Receivly — Privacy Policy

We collect two categories of data: information you give us directly, and information collected automatically when you use the platform.

Information you provide:

• Your email address, name, and business name when you create an account
• Invoice files (PDFs and images) that you upload to the platform
• Buyer names, business names, GST numbers, and contact details that you enter manually
• Your bank account details (account number and IFSC code) that you provide to enable payment collection via payment links. This information is stored securely and used solely to route payments to you and to satisfy applicable government compliance and tax reporting requirements
• Any other information you provide through forms, settings, or support requests

Information collected automatically:

• IP address and approximate location (city/region level) at login and during active sessions
• Browser type, operating system, and device type
• Pages visited, features used, and actions taken within the platform (usage logs)
• Authentication session tokens and timestamps
• API request logs, including timestamps and response codes, retained for security monitoring and rate limiting

We do not collect your precise geolocation. We do not collect your card number or CVV credentials — those are handled entirely by Dodo Payments and never pass through our systems.

A note on buyer data:

When you enter buyer names, GST numbers, and contact details into Receivly, you are sharing personal and business data of third parties with us. By doing so, you represent that you have a legitimate basis to process and share that information — for example, that it relates to a genuine commercial transaction. We process this data solely on your behalf to provide the service.

Your data is used exclusively to provide and improve the Receivly service. Specifically:

• Invoice data — parsed using AI to extract buyer details, amounts, tax breakdowns, and due dates
• Buyer data — used to calculate risk scores, track payment patterns, and generate reminders
• Bank account details — used to route incoming payments to you via payment links, and retained as required metadata for GST compliance, TDS records, and any government reporting obligations that apply to payment transactions processed through the platform
• Email address — used to send account notifications, payment reminders you trigger, and important service updates
• Usage logs and session data — used for security monitoring, debugging, rate limiting, and understanding how features are used so we can improve them
• IP address — used for authentication security, fraud prevention, and abuse detection

We do not use your data for advertising. We do not build profiles to sell or share with third parties. We do not use your data to train AI models. Invoice files processed through Google Gemini are used only for data extraction and are not used for model training by Google under their API terms.

All data is stored on Supabase (PostgreSQL) with encryption at rest. We use Row Level Security (RLS) to ensure each user can only access their own data. API routes are protected with authentication checks and rate limiting. All connections use TLS encryption in transit.

Bank account details are stored in encrypted form and access is restricted to the minimum necessary for payment processing and compliance purposes.

Third-party infrastructure:

Our platform is built on third-party services. Your data passes through or is stored on infrastructure operated by Google, Supabase, Resend, and Dodo Payments — all of whom are based outside India. This means your data is transferred internationally as part of normal platform operation. We rely on each provider's data processing commitments and standard contractual protections to ensure your data is handled appropriately.

Data breach notification:

In the event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware of it, by email to your registered address.

Retention:

We retain your data for as long as your account is active. After account deletion, your data is permanently deleted from our active systems within 30 days, except where retention is required by applicable Indian law — including obligations under the Goods and Services Tax Act, 2017, the Income Tax Act, 1961, and applicable payment and tax record-keeping regulations. Bank account metadata may be retained beyond the 30-day window specifically to satisfy these government compliance obligations. We retain only the minimum data required for the minimum legally required period, with restricted access, and delete it as soon as the obligation ceases.

Usage logs and security records are retained for up to 90 days and then deleted.

We do not sell your data. We do not share your data with advertisers. Ever.

We share data with the following third parties only as necessary to operate the service. None of them are permitted to use your data for their own commercial purposes.

Google Gemini API — Invoice PDF and image files are sent to Google's Gemini API for data extraction (reading invoice fields like buyer name, GSTIN, amounts, and tax breakdowns). Files are processed transiently — Google does not retain uploaded documents for training purposes under their API terms. Data is transferred to Google's servers outside India. Google's API data use policy.

Supabase — Our database and authentication provider. All account data, invoice records, buyer information, and bank account details are stored on Supabase's infrastructure in encrypted form. Supabase is headquartered in the United States. Supabase Privacy Policy.

Resend — Used to deliver email reminders that you send to your buyers, and transactional emails from Receivly. Resend processes email addresses and message content only as necessary for delivery. Resend Privacy Policy.

Dodo Payments — Handles subscription billing and payment link processing. When your buyers pay via a Receivly payment link, that transaction is processed by Dodo Payments. Your bank account details are shared with Dodo Payments to facilitate payment settlement to you. We never see or store card numbers or CVV credentials. Dodo Payments Privacy Policy.

We do not use analytics platforms or advertising networks. The third parties listed above are the complete list.

Access — You can view all your invoices, buyers, reminders, and account data from your Receivly dashboard at any time.

Correction — You can edit your account information, buyer details, and invoice records at any time from within the platform.

Deletion — You can delete your account and all associated data from Settings. This triggers permanent deletion within 30 days, subject to legal retention obligations described above. You can also request deletion by emailing contact@receivly.in. Note that bank account metadata may be retained beyond this window for compliance reasons as described above. You can request deletion of complete data by mailing us.

Withdraw consent — You may withdraw consent to data processing at any time by deleting your account. Withdrawal of consent means we can no longer provide the service to you.

Grievance — If you have a concern about how we handle your data, contact us at contact@receivly.in with the subject line "Privacy Concern". We will acknowledge your message within 72 hours and aim to resolve it within 30 days.

We use essential cookies only — for authentication sessions and keeping you logged in. We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party marketing scripts.

The cookies we set:

• Session cookie — keeps you authenticated while you use the platform. Expires when you log out or after 30 days of inactivity.
• CSRF token — protects form submissions from cross-site request forgery attacks.

There is nothing to opt out of. If you disable all cookies, the platform will not function as authentication requires session cookies.

We may update this policy from time to time. When we make significant changes — changes that affect how we collect, use, or share your data — we will notify you by email at least 14 days before the changes take effect. Minor updates such as clarifications may be made without notice. The "Last updated" date at the top of this page always reflects the most recent revision.

Continued use of Receivly after the effective date of any changes constitutes acceptance. If you do not agree with a material change, you may delete your account before it takes effect.

For privacy-related questions, data requests, or concerns:

Email: contact@receivly.in

Subject line for data requests: "Privacy Request"

Subject line for concerns: "Privacy Concern"

We aim to respond within 3 business days (Indian working days, excluding national public holidays).

If something doesn't feel right about how we handle your data, tell us.