Privacy Policy - DueDrop

Introduction

This Privacy Policy ("Policy") explains how Fapbric Technology Solutions ("Company," "we," "us," or "our"), operating the DueDrop service, collects, uses, shares, and protects your personal information when you use our website, application, and related services (collectively, the "Service").

By using DueDrop, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use the Service.

We are committed to transparency about our data practices. This Policy is designed to help you understand exactly what data we collect, why we collect it, who we share it with, and what rights you have.

Data Controller and Data Processor Roles

For your personal data: Fapbric Technology Solutions is the data controller. We determine how and why your account information, usage data, and billing information are processed.

For your clients' data: When you use DueDrop to manage invoices and send payment reminders to your clients, you are the data controller for your clients' personal data (such as their names, email addresses, and invoice details). DueDrop acts as a data processor on your behalf, processing this data only as necessary to provide the Service. You are responsible for ensuring you have a lawful basis to share your clients' data with DueDrop and to send them communications.

If you require a formal Data Processing Agreement ("DPA"), please contact us at hello@duedropin.com.

1. Information We Collect

Account Information

Information you provide when creating and managing your account:

Full name, email address, and password
Business name, phone number, and address (optional)
Profile preferences and settings
Voice Profile data (communication style preferences and writing samples you provide)

Billing Information

Subscription plan selection and billing history
Payment card and billing details are processed and stored exclusively by Stripe, our third-party payment processor; DueDrop does not store your credit card numbers or bank account details
We receive from Stripe: last four digits of your card, card brand, expiration date, billing address, and payment status

Business Data from Accounting Software

When you connect your accounting software (Xero, QuickBooks, FreshBooks) via OAuth, DueDrop establishes an authorized connection to periodically sync invoice and contact data. We access:

Invoice data: Invoice numbers, amounts, due dates, payment status, line item descriptions, and invoice history
Client/contact data: Client business names, contact names, email addresses, and phone numbers
Organization data: Your business name and basic organization details from your accounting platform

Specific OAuth scopes by provider:

Xero: accounting.transactions, accounting.contacts, accounting.settings, accounting.attachments, offline_access
QuickBooks (Intuit): com.intuit.quickbooks.accounting
FreshBooks: User profile reading, invoice reading/writing, client reading/writing

We do NOT access: bank account details, payroll information, tax filings, employee records, profit and loss statements, or any financial data beyond what is necessary to identify and track invoices. This data is synced periodically and can be manually refreshed. You may disconnect any accounting integration at any time, which revokes the OAuth connection.

Email Data

When you connect your email account via OAuth, DueDrop establishes an authorized connection to send emails from your account and read email threads for AI conversation context. We currently support Gmail, Outlook, Zoho Mail, Yahoo Mail, and custom SMTP. We access:

OAuth tokens: Encrypted credentials that authorize DueDrop to act on your behalf. Gmail uses gmail.readonly, gmail.send, and userinfo.email scopes. Outlook uses Microsoft Graph Mail.ReadWrite and Mail.Send scopes. Other providers use equivalent minimal scopes
Email content: Sent email content (subject lines and body text) for display in your DueDrop dashboard and for AI conversation context
Email metadata: Recipient addresses, timestamps, delivery status, and message IDs
Tracking data: Email open events (via tracking pixel) and link click events (via click tracking redirects)
Contacts (Gmail only): Read-only access to contacts for recipient auto-complete suggestions

All OAuth tokens for all providers are encrypted using AES-256-GCM before storage. You may disconnect any email integration at any time, which revokes the OAuth connection and queues token deletion.

Usage and Technical Data

How you interact with the Service (features used, pages visited, actions taken)
Device information (browser type, operating system, screen resolution)
IP address and approximate geographic location
Log data, error reports, and performance metrics
Referral source (how you found DueDrop)

2. Cookies and Tracking Technologies

DueDrop uses a limited number of cookies and similar technologies. We do not use advertising or third-party marketing cookies.

Cookie/Technology	Purpose	Type	Duration
Supabase Auth Token	Authentication session management	Essential	Session / 7 days
Supabase Refresh Token	Maintains login state across sessions	Essential	30 days
User Preferences	Stores UI settings (theme, sidebar state)	Functional	1 year
Email Tracking Pixel	Detects when a reminder email is opened (1x1 transparent image)	Analytics	N/A (one-time request)
Click Tracking Redirect	Records link clicks in reminder emails before redirecting to destination	Analytics	N/A (one-time redirect)

Note: We plan to implement product analytics (PostHog) in the future. This Policy will be updated before any analytics tracking is activated. Currently, no third-party analytics cookies are in use.

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, DueDrop does not currently respond to DNT browser signals. However, as noted above, we do not use third-party advertising or marketing tracking cookies. You can control cookie behavior through your browser settings, and you can disable email tracking features (open tracking and click tracking) in your DueDrop account settings.

3. How We Use Your Information

Service Delivery: To provide and operate DueDrop's invoice reminder automation, including syncing invoices, generating AI emails, and sending reminders
AI Email Generation: To send invoice and client context to AI providers for generating personalized payment reminder emails (see Section 4)
Email Tracking: To provide you with analytics on email opens and link clicks
Payment Processing: To process subscription payments and manage billing
Customer Support: To respond to your questions, troubleshoot issues, and provide technical assistance
Service Improvement: To analyze usage patterns, diagnose technical issues, and develop new features
Security: To detect and prevent fraud, abuse, unauthorized access, and other security threats
Legal Compliance: To comply with applicable laws, regulations, and legal processes
Communications: To send important service updates, account notifications, and (with your consent) marketing communications

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your data based on the following legal grounds:

Purpose	Legal Basis
Service delivery (reminders, syncing, AI generation)	Performance of contract (Article 6(1)(b))
Payment processing	Performance of contract (Article 6(1)(b))
AI email generation	Performance of contract (Article 6(1)(b))
Email open and click tracking	Legitimate interest (Article 6(1)(f))
Security and fraud prevention	Legitimate interest (Article 6(1)(f))
Service improvement and analytics	Legitimate interest (Article 6(1)(f))
Marketing communications	Consent (Article 6(1)(a)) — opt-out available
Legal compliance	Legal obligation (Article 6(1)(c))

4. AI Processing Disclosure

DueDrop uses third-party AI providers to generate personalized payment reminder emails. We believe in full transparency about what data is processed by AI systems and how.

AI Providers

We use the following AI providers: OpenAI, Anthropic, and Google Gemini. The provider used may vary based on availability, performance, and feature requirements.

Data Sent to AI Providers

When generating a payment reminder email, the following data is sent to the AI provider via API:

Invoice details: Invoice number, amount due, due date, days overdue, and payment status
Client information: Client business name and contact person's name
Your information: Your name, business name, email address, and optionally your phone number
Conversation context: Snippets from previous emails in the thread (if available) to maintain conversational continuity
Voice Profile: Your custom communication style preferences (tone, formality, writing samples)
Custom instructions: Any per-invoice or per-rule notes you provide

How AI Providers Handle Your Data

We use AI provider APIs under terms that prohibit the use of your data for model training
Data is sent via encrypted API calls, processed in real-time, and not retained by AI providers beyond what is necessary for abuse monitoring (typically up to 30 days per provider policies)
DueDrop does not train its own AI models on your data
We do not sell, share, or provide your data to AI providers for any purpose other than generating the specific email content you requested

5. Email Tracking Technologies

DueDrop includes tracking technologies in emails sent through the Service to provide you with delivery and engagement analytics:

Open Tracking

A 1x1 transparent pixel image is embedded in HTML emails. When the recipient's email client loads this image, it sends a request to our servers, recording an "open" event with the timestamp. This tracking is not 100% accurate, as some email clients block image loading by default.

Click Tracking

Links in emails are routed through DueDrop's tracking server. When a recipient clicks a link, the click is recorded before the recipient is immediately redirected to the original destination URL. Mailto links and anchor links are not tracked.

Your Controls

You can disable open tracking and/or click tracking in your account settings
When tracking is disabled, emails are sent without the tracking pixel and without link wrapping
You are responsible for disclosing email tracking to recipients if required by applicable law in your jurisdiction

6. OAuth Token Handling

When you connect third-party services (Gmail, Outlook, Xero, QuickBooks, FreshBooks), DueDrop stores OAuth tokens to maintain authorized access. Here is how we protect these credentials:

Encryption at rest: All OAuth tokens are encrypted using AES-256-GCM authenticated encryption before being stored in the database
Key separation: Encryption keys are stored separately from the database and are not accessible through the application's database layer
Minimal access: Tokens are used only for the specific authorized actions you configure (e.g., sending emails, syncing invoices)
Automatic refresh: Access tokens are automatically refreshed as needed, without requiring you to re-authenticate
Revocable: You can disconnect any integration at any time through DueDrop's integrations page, which revokes the token
Deletion: All OAuth tokens are deleted upon account termination, within 30 days

7. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal information. We share your data only with the following categories of service providers ("sub-processors") as necessary to operate the Service:

Sub-Processor	Purpose	Data Shared	Location
Supabase	Database hosting and authentication	All user and application data	US (AWS)
Stripe	Payment processing	Billing information, email, name	US
OpenAI	AI email generation	Invoice, client, and user context (see Section 4)	US
Anthropic	AI email generation	Invoice, client, and user context (see Section 4)	US
Google Gemini	AI email generation	Invoice, client, and user context (see Section 4)	US
Google Gmail API	Email sending and reading	Email content, recipients, OAuth tokens	US
Microsoft Graph API	Outlook/Microsoft 365 email sending and reading	Email content, recipients, OAuth tokens (Mail.ReadWrite, Mail.Send scopes)	US
Zoho Mail API	Email sending and reading (if connected)	Email content, recipients, OAuth tokens	Various (global)
Yahoo Mail API	Email sending and reading (if connected)	Email content, recipients, OAuth tokens	US
Xero	Accounting data sync	OAuth tokens; invoice data is read from Xero	Various (global)
QuickBooks (Intuit)	Accounting data sync	OAuth tokens; invoice data is read from QuickBooks	US
FreshBooks	Accounting data sync	OAuth tokens; invoice data is read from FreshBooks	Canada/US

Other Disclosure

Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental request, or to protect our rights, safety, or the safety of our users
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this Policy
With Your Consent: We may share information with third parties when you explicitly consent to such sharing

8. Data Security

We implement industry-standard security measures to protect your data:

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
Encryption at Rest: Data stored in our database is encrypted at rest using AES-256 encryption
Token Encryption: OAuth tokens and other sensitive credentials are encrypted using AES-256-GCM authenticated encryption with randomly generated initialization vectors and separate key storage
Row-Level Security: Our database (Supabase/PostgreSQL) enforces row-level security policies, ensuring users can only access their own data
Access Controls: Strict access controls with the principle of least privilege for all team members
Regular Security Reviews: We conduct regular security assessments of our systems and code
Encrypted Backups: Database backups are encrypted and stored securely
Breach Notification: In the event of a data breach affecting your personal information, we commit to notifying affected users within 72 hours of becoming aware of the breach, in accordance with GDPR and applicable law

While we take every reasonable precaution to protect your data, no method of electronic transmission or storage is 100% secure. We continuously monitor and improve our security practices.

9. Data Retention

We retain your data only for as long as necessary to provide the Service and fulfill the purposes described in this Policy. Our specific retention periods are:

Data Type	Retention Period
Active account data	Duration of your account
Email history and sending logs	3 months
Invoice sync logs	3 months
Activity and usage logs	6 months
Webhook delivery logs	1 month
Administrative audit trail	12 months
Cancelled/terminated account data	Deleted within 30 days of termination
Encrypted backup data	Up to 90 days after account deletion
Billing and tax records	Up to 7 years (as required by tax law)

After the retention period expires, data is permanently deleted through automated cleanup processes. You may request earlier deletion of your data by contacting us (subject to legal retention requirements).

10. Your Rights and Controls

Depending on your location, you may have the following rights regarding your personal information:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete personal data
Deletion: Request deletion of your personal data (subject to legal retention requirements)
Portability: Request a copy of your data in a structured, machine-readable format
Restriction: Request that we restrict the processing of your personal data in certain circumstances
Objection: Object to processing of your personal data based on legitimate interest
Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal)
Opt-Out: Unsubscribe from marketing communications at any time using the link in any marketing email or by contacting us

To exercise any of these rights, contact us at hello@duedropin.com. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

11. Information for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent local laws:

Your Additional Rights

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we are processing your personal data unlawfully
Right not to be subject to automated decision-making: DueDrop does not make automated decisions with legal or similarly significant effects on you. While the Service automates email sending based on rules you configure, this automation is under your control and can be modified or disabled at any time. AI-generated email content can be reviewed before sending

Legal Bases for Processing

See Section 3 above for a detailed table of processing purposes and their corresponding legal bases under GDPR Article 6.

International Data Transfers

DueDrop is operated from and processes data primarily in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards for such transfers through:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
Contractual data protection obligations with all sub-processors
Technical and organizational security measures as described in Section 8

Contact for Privacy Inquiries

For GDPR-related inquiries or to exercise your rights, contact us at hello@duedropin.com. We will respond within 30 days of receiving your request.

12. Information for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

Identifiers: Name, email address, IP address, account ID
Commercial information: Subscription records, billing history, invoice data from connected accounting software
Internet/electronic activity: Browsing activity on our Service, feature usage, email tracking data
Professional information: Business name, business email, job-related contact details
Inferences: Communication style preferences derived from Voice Profile settings you provide

Your CCPA Rights

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction)
Right to Correct: You have the right to request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: DueDrop does NOT sell your personal information and does NOT share your personal information for cross-context behavioral advertising. No opt-out is necessary because we do not engage in these practices
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Sensitive Personal Information

Under the CPRA, "sensitive personal information" includes categories such as Social Security numbers, financial account details, precise geolocation, and certain other data. DueDrop does not collect or process sensitive personal information as defined by the CPRA, with the following limited exception: we process account login credentials (email and password) solely for account authentication purposes. We do not use sensitive personal information for any purpose beyond what is necessary to provide the Service.

How to Exercise Your Rights

To submit a CCPA request, contact us at hello@duedropin.com. You may also designate an authorized agent to make a request on your behalf; the agent must provide proof of authorization. We will verify your identity before processing any request.

13. Information for Residents of Other US States

In addition to California, several other US states have enacted comprehensive privacy laws that may grant you additional rights. If you reside in any of the following states, this section applies to you:

Covered States

Virginia — Virginia Consumer Data Protection Act (VCDPA)
Colorado — Colorado Privacy Act (CPA)
Connecticut — Connecticut Data Privacy Act (CTDPA)
Utah — Utah Consumer Privacy Act (UCPA)
Texas — Texas Data Privacy and Security Act (TDPSA)
Oregon — Oregon Consumer Privacy Act (OCPA)
Montana — Montana Consumer Data Privacy Act (MCDPA)
Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island — and other states with enacted comprehensive privacy laws

Your Rights Under These Laws

While the specifics vary by state, these laws generally provide you with rights similar to those described in our CCPA section above, including:

Right to Access: Confirm whether we are processing your personal data and access a copy of that data
Right to Correct: Request correction of inaccurate personal data
Right to Delete: Request deletion of your personal data, subject to certain exceptions
Right to Data Portability: Obtain a copy of your personal data in a portable, readily usable format
Right to Opt Out: Opt out of the sale of personal data, targeted advertising, and certain profiling. DueDrop does not sell personal data, engage in targeted advertising, or profile users for decisions that produce legal or similarly significant effects

How to Exercise Your Rights

To exercise any privacy rights available under your state's law, contact us at hello@duedropin.com. We will respond within the timeframe required by your state's law (typically 45 days, with extensions where permitted). If we decline your request, you may have the right to appeal; instructions for appealing will be provided with our response.

14. Google API Services User Data Policy Compliance

DueDrop's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

DueDrop only uses access to Google user data to provide and improve the Service's email sending and reading functionality as described in this Policy
DueDrop does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising
DueDrop does not allow humans to read your Google user data unless: (a) you provide affirmative consent for specific messages (e.g., for customer support debugging), (b) it is necessary for security purposes (investigating abuse or security incidents), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
DueDrop does not transfer Google user data to third parties except: (a) as necessary to provide the Service (e.g., AI email generation via API), (b) as necessary for security purposes, (c) to comply with applicable law, or (d) as part of a merger or acquisition (with the same data protections)
DueDrop stores Google OAuth tokens encrypted at rest (AES-256-GCM) and uses them only for the authorized scopes you approved during the OAuth consent flow

AI/ML Model Training Restriction

DueDrop does not use data obtained through Google Workspace APIs to create, train, or improve generalized artificial intelligence or machine learning models. This restriction applies to:

Raw data obtained from Google API scopes (including email content, contacts, and metadata)
Data aggregated, anonymized, or derived from Google API scopes
Any foundational or generalized AI/ML model development

While DueDrop uses third-party AI providers (OpenAI, Anthropic, Google Gemini) to generate payment reminder emails, Google user data sent to these providers is processed only for the specific, user-initiated email generation request and is not retained by AI providers for model training purposes. DueDrop uses these AI provider APIs under terms that explicitly prohibit the use of input data for model training. DueDrop does not train its own AI or ML models on any data, including Google user data.

The use of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

15. International Data Transfers

DueDrop is headquartered in and operates primarily from the United States. Our database infrastructure is hosted on AWS in the United States via Supabase. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:

EU-US Data Privacy Framework (DPF): Where applicable, we rely on sub-processors that have self-certified under the EU-US Data Privacy Framework, the UK Extension to the DPF, and/or the Swiss-US Data Privacy Framework, as recognized by the European Commission and UK government as providing adequate data protection
Standard Contractual Clauses (SCCs): We incorporate SCCs approved by the European Commission into our data processing agreements with sub-processors that do not participate in the DPF
UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to EU SCCs where required
Contractual data protection obligations with all sub-processors
Technical and organizational security measures as described in Section 8

By using the Service, you acknowledge that your data will be processed in the United States, which may have different data protection laws than your country of residence. We continuously monitor legal developments regarding international data transfers and will update our transfer mechanisms as needed to ensure compliance.

16. Third-Party Links and Services

The Service may contain links to third-party websites, services, or resources that are not owned or controlled by us. This includes links within payment reminder emails that direct recipients to your own websites or payment portals. We are not responsible for the privacy practices, content, or security of any third-party websites or services.

We encourage you to review the privacy policies of any third-party services you access through or in connection with DueDrop. Our inclusion of links to third-party services does not imply endorsement of their privacy practices.

17. Children's Privacy

DueDrop is a business-to-business service and is not designed for or directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a person under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe someone under 18 has provided us with personal information, please contact us at hello@duedropin.com.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Sending an email to the address associated with your account
Displaying a prominent notice within the Service
Updating the "Last updated" date at the top of this Policy

For material changes, we will provide at least 30 days' notice before the changes take effect. Your continued use of DueDrop after the updated Policy becomes effective constitutes your acceptance of the changes. If you do not agree to the updated Policy, you should stop using the Service and may terminate your account.

19. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

Email: hello@duedropin.com
Company: Fapbric Technology Solutions
Address: 285 West Wieuca Road Unit #5219, Atlanta, GA 30342

We aim to respond to all privacy-related inquiries within 30 days. For security vulnerabilities or data breach reports, please contact hello@duedropin.com and we will respond as quickly as possible.