Privacy Policy

Last updated: February 11, 2026

1. Introduction

Unpaid ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our automated invoice reminder service.

By using Unpaid, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, business name, phone number, and region/country.
  • Tax Information: Tax ID (ABN, VAT, EIN, etc.) for invoice compliance.
  • Integration Credentials: OAuth tokens for Xero, QuickBooks, and Stripe integrations.
  • Invoice Data: Invoice numbers, amounts, due dates, and customer information synced from your accounting software.
  • Customer Data: Your customers' names, email addresses, and contact information.

2.2 Information Collected Automatically

  • Email Engagement: Open rates, click rates, and delivery status of reminder emails.
  • Usage Data: Log data, device information, and how you interact with our service.
  • Payment Data: Transaction records when invoices are marked as paid.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Unpaid service
  • Send automated payment reminder emails on your behalf
  • Generate AI-powered email content using Claude (Anthropic)
  • Calculate customer trust scores and optimize reminder timing
  • Process payments and track invoice status
  • Send you service notifications and updates
  • Improve and personalize your experience
  • Comply with legal obligations

4. Data Sharing and Third Parties

We share your data with the following third-party services:

  • Anthropic (Claude): Invoice and customer data is sent to generate personalized email content. Data is not retained by Anthropic beyond the API request.
  • Email Providers (SendGrid/Resend): Customer email addresses and email content for delivery.
  • Xero/QuickBooks/Stripe: OAuth-based data synchronization for invoice management.
  • PostgreSQL (Railway): Secure database hosting for all application data.
  • Railway/Vercel: Application hosting and deployment.

We do not sell your personal information or your customers' information to third parties.

5. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest
  • OAuth 2.0 for secure third-party integrations (no password storage)
  • JWT-based authentication with short-lived access tokens
  • Regular security audits and vulnerability assessments
  • Access controls and audit logging for all data access

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specifically:

  • Account data: Retained until account deletion
  • Invoice data: Retained for 7 years for legal compliance
  • Email engagement data: Retained for 2 years
  • After account deletion: Data is purged within 30 days, except where legal retention is required

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data
  • Portability: Export your data in a machine-readable format
  • Objection: Object to certain processing activities
  • Withdrawal: Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@getunpaid.io.

8. Customer Email Recipients

When you use Unpaid to send payment reminders, your customers receive emails on your behalf. These recipients can:

  • Unsubscribe from automated reminders using the link in each email
  • Click "I've Paid" to update their payment status
  • Contact you directly (reply-to goes to your email)

We only retain customer email addresses and engagement data as necessary to provide the service. Customers can request data deletion by contacting privacy@getunpaid.io.

9. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required by GDPR.

10. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies.

11. Children's Privacy

Unpaid is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@getunpaid.io
  • Website: https://getunpaid.io