Privacy Policy
Last updated April 23, 2026 · Effective October 10, 2023
Summary of Key Points
Table of Contents
- What information do we collect?
- How do we process your information?
- Legal bases for processing
- When and with whom do we share?
- AI integrations (DUPAY Connect)
- Cookies and tracking technologies
- International transfers
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect data from minors?
- Your privacy rights
- Do-Not-Track features
- United States residents
- Other regions
- Updates to this notice
- How to contact us
- Review, update, or delete your data
This privacy notice for DUPAY ("we," "us," or "our") describes how and why we collect, store, use, and share your information when you use our Services — including when you visit dupay.me or dupayme.com, access your customer dashboard, connect DUPAY to an AI client via DUPAY Connect, or engage with us in other ways.
What Information Do We Collect?
In short: We collect information you provide directly and some information automatically when you use our Services.
Information you provide
We collect personal information you voluntarily provide when you sign up, use our tools, or contact us. This may include:
- Names and email addresses
- Usernames and contact preferences
- Invoice and contract content you create using our tools
- Client names and email addresses you enter when creating invoices or contracts
Payment data. We collect data necessary to process your subscription payment. All payment processing and storage is handled by Stripe. See stripe.com/privacy.
Sensitive information. We do not process sensitive personal information.
Information collected automatically
When you visit or use our Services, we automatically collect certain technical information. This does not reveal your specific identity but includes:
- Log and usage data: IP address, browser type, pages visited, date/time stamps, features used, error reports.
- Device data: Device type, operating system, browser settings, ISP or mobile carrier.
- Location data: Approximate location derived from IP address.
- DUPAY Connect server logs: When you use DUPAY Connect, our server logs include a per-request identifier, your DUPAY account ID, and the invoice number generated. We do not log client names or email addresses provided in tool calls. Server logs are retained for 30 days then deleted automatically.
We also collect information through cookies and similar technologies — see Section 6.
How Do We Process Your Information?
In short: We process your information to deliver and improve our Services, communicate with you, and prevent fraud.
Specifically, we process your personal information to:
- Deliver our Services — generate invoices, contracts, and reports; process collection requests; authenticate your account.
- Respond to inquiries and provide support — answer your questions and resolve issues.
- Send administrative communications — service updates, policy changes, invoice confirmations, magic-link emails.
- Send marketing communications — promotional emails, if you have not opted out. You can unsubscribe at any time.
- Protect our Services — fraud monitoring, security incident detection, rate limiting.
- Analyze usage trends — understand how our Services are used so we can improve them.
- Comply with legal obligations — respond to lawful requests from authorities.
What Legal Bases Do We Rely On?
In short: We process your information only when we have a valid legal basis to do so.
If you are located in the EU, UK, or Switzerland, the GDPR requires us to state the legal basis for each processing activity:
- Consent — for marketing emails and optional features. You can withdraw consent at any time.
- Contract performance — to deliver the Services you subscribed to.
- Legitimate interests — for fraud prevention, security, product improvement, and analytics, where these interests are not outweighed by your rights.
- Legal obligation — where required to cooperate with authorities or comply with applicable law.
- Vital interests — to protect safety where necessary.
When and With Whom Do We Share Your Information?
In short: We share data with service providers who help us operate our Services. We do not sell your personal information.
We share your data with third-party service providers under written data processing agreements. They may only use your data as we instruct and are contractually required to protect it. Our current service providers are:
We may also share information in the following circumstances:
- Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- Legal requirements — when required by law, court order, or governmental authority.
AI Integrations — DUPAY Connect
In short: DUPAY Connect lets you use DUPAY tools inside Claude, ChatGPT, and other AI clients. We store only an authentication token — no conversation content is stored by DUPAY.
This section applies if you connect your DUPAY account to an AI client (such as Claude by Anthropic or ChatGPT by OpenAI) using DUPAY Connect.
What DUPAY Connect does
DUPAY Connect is an MCP (Model Context Protocol) server hosted at connect.dupay.me that allows AI clients to call DUPAY tools — such as creating invoices — on your behalf through natural conversation.
What data is involved in the connection
- Your email address — used to identify your DUPAY account during the authorization flow. We send a one-time magic link to your email to verify you.
- A Bearer access token — generated when you authorize the connection. Stored on your DUPAY account record in Zoho CRM. Used to authenticate tool calls from your AI client. Expires automatically after 90 days. You can revoke access at any time — see below.
- Account data used to fulfill tool calls — when the AI calls a DUPAY tool, the server reads your account details (name, email, saved payment instructions) from Zoho CRM to complete the request — the same data used when you access your dashboard directly.
- Invoice data you provide — when creating an invoice through an AI client, the client name, client email, line items, payment instructions, and any notes you provide are transmitted through the DUPAY Connect server and stored in Zoho CRM as part of the invoice record. This is the same data that would be stored if you created the invoice through your dashboard directly.
What DUPAY does NOT store
- We do not store the content of your AI conversations.
- We do not store prompts you send to your AI client.
- We do not access your AI chat history.
Your AI client's privacy policy
Your AI provider processes your conversation content under their own privacy policy. DUPAY is not responsible for how your AI client handles data. Please review your AI provider's privacy policy:
- Claude by Anthropic: anthropic.com/privacy
- ChatGPT by OpenAI: openai.com/privacy
Revoking AI access
To revoke your AI client's access to DUPAY Connect, disconnect the connector from within your AI client's settings, or email info(at)dupay.me and we will clear the access token from your account record. Future tool calls will then be rejected.
Important: Revoking AI access removes only the OAuth token that allows your AI client to call DUPAY tools. It does not delete your DUPAY account or any invoices, contracts, or client records already stored in your account. Those are governed by our general account data practices described in Sections 8 and 17.
Cookies and Other Tracking Technologies
In short: We use cookies to operate our Services. You can control cookies through your browser settings.
We use cookies and similar tracking technologies to collect and store information about your use of our Services. The cookies we use are limited to those necessary to operate our Services — primarily session cookies for the DUPAY Connect authorization flow (these expire when you close your browser or complete authorization). We do not use advertising or cross-site tracking cookies. Most browsers accept cookies by default; you can change your browser settings to remove or reject cookies, though this may affect certain features of our Services.
International Transfers
In short: Your information may be transferred to and processed in the United States.
Our servers are located in the United States. If you access our Services from outside the US, your information may be transferred to, stored, and processed in the US. If you are in the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (available upon request) to ensure your information receives adequate protection.
How Long Do We Keep Your Information?
In short: We keep your information only as long as necessary for the purposes described in this notice.
We retain personal information for as long as your account is active, or as required by law. Specific retention periods:
- Account and profile data — retained while your account is active, plus 90 days after closure to allow for reactivation or dispute resolution, then deleted or anonymized.
- Invoice and contract records — retained for 7 years from creation to meet tax and accounting obligations, then deleted.
- DUPAY Connect access tokens — expire automatically after 90 days, or immediately upon revocation. Stored on your Zoho account record and cleared on expiry or revocation.
- DUPAY Connect authorization codes — one-time use, expire after 15 minutes, and are stored in memory only (not persisted to disk).
- Server logs — retained for 30 days then deleted automatically via log rotation.
When we no longer have a legitimate need to process your information, we will delete or anonymize it. If deletion is not immediately possible (for example, because data is in backup archives), we will securely isolate it from further processing until deletion can occur.
How Do We Keep Your Information Safe?
In short: We use technical and organizational security measures, but no system is 100% secure.
We implement appropriate security measures including HTTPS encryption, access controls, and API authentication to protect your personal information. However, no electronic transmission over the internet can be guaranteed completely secure. Transmission of personal information to and from our Services is at your own risk; please access our Services only in a secure environment.
Do We Collect Information From Minors?
In short: No. Our Services are for users 18 and older.
We do not knowingly solicit data from or market to anyone under 18 years of age. By using our Services, you represent that you are at least 18 years old. If we learn that personal information from a user under 18 has been collected, we will deactivate the account and delete the data. Please contact us at info(at)dupay.me if you believe we have collected data from a minor.
Your Privacy Rights
In short: Depending on your location, you may have rights to access, correct, delete, or port your personal information.
Depending on applicable law, you may have the right to:
- Request access to and a copy of the personal information we hold about you
- Request correction of inaccurate data
- Request deletion of your personal information
- Restrict or object to our processing of your data
- Request portability of your data in a structured, machine-readable format
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, contact us at info(at)dupay.me or dupay.me/contact-us. We will respond in accordance with applicable law.
EU/UK residents may also lodge a complaint with their local data protection authority. Swiss residents may contact the Federal Data Protection and Information Commissioner.
Opting out of marketing emails: Click the unsubscribe link in any marketing email or contact us directly. You will continue to receive service-related communications necessary for your account.
Controls for Do-Not-Track Features
Most web browsers include a Do-Not-Track ("DNT") setting. Because no uniform standard for DNT signals has been adopted, we do not currently respond to DNT signals. If a recognized standard is adopted in the future, we will update this notice accordingly.
United States Residents
In short: California, Colorado, Connecticut, and Virginia residents have specific privacy rights under state law.
Categories of personal information collected (last 12 months)
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, IP address, account name | Yes |
| B. Personal information (CA Customer Records statute) | Name, contact information, financial information | Yes |
| C. Protected classification characteristics | Gender, date of birth | No |
| D. Commercial information | Purchase history, transaction information | No |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet / network activity | Browsing history, interactions with our Services | Yes |
| G. Geolocation data | Precise device location | No |
| H–L. All other categories | Biometric, audio/visual, employment, education, inferences, sensitive | No |
We retain categories A and B for as long as your account is active; category F for as long as your account is active.
Do we sell or share your personal information?
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We disclose personal information to service providers for business purposes as described in Section 4.
California residents — additional rights
Under the CCPA, California residents have the right to: know what personal information we collect and how we use it; request deletion of personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (not applicable — we do not sell or share); and non-discrimination for exercising privacy rights.
California residents under 18 with a registered account may request removal of publicly posted content by contacting info(at)dupay.me.
California Civil Code § 1798.83 ("Shine the Light") allows California residents to request, once per year, information about personal information disclosed to third parties for direct marketing. Contact us at info(at)dupay.me.
Colorado, Connecticut, and Virginia residents
Residents of Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA) have the right to: access, correct, delete, and port their personal data; opt out of profiling that produces legal or significant effects; and appeal our decisions. To submit a request, email info(at)dupay.me or visit dupay.me/contact-us.
We will respond to requests within 45 days (extendable by an additional 45 days where necessary). If we decline your request, you may appeal by emailing us; we will respond to appeals within 45–60 days depending on your state.
Verification
To verify your identity when you submit a privacy request, we may ask you to provide information that matches what we have on file, or contact you through a previously verified communication method. We will only use this information for verification purposes.
Other Regions
Australia
We process personal information in accordance with Australia's Privacy Act 1988. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner.
Updates to This Notice
We may update this privacy notice from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be communicated by posting a notice on our website or by emailing you directly. We encourage you to review this notice periodically.
How Can You Contact Us?
DUPAY
Email: info(at)dupay.me
Web: dupay.me/contact-us
Mail: 440 N Barranca Ave, #1981, Covina, CA 91723, United States
How Can You Review, Update, or Delete Your Data?
Based on applicable law, you may have the right to request access to, correction of, or deletion of your personal information. Submit your request at dupay.me/contact-us or email info(at)dupay.me.