PaymentPulse

Privacy Policy

Last updated: February 7, 2026

1. Data Controller

The data controller for personal data processed through PaymentPulse is:

Blackbox Labs SRL
B-dul Unirii nr 59, bl 59, et 5, ap 50
Focsani, Vrancea, Romania
CUI: RO33784095 | Reg. No: J/39/560/2014
Registration with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP): pending
Email: privacy@paymentpulse.io

2. Introduction

PaymentPulse ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our invoicing and payment reminder platform ("the Service"). We comply with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Romanian data protection legislation (Law 190/2018).

3. Data We Collect

We collect the following categories of data:

  • Account data: Email address, password (hashed), company name, business address, and phone number
  • Client data: Names, email addresses, phone numbers, business details, and tax identifiers of your clients
  • Financial data: Invoice amounts, expense records, payment information, and bank transaction data (via Plaid integration)
  • Usage data: Feature usage timestamps and application interaction data stored in server logs
  • Communication data: Email reminders sent through the platform and their delivery status

4. How We Use Your Data

We use your data to:

  • Provide and maintain the Service (invoicing, reminders, reports)
  • Process payments and manage subscriptions via Stripe
  • Send transactional emails (reminders, receipts, notifications)
  • Generate financial reports and analytics for your account
  • Improve the Service through aggregated, anonymized usage analytics
  • Prevent fraud and ensure platform security
  • Comply with legal obligations (tax reporting, record-keeping)

5. Legal Basis for Processing (GDPR Article 6)

We process your data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for
  • Legitimate interest (Art. 6(1)(f)): Improving the Service, preventing fraud, and ensuring security
  • Consent (Art. 6(1)(a)): Marketing communications and optional analytics (you can withdraw consent at any time)
  • Legal obligation (Art. 6(1)(c)): Compliance with tax and financial regulations

6. Third-Party Processors (Subprocessors)

We share data with the following third-party processors:

  • Stripe, Inc. (USA) — Payment processing and subscription management
  • Plaid, Inc. (USA) — Bank account connections and transaction data (optional, encrypted at rest)
  • Resend, Inc. (USA) — Transactional email delivery
  • Anthropic, PBC (USA) — AI-powered message personalization (invoice data is processed but not stored by Anthropic)
  • Supabase, Inc. (USA) — Database hosting
  • Railway Corp. (USA) — Application hosting

All third-party processors are contractually bound to protect your data and process it only as instructed. For international transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) or EU adequacy decisions. A complete subprocessor list is maintained in our Data Processing Agreement.

7. Data Security

We implement industry-standard security measures including: encrypted data transmission (TLS), hashed passwords (bcrypt), encrypted bank credentials (AES-256-GCM), rate limiting, and regular security audits. Access to production data is restricted to authorized personnel only.

8. Data Retention

We retain your data for as long as your account is active. Financial records may be retained for up to 10 years as required by Romanian fiscal legislation (Law 82/1991 — Accounting Law). Upon account deletion, personal data is permanently removed within 30 days, except where legal retention requirements apply.

9. Your Rights (GDPR Articles 15-22)

Under GDPR, you have the right to:

  • Access (Art. 15): Request a copy of all personal data we hold about you
  • Rectification (Art. 16): Correct inaccurate personal data
  • Erasure (Art. 17): Request deletion of your account and personal data
  • Data portability (Art. 20): Export your data in a machine-readable format (JSON)
  • Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Objection (Art. 21): Object to processing based on legitimate interest
  • Withdraw consent: Withdraw consent for optional processing at any time
  • Automated decision-making (Art. 22): Right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you

You can exercise these rights through your account settings (Settings → Privacy) or by contacting us at privacy@paymentpulse.io. We will respond within one month. This period may be extended by two further months where necessary, taking into account the complexity of the request (GDPR Art. 12(3)).

10. Cookies

PaymentPulse uses only essential cookies and local storage for authentication (JWT tokens). We do not use tracking cookies or third-party advertising cookies. For more details, see our Cookie Policy.

11. International Transfers

Some of our third-party processors (Stripe, Plaid, Anthropic, Resend, Supabase, Railway) may process data outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, where applicable, supplementary measures in accordance with the EDPB recommendations.

Automated Decision-Making and Profiling (Article 22)

PaymentPulse uses algorithmic risk scoring to assess the likelihood of late payment from your clients. This score is based on payment history, invoice age, and other factors. This scoring is used for informational purposes only (displaying a risk indicator) and does not result in automated decisions that produce legal effects or similarly significant effects on any individual. You may request human review of any risk score by contacting us.

PaymentPulse also uses AI (Anthropic Claude) to generate personalized reminder message suggestions. These messages are always presented as drafts for your review and are never sent automatically without your approval.

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay via email and in-app notification, as required by GDPR Article 34. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.

12. Children's Privacy

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top indicates the most recent revision.

14. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest 010336, Romania
Phone: +40 318 059 211
Website: dataprotection.ro

If you reside in another EU/EEA member state, you may also contact your local Data Protection Authority.

15. Contact

For privacy-related inquiries or to exercise your rights, contact us:

Blackbox Labs SRL
B-dul Unirii nr 59, bl 59, et 5, ap 50
Focsani, Vrancea, Romania
CUI: RO33784095 | Reg. No: J/39/560/2014
Email: privacy@paymentpulse.io