Privacy Policy

Last updated: February 28, 2026

Introduction

This Privacy Policy ("Policy") explains how Fapbric Technology Solutions ("Company," "we," "us," or "our"), operating the DueDrop service, collects, uses, shares, and protects your personal information when you use our website, application, and related services (collectively, the "Service").

By using DueDrop, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use the Service.

We are committed to transparency about our data practices. This Policy is designed to help you understand exactly what data we collect, why we collect it, who we share it with, and what rights you have.

1. Information We Collect

Account Information

Information you provide when creating and managing your account:

  • Full name, email address, and password
  • Business name, phone number, and address (optional)
  • Profile preferences and settings
  • Voice Profile data (communication style preferences and writing samples you provide)

Billing Information

  • Subscription plan selection and billing history
  • Payment card and billing details are processed and stored exclusively by Stripe, our third-party payment processor; DueDrop does not store your credit card numbers or bank account details
  • We receive from Stripe: last four digits of your card, card brand, expiration date, billing address, and payment status

Business Data from Accounting Software

When you connect your accounting software (Xero, QuickBooks, FreshBooks) via OAuth, DueDrop establishes an authorized connection to periodically sync invoice and contact data. We access:

  • Invoice data: Invoice numbers, amounts, due dates, payment status, line item descriptions, and invoice history
  • Client/contact data: Client business names, contact names, email addresses, and phone numbers
  • Organization data: Your business name and basic organization details from your accounting platform

Specific OAuth scopes by provider:

  • Xero: accounting.transactions, accounting.contacts, accounting.settings, accounting.attachments, offline_access
  • QuickBooks (Intuit): com.intuit.quickbooks.accounting
  • FreshBooks: User profile reading, invoice reading/writing, client reading/writing

We do NOT access: bank account details, payroll information, tax filings, employee records, profit and loss statements, or any financial data beyond what is necessary to identify and track invoices. This data is synced periodically and can be manually refreshed. You may disconnect any accounting integration at any time, which revokes the OAuth connection.

Email Data

When you connect your email account via OAuth, DueDrop establishes an authorized connection to send emails from your account and read email threads for AI conversation context. We currently support Gmail, Outlook, Zoho Mail, Yahoo Mail, and custom SMTP. We access:

  • OAuth tokens: Encrypted credentials that authorize DueDrop to act on your behalf. Gmail uses gmail.modify, contacts.readonly, userinfo.email, and userinfo.profile scopes. Outlook uses Microsoft Graph Mail.ReadWrite and Mail.Send scopes. Other providers use equivalent minimal scopes
  • Email content: Sent email content (subject lines and body text) for display in your DueDrop dashboard and for AI conversation context
  • Email metadata: Recipient addresses, timestamps, delivery status, and message IDs
  • Tracking data: Email open events (via tracking pixel) and link click events (via click tracking redirects)
  • Contacts (Gmail only): Read-only access to contacts for recipient auto-complete suggestions

All OAuth tokens for all providers are encrypted using AES-256-GCM before storage. You may disconnect any email integration at any time, which revokes the OAuth connection and queues token deletion.

Usage and Technical Data

  • How you interact with the Service (features used, pages visited, actions taken)
  • Device information (browser type, operating system, screen resolution)
  • IP address and approximate geographic location
  • Log data, error reports, and performance metrics
  • Referral source (how you found DueDrop)

2. Cookies and Tracking Technologies

DueDrop uses a limited number of cookies and similar technologies. We do not use advertising or third-party marketing cookies.

Cookie/Technology | Purpose | Type | Duration
Supabase Auth Token | Authentication session management | Essential | Session / 7 days
Supabase Refresh Token | Maintains login state across sessions | Essential | 30 days
User Preferences | Stores UI settings (theme, sidebar state) | Functional | 1 year
Email Tracking Pixel | Detects when a reminder email is opened (1x1 transparent image) | Analytics | N/A (one-time request)
Click Tracking Redirect | Records link clicks in reminder emails before redirecting to destination | Analytics | N/A (one-time redirect)

Note: We plan to implement product analytics (PostHog) in the future. This Policy will be updated before any analytics tracking is activated. Currently, no third-party analytics cookies are in use.

3. How We Use Your Information

  • Service Delivery: To provide and operate DueDrop's invoice reminder automation, including syncing invoices, generating AI emails, and sending reminders
  • AI Email Generation: To send invoice and client context to AI providers for generating personalized payment reminder emails (see Section 4)
  • Email Tracking: To provide you with analytics on email opens and link clicks
  • Payment Processing: To process subscription payments and manage billing
  • Customer Support: To respond to your questions, troubleshoot issues, and provide technical assistance
  • Service Improvement: To analyze usage patterns, diagnose technical issues, and develop new features
  • Security: To detect and prevent fraud, abuse, unauthorized access, and other security threats
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Communications: To send important service updates, account notifications, and (with your consent) marketing communications

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your data based on the following legal grounds:

Purpose | Legal Basis
Service delivery (reminders, syncing, AI generation) | Performance of contract (Article 6(1)(b))
Payment processing | Performance of contract (Article 6(1)(b))
AI email generation | Performance of contract (Article 6(1)(b))
Email open and click tracking | Legitimate interest (Article 6(1)(f))
Security and fraud prevention | Legitimate interest (Article 6(1)(f))
Service improvement and analytics | Legitimate interest (Article 6(1)(f))
Marketing communications | Consent (Article 6(1)(a)) — opt-out available
Legal compliance | Legal obligation (Article 6(1)(c))

4. AI Processing Disclosure

DueDrop uses third-party AI providers to generate personalized payment reminder emails. We believe in full transparency about what data is processed by AI systems and how.

AI Providers

We use the following AI providers: OpenAI, Anthropic, and Google Gemini. The provider used may vary based on availability, performance, and feature requirements.

Data Sent to AI Providers

When generating a payment reminder email, the following data is sent to the AI provider via API:

  • Invoice details: Invoice number, amount due, due date, days overdue, and payment status
  • Client information: Client business name and contact person's name
  • Your information: Your name, business name, email address, and optionally your phone number
  • Conversation context: Snippets from previous emails in the thread (if available) to maintain conversational continuity
  • Voice Profile: Your custom communication style preferences (tone, formality, writing samples)
  • Custom instructions: Any per-invoice or per-rule notes you provide

How AI Providers Handle Your Data

  • We use AI provider APIs under terms that prohibit the use of your data for model training
  • Data is sent via encrypted API calls, processed in real-time, and not retained by AI providers beyond what is necessary for abuse monitoring (typically up to 30 days per provider policies)
  • DueDrop does not train its own AI models on your data
  • We do not sell, share, or provide your data to AI providers for any purpose other than generating the specific email content you requested

5. Email Tracking Technologies

DueDrop includes tracking technologies in emails sent through the Service to provide you with delivery and engagement analytics:

Open Tracking

A 1x1 transparent pixel image is embedded in HTML emails. When the recipient's email client loads this image, it sends a request to our servers, recording an "open" event with the timestamp. This tracking is not 100% accurate, as some email clients block image loading by default.

Click Tracking

Links in emails are routed through DueDrop's tracking server. When a recipient clicks a link, the click is recorded before the recipient is immediately redirected to the original destination URL. Mailto links and anchor links are not tracked.

Your Controls

  • You can disable open tracking and/or click tracking in your account settings
  • When tracking is disabled, emails are sent without the tracking pixel and without link wrapping
  • You are responsible for disclosing email tracking to recipients if required by applicable law in your jurisdiction

6. OAuth Token Handling

When you connect third-party services (Gmail, Outlook, Xero, QuickBooks, FreshBooks), DueDrop stores OAuth tokens to maintain authorized access. Here is how we protect these credentials:

  • Encryption at rest: All OAuth tokens are encrypted using AES-256-GCM authenticated encryption before being stored in the database
  • Key separation: Encryption keys are stored separately from the database and are not accessible through the application's database layer
  • Minimal access: Tokens are used only for the specific authorized actions you configure (e.g., sending emails, syncing invoices)
  • Automatic refresh: Access tokens are automatically refreshed as needed, without requiring you to re-authenticate
  • Revocable: You can disconnect any integration at any time through DueDrop's integrations page, which revokes the token
  • Deletion: All OAuth tokens are deleted upon account termination, within 30 days

7. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal information. We share your data only with the following categories of service providers ("sub-processors") as necessary to operate the Service:

Sub-Processor | Purpose | Data Shared | Location
Supabase | Database hosting and authentication | All user and application data | US (AWS)
Stripe | Payment processing | Billing information, email, name | US
OpenAI | AI email generation | Invoice, client, and user context (see Section 4) | US
Anthropic | AI email generation | Invoice, client, and user context (see Section 4) | US
Google Gemini | AI email generation | Invoice, client, and user context (see Section 4) | US
Google Gmail API | Email sending and reading | Email content, recipients, OAuth tokens | US
Microsoft Graph API | Outlook/Microsoft 365 email sending and reading | Email content, recipients, OAuth tokens (Mail.ReadWrite, Mail.Send scopes) | US
Zoho Mail API | Email sending and reading (if connected) | Email content, recipients, OAuth tokens | Various (global)
Yahoo Mail API | Email sending and reading (if connected) | Email content, recipients, OAuth tokens | US
Xero | Accounting data sync | OAuth tokens; invoice data is read from Xero | Various (global)
QuickBooks (Intuit) | Accounting data sync | OAuth tokens; invoice data is read from QuickBooks | US
FreshBooks | Accounting data sync | OAuth tokens; invoice data is read from FreshBooks | Canada/US

Other Disclosure

  • Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental request, or to protect our rights, safety, or the safety of our users
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this Policy
  • With Your Consent: We may share information with third parties when you explicitly consent to such sharing

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Data stored in our database is encrypted at rest using AES-256 encryption
  • Token Encryption: OAuth tokens and other sensitive credentials are encrypted using AES-256-GCM authenticated encryption with randomly generated initialization vectors and separate key storage
  • Row-Level Security: Our database (Supabase/PostgreSQL) enforces row-level security policies, ensuring users can only access their own data
  • Access Controls: Strict access controls with the principle of least privilege for all team members
  • Regular Security Reviews: We conduct regular security assessments of our systems and code
  • Encrypted Backups: Database backups are encrypted and stored securely
  • Breach Notification: In the event of a data breach affecting your personal information, we commit to notifying affected users within 72 hours of becoming aware of the breach, in accordance with GDPR and applicable law

While we take every reasonable precaution to protect your data, no method of electronic transmission or storage is 100% secure. We continuously monitor and improve our security practices.

9. Data Retention

We retain your data only for as long as necessary to provide the Service and fulfill the purposes described in this Policy. Our specific retention periods are:

Data Type | Retention Period
Active account data | Duration of your account
Email history and sending logs | 3 months
Invoice sync logs | 3 months
Activity and usage logs | 6 months
Webhook delivery logs | 1 month
Administrative audit trail | 12 months
Cancelled/terminated account data | Deleted within 30 days of termination
Encrypted backup data | Up to 90 days after account deletion
Billing and tax records | Up to 7 years (as required by tax law)

After the retention period expires, data is permanently deleted through automated cleanup processes. You may request earlier deletion of your data by contacting us (subject to legal retention requirements).

10. Your Rights and Controls

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Request a copy of your data in a structured, machine-readable format
  • Restriction: Request that we restrict the processing of your personal data in certain circumstances
  • Objection: Object to processing of your personal data based on legitimate interest
  • Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal)
  • Opt-Out: Unsubscribe from marketing communications at any time using the link in any marketing email or by contacting us

To exercise any of these rights, contact us at privacy@duedrop.app. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

11. Information for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent local laws:

Your Additional Rights

  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we are processing your personal data unlawfully
  • Right not to be subject to automated decision-making: DueDrop does not make automated decisions with legal or similarly significant effects on you. While the Service automates email sending based on rules you configure, this automation is under your control and can be modified or disabled at any time. AI-generated email content can be reviewed before sending

Legal Bases for Processing

See Section 3 above for a detailed table of processing purposes and their corresponding legal bases under GDPR Article 6.

International Data Transfers

DueDrop is operated from and processes data primarily in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards for such transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
  • Contractual data protection obligations with all sub-processors
  • Technical and organizational security measures as described in Section 8

Contact for Privacy Inquiries

For GDPR-related inquiries or to exercise your rights, contact us at privacy@duedrop.app. We will respond within 30 days of receiving your request.

12. Information for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: Name, email address, IP address, account ID
  • Commercial information: Subscription records, billing history, invoice data from connected accounting software
  • Internet/electronic activity: Browsing activity on our Service, feature usage, email tracking data
  • Professional information: Business name, business email, job-related contact details
  • Inferences: Communication style preferences derived from Voice Profile settings you provide

Your CCPA Rights

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction)
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: DueDrop does NOT sell your personal information and does NOT share your personal information for cross-context behavioral advertising. No opt-out is necessary because we do not engage in these practices
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

How to Exercise Your Rights

To submit a CCPA request, contact us at privacy@duedrop.app. You may also designate an authorized agent to make a request on your behalf; the agent must provide proof of authorization. We will verify your identity before processing any request.

13. Google API Services User Data Policy Compliance

DueDrop's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • DueDrop only uses access to Google user data to provide and improve the Service's email sending and reading functionality as described in this Policy
  • DueDrop does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising
  • DueDrop does not allow humans to read your Google user data unless: (a) you provide affirmative consent for specific messages (e.g., for customer support debugging), (b) it is necessary for security purposes (investigating abuse or security incidents), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
  • DueDrop does not transfer Google user data to third parties except: (a) as necessary to provide the Service (e.g., AI email generation via API), (b) as necessary for security purposes, (c) to comply with applicable law, or (d) as part of a merger or acquisition (with the same data protections)
  • DueDrop stores Google OAuth tokens encrypted at rest (AES-256-GCM) and uses them only for the authorized scopes you approved during the OAuth consent flow

14. International Data Transfers

DueDrop is headquartered in and operates primarily from the United States. Our database infrastructure is hosted on AWS in the United States via Supabase. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all sub-processors that include appropriate data protection provisions
  • Technical and organizational security measures to protect your data during and after transfer

By using the Service, you acknowledge that your data will be processed in the United States, which may have different data protection laws than your country of residence.

15. Children's Privacy

DueDrop is a business-to-business service and is not designed for or directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@duedrop.app.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email to the address associated with your account
  • Displaying a prominent notice within the Service
  • Updating the "Last updated" date at the top of this Policy

For material changes, we will provide at least 30 days' notice before the changes take effect. Your continued use of DueDrop after the updated Policy becomes effective constitutes your acceptance of the changes. If you do not agree to the updated Policy, you should stop using the Service and may terminate your account.

17. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.