IP addresses (for security and fraud prevention)
Browser type and version
Device information
Usage patterns and preferences
Email engagement metrics (opens, clicks, bounces, complaints) for both transactional and marketing emails
Email delivery status and error codes
Suppression list data (invalid addresses, unsubscribes, complaints)

3.5 Third-Party Integration Data

Xero accounting data (when connected)
OAuth tokens (encrypted at rest using AES-256-GCM)

4. How We Use Your Information

4.1 Service Provision (Contract Performance)

Managing your account and providing customer support
Processing invoices and tracking payments
Sending automated payment reminders to your clients via transactional email (cannot be opted out as essential to service)
Generating AI-powered billing notification emails
Synchronising data with Xero (when authorised)
Processing email bounces, complaints, and maintaining suppression lists to ensure delivery quality

4.2 Legitimate Interests

Improving our service and user experience
Detecting and preventing fraud and security threats
Analysing usage patterns to optimise performance
Sending service announcements and updates

4.3 Legal Obligations

Maintaining audit logs for compliance (7 years)
Retaining financial records as required by law
Responding to legal requests and court orders

4.4 Consent

Sending marketing communications (opt-in only)
Analytics and usage tracking (opt-in via cookie banner)
Third-party integrations beyond core service

5. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR:

Contract Performance (Article 6(1)(b)): Processing necessary to provide our service
Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvement
Legal Obligation (Article 6(1)(c)): Compliance with accounting and tax laws
Consent (Article 6(1)(a)): Marketing communications and analytics (where required)

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data through your dashboard or by contacting us.

Right to Erasure (Article 17)

You can request deletion of your account and personal data. Note: We must retain certain financial records for 7 years to comply with legal obligations.

Right to Data Portability (Article 20)

You can receive your data in JSON format and transfer it to another service provider.

Right to Object (Article 21)

You can object to processing based on legitimate interests, including marketing communications and analytics tracking.

Right to Restrict Processing (Article 18)

You can request temporary suspension of data processing while we resolve disputes about accuracy or lawfulness.

Right to Withdraw Consent (Article 7(3))

You can withdraw consent at any time for marketing and analytics. This will not affect processing based on other legal bases.

Exercise Your Rights

Visit your Privacy Settings to export data, manage consents, or delete your account. For assistance, contact privacy@dueagent.com.

7. Data Sharing and Third-Party Processors

We share your data with the following trusted third-party processors under Data Processing Agreements (DPAs):

Stack Auth + NeonDB (Authentication)

Purpose: User authentication and session management

Location: European Union (London, eu-west-2) | EU Data Storage | DPA: Available upon request

AWS SES (Email Delivery Infrastructure)

Purpose: Email delivery infrastructure for both transactional and marketing communications

Email Types Processed:

Transactional Emails: Payment reminders, invoice notifications, account alerts, password resets, subscription confirmations, service updates (cannot be opted out)
Marketing Emails: Product updates, promotional content, newsletters (opt-in only, unsubscribe available)

Location: European Union (London, eu-west-2) | GDPR Compliant | DPA: Available at aws.amazon.com/compliance/gdpr-center

Google Vertex AI (AI Processing)

Purpose: AI-powered email generation

Location: European Union (Belgium, europe-west1) | GDPR Compliant | Data Retention: Configurable retention policy | DPA: Available at cloud.google.com/terms/data-processing-addendum

Upstash Redis (Background Processing & Caching)

Purpose: Background job processing, workflow orchestration, and serverless caching

Location: European Union (Frankfurt, eu-central-1) | GDPR Compliant | DPA: Available at upstash.com/trust/dpa

Vercel (Hosting Platform)

Purpose: Application hosting and CDN services

Location: European Union regions configured | Transfer Mechanism: Standard Contractual Clauses | DPA: Available at vercel.com/legal/dpa

Stripe (Payment Processing)

Purpose: Subscription billing and payment processing

Location: Europe, United States | Transfer Mechanism: EU-US Data Privacy Framework certified | DPA: Available at stripe.com/legal/dpa

Xero & QuickBooks (Accounting Integration)

Purpose: Accounting system integration (when you connect)

Location: Per your Xero/QuickBooks account configuration | Covered by your provider agreement

International Data Transfers (GDPR Chapter V)

Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914)
EU-US Data Privacy Framework certification for US-based processors (where applicable)
UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs for UK GDPR compliance
Additional technical safeguards including encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
Regular transfer impact assessments (TIAs) to evaluate risks in third countries
Contractual obligations for sub-processors to maintain equivalent protections
Right to object to transfers where alternative EU-based services are available

UK GDPR Compliance Note

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Data Type	Retention Period	Reason
Active accounts	Duration of service	Contract performance
Closed accounts	7 years	Legal obligation (accounting)
Client records	7 years post-deletion	Business records requirement
Invoices and payments	7 years	Tax and accounting laws
Audit logs	7 years (anonymized)	GDPR accountability
Web analytics	90 days	Performance optimization
Email engagement metrics	90 days (aggregated)	Email deliverability optimization
Email bounce/complaint data	2 years	Sender reputation and anti-spam compliance
Suppression list (unsubscribes)	Indefinite	Legal obligation (must honour opt-outs permanently)

Email Data Retention Note

9. Security Measures

We implement industry-leading technical and organisational security measures to protect your personal data in accordance with GDPR Article 32:

Encryption at Rest: AES-256-GCM encryption for OAuth tokens and sensitive data
Encryption in Transit: TLS 1.3 for all data transmissions
Access Control: Role-based access control (RBAC) with multi-factor authentication available
Audit Logging: Comprehensive logging of all sensitive operations with tamper-evident storage
Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers
Regular Security Audits: Automated vulnerability scanning and periodic manual penetration testing
Data Minimisation: We collect only data that is adequate, relevant, and necessary for the purposes
Pseudonymisation: Non-sequential user IDs and anonymised audit logs where appropriate
Incident Response: Documented procedures for detecting, investigating, and responding to security incidents
Staff Training: Regular data protection and security awareness training for all personnel

Privacy by Design and Default

10. Your Responsibilities as a Data Controller

When you use Due Agent to send payment reminders to your clients, you act as the data controller for your clients' personal data, and we act as your data processor. You are responsible for:

Ensuring you have a lawful basis to process your clients' personal data
Obtaining necessary consents from your clients for email communications
Complying with the Privacy and Electronic Communications Regulations (PECR)
Informing your clients about your use of Due Agent in your privacy policy
Responding to data subject access requests from your clients
Ensuring accuracy and appropriateness of data you upload to our service

A Data Processing Agreement (DPA) is available in your account settings, which sets out the terms under which we process your clients' data on your behalf, in accordance with GDPR Article 28.

Important Legal Requirement

11. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active)

Authentication and session management
Security and fraud prevention
Service functionality

Optional Cookies (Requires Consent)

Analytics and usage tracking (web vitals, performance monitoring)
User preferences and settings

You can manage your cookie preferences through the cookie banner that appears on your first visit or via your Privacy Settings.

Cookie Retention Periods

Session cookies: Expire when you close your browser
Authentication cookies: 30 days (or until logout)
Preference cookies: 1 year
Analytics cookies: 90 days (if consented)

11a. Email Communications and Anti-Spam Compliance

11a.1 How We Collect Email Addresses

We collect email addresses through the following legitimate methods:

Your Account Email: Provided directly by you during account registration for service delivery and account management
Client Email Addresses: Provided by you when you add clients to your Due Agent account for the purpose of sending payment reminders on your behalf. You act as the data controller for these addresses and must have appropriate legal grounds to provide them to us.
Xero/QuickBooks Integration: Imported automatically when you connect your accounting software (with your explicit authorization)
Marketing List: Only collected with explicit opt-in consent via signup forms, account settings, or webinar registrations that clearly indicate you will receive marketing communications

We never: Purchase email lists, scrape email addresses from websites, use harvested addresses, or send to addresses obtained without explicit permission or legitimate business relationship.

11a.2 Types of Emails We Send

Transactional Emails (Cannot Opt Out)

These emails are essential to our service and cannot be opted out of while you maintain an active account:

Payment reminders sent to your clients on your behalf
Invoice notifications and payment confirmations
Account security alerts and password reset requests
Subscription and billing notifications
Service announcements affecting your account functionality
Responses to your support requests

Legal Basis: Contract Performance (GDPR Article 6(1)(b)) - these emails are necessary to provide the service you requested.

Marketing Emails (Opt-In Only)

We will only send you marketing communications if you have explicitly opted in. Marketing communications may include:

Product updates and new feature announcements
Educational content and best practices for payment collection
Special offers and promotional information
Industry insights and relevant news
Surveys and feedback requests

Legal Basis: Consent (GDPR Article 6(1)(a)) and compliance with the Privacy and Electronic Communications Regulations (PECR) 2003.

11a.3 Unsubscribe and Opt-Out Mechanisms

Every marketing email includes a clear and conspicuous unsubscribe link in the footer. You can unsubscribe from marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email (processed within 10 business days as required by CAN-SPAM)
Adjusting your preferences in your Account Settings
Contacting us at privacy@dueagent.com
Replying to any marketing email with "UNSUBSCRIBE" in the subject line

Once you unsubscribe, your email address is added to our permanent suppression list and you will not receive further marketing emails. Unsubscribe requests are processed within 10 business days.

11a.4 Anti-Spam Compliance

We comply with international anti-spam regulations including:

CAN-SPAM Act (United States): Clear identification of commercial emails, accurate header information, physical postal address in all emails, honour opt-out requests within 10 business days
GDPR (European Union): Explicit consent required before sending marketing emails, clear purpose disclosure, right to withdraw consent
PECR (United Kingdom): Opt-in consent for electronic marketing, clear identification of sender, easy opt-out mechanism
CASL (Canada): Express consent for commercial electronic messages, identification of sender, unsubscribe mechanism in every message

Company Contact Information

As required by CAN-SPAM and other anti-spam regulations, our physical postal address appears in all marketing emails:

OPTFLOW AI LIMITED (trading as Due Agent)
43 Fairfoot Road, London, England, E3 4EG
Company Number: 14990157
Email: privacy@dueagent.com

11a.5 Bounce and Complaint Management

We actively monitor and manage email deliverability to maintain our sender reputation and comply with anti-spam best practices:

Hard Bounces: Email addresses that permanently fail delivery (invalid, non-existent domains) are immediately added to our suppression list
Soft Bounces: Temporary delivery failures (full inbox, server issues) are retried according to best practices, then suppressed after repeated failures
Spam Complaints: When a recipient marks an email as spam, their address is immediately and permanently added to our suppression list
Feedback Loops: We participate in ISP feedback loops to receive complaint notifications and honour unsubscribe requests
Suppression List: Maintained indefinitely to prevent sending to addresses that have bounced, complained, or unsubscribed

For Users Sending Payment Reminders

12. Data Breach Notification

In the unlikely event of a data breach, we will:

Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
Notify affected users without undue delay if there is a high risk to your rights (GDPR Article 34)
Provide details about the nature of the breach, affected data, and mitigation steps
Document all breaches in our internal breach log

13. Automated Decision-Making and Profiling

We use AI technology (Google Vertex AI) to generate personalised email content for payment reminders. This processing does not constitute automated decision-making as defined by GDPR Article 22, as:

You retain full control over the email content before it is sent
The AI assists with drafting, but does not make legal or financial decisions
No decisions are made that produce legal effects or similarly significantly affect you
You can review, modify, or reject any AI-generated content

14. Children's Privacy

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email at least 30 days before changes take effect
Request your consent if required by law

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@dueagent.com

Data Protection Officer: dpo@dueagent.com

Privacy Settings: /dashboard/settings/privacy

17. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

UK Users

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

EU Users

Contact your national supervisory authority:

European Data Protection Board - Member List