Summary
- We collect account details, invoice data, client data, usage data, and billing metadata.
- We use data to operate the Service, secure accounts, process payments, and improve the product.
- We do not sell personal data or share it for targeted advertising.
- Payment card data is handled by our payment processor and never stored on our servers.
- You have rights over your data, including access, correction, deletion, and portability.
- We retain data only as long as necessary and delete it within 30 days of account deletion.
Data We Collect
We collect the following categories of personal information when you use the Service.
- Account data: Name, email address, password hash, authentication provider details (GitHub, Google), profile photo, and account preferences.
- Invoice data: Client names, email addresses, postal addresses, phone numbers, invoice line items, amounts, payment terms, notes, and attachments you enter.
- Business data: Company name, registered address, tax identification numbers, logos, brand colors, bank account details for payment instructions, and digital signatures.
- Usage data: Pages viewed, features used, clickstream data, session duration, device type, browser type and version, operating system, screen resolution, and referring URLs.
- Technical data: IP addresses, login timestamps, API request logs, error logs, and device identifiers.
- Billing data: Subscription plan, billing cycle, payment status, transaction IDs, and payment metadata from our payment processor. We do not store credit card numbers.
- Communications data: Emails, support messages, feedback submissions, and any information you provide when contacting us.
- Third-party sign-in: If you connect Google, GitHub, or another OAuth provider, we receive your name, email, and profile photo as permitted by your provider settings.
How We Collect Data
We collect data through the following methods.
- Directly from you when you register, create invoices, configure settings, or contact support.
- Automatically when you use the Service, through cookies, server logs, and analytics tools.
- From third-party authentication providers when you sign in using OAuth (Google, GitHub).
- From our payment processor when you subscribe to a paid plan.
- From publicly available sources when verifying business information you provide.
Legal Basis for Processing
We process your personal data under the following legal bases, depending on the context.
- Contract performance: Processing necessary to provide the Service you have subscribed to, including account management, invoice processing, and payment handling.
- Legitimate interests: Processing necessary for our legitimate business interests, including fraud prevention, security monitoring, product improvement, and analytics, balanced against your rights and freedoms.
- Consent: Processing based on your explicit consent, such as marketing communications. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable laws, regulations, court orders, or government requests.
How We Use Data
We use your personal information for the following purposes.
- Provide, operate, and maintain the Service, including processing invoices, storing client records, and delivering notifications.
- Authenticate users, manage sessions, and prevent unauthorized access to accounts.
- Process subscription payments and manage billing through our payment processor.
- Detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Provide customer support, respond to requests, and resolve disputes.
- Analyze usage patterns to improve product performance, reliability, usability, and feature development.
- Send transactional communications such as account confirmations, payment records, and security alerts.
- Send product updates, feature announcements, and marketing communications (with your consent where required).
- Comply with legal obligations, enforce our Terms, and protect the rights, property, and safety of our users and the public.
- Generate aggregated, anonymized statistics for internal reporting and business planning.
How We Share Data
We share data only when necessary to operate the Service and for the purposes described below. We do not sell personal information and do not share data for targeted advertising.
- We do not sell, rent, or trade personal information to third parties.
- We do not share data with advertisers or ad networks for behavioral targeting.
- We may disclose data when required by law, regulation, court order, or governmental request.
- If we are involved in a merger, acquisition, or asset sale, we will provide at least 30 days' notice before personal data is transferred to the acquiring entity.
Service providers we share data with:
- Hosting providers: Cloud infrastructure services that host the Service and store data on our behalf.
- Payment processors: Third-party payment services that handle subscription billing and transaction processing.
- Email delivery: Services that send transactional emails such as invoice notifications, password resets, and account alerts.
- Analytics tools: Services that help us understand how the Service is used, identify issues, and improve the product.
- Authentication providers: OAuth providers (Google, GitHub) that facilitate sign-in.
- Professional advisors: Legal, accounting, and audit professionals when necessary for compliance and business operations.
Cookies and Tracking
We use cookies and similar technologies to operate the Service, maintain sessions, and understand usage patterns. You can control cookies through your browser settings, but disabling them may limit functionality.
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
- Analytics cookies: Used to understand how the Service is used, track page views, and measure feature adoption. We use PostHog for product analytics.
- Preference cookies: Store your settings and preferences such as theme, language, and layout choices.
Marketing Communications
We will only send marketing messages if you have given your consent. You can unsubscribe at any time using the link in any marketing email, or by updating your notification preferences in your account settings. Withdrawing consent does not affect transactional communications required for the Service.
Data Retention
We retain personal data only as long as necessary for the purposes described in this policy. Retention periods are determined by the nature of the data and our legal obligations.
- Account data is retained for as long as your account is active and for 30 days after deletion to allow for account recovery.
- Invoice and client data is retained for the duration of your subscription. You may export your data at any time.
- Usage and analytics data is retained in identifiable form for up to 12 months, then aggregated or anonymized.
- Billing records are retained for up to 7 years to comply with tax and accounting requirements.
- Support communications are retained for up to 3 years after resolution.
- Server logs and security data are retained for up to 90 days.
- If you delete your account, we will delete your personal data within 30 days unless a longer retention period is required by law.
Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. No system is perfectly secure, and we cannot guarantee absolute security.
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest in our databases.
- Access controls and role-based permissions to limit data access to authorized personnel.
- Regular security assessments and vulnerability scanning of our infrastructure.
- Monitoring and logging of access to systems that contain personal data.
- Incident response procedures for identifying, containing, and remediating security events.
- Employee training on data protection, security awareness, and incident response.
If you choose to self-host Conduitt, you are solely responsible for your own security configuration, infrastructure hardening, and compliance with applicable data protection laws.
International Transfers
We process data primarily in the United States through our hosting providers. When personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place.
- We rely on Standard Contractual Clauses approved by the European Commission for transfers to countries without an adequacy decision.
- We evaluate the data protection laws of the destination country and implement supplementary measures where necessary.
- Our sub-processors maintain appropriate certifications and contractual commitments regarding data transfers.
- By using the Service, you acknowledge that your data may be processed in the United States and other jurisdictions where our providers operate.
Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected].
- Right to be informed about how your personal data is collected and used.
- Right of access to obtain a copy of the personal data we hold about you.
- Right to rectification of inaccurate or incomplete personal data.
- Right to erasure (right to be forgotten) of your personal data in qualifying circumstances.
- Right to restrict processing of your personal data in certain situations.
- Right to data portability to receive your data in a structured, machine-readable format.
- Right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent at any time where processing is based on consent.
- Rights related to automated decision-making and profiling where applicable.
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information is collected, sold, or disclosed; the right to delete personal information; the right to correct inaccurate information; the right to opt out of the sale or sharing of personal information; and the right to not be discriminated against for exercising these rights. We do not sell personal information.
We will respond to rights requests within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request. If we cannot fulfill your request, we will explain why.
Google API Services
Conduitt's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only the minimum data necessary to provide Service features, and we do not use Google user data for advertising or other purposes beyond providing and improving the Service.
Children's Privacy
The Service is not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact us immediately and we will take steps to delete that information.
Changes to This Policy
We may update this policy to reflect changes in our practices, the law, or our business. The current version is always available at conduitt.io/privacy with an updated date. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority. For UK residents, you may contact the Information Commissioner's Office (ICO). For EEA residents, you may contact your national data protection authority.
Contact Us
- Email: [email protected]
- Support: conduitt.io/support
- GitHub: github.com/Oppulence-Engineering/oppulence-canvas