Back to siteDelivvo
Legal

Privacy Policy

Last updated April 22, 2026

How Delivvo collects, uses, stores, and protects personal data across the product and client portals.

This Privacy Policy explains how Delivvo collects, uses, stores, shares, and protects personal data when you use our website, dashboard, private client portals, and related services. It applies to freelancers, agency users, invited client users, and visitors to delivvo.io.

This policy is written to reflect Delivvo's current product and operating model. Because Delivvo serves users in multiple regions, this policy is intended to account for the UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (the "UAE PDPL"), the EU General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").

Scope and roles

When Delivvo collects and uses personal data for account creation, authentication, product operations, support, billing administration, and security, Delivvo acts as a controller or business for that information.

When a freelancer or agency uses Delivvo to upload client information, share files, send contracts or invoices, and manage communications inside a project portal, Delivvo generally acts as a processor or service provider on behalf of that freelancer or agency. In that situation, the freelancer or agency decides what client data to upload, why to use it, and how long to keep it. If you are a client user and want to ask questions about project-specific data, you should first contact the freelancer or studio that invited you to the portal.

Personal data we collect

We collect different categories of personal data depending on how you use Delivvo.

Information you provide directly

If you create a Delivvo account, we may collect:

  • your name
  • email address
  • password or authentication credentials
  • business name
  • profile details such as tagline, website, discipline, logo, or avatar
  • plan selections, onboarding answers, and support requests

If you are invited to a client portal, we may collect:

  • your name
  • email address
  • optional company name, phone number, or notes provided by the freelancer or by you
  • information you enter into messages, approvals, remarks, uploads, contracts, or intake responses

If you contact support, request a demo, ask for a refund, or execute a DPA, we may collect the information you provide in those requests, including business contact details and correspondence records.

Project and file data

Delivvo is designed to host business workflow data. That means we may store:

  • project titles, descriptions, deadlines, milestones, and status fields
  • client records created by freelancers
  • contracts, invoices, proposals, questionnaires, deliverables, and comments
  • files uploaded by freelancers or client users, including metadata such as file name, size, upload time, and project association
  • approval records, signature names, timestamps, and related workflow history

Billing and subscription data

Paid plans are not yet fully enabled in-product, but Delivvo is designed to support subscriptions and related billing features. When those features are active, we may collect and store:

  • plan, subscription status, trial status, renewal dates, and billing references
  • invoices, amounts, and payment status data
  • customer IDs and subscription IDs from our payment processor

We do not intentionally store full card numbers or similar raw payment credentials on our own systems. Payment information is handled by the relevant payment processor.

Technical and usage data

We automatically collect limited technical and operational data when you use Delivvo, such as:

  • IP address or approximate network information
  • browser type, device type, operating system, and language settings
  • timestamps for logins, portal access, file activity, and workflow events
  • server logs, error logs, and audit trails
  • cookie or session identifiers used to keep you signed in or remember preferences

We use this data to operate the service, maintain security, investigate abuse, and improve performance.

How we use personal data

We use personal data for the following purposes:

  • to create, maintain, and secure user accounts
  • to authenticate freelancers and invited client users
  • to host project portals and display project content to authorized users
  • to send transactional emails such as login links, one-time passcodes, invoice reminders, portal invites, support responses, and product notices
  • to generate contracts, invoices, PDFs, signatures, and approval records
  • to enforce plan limits, storage caps, and abuse-prevention controls
  • to respond to support tickets, disputes, and legal requests
  • to comply with applicable law, defend our rights, and maintain audit records
  • to improve product quality, reliability, and security

We do not use the product data you store in Delivvo to build advertising profiles about you, and we do not sell your personal information.

Legal bases for processing

Depending on your location and the context, Delivvo relies on one or more of the following legal bases:

  • Contractual necessity. We process personal data as needed to provide Delivvo, maintain accounts, operate project portals, and perform our obligations under our Terms or another contract with you.
  • Legitimate interests. We process data where necessary for security, fraud prevention, service reliability, abuse prevention, product administration, and internal analytics that do not override applicable rights.
  • Consent. We rely on consent where required, such as when you voluntarily provide certain optional information or where local law requires consent for particular processing.
  • Legal obligation. We may process data to comply with tax, accounting, law-enforcement, court-order, sanctions, consumer-protection, or data-protection obligations.

For users in the UAE, Delivvo intends to process personal data consistently with the UAE PDPL. For users in the EU or EEA, Delivvo intends to process personal data consistently with the GDPR. For California residents, Delivvo provides the notices in this policy to satisfy applicable CCPA disclosure requirements.

Cookies and similar technologies

Delivvo uses a small set of cookies and similar technologies to operate the service and remember user preferences. These include authentication cookies, client portal session cookies, and theme-preference cookies. At the time of this policy, Delivvo does not use analytics cookies or advertising cookies on the public product experience.

Examples of cookies or local storage values that may be used include:

  • sb-access-token and sb-refresh-token for authenticated freelancer sessions
  • portal_session for authenticated client portal access after OTP verification
  • theme for light or dark mode preference
  • delivvo_impersonate if an admin-only impersonation feature is enabled in the future

Development-only cookies may also exist on local or demo environments, but they are not intended for production users.

For more detail, please see our Cookie Policy.

How we share personal data

We share personal data only where necessary to operate Delivvo, comply with law, or protect rights and safety. We may share personal data with the following categories of recipients:

  • service providers and infrastructure vendors that host, authenticate, deliver email, process payments, or support the service
  • professional advisers such as lawyers, auditors, or insurers where needed for legitimate business purposes
  • law enforcement, regulators, courts, or other third parties when required by law or to protect Delivvo, our users, or the public
  • a buyer, investor, or successor entity in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections

We do not sell personal data. We also do not share personal data for cross-context behavioral advertising as those terms are commonly used under California privacy law.

Current subprocessors

Delivvo currently relies on a limited set of subprocessors and infrastructure providers. These may include:

  • Supabase for database hosting, authentication, and file storage. Delivvo's current Supabase stack is configured in the ap-southeast-1 region.
  • Vercel for application hosting and content delivery, where applicable.
  • Resend for transactional email delivery.
  • Lemon Squeezy for subscription billing and payment processing when payments are enabled.

We may update our provider list from time to time as the product evolves. If we add materially new providers that affect how data is handled, we will update this policy.

International transfers

Because Delivvo uses cloud providers and serves users in multiple jurisdictions, personal data may be processed in countries other than the country where the user is located. This may include the UAE, Singapore, the United States, and other locations where our providers operate.

When applicable, we take steps intended to support lawful transfers, such as using contractual commitments, vendor data-processing terms, and other safeguards appropriate to the transfer and the roles of the parties. If you are in the EU or EEA, you may contact us for additional information about relevant transfer safeguards.

Data retention

We retain personal data for as long as necessary for the purposes described in this policy, including to provide the service, maintain account continuity, support the freelancer-client workflow, comply with law, resolve disputes, and enforce our agreements.

As a general rule:

  • account and workspace data is kept while the account remains active
  • if an account is deleted, we aim to remove associated personal data from active systems within 30 days, unless we must retain some records longer for legal, tax, fraud-prevention, or security reasons
  • support records, audit trails, and limited backup copies may remain for a reasonable period where necessary for business continuity or compliance

Retention may vary depending on the nature of the data, the requests of the account owner, and the legal obligations that apply.

Security

We use administrative, technical, and organizational measures intended to protect personal data. These measures include encrypted transport over HTTPS, access controls, role restrictions, password protection, audit logging, and security monitoring. Where supported by our infrastructure providers, data is also encrypted at rest.

No method of transmission or storage is perfectly secure. For that reason, while we work to protect personal data, we cannot guarantee absolute security. Users are also responsible for protecting account credentials, using strong passwords, and controlling access to project information on their side.

Your privacy rights

Depending on where you live, you may have some or all of the following rights, subject to applicable conditions and exceptions:

  • access personal data we hold about you
  • know what categories of data we collect, the sources of that data, the purposes for using it, and the categories of recipients to whom it is disclosed
  • request correction of inaccurate or incomplete personal data
  • request deletion of personal data
  • request restriction of processing, or object to certain processing
  • withdraw consent where processing is based on consent
  • request portability of personal data in a usable format
  • appeal or complain to a supervisory authority or regulator, where available

If you are a California resident, you may also request information about the categories of personal information collected, disclosed for business purposes, corrected, or deleted during the previous 12 months. Delivvo does not sell personal information and does not share personal information for cross-context behavioral advertising, so there is currently no "Do Not Sell or Share" workflow specific to that activity.

Delivvo does not use sensitive personal information for purposes that would require a special California right-to-limit workflow beyond what is reasonably necessary to provide the service.

How to exercise your rights

To submit a data access, correction, deletion, portability, or other privacy request, email support@delivvo.io. We may ask for additional information to verify identity and confirm that the requester is entitled to make the request. Where Delivvo acts only as a processor or service provider for a freelancer or agency, we may direct the request to the relevant account owner or ask you to contact them directly.

We aim to respond within the time required by applicable law. In many cases that will be within 30 days, though some requests may take longer if legally permitted and reasonably necessary.

Children's data

Delivvo is designed for business use and is not directed to children. We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to Delivvo, contact us and we will take appropriate steps to investigate and, where appropriate, delete the data.

Changes to this policy

We may update this Privacy Policy from time to time to reflect product changes, legal developments, or operational requirements. If we make a material change, we will revise the "updatedAt" date and may also provide notice through the product or by email where appropriate.

Contact

For privacy requests or questions about this policy, contact support@delivvo.io.