Privacy Policy

2. How we use your information

We use information collected through the Service exclusively to:

• — Operate invoice tracking and accounts receivable workflows
• — Synchronize data with connected accounting providers you have authorized
• — Execute payment reconciliation and dunning automation sequences
• — Manage your subscription and process billing
• — Send transactional communications (invoice reminders, payment confirmations, account notices)
• — Provide customer support and respond to your inquiries
• — Maintain platform security, detect fraud, and comply with legal obligations
• — Improve the Service through aggregated, de-identified usage analytics

We do not use your accounting data for advertising, profiling, or any purpose beyond delivering the specific features you have activated.

3. Data storage & security

Your data is stored in Supabase, a managed PostgreSQL platform with enterprise-grade security controls. We enforce the following safeguards:

• — Encryption at rest (AES-256) for all stored data
• — Encryption in transit (TLS 1.2 or higher) for all data transfers
• — Row-level security (RLS) policies restricting data access to authorized workspace operators
• — OAuth tokens stored encrypted and never exposed in plaintext
• — Multi-factor authentication enforced at the platform level
• — Access to production data limited to authorized personnel on a need-to-know basis

No security measure is perfect. In the event of a data breach affecting your personal information, we will notify affected users and, where required by GDPR Article 33, the relevant supervisory authority within 72 hours of becoming aware of the breach.

4. Third-party sharing

We share your information only with the following categories of parties:

• Accounting providers — Data is transmitted to QuickBooks, Xero, FreshBooks, or other connected providers only as authorized by you through the OAuth consent flow. We write back to your accounting system only the data you explicitly direct the Service to sync.
• Stripe— For subscription billing and payment processing. Stripe’s own privacy policy governs data it processes as the payment processor.
• Supabase — For database hosting and authentication infrastructure.
• Resend — For transactional email delivery (invoice reminders, account notices). Email content is transmitted only as needed to deliver messages you trigger.
• Legal & compliance — We may disclose information where required by law, court order, or to protect our legal rights or the safety of users.

We do not sell, rent, or broker your personal information or your accounting data to any third party for their own marketing or commercial purposes.

5. Data retention

We retain your account and business data for as long as your workspace subscription is active and for a reasonable period thereafter to allow you to export your records. Specifically:

• — Active account data is retained for the duration of your subscription
• — After cancellation, data is retained for up to 90 days to enable export
• — Upon verified deletion request, personal data is purged within 30 days, subject to legal hold obligations
• — OAuth access and refresh tokens are revoked and deleted upon integration disconnection or account deletion
• — Invoice and payment records may be retained for up to 7 years to meet applicable financial recordkeeping requirements
• — Aggregated, de-identified analytics data is retained for up to 24 months

7. Cookies & tracking

We use cookies and similar technologies to maintain your authenticated session and to support core Service functionality. Specifically:

• Session cookies — Required for authentication and to keep you signed in during a session. These expire when you close your browser or sign out.
• Persistent cookies — Used to remember workspace preferences and authentication state across sessions. You may clear these via your browser settings, which will require you to sign in again.
• Analytics — We may use privacy-respecting analytics to understand feature usage in aggregate. We do not use third-party advertising or behavioral tracking cookies.

8. CCPA & GDPR

California residents (CCPA):You have the right to know what personal information we collect and how we use it, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right not to be discriminated against for exercising these rights. To submit a request, email info@revenueap.com with subject line “CCPA Request.”

EEA/UK users (GDPR): Where GDPR applies, our lawful basis for processing your personal data is primarily contractual necessity (to deliver the Service you subscribed to) and legitimate interests (security and fraud prevention). You have rights of access, rectification, erasure, restriction, portability, and objection. Contact info@revenueap.com to exercise these rights. You also have the right to lodge a complaint with your local data protection authority (DPA).

9. Children’s privacy

The Service is intended for business use by adults and is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at info@revenueap.com and we will take prompt steps to delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes we will notify you via email or in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

Continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.