Privacy Policy

1. Who we are

Durvy ("we", "us", "our") operates the Durvy suite, including Receiptly, Invoicy, Timely, and Clienty (together, the "Services"). For privacy questions, contact us at privacy@durvy.app.

2. What data we collect

Account data

• Name and email address (provided when you sign up)
• Hashed password (if you sign up with email/password)
• OAuth identifiers (if you sign up with Google)

Content you create

• Receipt images, expense data, categories (Receiptly)
• Invoices, line items, client contact details, payment records (Invoicy)
• Time entries, project details, hourly rates (Timely)
• Client notes, contact logs, project milestones (Clienty)

Technical data

• IP address, browser type, device information (for security and debugging)
• Session cookies (to keep you signed in)
• Server logs (request paths, response codes, timestamps)

3. How we use your data

• To provide and improve the Services
• To authenticate you and protect your account
• To process payments via our payment processor (Paddle)
• To send transactional emails (invoice deliveries, reminders, account notifications)
• To respond to support requests
• To comply with legal obligations

We do not sell your data, and we do not use it for advertising or share it with third parties for marketing.

4. Third-party services

We rely on the following processors to operate the Services:

• Turso - primary database (operated by ChiselStrike, Inc.)
• Vercel - application hosting and edge compute
• Cloudflare R2 - receipt image and PDF storage
• Resend - transactional email delivery
• Paddle - payment processing and Merchant of Record
• Google Cloud Vision - OCR for receipt extraction (Receiptly only)
• Anthropic - AI parsing of OCR output (Receiptly only)
• Better Auth - self-hosted authentication library

Each processor has its own privacy policy. We share only the minimum data needed for them to provide their service.

5. Data retention

We retain your account and content for as long as your account is active. If you cancel your subscription, we keep your data accessible at the free tier so you don't lose anything. If you delete your account, we delete your data within 30 days, except for transactional records we're legally required to retain (e.g., invoices for tax purposes).

6. Your rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion (right to be forgotten)
• Export your data (CSV/PDF available from Settings in each app)
• Object to processing or withdraw consent
• Lodge a complaint with your local data protection authority

To exercise any of these, email privacy@durvy.app.

7. Cookies

We use a single first-party session cookie to keep you signed in. We do not use tracking cookies, advertising cookies, or third-party analytics that track you across sites.

8. Security

All data is transmitted over HTTPS. Passwords are hashed with industry-standard algorithms. Database access is restricted by per-user authorization on every query. We are not perfect - if you discover a security issue, please email We are not perfect - if you discover a security issue, please email security@durvy.app rather than disclosing publicly.

9. International transfers

Our infrastructure runs in the United States and European Union. By using the Services you consent to your data being processed in those jurisdictions.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email at least 30 days before they take effect.

Contact

Questions? privacy@durvy.app