Last updated: March 2026
Privacy Policy
PayRelay (“we,” “us,” or “our”) provides software that automates invoice payment reminders for businesses using QuickBooks Online. This Privacy Policy explains what data we collect, why we collect it, and how we protect it. By using PayRelay, you agree to the practices described below.
1. Roles and Scope
PayRelay acts as a data controller for information you provide when creating and managing your account (your name, email, and settings). For data we process about your customers solely on your instruction — such as their names and email addresses pulled from QuickBooks — we act as a data processor on your behalf. You remain responsible for the lawfulness of processing your customers’ data.
This policy applies to users of the PayRelay web application. It does not apply to third-party services we integrate with; those services have their own privacy policies.
2. Information We Collect
Account information
When you sign up, we collect your name and email address through Clerk, our authentication provider. This is used to create and secure your account and to communicate with you about the service.
QuickBooks business data
When you connect your QuickBooks Online account via OAuth, we access and store the following:
- Invoice records: invoice number, due date, outstanding balance, and currency
- Customer records: customer name and billing email address
- Business name as configured in your QuickBooks account
We access this data solely to identify invoices that require payment reminders and to compose those reminders on your behalf. We do not access payroll data, tax records, bank account information, or any other QuickBooks data beyond what is necessary to operate the service.
Settings and preferences
We store the configuration you set up in PayRelay, including your reminder schedule, business timezone, reply-to email address, and sending preferences.
Email activity data
We maintain logs of reminder emails sent through the platform, including recipient address, send timestamp, delivery status, and any error codes returned by our email provider (Postmark). We also log inbound replies that customers send in response to a reminder. These logs are used to provide you with delivery visibility and to flag issues that require your attention.
Usage data
We may collect standard server-side request logs (IP addresses, request timestamps, error codes) for security monitoring, debugging, and service reliability purposes. We do not use behavioral analytics that track individual users across sessions.
3. How We Use Your Information
- Service delivery: Reading your QuickBooks invoice and customer data, and sending automated payment reminder emails to your customers on your instruction.
- Account management: Creating and maintaining your account, authenticating your sessions, and managing your subscription and billing.
- Service reliability: Monitoring email delivery, logging errors, and alerting you when reminders fail or when a customer replies.
- Communications: Sending transactional notifications (e.g., billing receipts, service alerts). We do not send marketing email without your consent.
- Service improvement: Analyzing aggregate, de-identified usage patterns to improve system performance and reliability. We do not analyze individual invoice or customer data for this purpose.
- Legal compliance: Fulfilling legal obligations or responding to lawful requests from public authorities.
We do not sell your data. We do not use your data or your customers’ data for advertising. Your customers’ email addresses are used solely to deliver the reminders you instruct us to send.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, our legal bases for processing personal data are:
- Contract performance (Art. 6(1)(b)): Processing your account information and QuickBooks data to deliver the service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, debugging, and aggregate service analytics.
- Legal obligation (Art. 6(1)(c)): Retaining records required by applicable law.
5. Infrastructure Providers and Sub-processors
We share data with the following providers to the minimum extent necessary to operate PayRelay. Each is bound by data processing obligations consistent with this policy.
- Intuit (QuickBooks Online): Invoice and customer data is retrieved via Intuit’s OAuth 2.0 API. OAuth access tokens are encrypted at rest in our database. Intuit’s use of data is governed by the Intuit Privacy Statement.
- Postmark (ActiveCampaign): All outbound reminder emails and inbound reply routing are handled by Postmark. Customer email addresses and message content are transmitted to Postmark for delivery. Postmark’s privacy policy governs their handling of this data.
- Clerk: User authentication, identity management, and session security are provided by Clerk. Your sign-in credentials and identity information are held by Clerk under their privacy policy.
- Render: Our application servers and database are hosted on Render’s cloud infrastructure, located in the United States. Your data is stored on Render-managed servers. Render’s privacy policy governs infrastructure-level data handling.
We do not share your data with any other third parties except as required by law, court order, or to protect our legal rights.
We may change infrastructure providers from time to time. Material changes that affect how your data is stored or processed will be communicated in advance where practicable.
6. International Data Transfers
PayRelay is operated from and stores data in the United States. If you access PayRelay from outside the United States, your data will be transferred to and processed in the US. For EEA and UK users, we rely on standard contractual clauses (SCCs) and, where applicable, adequacy decisions as the legal mechanism for cross-border data transfers. Contact us at privacy@payrelay.co for more information about applicable transfer mechanisms.
7. Data Retention
We retain your data for as long as your account is active. Upon account deletion:
- Your account record, invoice data, customer email records, and sending history are permanently deleted from our database.
- Your QuickBooks OAuth tokens are revoked and deleted.
- Your identity information held by Clerk is deleted per Clerk’s account deletion process.
You may request account deletion at any time from the Settings page. We may retain certain records for longer where required by law (e.g., billing records for tax purposes). Email delivery logs held by Postmark are subject to Postmark’s own retention policy.
8. Data Security
We implement industry-standard safeguards to protect your information:
- QuickBooks OAuth tokens are encrypted with AES-256 before storage and remain encrypted at rest.
- All data in transit between your browser, our servers, and third-party providers is encrypted using TLS.
- Access to production systems is restricted to authorized personnel.
- Clerk provides secure session management with multi-factor authentication support.
No transmission over the internet or method of electronic storage is completely secure. While we take reasonable and appropriate steps to protect your data, we cannot guarantee absolute security. If we become aware of a security breach affecting your data, we will notify you in accordance with applicable law.
9. Your Rights
All users
Regardless of where you are located, you may:
- Request access to the personal data we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Disconnect your QuickBooks integration at any time from within the application.
To exercise any of these rights, contact privacy@payrelay.co. We will respond within 30 days.
EEA and UK users — GDPR / UK GDPR
You have additional rights under applicable data protection law, including the right to data portability, the right to restrict processing, and the right to object to processing based on legitimate interests. You also have the right to lodge a complaint with your local supervisory authority. Contact us at privacy@payrelay.co for GDPR-related requests.
California residents — CCPA / CPRA
California residents have the right to know what personal information we collect and how it is used, the right to request deletion of personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA. To exercise your rights, contact privacy@payrelay.co.
10. Cookies and Tracking
PayRelay uses only session cookies required for authentication, which are set by Clerk. We do not use advertising cookies, third-party tracking pixels, or cross-site analytics. We do not respond to Do Not Track signals because we do not engage in the type of cross-site tracking those signals are designed to prevent.
11. Children’s Privacy
PayRelay is a business-to-business service intended solely for adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the application at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of PayRelay after notice constitutes acceptance of the updated policy.
13. Contact
For privacy questions, data requests, or concerns about this policy, contact us at: privacy@payrelay.co