1. Introduction and data controller
Puyer ("we", "us", or "our") operates the Puyer platform and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Service. We are the data controller in respect of the personal data we process for the purposes of providing the Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data we collect
We collect and process the following categories of personal data:
- Account and profile data: email address, name (first and last), password (stored in hashed form), company or business name, phone number, address, website, company type or industry, country, timezone, default currency, and optional company logo.
- Invoice and business data: data you enter when creating invoices (descriptions, amounts, due dates, notes), client names and contact details (email, address, phone, company name, VAT number) that you provide for the purpose of sending invoices and receiving payments.
- Payment-related data: we do not store your or your clients' full payment card numbers, bank account details, or card verification codes. Payment processing is carried out by Stripe. We store only references necessary to link transactions to your account (e.g. Stripe payment intent or transaction identifiers) and, where applicable, payout and fee information for your dashboard.
- Technical and usage data: IP address, browser type and version, device information, and logs of access to the Service, where necessary for security, fraud prevention, and operation of the Service.
- Communications: when you contact us (e.g. by email), we process the content of your messages and your contact details to respond and provide support.
3. How we use your data
We use your personal data to: provide, maintain, and improve the Service; create and manage your account; process invoices and send them to your clients by email; enable payment processing via Stripe and display payment status and payouts; send you transactional emails (e.g. magic links, reminders) and, where you have agreed, marketing or product updates; enforce our Terms of Service and prevent fraud or abuse; comply with applicable laws and respond to lawful requests; and protect the security and integrity of the Service.
4. Legal basis for processing (EEA/UK)
Where data protection laws (e.g. GDPR, UK GDPR) apply, we process your data on the following bases: (a) performance of a contract — to provide the Service you have signed up for; (b) legitimate interests — for security, fraud prevention, analytics, and improving the Service, where balanced against your rights; (c) consent — where we ask for your consent (e.g. optional marketing); (d) legal obligation — where we must retain or disclose data to comply with the law.
5. Data sharing and third parties
We share data only as necessary to operate the Service and as described here:
- Stripe: payment processing. Card and banking data are collected and processed directly by Stripe in accordance with their privacy policy. We do not store or have access to full card numbers or bank account details.
- Supabase: hosting, database, and authentication. Data is stored in secure environments; see Supabase's privacy and security documentation.
- Resend (or similar): sending transactional and marketing emails. Recipient addresses and email content are processed in accordance with our instructions and the provider's terms.
- Analytics and monitoring: we may use analytics or error-tracking tools that process limited technical or usage data; we configure these to minimise personal data where possible.
We do not sell your personal data. We may disclose data to authorities or others when required by law or to protect our rights and safety.
6. International transfers
Your data may be processed in countries outside your country of residence, including the United States and the European Economic Area. We ensure appropriate safeguards (e.g. standard contractual clauses, adequacy decisions) where required by applicable law so that your data remains protected.
7. Data retention
We retain your data for as long as your account is active and as needed to provide the Service and comply with legal, tax, or regulatory obligations. After you close your account, we may retain certain data for a limited period for legal or operational reasons (e.g. dispute resolution, audit), after which it is deleted or anonymised. You may request deletion of your data subject to our legal retention requirements.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes encryption in transit (TLS), access controls, and secure handling of credentials. Payment card data is never stored by us; it is handled entirely by Stripe in line with industry standards (e.g. PCI DSS).
9. Your rights
Depending on your location, you may have the right to: access your personal data; correct inaccurate data; request erasure ("right to be forgotten"); restrict or object to certain processing; request data portability; withdraw consent where processing is based on consent; and lodge a complaint with a supervisory authority. To exercise these rights, contact us at the email below. We will respond within the timeframes required by applicable law. You can also close your account and request deletion of your data from the Service; we will process such requests in line with our retention and legal obligations.
10. Cookies and similar technologies
We use cookies and similar technologies (e.g. local storage) that are strictly necessary for the operation and security of the Service (e.g. session and authentication). We may also use analytics or functional cookies to improve the Service; where required by law, we will obtain your consent for non-essential cookies. You can control cookies through your browser settings.
11. Children
The Service is not directed at individuals under 16 (or higher age where required). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. For material changes, we may notify you by email or through the Service. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree, you should stop using the Service and may close your account.
13. Contact
For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at support@puyer.org. We will respond as soon as practicable and in any event within the periods required by applicable data protection law.