Privacy Policy

Paidflo

Effective date: April 11, 2025

Last updated: April 11, 2025


1. Introduction

Paidflo ("we", "us", or "our") operates paidflo.com (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service.

We are committed to protecting your privacy and handling your data transparently and responsibly. Please read this policy carefully.

By using the Service, you agree to the collection and use of your information as described in this Privacy Policy.

2. Data Controller

Paidflo operates as the data controller for personal data collected through the Service, operating under the laws of the Hong Kong Special Administrative Region. For privacy-related enquiries, contact us at support@paidflo.com.

3. Information We Collect

3.1 Information You Provide Directly

Account information

  • Name, email address, and password when you register
  • Business name, address, phone number, and logo when you set up your profile
  • Tax ID or VAT number if you choose to add it

Invoice data

  • Client names, email addresses, and billing addresses
  • Invoice items, descriptions, amounts, and tax rates
  • Payment details and notes you add to invoices

Payment information

  • We do not store your credit card or payment details. All payment processing is handled by Paddle, our payment processor. See Section 7 for details.

Communications

  • Messages you send to our support team

3.2 Information Collected Automatically

Usage data

  • Pages visited, features used, and actions taken within the Service
  • Invoice creation counts, send events, and other feature interactions

Technical data

  • IP address, browser type and version, operating system
  • Device type and screen resolution
  • Referring URL and exit pages
  • Session timestamps and duration

Cookies and similar technologies

  • Authentication cookies to keep you logged in (session management)
  • Preference cookies to remember your settings
  • We do not use third-party advertising or tracking cookies

See Section 9 for our full Cookie Policy.

3.3 Invoice Open Tracking (Tracking Pixel)

When you send an invoice to a client using Paidflo, the invoice email contains a tracking pixel — a 1×1 transparent image — that allows us to detect when the email has been opened. When your client opens the email, the following data is recorded:

  • Date and time the email was opened
  • Approximate IP address of the email client
  • User agent (email client and device information)

Important limitations: Some email clients, including Apple Mail with Mail Privacy Protection enabled, may block or pre-load tracking pixels, which can result in inaccurate open data. We disclose this limitation clearly in our Help Center.

Your clients are not required to consent to tracking as the tracking pixel is a standard industry practice for email open detection. However, you are responsible for ensuring your use of this feature complies with applicable laws in your clients' jurisdictions.

4. How We Use Your Information

We use the information we collect to:

Purpose | Legal Basis (GDPR)
Provide, operate, and maintain the Service | Contract performance
Process your subscription and payments | Contract performance
Send invoices and reminders on your behalf | Contract performance
Send transactional emails (account verification, password reset) | Contract performance
Detect and prevent fraud and abuse | Legitimate interests
Monitor and improve Service performance and reliability | Legitimate interests
Respond to your support requests | Contract performance / Legitimate interests
Send product updates and feature announcements | Legitimate interests (opt-out available)
Comply with legal obligations | Legal obligation

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

5. Information We Share

We share your information only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

Provider | Purpose | Data Shared
Supabase | Database, authentication, file storage | Account data, invoice data
Resend | Email delivery | Email addresses, invoice content
Paddle | Payment processing, subscription management | Name, email, billing information
Sentry | Error monitoring and debugging | Error logs, anonymised usage data
Vercel | Website hosting and infrastructure | Request logs, IP addresses

All service providers are contractually required to handle your data in accordance with applicable data protection laws and only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests from public authorities (such as a court or government agency).

5.3 Business Transfers

If Paidflo is involved in a merger, acquisition, or sale of all or part of its assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Your Client Data

When you use Paidflo to create invoices and send them to your clients, you are responsible for the personal data of your clients that you enter into the Service. In this context:

  • You are the data controller for your clients' personal data
  • We are the data processor acting on your instructions

You are responsible for ensuring you have the right to collect and process your clients' personal data, and that your use of the Service complies with applicable data protection laws in the jurisdictions where your clients are located.

We process your clients' data only to provide the Service to you (sending invoices, tracking opens, sending payment reminders) and do not use your clients' data for any other purpose.

7. Payment Data

All payment processing is handled by Paddle (paddle.com), who acts as the Merchant of Record for all transactions. When you purchase a Paidflo subscription:

  • Your payment details (credit card number, billing address) are collected and stored by Paddle, not by Paidflo
  • Paddle is responsible for the security and compliance of all payment data
  • We receive only confirmation of successful payment and your subscription status from Paddle

Please refer to Paddle's Privacy Policy at paddle.com/privacy for details on how Paddle handles your payment information.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Service.

Data Type | Retention Period
Account information | Until account deletion + 30 days
Invoice data | Until account deletion + 30 days
Client data | Until account deletion + 30 days
Payment records | 7 years (legal/tax requirement)
Email open tracking logs | 24 months
Error logs (Sentry) | 90 days
Server access logs | 30 days

When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or tax compliance purposes.

9. Cookie Policy

9.1 What Are Cookies

Cookies are small text files stored on your device by your browser. We use cookies to operate the Service and improve your experience.

9.2 Cookies We Use

Cookie | Type | Purpose | Duration
Session cookie | Essential | Keeps you logged in | Session
Auth token | Essential | Authenticates your account | 60 days
Preference cookie | Functional | Remembers your settings | 1 year

9.3 What We Don't Use

We do not use:

  • Advertising or targeting cookies
  • Third-party tracking cookies
  • Social media tracking pixels

9.4 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using the Service.

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:

Right | Description
Right of Access | Request a copy of the personal data we hold about you
Right to Rectification | Request correction of inaccurate or incomplete data
Right to Erasure | Request deletion of your personal data (“right to be forgotten”)
Right to Restriction | Request that we restrict processing of your data in certain circumstances
Right to Data Portability | Receive your data in a structured, machine-readable format
Right to Object | Object to processing based on legitimate interests
Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent
Right to Lodge a Complaint | Lodge a complaint with your local data protection authority

How to Exercise Your Rights

To exercise any of these rights, contact us at support@paidflo.com. We will respond within 30 days. We may need to verify your identity before processing your request.

Data Export

You can export all your invoice data at any time from your account settings (Settings → Export Data). This is available to all users regardless of plan.

Account Deletion

You can delete your account at any time from your account settings (Settings → Delete Account). Deletion permanently removes your data within 30 days.

11. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States and Hong Kong. These countries may have different data protection laws.

Where we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally recognised transfer mechanisms

Our primary infrastructure providers (Supabase, Vercel) maintain appropriate certifications and data processing agreements.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • All data is encrypted in transit using TLS (HTTPS)
  • All data is encrypted at rest
  • Database access is controlled by Row Level Security (RLS) policies
  • Authentication is handled by Supabase Auth with industry-standard practices
  • Access to production systems is restricted to authorised personnel only
  • We use Sentry for error monitoring, with personally identifiable information filtered from error reports

No method of transmission over the internet or electronic storage is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

13. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@paidflo.com and we will take steps to delete it.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of your personal information.

We do not sell your personal information. To exercise your rights, contact us at support@paidflo.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Sending an email to the address associated with your account
  • Posting a prominent notice on the Service

We will provide at least 14 days' notice before changes take effect. The “Last updated” date at the top of this policy reflects the date of the most recent revision. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

16. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@paidflo.com

Website: paidflo.com

We aim to respond to all privacy-related enquiries within 5 business days.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. In Hong Kong, this is the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact your local data protection authority.