Privacy Policy
Last updated: May 28, 2026
This Privacy Policy describes how Nile Raza, sole proprietor (doing business as PayOwed) (“we,” “us,” or “our”) collects, uses, stores, processes, and shares (“processes”) your personal information when you use our services (“Services”), including when you visit https://payowed.com, use the PayOwed application, or engage with us in any related way (including marketing or events).
If you do not agree with our practices, please do not use our Services. Questions or concerns can be sent to privacy@payowed.com.
Summary of key points
- What information do we collect?
- How do we process your information?
- What legal bases do we rely on?
- When and with whom do we share your information?
- Do we use cookies and similar technologies?
- How do we handle social logins?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for Do-Not-Track features
- Do United States residents have specific privacy rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update, or delete your data?
1. What information do we collect?
Personal information you provide
We collect personal information you provide when you register, configure your account, upload invoice or client data, or contact us. This includes:
- Names
- Email addresses
- Phone numbers
- Mailing addresses
- Contact preferences
- Authentication data (managed by Clerk, our authentication provider — we do not store passwords)
The application also collects the following data you provide as part of using the service:
- Invoice data: client names, client email addresses, client phone numbers, client industry, invoice numbers, amounts, currencies, issue dates, due dates, paid dates, payment status, line items, reminder history, and dispute or promise-to-pay responses submitted through the client portal.
- Business profile information: business name, sender display name, business address, payment terms, late fee policy, default currency, and timezone.
- User preferences: notification settings, SMS reminder preferences, PDF attachment preferences, active email provider selection.
- Bank deposit information: bank name, account holder name, routing number, account number, and reference memo, entered by you and stored for inclusion in outgoing reminder emails. See Section 9 for how this data is handled.
- Payment and subscription references: Stripe customer IDs, subscription IDs, price IDs, Connect account IDs, PayPal merchant IDs and email addresses. Full payment card numbers are not stored by PayOwed and are handled exclusively by Stripe or PayPal.
- Integration tokens: OAuth access tokens, refresh tokens, expiry timestamps, account identifiers, and connected email addresses for Gmail, Outlook, QuickBooks, Xero, and PayPal.
- Email templates: custom reminder email content created or modified by you.
- Webhook configuration: webhook URLs, signing secrets, and historical delivery payloads.
- Third-party client data: personal information about your clients, processed on your behalf in our role as a data processor under GDPR.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
Sensitive personal information
Bank account and routing numbers are classified as sensitive personal information under California privacy law. We collect this data only when you choose to enable bank deposit instructions and only for the purpose of including it in your outgoing reminder emails. We do not collect special category data under GDPR Article 9 (such as health, biometric, or racial information).
Payment data
We collect data necessary to process your subscription payment. All payment card data is handled and stored by our payment processors. You can find their privacy notices here: Stripe and PayPal.
Information automatically collected
When you use the Services, we automatically collect:
- Log and usage data: IP address, browser type, operating system, language preferences, referring URLs, pages viewed, actions taken, and timestamps.
- Device data: device type, hardware model, ISP, and system configuration.
- Audit and security logs: we record authenticated user actions including logins, invoice operations, settings changes, and dispute responses, together with the originating IP address and user agent. These logs are used for security monitoring, incident investigation, and demonstrating compliance with our terms.
- Email engagement data: a 1×1 tracking pixel embedded in outgoing reminder emails records the timestamp at which the recipient opened the email. No IP address or user agent is logged from email opens.
- Email delivery status: we record whether reminder emails delivered successfully, bounced, or generated complaints, derived from feedback provided by Gmail, Outlook, or our transactional email provider.
- SMS opt-out records: phone numbers that have replied STOP to an SMS reminder are stored permanently to prevent further messages from being sent.
Like many businesses, we also collect information through cookies and similar technologies. You can find out more in our Cookie Policy.
Derived information
We compute the following derived data from invoice and payment history:
- Reliability and risk scores: for each client tracked in your account, we compute payment reliability scores, average days late, and risk tiers based on the client's historical payment behavior. These scores are used internally to recommend reminder cadence intensity. They are not exposed to your clients.
Google API services
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use the Gmail API only to send invoice reminder emails on your behalf, with the minimum scope necessary.
2. How do we process your information?
We process your information for the following purposes:
- Account creation and authentication: manage user accounts via Clerk.
- Service delivery: provide the invoice reminder, payment tracking, and integration features you sign up for.
- Send automated reminder emails on your behalf: send invoice reminder emails from your connected email account (Gmail or Outlook) to your clients, according to the schedule and templates you configure.
- Send SMS reminders: when enabled by you and consented to by your client, send SMS payment reminders via Twilio.
- Automated risk scoring: compute payment reliability scores for clients based on historical payment data, and use these scores to recommend reminder cadence intensity. You can override the recommended cadence at any time from the invoice or client view.
- User support: respond to inquiries and resolve issues with the Services.
- Administrative communications: notify you of changes to terms, policies, or service availability.
- Security and fraud prevention: monitor activity, detect abuse, and protect the platform.
- Audit logging: record authenticated actions for security and compliance.
- Service improvement: analyze usage patterns to improve features.
- Vital interests: we may process your information when necessary to protect an individual's vital interest, such as to prevent harm.
- Legal compliance: comply with legal obligations and enforce our terms.
3. What legal bases do we rely on?
If you are in the EU, UK, or Switzerland
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the legal bases we rely on. We may rely on the following:
- Consent: for processing where you have given specific permission. You can withdraw consent at any time.
- Performance of a contract: for processing necessary to deliver the Services you signed up for.
- Legitimate interests: for security monitoring, fraud prevention, abuse detection, service improvement, analyzing how the Services are used, and demonstrating compliance with our terms.
- Legal obligations: for processing required to comply with applicable law, cooperation with law enforcement, or to exercise or defend legal rights.
- Vital interests: where necessary to protect your or another person's vital interests.
If you are in Canada
We rely on your express or implied consent under PIPEDA. In limited circumstances permitted by law, we may process your information without consent, including:
- If collection is clearly in your interests and consent cannot be obtained in a timely way;
- For investigations, fraud detection, and prevention;
- For business transactions, provided certain conditions are met;
- If contained in a witness statement and necessary to assess, process, or settle an insurance claim;
- For identifying injured, ill, or deceased persons and communicating with next of kin;
- If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse;
- If it is reasonable to expect that collection with consent would compromise the availability or accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or contravention of law;
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of court relating to the production of records;
- If the information was produced in the course of an individual's employment, business, or profession and the collection is consistent with the purposes for which it was produced;
- If the collection is solely for journalistic, artistic, or literary purposes;
- If the information is publicly available and specified by regulations.
4. When and with whom do we share your information?
We share information with the following third-party service providers, each of which has access only to the data needed to perform its function under contract with us. We do not sell or rent your personal information.
| Function | Provider | Privacy policy |
|---|---|---|
| Authentication | Clerk | clerk.com/legal/privacy |
| Hosting | Vercel | vercel.com/legal/privacy-policy |
| Database | Supabase | supabase.com/privacy |
| Error monitoring | Sentry | sentry.io/privacy |
| Rate limiting, caching & real-time events | Upstash | upstash.com/trust/privacy |
| Product analytics (consent-gated client-side; legitimate interest server-side) | PostHog | posthog.com/privacy |
| Transactional email | Resend | resend.com/legal/privacy-policy |
| SMS delivery | Twilio | twilio.com/legal/privacy |
| Payment processing | Stripe | stripe.com/privacy |
| Payment processing | PayPal | paypal.com/legalhub/privacy |
| Email integration | Google (Gmail API) | policies.google.com/privacy |
| Email integration | Microsoft (Outlook) | privacy.microsoft.com |
| Accounting integration | Intuit (QuickBooks) | intuit.com/privacy |
| Accounting integration | Xero | xero.com/legal/privacy |
PostHog (analytics): Client-side analytics (page views, UI interactions) are only active if you consent via the cookie banner. Server-side product analytics events (e.g., “invoice_created,” “plan_changed”) are captured using your internal user ID under our legitimate interest in product improvement (GDPR Art. 6(1)(f)). These server-side events contain no email addresses, client data, or invoice contents — only event names and non-PII metadata such as currency, amount, and step index. You can request deletion of your PostHog data at any time by deleting your account, which removes all associated analytics events. You can revoke client-side analytics consent at any time in your cookie settings.
Stripe (payments): We attach metadata to Stripe Customer objects including internal user identifiers (such as your PayOwed user ID) so we can correlate Stripe events back to your account. We do not attach email content or client data to Stripe objects.
Sentry (error monitoring): When an error occurs, we send anonymized error context to Sentry. IP addresses, email addresses, OAuth tokens, session cookies, authorization headers, and monetary amounts are stripped before transmission.
Upstash (caching): We use Upstash for rate limiting, consent caching, and real-time dashboard event delivery. Cached data may include client names and invoice event summaries. All entries auto-expire (typically 5 minutes for events, 60 seconds for other caches). No long-term data retention occurs in Redis.
We have contracts in place with our service providers designed to safeguard your personal information. They cannot use your personal information except as instructed by us, and they may not share it with any other organization.
We may also share information in the following situations:
- Business transfers: in connection with a merger, sale of assets, financing, or acquisition of all or part of the business.
- Legal requirements: when required to comply with a subpoena, court order, or other legal process.
- To protect rights: when necessary to enforce our terms, protect our rights, or protect the safety of users.
5. Do we use cookies and similar technologies?
We use cookies and a small number of similar technologies to operate the Services. We do not use cookies for advertising, retargeting, or behavioral tracking. We use PostHog for product analytics as disclosed in Section 4 above; client-side analytics cookies are only set if you opt in via the cookie banner.
Cookies set directly by PayOwed:
gmail_oauth_state— short-lived (10 minutes), used to prevent CSRF attacks during the Gmail authorization flow.onboarding_complete— one year, indicates whether you have completed initial onboarding.owner_bypass— one year, used internally for testing.
In addition, our authentication provider Clerk sets session cookies required for you to remain signed in.
We also use browser localStorage and sessionStorage for functional purposes only — for example, to remember the prefilled values when you start a new invoice, or to detect your timezone during signup. None of this data is transmitted to third parties.
Reminder emails sent on your behalf contain a 1×1 tracking pixel that records the timestamp when the email is opened, so you can see whether your client viewed the message. No IP address or other identifying information is recorded from email opens.
For full details, see our Cookie Policy.
6. How do we handle social logins?
You can register or log in to PayOwed using your Google account, through our authentication provider Clerk. When you do, we receive your name, email address, and profile information from Google. We use this information only to create and maintain your PayOwed account. We do not access your Google contacts, calendar, drive, or other Google services as part of authentication.
We will use the information we receive only for the purposes that are described in this Privacy Policy or that are otherwise made clear to you. Please note that we do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review their privacy policy to understand how they collect, use, and share your personal information.
Separately, you may connect your Gmail account to send invoice reminders. This is a distinct authorization that requests only the gmail.send scope and is described in Section 1.
7. Is your information transferred internationally?
Our servers are located in the United States. Some of our service providers operate in other countries:
- United States: Vercel, Supabase, Clerk, Stripe, Sentry, Resend, Twilio, Upstash, Intuit.
- New Zealand and Australia: Xero (headquartered in Wellington, with regional processing).
Regardless of your location, your information may be transferred to, stored by, and processed by us and our third-party service providers in any of these jurisdictions.
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, these countries may not have data protection laws as comprehensive as those in your jurisdiction. We have implemented measures to protect your personal information, including by using the European Commission's Standard Contractual Clauses for transfers between us and our third-party providers. These clauses require all recipients to protect personal information originating from the EEA or UK in accordance with European data protection laws. Copies of our Standard Contractual Clauses can be provided upon request. A Data Processing Agreement (DPA) under GDPR Article 28, governing our processing of personal data on your behalf, is also available upon request by contacting us at the address below.
8. How long do we keep your information?
We retain your personal information for as long as your account is active. When you delete your account, we delete or anonymize your data, except where we are required to retain it for legal, accounting, or tax reasons.
If your account remains inactive — no sign-in for three years — we will delete or anonymize your personal data, except where we are required to retain it for legal, accounting, or tax reasons.
Specific retention exceptions:
- Email bounce records: retained for 30 days, then automatically deleted.
- Reminder email contents: the full body of every sent reminder email is retained for the life of your account so you can review what was sent. Deleted with your account.
- Webhook delivery payloads: retained for the life of your account for debugging and audit purposes. Deleted with your account.
- SMS opt-out records: phone numbers that have opted out of SMS are retained indefinitely to honor the opt-out, even after account deletion.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because the information has been stored in backup archives), we will securely store it and isolate it from any further processing until deletion is possible.
9. How do we keep your information safe?
We use the following technical and organizational measures to protect your data:
- Encryption in transit: all connections to PayOwed are protected by TLS.
- Encryption at rest: our database (Supabase) provides AES-256 encryption at rest.
- Authentication: all authentication is handled by Clerk, which provides multi-factor authentication, session management, and bot protection.
- Secrets management: all API keys, OAuth secrets, and webhook signing keys are stored in environment variables and never exposed to the client.
- CSRF protection: origin checking on all state-changing requests.
- Rate limiting: sliding-window rate limiting on public endpoints to prevent abuse.
- Webhook signature verification: incoming webhooks from Stripe and other providers are verified before processing.
- Audit logging: all authenticated actions are logged with IP address and user agent for security review.
No internet-based service can be guaranteed 100% secure. While we work to protect your data, you transmit information to and from the Services at your own risk. You should access the Services only within a secure environment.
If you choose to enable the bank deposit instructions feature, the bank account number you enter is included in the body of outgoing reminder emails sent to your clients, as configured by you. You are responsible for the accuracy of this information and for the decision to share it with your clients in this manner.
10. Do we collect information from minors?
The Services are not directed to anyone under 18 years of age (or the equivalent age of majority in your jurisdiction). We do not knowingly collect personal information from minors, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years old, or that you are the parent or guardian of a minor and consent to that minor's use of the Services. If we learn that we have collected information from a person under 18, we will deactivate the account and take reasonable measures to delete the data. If you become aware that a child has provided us with personal information, contact us at privacy@payowed.com.
11. What are your privacy rights?
Depending on where you live, you may have the following rights regarding your personal information:
- The right to access and obtain a copy of your data
- The right to correct inaccuracies
- The right to request deletion
- The right to restrict or object to processing
- The right to data portability
- The right to withdraw consent
- The right not to be subject to solely automated decision-making with legal or similarly significant effects
The easiest way to exercise these rights is at your account settings page, where you can export your data, update your information, or delete your account. You can also contact us at privacy@payowed.com. We will consider and act upon any request in accordance with applicable data protection laws.
Withdrawing your consent
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at privacy@payowed.com. Withdrawal will not affect the lawfulness of processing before the withdrawal, nor will it affect processing conducted in reliance on lawful grounds other than consent.
Account information
To review or change information in your account, or to terminate your account, you can log in to your account settings or contact us. Upon a request to terminate your account, we will deactivate or delete your account and information from our active databases. We may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, or comply with legal requirements.
Cookies and similar technologies
Most web browsers accept cookies by default. You can usually configure your browser to remove or reject cookies. Doing so may affect certain features of the Services. For more details, see our Cookie Policy.
Automated processing
As described in Section 2, we compute risk scores for the clients tracked in your account and use those scores to recommend reminder cadences. These recommendations do not produce legal or similarly significant effects on the clients themselves, since they only affect the timing and tone of reminder emails sent by you. You retain full control and can manually override any recommended cadence at any time from the invoice or client view in your dashboard.
Right to lodge a complaint
If you are in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority or the UK Information Commissioner's Office.
If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
12. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) feature you can activate to signal your privacy preference. Because no uniform technology standard for recognizing and implementing DNT signals has been finalized, we do not currently respond to DNT browser signals. If a standard is adopted that we are required to follow, we will update this Policy accordingly.
California law requires us to inform you how we respond to DNT signals. Because there currently is no industry or legal standard for honoring DNT signals, we do not respond to them at this time.
13. Do United States residents have specific privacy rights?
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you have specific rights under your state's data protection law.
Categories of personal information we collect
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email, IP address, account name | Yes |
| B. Personal information under California Customer Records statute | Name, contact information, financial information | Yes |
| C. Protected classification characteristics | Age, race, gender | No |
| D. Commercial information | Transaction information, invoice and payment history | Yes |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet or network activity | Browsing history, interaction logs | Yes |
| G. Geolocation data | Device location | No |
| H. Audio, electronic, sensory information | Recordings, images | No |
| I. Professional or employment information | Business contact details, business name | Yes |
| J. Education information | Student records | No |
| K. Inferences | Profiles or summaries derived from collected data, including client payment reliability scores | Yes |
| L. Sensitive personal information | Bank account and routing numbers (when you enable bank deposit instructions) | Yes |
We may also collect other personal information outside these categories through interactions with us in person, online, by phone, or by mail in the context of receiving customer support, participating in surveys, or facilitating the delivery of our Services and responding to your inquiries.
We retain each category of personal information for as long as your account is active.
Sources of personal information
The sources of personal information are described in Section 1.
How we use and share personal information
The purposes for which we use your information are described in Section 2. The third parties with whom we share information are described in Section 4.
Will your information be shared with anyone else?
We may disclose your personal information with our service providers under written contract. We may use your personal information for our own business purposes, such as undertaking internal research for technological development and demonstration. This is not considered “selling” of your personal information.
We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months:
- Category A — Identifiers
- Category B — Personal information under California Customer Records statute
- Category D — Commercial information
- Category F — Internet or network activity information
- Category I — Professional or employment-related information
The categories of third parties to whom we disclosed personal information for a business or commercial purpose are listed in Section 4.
Your rights
You have the following rights under most US state data protection laws, subject to limitations under applicable law:
- Right to know whether we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request deletion of your personal data
- Right to obtain a copy of personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects (we do not engage in any of these activities)
Depending on the state where you live, you may also have the following rights:
- Right to access the categories of personal data being processed (Minnesota)
- Right to obtain a list of the categories of third parties to which we have disclosed personal data (California, Delaware, Maryland)
- Right to obtain a list of specific third parties to which we have disclosed personal data (Minnesota, Oregon)
- Right to obtain a list of third parties to which we have sold personal data (Connecticut)
- Right to review, understand, question, and (where you live) correct how personal data has been profiled (Connecticut, Minnesota)
- Right to limit use and disclosure of sensitive personal information (California)
- Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (Florida)
How to exercise your rights
To exercise these rights, you can visit your account settings page, email us at privacy@payowed.com, or use the contact form.
Authorized agents
Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof of authorization to act on your behalf in accordance with applicable laws.
Request verification
Upon receiving your request, we will need to verify your identity to confirm you are the same person about whom we have information. We will only use personal information provided in your request to verify your identity or authority. If we cannot verify your identity from information already maintained, we may request additional information for verification or fraud prevention purposes.
If you submit the request through an authorized agent, we may need to collect additional information to verify your identity, and the agent will need to provide written and signed permission from you to submit the request on your behalf.
Appeals
Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at privacy@payowed.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If your appeal is denied, you may submit a complaint to your state attorney general.
California “Shine the Light” law
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes, and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, contact us at privacy@payowed.com.
14. Do we make updates to this notice?
We will update this Policy as needed to stay compliant with applicable law and to reflect changes to our practices. The updated version will be indicated by the “Last updated” date at the top. For material changes, we will notify you by posting a prominent notice or by sending you a direct notification.
15. How can you contact us about this notice?
If you have questions or comments about this Policy, contact us at:
Nile Raza, sole proprietor (d/b/a PayOwed)
PO Box 92
Fortville, IN 46040
United States
Email: privacy@payowed.com
16. How can you review, update, or delete the data we collect from you?
You can review, update, export, or delete your personal information at your account settings page, or by contacting us at privacy@payowed.com.