Privacy Policy

When Delivvo collects and uses personal data for account creation, authentication, product operations, support, billing administration, and security, Delivvo acts as a controller or business for that information.

When a freelancer or agency uses Delivvo to upload client information, share files, send contracts or invoices, and manage communications inside a project portal, Delivvo generally acts as a processor or service provider on behalf of that freelancer or agency. In that situation, the freelancer or agency decides what client data to upload, why to use it, and how long to keep it. If you are a client user and want to ask questions about project-specific data, you should first contact the freelancer or studio that invited you to the portal.

We collect different categories of personal data depending on how you use Delivvo.

Information you provide directly

If you create a Delivvo account, we may collect:

• your name
• email address
• password or authentication credentials
• business name
• profile details such as tagline, website, discipline, logo, or avatar
• plan selections, onboarding answers, and support requests

If you are invited to a client portal, we may collect:

• your name
• email address
• optional company name, phone number, or notes provided by the freelancer or by you
• information you enter into messages, approvals, remarks, uploads, contracts, or intake responses

If you contact support, request a demo, ask for a refund, or execute a DPA, we may collect the information you provide in those requests, including business contact details and correspondence records.

Project and file data

Delivvo is designed to host business workflow data. That means we may store:

We use personal data for the following purposes:

• to create, maintain, and secure user accounts
• to authenticate freelancers and invited client users
• to host project portals and display project content to authorized users
• to send transactional emails such as login links, one-time passcodes, invoice reminders, portal invites, support responses, and product notices
• to generate contracts, invoices, PDFs, signatures, and approval records
• to enforce plan limits, storage caps, and abuse-prevention controls
• to respond to support tickets, disputes, and legal requests
• to comply with applicable law, defend our rights, and maintain audit records
• to improve product quality, reliability, and security

We do not use the product data you store in Delivvo to build advertising profiles about you, and we do not sell your personal information.

Where we send marketing or broadcast emails, every such message includes an unsubscribe link, and you can opt out at any time without affecting your account. Transactional and service emails (such as login links, one-time passcodes, invoice reminders, portal invites, security notices, and support responses) are necessary to operate your account and are not subject to that unsubscribe link.

Depending on your location and the context, Delivvo relies on one or more of the following legal bases:

• Contractual necessity. We process personal data as needed to provide Delivvo, maintain accounts, operate project portals, and perform our obligations under our Terms or another contract with you.
• Legitimate interests. We process data where necessary for security, fraud prevention, service reliability, abuse prevention, product administration, and internal analytics that do not override applicable rights.
• Consent. We rely on consent where required, such as when you voluntarily provide certain optional information or where local law requires consent for particular processing.
• Legal obligation. We may process data to comply with tax, accounting, law-enforcement, court-order, sanctions, consumer-protection, or data-protection obligations.

For users in the UAE, Delivvo intends to process personal data consistently with the UAE PDPL. For users in the EU or EEA, Delivvo intends to process personal data consistently with the GDPR. For California residents, Delivvo provides the notices in this policy to satisfy applicable CCPA disclosure requirements.

Delivvo uses a small set of cookies and similar technologies to operate the service and remember user preferences. These include authentication cookies, client portal session cookies, and theme-preference cookies. At the time of this policy, Delivvo does not use analytics cookies or advertising cookies on the public product experience.

Examples of cookies or local storage values that may be used include:

• sb-access-token and sb-refresh-token for authenticated freelancer sessions
• portal_session for authenticated client portal access after OTP verification
• theme for light or dark mode preference
• delivvo_impersonate, an admin-only cookie set during an active, audited support-impersonation session in which a Delivvo administrator views an account to provide support

Development-only cookies may also exist on local or demo environments, but they are not intended for production users.

For more detail, please see our Cookie Policy.

We share personal data only where necessary to operate Delivvo, comply with law, or protect rights and safety. We may share personal data with the following categories of recipients:

• service providers and infrastructure vendors that host, authenticate, deliver email, process payments, or support the service
• professional advisers such as lawyers, auditors, or insurers where needed for legitimate business purposes
• law enforcement, regulators, courts, or other third parties when required by law or to protect Delivvo, our users, or the public
• a buyer, investor, or successor entity in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections

We do not sell personal data. We also do not share personal data for cross-context behavioral advertising as those terms are commonly used under California privacy law.

Delivvo currently relies on a limited set of subprocessors and infrastructure providers. These may include:

• Supabase for database hosting, authentication, and file storage. Delivvo's current Supabase stack is configured in the ap-southeast-1 region.
• Vercel for application hosting and content delivery, where applicable.
• Resend for transactional email delivery.
• Stripe for subscription billing only, meaning the fees you pay Delivvo for your own plan. Stripe is not used to process payments between freelancers and their clients.
• ipapi.co for IP-based currency and locale detection, and for best-effort geolocation in the contract-signing audit trail.
• Sentry for error monitoring and application performance diagnostics.

Payments that a freelancer's clients make flow through the payment gateway the freelancer connects to their own account (Stripe, PayPal, Tap, Telr, PayTabs, Checkout.com, or a manual method such as IBAN, Wise, or Payoneer). Those gateways act as independent controllers or processors of the payer's data under their own privacy notices. Delivvo is not the merchant of record, does not hold those funds, and takes no percentage of them.

Because Delivvo uses cloud providers and serves users in multiple jurisdictions, personal data may be processed in countries other than the country where the user is located. This may include the UAE, Singapore, the United States, and other locations where our providers operate.

When applicable, we take steps intended to support lawful transfers, such as using contractual commitments, vendor data-processing terms, and other safeguards appropriate to the transfer and the roles of the parties. If you are in the EU or EEA, you may contact us for additional information about relevant transfer safeguards.

We retain personal data for as long as necessary for the purposes described in this policy, including to provide the service, maintain account continuity, support the freelancer-client workflow, comply with law, resolve disputes, and enforce our agreements.

As a general rule:

• account and workspace data is kept while the account remains active
• activity-log history is retained according to the account's plan: 30 days on Starter, 1 year (365 days) on Pro, and 3 years (1095 days) on Agency
• uploaded files are retained for the life of the project and account, subject to the storage caps that apply to the account's plan
• if an account is deleted, we aim to remove associated personal data from active systems within 30 days, unless we must retain some records longer for legal, tax, fraud-prevention, or security reasons
• support records, audit trails, and limited backup copies may remain for a reasonable period where necessary for business continuity or compliance

Retention may vary depending on the nature of the data, the requests of the account owner, and the legal obligations that apply.

We use administrative, technical, and organizational measures intended to protect personal data. These measures include encrypted transport over HTTPS, access controls, role restrictions, password protection, audit logging, and security monitoring. Where supported by our infrastructure providers, data is also encrypted at rest.

No method of transmission or storage is perfectly secure. For that reason, while we work to protect personal data, we cannot guarantee absolute security. Users are also responsible for protecting account credentials, using strong passwords, and controlling access to project information on their side.

Payment gateway credentials

When a freelancer connects a payment gateway (Stripe, PayPal, Tap Payments, Telr, PayTabs, Checkout.com, or similar), the gateway's API keys, secret keys, and webhook signing secrets are encrypted at the application layer using authenticated symmetric encryption (AES-256-GCM) before they are written to our database. The decryption key lives only in the runtime service's environment configuration; it is not stored in the database, not surfaced through any administrative interface, and not retrievable through queries that bypass the runtime helper. Delivvo personnel do not have a workflow that returns plaintext gateway credentials.

The Payments feature does not cause Delivvo to process or hold any client funds. Payment instrument details (card numbers, bank-account numbers, etc.) entered by the freelancer's clients are submitted directly to the chosen gateway through that gateway's hosted UI or its embedded SDK; Delivvo does not see, store, or transmit those details. The gateway is responsible for processing them in accordance with its own privacy policy, security obligations, and PCI/applicable regulatory regime.

What Delivvo does record about a payment is limited to the metadata necessary to keep the freelancer's invoice in sync with the gateway: the freelancer to whom the payment belongs, the invoice it relates to, the gateway used, the gateway's transaction or charge identifier, the amount, currency, and resulting status (succeeded, failed, refunded, etc.) as reported by the gateway's webhook. We do not store full payment instrument numbers, CVV codes, or banking account numbers in any context.

Depending on where you live, you may have some or all of the following rights, subject to applicable conditions and exceptions:

• access personal data we hold about you
• know what categories of data we collect, the sources of that data, the purposes for using it, and the categories of recipients to whom it is disclosed
• request correction of inaccurate or incomplete personal data
• request deletion of personal data
• request restriction of processing, or object to certain processing
• withdraw consent where processing is based on consent
• request portability of personal data in a usable format
• appeal or complain to a supervisory authority or regulator, where available

If you are a California resident, you may also request information about the categories of personal information collected, disclosed for business purposes, corrected, or deleted during the previous 12 months. Delivvo does not sell personal information and does not share personal information for cross-context behavioral advertising, so there is currently no "Do Not Sell or Share" workflow specific to that activity.

Delivvo does not use sensitive personal information for purposes that would require a special California right-to-limit workflow beyond what is reasonably necessary to provide the service.

To submit a data access, correction, deletion, portability, or other privacy request, email the Support button at the bottom of any page on delivvo.io. Account holders can also download a complete copy of their account data themselves at any time from their account settings, without contacting Support, using the self-service data export. We may ask for additional information to verify identity and confirm that the requester is entitled to make the request. Where Delivvo acts only as a processor or service provider for a freelancer or agency, we may direct the request to the relevant account owner or ask you to contact them directly.

We aim to respond within the time required by applicable law. In many cases that will be within 30 days, though some requests may take longer if legally permitted and reasonably necessary.

Delivvo is designed for business use and is not directed to children. We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to Delivvo, contact us and we will take appropriate steps to investigate and, where appropriate, delete the data.

We may update this Privacy Policy from time to time to reflect product changes, legal developments, or operational requirements. If we make a material change, we will revise the "updatedAt" date and may also provide notice through the product or by email where appropriate.

For privacy requests or questions about this policy, contact the Support button at the bottom of any page on delivvo.io.