1. Who we are
DuePay is an outsourced invoicing and payment collection service for UK builders, provided by Elegant Haven Ltd, a company registered in England and Wales under company number 15385522, with registered office at 44 Broadway, Stratford, London, E15 1XH (“we”, “us”, “our”). We trade under the name “DuePay” and operate the website and progressive web app at duepay.co.uk.
Builders hand their invoices to us and we send them to their clients, follow up by SMS, email and phone, and collect payment on the builder’s behalf. To deliver this service we necessarily process personal data of the builder’s clients.
For UK GDPR and the Data Protection Act 2018, Elegant Haven Ltd is the data controller for personal data about our account holders (“builders”). For personal data about a builder’s own clients that we process in order to issue invoices, follow up, and collect payment on the builder’s behalf, the builder is the data controller and Elegant Haven Ltd (trading as DuePay) acts as a data processor for them (see section 5).
Contact: office@duepay.co.uk
2. What personal data we collect
Account data
- Full name
- Email address
- Password, if you chose email/password sign-up (stored only as a hash; we never see it in clear text)
- Profile photo and basic Google profile information (if you sign in with Google)
- Uploaded avatar image (optional)
Business data
- Company or trading name
- Phone number
- Trading address (optional)
- Business size, invoice volume, and other onboarding preferences you give us
Client data (entered by you, the builder)
- The names, email addresses, phone numbers, and project details of your own customers
- Project descriptions, payment schedules, and invoice line items you create
Payment data
- Card payment processing runs through Stripe Connect (for client-to-builder payments) and Stripe Billing (for our platform fee). Stripe holds all card credentials — card numbers, CVC, and full bank account credentials are never stored by us. We only receive identifiers (e.g. Stripe account ID, customer ID, payment intent ID, payout status) needed to reconcile transactions.
- For builders who onboard with Stripe, identity and business verification data is collected directly by Stripe.
- For builders who choose to receive payments by bank transfer (BACS), we store the builder's UK sort code (6 digits) and account number (8 digits) so that we can display these on the invoices we send to your clients. These are receive-only details — we never use them to initiate payments, debits, or transfers. They are stored in our UK-hosted database (Supabase, eu-west-2 region) which is encrypted at rest at the storage layer, with access restricted by role-based permissions and audit logging.
- A snapshot of these BACS details is also recorded against each invoice at the time of issue, so the invoice's payment information is preserved even if the builder later changes their bank details.
Device and usage data
- Firebase Cloud Messaging (FCM) push tokens, platform (iOS / Android / web), and device metadata required to deliver notifications you've asked for. Push notifications on iOS devices are delivered via Apple's APNs (Apple Push Notification service), which we access through Firebase Cloud Messaging.
- Log data (IP address, browser/device type, pages visited, timestamps) for security, abuse prevention, and debugging.
Cookies and local storage
- Authentication cookies set by our auth provider (Supabase) to keep you signed in.
- Strictly necessary cookies for security, fraud prevention, and session management.
- PWA local storage and service worker caches for offline support and performance.
We do not use advertising cookies or third-party analytics cookies that profile you across sites. Because we use only strictly necessary cookies, we do not require a cookie consent banner under the UK Privacy and Electronic Communications Regulations (PECR).
Sensitive data we do not collect
We do not collect health data, biometric data, precise location data (beyond IP-based country and region), government identifier data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or sexual orientation data. Financial data we hold is limited to invoice amounts, payment status, and transaction identifiers. Full card credentials (card numbers, CVC) are never stored by DuePay — these are held by Stripe. Where the builder chooses BACS (UK bank transfer) as a payment method, we store the builder's own UK sort code and account number for invoice display only; these are not used to initiate payments and are stored in an access-restricted, UK-hosted database with disk-level encryption at rest.
3. How we collect personal data
- Directly from you when you sign up, complete onboarding, create clients and invoices, or contact us.
- From Google, if you choose “Sign in with Google” (name, email, profile picture, verified email flag).
- From Stripe, during Stripe Connect onboarding and throughout payment processing.
- From your device, when you grant notification permission (FCM token, platform).
- Automatically, via standard server logs when you use the Service.
4. Why we process your data and our legal basis (UK GDPR)
| Purpose | Legal basis |
|---|---|
| Creating and running your account | Contract (Article 6(1)(b)) |
| Delivering the core Service: invoices, reminders, payment collection | Contract |
| Processing payments via Stripe Connect | Contract |
| Keeping the Service secure, preventing fraud and abuse | Legitimate interests (Article 6(1)(f)) |
| Improving the Service (aggregated, non-identifying usage patterns) | Legitimate interests |
| Sending push notifications (invoice paid, client reminders, etc.) | Consent (Article 6(1)(a)) — revocable anytime in device settings |
| Complying with UK legal obligations (tax, accounting, fraud reporting) | Legal obligation (Article 6(1)(c)) |
5. Builders as data controllers for client data
When you use DuePay to record your own customers and projects, you are the data controller for that information and we are your processor. You must:
- Have a lawful basis under UK GDPR for entering your clients' personal data.
- Tell your clients, in your own privacy notice, that you use DuePay to manage invoicing.
- Only use the Service for lawful purposes and not enter third-party data you have no right to hold.
We will process your client data only on your documented instructions (using the Service counts as instructions) and in line with this Privacy Policy. If you require a formal Data Processing Addendum (for example, to satisfy your own compliance obligations), contact us at office@duepay.co.uk.
6. Who we share data with
We share data only with service providers who help us run the Service, and only to the extent necessary.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Application database, authentication, file storage | eu-west-2 (London, UK) |
| Stripe (including Stripe Connect) | Payment processing, payouts, Stripe's own verification | UK / EU / US |
| Google (Sign-In / OAuth) | Authenticating users who choose Google sign-in | US |
| Google Firebase Cloud Messaging | Delivering push notifications | US |
| Hosting and CDN providers (e.g. Vercel) | Serving the website and PWA | US / global edge |
International transfers. Some providers process data outside the UK. Data transferred to US-based providers (Stripe, Google Firebase, Vercel) is protected by Standard Contractual Clauses with the UK Addendum, and, where applicable, by the UK extension to the EU-US Data Privacy Framework. We do not transfer personal data to any country without an appropriate UK-recognised safeguard in place.
We do not sell personal data and we do not share it with third parties for their own marketing.
We may disclose data if required to do so by law, court order, or to protect our rights, users, or the public.
7. How long we keep data
- Active accounts: for as long as you use the Service.
- Account identity data (name, avatar, profile, contact details) after account closure: deleted or anonymised within 30 days.
- Invoice, payment, and financial records: retained for six years after the relevant financial year to meet HMRC and UK tax obligations, even if your account is closed. These records may be anonymised or redacted where possible.
- Support correspondence: up to two years.
- Security logs: up to 12 months.
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), subject to legal retention requirements.
- Restrict or object to certain processing.
- Receive your data in a common, machine-readable format (data portability).
- Withdraw consent where we rely on consent (e.g. turn off push notifications).
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.
We are not required to appoint a Data Protection Officer under UK GDPR. For all data protection enquiries, including exercising any of the rights above, email office@duepay.co.uk. We will respond within one month.
9. Managing your data within DuePay
Within the DuePay app and web account, you can at any time:
- Update your name, email, business details, and contact information via Settings.
- Manage notification preferences, including disabling push notifications.
- View, edit, or delete clients, projects, and invoices you have created.
- Export your invoices as PDFs.
- Update or remove your saved payment method.
- Delete your account directly via Settings (see Section 10 for what happens to your data after deletion).
You do not need to email us to perform any of these actions — they are available directly in your account.
10. Deleting your account
You can delete your account at any time directly within the DuePay app and web account, via Settings → Account → Delete Account. The in-app deletion flow will permanently remove your account, and you will receive a confirmation email when deletion is complete.
Alternatively, you can request deletion by emailing office@duepay.co.uk from your registered email address.
Once you delete your account:
- We will delete your account data within 30 days
- Records we are required to retain under UK law (for example, invoice and payment records under HMRC requirements — see Section 7) will be retained but anonymised or redacted where possible
- We will instruct Stripe to close any Connect account you created through us
- Active subscriptions or pending platform fees will be settled before deletion completes
11. Security
We use industry-standard measures including TLS in transit, encryption at rest for our database, strict role-based access controls, and audit logging. No system is perfectly secure, but we work hard to protect your information.
Data breaches. If we suffer a breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required, and we will notify affected users without undue delay where the risk is high.
12. Children
DuePay is intended exclusively for adults aged 18 or over operating as professional builders, tradespeople, or business owners. We do not market to, design for, or knowingly collect personal data from anyone under 18. If we discover that we have collected data from a person under 18, we will delete it immediately. If you believe a child has provided personal data to us, please contact office@duepay.co.uk and we will delete it without delay.
13. Changes to this policy
We may update this Privacy Policy as the Service evolves. The “Last updated” date at the top will always reflect the current version. Material changes will be communicated by email or in-app notice before they take effect.
14. Contact
Elegant Haven Ltd (trading as DuePay)
44 Broadway, Stratford, London, E15 1XH
Email: office@duepay.co.uk
Website: duepay.co.uk