Privacy Policy
Last updated June 2, 2026 · Effective October 10, 2023
Table of Contents
- What information do we collect?
- How do we process your information?
- Legal bases for processing
- When and with whom do we share?
- AI integrations (DUPAY Connect)
- Cookies and tracking technologies
- International transfers
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect data from minors?
- Your privacy rights
- Do-Not-Track features
- United States residents
- Other regions
- Updates to this notice
- How to contact us
- Review, update, or delete your data
This privacy notice for DUPAY ("we," "us," or "our") describes how and why we collect, store, use, and share your information when you use our Services — including when you visit dupay.me or dupayme.com, access your customer dashboard, connect DUPAY to an AI client via DUPAY Connect, or engage with us in other ways.
What Information Do We Collect?
In short: We collect information you provide directly and some information automatically when you use our Services.
Information you provide
We collect personal information you voluntarily provide when you sign up, use our tools, or contact us. This may include:
- Names and email addresses
- Usernames and contact preferences
- Invoice and contract content you create using our tools
- Client names and email addresses you enter when creating invoices or contracts
- Contract documents you upload when using the Contract Check Report tool
Payment data. We collect data necessary to process your subscription payment. All payment processing and storage is handled by Stripe. See stripe.com/privacy.
Sensitive information. We do not process sensitive personal information.
Information collected automatically
When you visit or use our Services, we automatically collect certain technical information. This does not reveal your specific identity but includes:
- Log and usage data: IP address, browser type, pages visited, date/time stamps, features used, error reports.
- Device data: Device type, operating system, browser settings, ISP or mobile carrier.
- Location data: Approximate location derived from IP address.
- DUPAY Connect server logs: When you use DUPAY Connect, our server logs include a per-request identifier, your DUPAY account ID, and the invoice number generated. We do not log client names or email addresses provided in tool calls. Server logs are retained for 30 days then deleted automatically.
We also collect information through cookies and similar technologies — see Section 6.
How Do We Process Your Information?
In short: We process your information to deliver and improve our Services, communicate with you, and prevent fraud.
Specifically, we process your personal information to:
- Deliver our Services — generate invoices, contracts, and reports; process collection requests; authenticate your account.
- Respond to inquiries and provide support — answer your questions and resolve issues.
- Send administrative communications — service updates, policy changes, invoice confirmations, magic-link emails.
- Send marketing communications — promotional emails, if you have not opted out. You can unsubscribe at any time.
- Protect our Services — fraud monitoring, security incident detection, rate limiting.
- Analyze usage trends — understand how our Services are used so we can improve them.
- Comply with legal obligations — respond to lawful requests from authorities.
What Legal Bases Do We Rely On?
In short: We process your information only when we have a valid legal basis to do so.
If you are located in the EU, UK, or Switzerland, the GDPR requires us to state the legal basis for each processing activity:
- Consent — for marketing emails and optional features. You can withdraw consent at any time.
- Contract performance — to deliver the Services you subscribed to.
- Legitimate interests — for fraud prevention, security, product improvement, and analytics, where these interests are not outweighed by your rights.
- Legal obligation — where required to cooperate with authorities or comply with applicable law.
- Vital interests — to protect safety where necessary.
When and With Whom Do We Share Your Information?
In short: We share data with service providers who help us operate our Services. We do not sell your personal information.
We share your data with third-party service providers under written data processing agreements. They may only use your data as we instruct and are contractually required to protect it. Our current service providers are:
We may also share information in the following circumstances:
- Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- Legal requirements — when required by law, court order, or governmental authority.
AI Integrations — DUPAY Connect
In short: DUPAY Connect is an experimental feature that lets you use DUPAY tools inside AI clients. We do not store your conversation content.
DUPAY Connect is an experimental feature that allows you to use DUPAY tools — such as creating invoices — through AI clients like Claude or ChatGPT via the Model Context Protocol (MCP).
When you authorize DUPAY Connect, we generate a bearer access token that is stored on your account and used to authenticate requests from your AI client. This token expires automatically after 90 days. Invoice data you provide through an AI client is stored in Zoho CRM the same as if you had created it through your dashboard directly.
We do not store the content of your AI conversations, your prompts, or your chat history. Your AI provider processes conversation content under their own privacy policy — see anthropic.com/privacy (Claude) or openai.com/privacy (ChatGPT) as applicable. DUPAY does not send data directly to OpenAI; any data exchange occurs under your ChatGPT account agreement.
To revoke access, disconnect the connector from within your AI client's settings or email info(at)dupay.me and we will clear the token from your account. Because DUPAY Connect is experimental, its scope and data practices may evolve — we will update this section as the feature develops.
Cookies and Other Tracking Technologies
In short: We use cookies to operate our Services. You can control cookies through your browser settings.
We use cookies and similar tracking technologies to collect and store information about your use of our Services. The cookies we use are limited to those necessary to operate our Services — primarily session cookies for the DUPAY Connect authorization flow (these expire when you close your browser or complete authorization). We do not use advertising or cross-site tracking cookies. Most browsers accept cookies by default; you can change your browser settings to remove or reject cookies, though this may affect certain features of our Services.
International Transfers
In short: Your information may be transferred to and processed in the United States.
Our servers are located in the United States. If you access our Services from outside the US, your information may be transferred to, stored, and processed in the US. If you are in the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (available upon request) to ensure your information receives adequate protection.
How Long Do We Keep Your Information?
In short: We keep your information only as long as necessary for the purposes described in this notice.
We retain personal information for as long as your account is active, or as required by law. Specific retention periods:
- Account and profile data — retained while your account is active, plus 90 days after closure to allow for reactivation or dispute resolution, then deleted or anonymized.
- Invoice and contract records — retained for 7 years from creation to meet tax and accounting obligations, then deleted.
- DUPAY Connect access tokens — expire automatically after 90 days, or immediately upon revocation. Stored on your Zoho account record and cleared on expiry or revocation.
- DUPAY Connect authorization codes — one-time use, expire after 15 minutes, and are stored in memory only (not persisted to disk).
- Server logs — retained for 30 days then deleted automatically via log rotation.
When we no longer have a legitimate need to process your information, we will delete or anonymize it. If deletion is not immediately possible (for example, because data is in backup archives), we will securely isolate it from further processing until deletion can occur.
How Do We Keep Your Information Safe?
In short: We use technical and organizational security measures, but no system is 100% secure.
We implement appropriate security measures including HTTPS encryption, access controls, and API authentication to protect your personal information. Some processing — including invoice collection workflows — runs on DUPAY-managed servers in addition to the cloud service providers listed in Section 4. However, no electronic transmission over the internet can be guaranteed completely secure. Transmission of personal information to and from our Services is at your own risk; please access our Services only in a secure environment.
Do We Collect Information From Minors?
In short: No. Our Services are for users 18 and older.
We do not knowingly solicit data from or market to anyone under 18 years of age. By using our Services, you represent that you are at least 18 years old. If we learn that personal information from a user under 18 has been collected, we will deactivate the account and delete the data. Please contact us at info(at)dupay.me if you believe we have collected data from a minor.
Your Privacy Rights
In short: Depending on your location, you may have rights to access, correct, delete, or port your personal information.
Depending on applicable law, you may have the right to:
- Request access to and a copy of the personal information we hold about you
- Request correction of inaccurate data
- Request deletion of your personal information
- Restrict or object to our processing of your data
- Request portability of your data in a structured, machine-readable format
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, contact us at info(at)dupay.me or dupayme.com/contact-us. We will respond in accordance with applicable law.
EU/UK residents may also lodge a complaint with their local data protection authority. Swiss residents may contact the Federal Data Protection and Information Commissioner.
Opting out of marketing emails: Click the unsubscribe link in any marketing email or contact us directly. You will continue to receive service-related communications necessary for your account.
Controls for Do-Not-Track Features
Most web browsers include a Do-Not-Track ("DNT") setting. Because no uniform standard for DNT signals has been adopted, we do not currently respond to DNT signals. If a recognized standard is adopted in the future, we will update this notice accordingly.
United States Residents
In short: California, Colorado, Connecticut, and Virginia residents have specific privacy rights under state law.
Categories of personal information collected (last 12 months)
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, IP address, account name | Yes |
| B. Personal information (CA Customer Records statute) | Name, contact information, financial information | Yes |
| C. Protected classification characteristics | Gender, date of birth | No |
| D. Commercial information | Purchase history, transaction information | No |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet / network activity | Browsing history, interactions with our Services | Yes |
| G. Geolocation data | Precise device location | No |
| H–L. All other categories | Biometric, audio/visual, employment, education, inferences, sensitive | No |
We retain categories A, B, and F for as long as your account is active.
Do we sell or share your personal information?
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We disclose personal information to service providers for business purposes as described in Section 4.
California residents — additional rights
Under the CCPA, California residents have the right to: know what personal information we collect and how we use it; request deletion of personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (not applicable — we do not sell or share); and non-discrimination for exercising privacy rights.
California residents under 18 with a registered account may request removal of publicly posted content by contacting info(at)dupay.me.
California Civil Code § 1798.83 ("Shine the Light") allows California residents to request, once per year, information about personal information disclosed to third parties for direct marketing. Contact us at info(at)dupay.me.
Colorado, Connecticut, and Virginia residents
Residents of Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA) have the right to: access, correct, delete, and port their personal data; opt out of profiling that produces legal or significant effects; and appeal our decisions. To submit a request, email info(at)dupay.me or visit dupayme.com/contact-us.
We will respond to requests within 45 days (extendable by an additional 45 days where necessary). If we decline your request, you may appeal by emailing us; we will respond to appeals within 45–60 days depending on your state.
Verification
To verify your identity when you submit a privacy request, we may ask you to provide information that matches what we have on file, or contact you through a previously verified communication method. We will only use this information for verification purposes.
Other Regions
Australia
We process personal information in accordance with Australia's Privacy Act 1988. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner.
Updates to This Notice
We may update this privacy notice from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be communicated by posting a notice on our website or by emailing you directly. We encourage you to review this notice periodically.
How Can You Contact Us?
DUPAY
Email: info(at)dupay.me
Mail: 440 N Barranca Ave, #1981, Covina, CA 91723, United States
How Can You Review, Update, or Delete Your Data?
Based on applicable law, you may have the right to request access to, correction of, or deletion of your personal information. Submit your request at dupayme.com/contact-us or email info(at)dupay.me.