Privacy.

What PaidProof collects, where it lives, who else touches it, and how to make it go away.

Last verified 2026-05-08.

Who is the controller.

PaidProof is operated by a Polish individual under działalność nierejestrowa (unregistered economic activity). Address and a Data Processing Agreement are available on request to support@paidproof.app. For data submitted by you about your clients, you remain the controller and PaidProof acts as your processor.

What we collect.

  • Account email: Used to sign in, recover access, and send the four lifecycle emails (welcome, trial reminder, paid receipt, cancellation).
  • Workspace contents: Projects, clients, contracts, invoices, deliverable files, dispute kits, project activity. Whatever you enter or upload.
  • Inbound email content: When you BCC your @log.paidproof.app alias on a client thread, the message and attachments are stored against the matched project as evidence.
  • Billing identity: Lemon Squeezy holds the card and tax data; PaidProof stores only the customer ID, subscription ID, and plan.
  • Product events: PostHog captures funnel events (signup, project created, contract signed, dispute kit generated) keyed to the synthetic auth ID. Real email is not sent to PostHog.
  • Error reports: Sentry captures stack traces and the synthetic auth ID on failure paths. Request bodies are scrubbed.
  • Ad attribution: If you arrived from a Reddit Ads click and consented to analytics cookies, Reddit Pixel records the visit and Reddit Conversion API records signup or purchase against a hashed identifier.

Where it lives.

The primary database is Supabase Postgres in the EU (Ireland, eu-west-1). Disk is encrypted at rest. Contract bodies, signature blobs, and inbound email content are encrypted again at the application layer with AES-256-GCM before they reach the database — the key is held in the application host’s environment, not in the database. See Security for the threat model.

Sub-processors.

The third parties PaidProof hands data to, and what each one sees:

  • Supabase: Database, authentication, file storage. EU (eu-west-1, Ireland)
  • Vercel: Application hosting, edge runtime, logs. Global edge
  • Resend: Outbound transactional and inbound email. US / EU
  • Lemon Squeezy: Merchant of Record — payment, invoicing, tax. US
  • Cloudflare: Domain registrar, DNS, email routing for support@. Global
  • PostHog: Product analytics — event capture, session funnel. EU
  • Sentry: Error and exception reporting. EU
  • Reddit Ads: Conversion attribution (Pixel + Conversion API). US

Cookies.

  • pp_initial: Essential. Holds the first letter of your account email so the marketing nav can show your avatar after login. Cleared on sign-out.
  • pp_utm: Essential. Persists the UTM parameters from your first visit so a later signup can be attributed.
  • pp_consent: Essential. Records your cookie banner choice (accept or decline). Without it the banner re-appears every visit.
  • Supabase auth cookies: Essential. Session and refresh tokens. Cleared on sign-out.
  • PostHog: Optional. Loaded only after you accept the cookie banner. Decline and PostHog never initialises.
  • Reddit Pixel: Optional. Loaded only after you accept the cookie banner. Decline and the pixel script never loads.

Retention.

Workspace data lives until you delete it or close the workspace. Account deletion drops every row tied to your workspace, with a 30-day grace window in case you change your mind. Signed contracts are immutable — deletion zeroes the row but the database trigger prevents tampering before then. The forensic audit log keeps row-deletion records for 24 hours then prunes itself; PostHog and Sentry retain on their own schedules (currently one year and 30 days respectively).

Your rights.

Under GDPR you can ask for access, correction, deletion, export, and restriction. Most of these are one-button already in Settings — export and close-workspace. For anything the UI doesn’t cover, mail support@paidproof.app and you’ll have a reply within 72 hours. CCPA residents get the same rights via the same channel.

Children.

PaidProof is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has signed up, mail support@paidproof.app and the account will be deleted.

Changes.

When this page changes, the verification date at the top changes with it. Material changes (new sub-processor, broader data collection) are announced by email to all account holders before they take effect.

Contact.

Privacy questions, deletion requests, DPA signature: mail support@paidproof.app. Acknowledged within one business day, resolved within 72 hours.