Privacy policy
Dunn ("we", "us") is an invoicing and payment-chasing tool for UK freelancers and small businesses, available at getdunn.co.uk and app.getdunn.co.uk. This policy explains what personal data we collect, why, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
1. What we collect
Information you give us
- Account details — your name, email address and password (stored in hashed form; we never see your password), or your Google account identity if you sign in with Google.
- Business details — business name, address, VAT number, company number, and bank details (account name, sort code, account number) if you choose to add them, so they can appear on your invoices and reminder emails.
- Your clients' details — names, company names and email addresses of the clients you invoice, plus the invoices themselves (amounts, dates, references).
Information collected automatically
- Essential technical data — a secure session token to keep you signed in.
- Product analytics (only with your consent) — which pages and features you use, via PostHog (EU-hosted). Off by default; only enabled if you accept on the cookie banner. See our cookie policy.
Payment information
If you upgrade to a paid plan, payment is handled entirely by Stripe. We never see or store your card number. We receive confirmation of your subscription status so we can activate your plan.
2. Why we process it (lawful bases)
| Purpose | Lawful basis |
|---|---|
| Providing the service — your account, invoices, clients, and sending payment reminders you configure or trigger | Performance of a contract (our terms) |
| Processing subscription payments and maintaining billing records | Contract, and legal obligation (tax and accounting law) |
| Product analytics to improve Dunn | Consent (withdrawable at any time) |
| Service emails about your account (e.g. password resets) | Contract / legitimate interests |
| Securing the service and preventing abuse | Legitimate interests |
3. Your clients' data — an important note
When you add clients and send them invoices or payment reminders through Dunn, you are the controller of your clients' personal data, and Dunn acts as your processor: we store their details and send emails to them only on your instruction (including the automated reminder schedule you switch on). You are responsible for ensuring you have a lawful basis to contact your clients — in the ordinary course of invoicing people who owe you money, you will.
Reminder emails are sent from our domain on your behalf, with your email address as the reply-to, and only ever concern invoices you created.
4. Who we share data with
We share personal data only with the service providers needed to run Dunn, each under contract:
| Provider | Role |
|---|---|
| Supabase | Database, authentication and backend hosting |
| Netlify | Website hosting |
| Stripe | Subscription payments |
| Resend | Delivery of invoice and reminder emails |
| PostHog (EU) | Product analytics — only with your consent |
| Only if you choose "Sign in with Google" |
We do not sell personal data, and we do not share it with advertisers. We may disclose data if required by law.
Some providers process data outside the UK (for example in the EU or US). Where that happens, transfers are protected by appropriate safeguards such as the UK International Data Transfer Addendum, UK adequacy regulations, or the UK–US Data Bridge.
5. How long we keep it
Your data is kept while your account is active. If you delete your account (Settings → Delete account), your profile, clients, invoices and reminder history are permanently deleted immediately. Billing records held by Stripe are retained as required by tax law. Backups age out on a rolling basis within a short period.
6. Your rights
Under UK GDPR you have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent (for analytics) at any time. Most of these you can do directly in the app — your details are editable in Settings, and account deletion is self-service. For anything else, email support@getdunn.co.uk and we'll respond within one month.
If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office at ico.org.uk.
7. Security
All traffic is encrypted in transit (HTTPS). Data is stored with row-level security so each account can only ever access its own records. Passwords are hashed and never stored in plain text. Payment card details never touch our systems.
8. Changes to this policy
If we make material changes, we'll update this page and notify you by email or in the app. The date at the top shows when it was last revised.