Vasulify

Privacy Policy

Last updated: June 2026

What we collect

  • Account information: your name, email address, and password (stored as a bcrypt hash — we never see your plain password).
  • Invoice and estimate data: invoice numbers, amounts, due dates, line items, notes, and status that you create.
  • Client data: names, email addresses, and contact details you add for your clients.
  • Usage analytics: page visits, feature clicks, and user journeys via PostHog (EU Cloud) and Google Analytics 4, to help us improve the product.
  • Email open tracking: when a client opens an automated follow-up email, we record the timestamp to help you know when they read it.
  • Public invoice views: when a client opens a public invoice link (/i/token), we record the first-view timestamp.
  • Payment records: if a client pays through a linked payment page, we store the payment amount and date (we do not handle card data).

How we use your data

  • To operate your account and provide the Vasulify invoice automation service.
  • To send automated follow-up emails to your clients on your behalf via SendGrid.
  • To display your invoice history, client list, estimate pipeline, and payment analytics.
  • To improve the product based on anonymised, aggregated usage patterns.
  • To process your subscription via Dodo Payments and maintain your billing status.

What we do NOT do

  • We do not sell your personal data or your clients' data to any third party.
  • We do not use your data to serve you advertising.
  • We do not share your invoice or client data with anyone except services directly required to operate (email delivery, payments).
  • We do not store or process payment card numbers — all card handling is done by Dodo Payments or Stripe on their own platforms.

Third-party services we use

  • SendGrid — email delivery service used to send invoice reminders and transactional emails to your clients. Data processed: recipient email, name, and invoice details needed to compose the email. Provider: Twilio SendGrid (US). Privacy policy: https://www.twilio.com/legal/privacy
  • PostHog (EU Cloud) — product analytics. We collect page views, feature usage, and user journey events. Data is associated with your account email for the purposes of understanding how features are used. Data is hosted on PostHog's EU infrastructure. You can opt out by disabling JavaScript. Provider: PostHog Inc. Privacy policy: https://posthog.com/privacy
  • Google Analytics 4 — web analytics. We collect anonymised page views and session data. IP addresses are anonymised. Provider: Google LLC. Privacy policy: https://policies.google.com/privacy
  • Dodo Payments — subscription billing. When you subscribe, you are redirected to Dodo Payments' checkout. We receive a confirmation webhook with your subscription ID. We do not see or store your card details. Provider: Dodo Payments Inc. Privacy policy: https://dodopayments.com/privacy
  • Azure SQL (Microsoft) — your data is stored in a Microsoft Azure SQL database in a secure data centre. Provider: Microsoft Corporation. Privacy policy: https://privacy.microsoft.com

Analytics in detail

  • PostHog: we track which pages you visit, which buttons you click, and which features you use. This helps us prioritise improvements. Data is hosted on PostHog EU Cloud (eu.i.posthog.com). We use person profiles only for identified users (i.e. after you sign in). Retention: 12 months.
  • Google Analytics 4: we track page views, session duration, and device type. Google Analytics data is anonymised and aggregated. We do not share individual-level data with Google for advertising. Retention: 14 months.
  • Both services use first-party cookies set on vasulify.com. No cross-site advertising cookies are used.

Data storage and security

  • Your data is stored in a secured Azure SQL Server database with TLS encryption in transit and at-rest encryption.
  • Passwords are hashed using ASP.NET Core Identity (PBKDF2 with HMAC-SHA256). We cannot recover your password.
  • HTTPS is enforced for all connections. We set Strict-Transport-Security, X-Frame-Options, and Content-Security-Policy headers.
  • We take reasonable precautions to protect your data, but no system is 100% secure.

Public invoice links

  • When you share a public invoice link (/i/token), anyone with that link can view the invoice.
  • The link contains only the invoice details — it does not expose your account, other invoices, or your clients' full contact records.
  • We record the first time a client views the link so you can see when they opened it.
  • Share links only with intended recipients.

Your rights (GDPR / data subject rights)

  • Right to access: you can request a copy of all personal data we hold about you — email [email protected].
  • Right to deletion: you can delete your account and all associated data from Settings → Security → Delete Account, or by emailing [email protected].
  • Right to correction: update your name, business details, and contact info from the Settings page at any time.
  • Right to portability: email [email protected] to request a data export.
  • Right to object: you may opt out of analytics by disabling JavaScript or using a browser content blocker.
  • Requests are responded to within 30 days in accordance with applicable data protection law.

Cookies

  • Authentication cookie: keeps you signed in (HttpOnly, Secure, SameSite=Strict).
  • Anti-forgery cookie: protects forms against CSRF attacks (HttpOnly, Secure).
  • PostHog cookie (ph_*): used by PostHog to track sessions and identify returning users. Set on your first page visit.
  • Google Analytics cookies (_ga, _gid): used by Google Analytics to distinguish users and sessions.
  • No advertising or third-party tracking cookies are set.

Contact

  • For privacy questions or data requests, email [email protected].
  • We aim to respond within 5 business days.