Last updated: February 2026
Privacy Policy
Important: This policy was last reviewed in February 2026. We recommend seeking independent legal advice for your specific situation.
1. Who we are
NotPaidYet Ltd ("we", "us", "our") is a UK-registered company providing automated invoice chasing services. We are the data controller for your personal information.
Contact details:
Email: privacy@notpaidyet.com
Address: NotPaidYet Ltd, United Kingdom
2. What data we collect
We collect and process the following types of personal data:
- Account information: Your name, email address, company name, and password (encrypted)
- Invoice data: Client names, email addresses, invoice amounts, due dates, and payment status
- Email addresses: Both your business email and the email addresses of clients you wish to chase for payment
- Usage data: How you use our service, including email opens, clicks, and system interactions
- Payment information: Billing details processed securely through Stripe (we do not store full card details)
3. How we use your data
We use your personal data for the following purposes:
- Service provision: To provide our invoice chasing service, including sending automated reminder emails on your behalf
- Email sending: To send professionally worded payment reminders to your clients via our email infrastructure (Resend)
- AI personalisation: To generate personalised email content using OpenAI's API based on invoice details and your tone preferences
- Payment processing: To process subscription payments and invoice payments via Stripe
- Analytics: To understand how our service is used and improve it
- Communication: To send service updates, respond to your enquiries, and provide customer support
4. Lawful basis for processing
We process your personal data under the following lawful bases under UK GDPR:
- Contract performance: Processing is necessary to perform our contract with you (providing invoice chasing services)
- Legitimate interests: We have a legitimate interest in improving our service, preventing fraud, and ensuring security
- Consent: Where you've given us explicit consent, such as for marketing communications or email capture on our public tools
- Legal obligation: We must retain certain financial records for tax compliance (6 years under UK law)
5. Data sharing
We share your personal data with the following third parties who act as data processors on our behalf:
- Stripe: Payment processing for subscriptions and invoice payments
- Resend: Email delivery infrastructure for sending payment reminders
- OpenAI: AI-powered email personalisation (invoice data passed as structured JSON, not free text)
We do not sell your personal data to third parties. All processors are bound by data processing agreements ensuring UK GDPR compliance.
6. International transfers
Some of our processors (notably OpenAI) are based in the United States. Data transferred outside the UK is protected by appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- Data processing agreements requiring GDPR-equivalent protections
- Technical measures including encryption in transit and at rest
7. Data retention
We retain your personal data as follows:
- Account data: Kept while your account is active. Deleted within 30 days of account closure unless legal retention applies
- Invoice records: Retained for 6 years after creation to comply with UK tax law (HMRC requirements)
- Email logs: Kept for 12 months for deliverability monitoring and dispute resolution
- Payment records: Retained for 7 years to comply with financial regulations
You can request earlier deletion of personal data not subject to legal retention requirements (see section 9).
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete personal data
- Right to erasure: Request deletion of your personal data (subject to legal retention obligations)
- Right to portability: Receive your data in a structured, machine-readable format (CSV or JSON)
- Right to restrict processing: Limit how we use your data in certain circumstances
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time
9. How to exercise your rights
To exercise any of your rights, email us at privacy@notpaidyet.com with your request. We will respond within 30 days.
We may ask you to verify your identity before processing requests that involve access to personal data.
10. Cookies
We use essential cookies to keep you logged in and secure your session. These do not require consent under PECR as they are strictly necessary for the service to function.
For full details about cookies we use, see our Cookie Policy.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page.
If we make significant changes that affect how we process your data, we will notify you via email or through a prominent notice in our service.
12. Complaints
If you believe we have not complied with UK GDPR, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113