Privacy Policy

Last updated: 25 April 2026

What we collect

  • Account info: name, email, password (hashed), tier
  • Business data: business names, TRNs, IBANs, logos, addresses
  • Customer data: contact details you enter for your customers
  • Invoice data: line items, amounts, dates, PDFs and XMLs you generate
  • Payment data: handled by our payment processor (Stripe). We never see or store full card numbers.
  • Usage data: server logs, error reports, basic analytics

How we use it

  • To run the Service — generate invoices, send emails, store XMLs
  • To provide support when you contact us
  • To bill you correctly
  • To improve product reliability and security
  • To comply with legal obligations (e.g. tax record retention)

We do not sell your data, share it with advertisers, or use it for marketing to your customers.

Where it lives

Your data is stored on Supabase (PostgreSQL) infrastructure hosted in AWS. Files (PDFs, XMLs, logos) are in Supabase Storage. Emails are sent through Resend. Payments are processed by Stripe.

All connections use TLS encryption. Database backups are encrypted at rest.

Public share links

When you generate a "Share link" for an invoice or credit note, the document becomes accessible to anyone who has that URL — without login. The link contains a 48-character random token. You can revoke any share link at any time from the document detail page.

Third parties we use

  • Supabase — database, auth, storage
  • Vercel — application hosting
  • Stripe — payment processing
  • Resend — outbound email
  • Tesseract.js — runs entirely in your browser; no data sent to us during scans

Each of these has its own privacy policy. We've selected providers we trust with our customers' data.

Your rights

You can:

  • Access all your data via the app
  • Export it (ledger CSV, individual PDFs/XMLs)
  • Edit or delete records yourself
  • Delete your account, which removes your data within 30 days (except records we must retain for tax/legal compliance — typically 5 years for UAE VAT records)

Cookies

We use essential cookies for authentication and session management only. No tracking cookies, no advertising cookies.

Children

The Service is not intended for users under 18. We do not knowingly collect data from children.

Changes

We may update this policy from time to time. We will notify you of significant changes by email.

Contact

Privacy questions? Email mroshan915@gmail.com.