Privacy Policy

When you create a Drupd account, we collect your email address and basic profile information. If you sign in with a third-party provider (Google, GitHub), we receive the name and email associated with that account.

When you use Drupd to create invoices, we store the workspace data you enter, including client names, contact details, invoice amounts, line items, dates, uploaded logos, and related billing records. If you enable invoice signatures, we also store the signer name, signature image, signed timestamp, and signing IP address.

We collect product analytics through PostHog, operational error and diagnostic data through Sentry, billing metadata from Polar, and Turnstile verification tokens on authentication forms. For signed-in users, analytics may be linked to your account identifier and basic profile fields so we can understand usage at the workspace level. We do not sell this data.

Sentry's error monitoring includes Session Replay, which records a visual reproduction of the page when an error occurs so we can diagnose the failure. Form inputs are masked, but other on-screen text — which may include client names, invoice amounts, addresses, and other workspace details visible at the time — can be captured. Session Replay only runs after you grant error-tracking consent and only when an error fires; it is never recording your session proactively.

Your data is used to provide the Drupd service: authenticating your account, creating invoices, sending emails to your clients, generating PDFs, displaying your dashboard, and managing billing and subscription state.

We also use limited technical and behavioral data to secure the service, prevent abuse, investigate failures, and improve the product. That includes anti-bot checks on auth forms, invoice-signature integrity records, analytics on product usage, and crash/error reporting.

We do not sell your personal data or invoice data. We do not run third-party ads using your workspace data, and we do not use your billing data for unrelated marketing.

Your data is stored in Supabase (PostgreSQL) in the European Union (AWS eu-west-1, Ireland), with row-level security policies ensuring you can only access your own organization's data. All data is encrypted at rest and in transit.

Passwords are never stored in plain text. Authentication is handled through Supabase Auth with industry-standard password hashing and secure session management.

We deploy on Cloudflare Workers, which means your requests are processed at the edge location nearest to you. Database connections are routed through Cloudflare Hyperdrive for connection pooling and security. Some sub-processors (PostHog, Sentry, Resend, Polar) are US-hosted; transfers from the EU/UK/Switzerland to those processors rely on the European Commission's Standard Contractual Clauses referenced in each processor's DPA.

Drupd integrates with a limited set of third-party services to provide core functionality:

Supabase for database, authentication, and file storage. Resend for transactional email delivery. Polar for subscription billing and plan management. PostHog for product analytics. Sentry for error monitoring and diagnostics. Cloudflare for hosting, CDN, edge compute, and Hyperdrive. Cloudflare Turnstile for bot and abuse prevention on auth flows.

We only send each provider the minimum data needed for that provider to do its job. Our full sub-processor list — with data categories, hosting regions, and DPA links — is at /subprocessors.

You can export your workspace data at any time from the export section in dashboard settings. The current export includes clients, invoices, invoice line items, payments, and stored PDFs.

You can delete your account from the app or by contacting us. Account deletion is final and cannot be undone — once you confirm, your login credentials are removed immediately and the related workspace records (organizations, clients, invoices, payments, recurring schedules) and their generated PDFs are marked for deletion. We retain the marked records for 30 days for compliance and audit reasons, after which a scheduled job permanently purges them. We do not provide a self-serve or support-side restore path: if there is any chance you may want this data, download the ZIP export from your account settings before deleting.

If you're based in the EU, you have rights under GDPR including the right to access, rectify, and erase your personal data. We're happy to assist with any data subject requests.

Drupd uses essential cookies required for authentication and session management. Product analytics (PostHog) and error tracking (Sentry) are loaded separately and gated on consent.

If you visit from the EU, EEA, UK, Switzerland, Brazil, or Canada, you'll see a banner on your first visit asking for explicit consent before any analytics or error tracking loads. No non-essential scripts run until you accept. You can revoke consent any time via the "Cookie preferences" link in the footer.

If you visit from the United States, we honor the Global Privacy Control (`Sec-GPC`) signal as an automatic opt-out of analytics and error tracking. You can also opt out manually from the footer.

We do not use advertising cookies or cross-site ad tracking cookies. Your consent choice is stored in a first-party cookie (`drupd_consent`) with a 12-month expiry. A detailed cookie inventory — with per-cookie purpose, duration, and owner — lives at /cookies.

We may update this policy as the product evolves. Material changes will be communicated via email to all registered users. The latest version is always available at this URL.

This policy was last updated on April 24, 2026.

If you have questions about this privacy policy or how your data is handled, reach out to us at privacy@drupd.com. We aim to respond within 48 hours.