1. Data Controller
Reddivo SAS — company being incorporated in France
Email: hello@reddivo.io
Data protection contact: dpo@reddivo.io
2. GDPR Qualification — Respective Roles
Reddivo is a SaaS software publisher. Regarding the processing of debtor data:
- The Creditor-User is the data controller of their debtors' personal data.
- Reddivo acts as a data processor within the meaning of Article 28 of the GDPR.
- A Data Processing Agreement (DPA) compliant with Article 28 of the GDPR is entered into upon registration.
3. Data Collected
We collect the following data in connection with the use of the Service:
- Registration data: email address, company name, password (stored only in hashed form, never in plaintext)
- Billing data: imported PDF invoices, extracted data (amounts, dates, client/vendor names, emails)
- Payment data: processed exclusively by Stripe, Inc. We do not store any credit card data
- Debtor data: names, emails and information extracted from invoices, processed on behalf of the Creditor
- Usage data: login logs, pages visited, actions performed
4. Processing of Debtor Data
Debtor data (name, email, invoiced amounts) is processed by Reddivo as a data processor, under the instructions of the Creditor-User who is the data controller.
Legal basis: legitimate interest of the Creditor (Article 6.1.f GDPR) — the collection of certain, liquid and due commercial debts constitutes a legitimate interest of the Creditor.
Debtor rights: any debtor has the following rights, to be exercised with the Creditor (data controller):
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to object (Article 21 GDPR)
- Right to erasure (Article 17 GDPR), subject to legal retention obligations
In case of difficulty, the debtor may contact Reddivo directly at: dpo@reddivo.io
5. Legal Bases for Processing
- Performance of contract (Article 6.1.b GDPR): provision of the Service to Users
- Legitimate interest of the Creditor (Article 6.1.f): processing debtor data for debt collection, with due respect for the rights and freedoms of data subjects
- Legitimate interest of Reddivo (Article 6.1.f): improvement of the Service and security, with due respect for the rights and freedoms of data subjects
- Consent (Article 6.1.a): marketing communications
6. Sub-processors and Data Transfers
Reddivo uses the following sub-processors:
- Supabase, Inc. (USA) — Database hosting and authentication. GDPR-compliant Standard Contractual Clauses (SCCs).
- Vercel, Inc. (USA) — Web application hosting. GDPR-compliant SCCs.
- Stripe, Inc. (USA) — Payment processing. PCI DSS Level 1 certified. GDPR-compliant SCCs.
- Resend, Inc. (USA) — Transactional email delivery. GDPR-compliant SCCs.
- Anthropic, PBC (USA) — Automatic invoice extraction (one-time processing, data not retained by Anthropic). GDPR-compliant SCCs.
Data transfers to the United States are governed by the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and/or the EU-US Data Privacy Framework.
7. Data Retention Periods
- Billing data: 10 years from the end of the financial year (French accounting obligation, Article L.123-22 of the Commercial Code)
- Reminder data: 3 years after the debt is extinguished (standard statute of limitations)
- User account data: duration of subscription + 90 days after cancellation
- Login logs: 12 months
- Stripe billing data: according to Stripe's retention policy
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to data portability: receive your data in a structured format (Excel export)
- Right to object: object, on grounds relating to your particular situation, to processing based on legitimate interest
- Right to restriction: restrict processing in certain cases
To exercise your rights: dpo@reddivo.io
You also have the right to lodge a complaint with the CNIL: www.cnil.fr
9. Security
We implement appropriate technical and organizational measures to protect your data: encryption in transit (TLS/HTTPS), encryption at rest, secure authentication, regular backups, restricted data access.
10. Cookies
The Service uses strictly necessary cookies (authentication, language preferences). No advertising or third-party tracking cookies are used.
11. Google API — Gmail Data Usage (Limited Use Compliance)
Reddivo uses the Google Gmail API strictly for sending payment reminder emails on behalf of the user, only after explicit user authorization.
Requested scope:
https://www.googleapis.com/auth/gmail.send
This scope allows sending email on behalf of the user, and Reddivo uses it only for reminders the user explicitly triggers or schedules within Reddivo.
Reddivo does not request any read access to Gmail. We cannot access the user's inbox, emails, drafts, attachments, or labels.
Use of Gmail data:
Gmail API data is used strictly to:
- Send payment reminder emails from the user's Gmail account to their clients
- Trigger email sending manually or automatically based on user-defined settings
- Send emails only according to actions or parameters explicitly defined by the user
Reddivo does NOT:
- Read user emails
- Access the Gmail inbox
- Modify, delete, or analyze existing emails
- Access drafts, labels, or attachments
- Store the content of sent reminders beyond what is strictly necessary for service functionality; only delivery metadata such as send status and timestamps is retained
- Use Gmail data for advertising purposes
- Use Gmail data to train artificial intelligence or machine learning models
- Sell or share Gmail data with third parties
Data storage and security:
- OAuth access tokens and refresh tokens are stored securely using encryption
- Tokens are used exclusively for sending emails via the Gmail API
- Tokens are never shared with third parties
- Tokens are deleted immediately when the user disconnects Gmail or deletes their Reddivo account
Google compliance (Limited Use):
Reddivo's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including Limited Use requirements:
https://developers.google.com/terms/api-services-user-data-policy
User control and revocation:
Users can revoke access at any time, either by disconnecting Gmail from within Reddivo or from the third-party access settings of their Google Account (https://myaccount.google.com/permissions).
Revoking access immediately prevents Reddivo from sending emails on behalf of the user.
OAuth data retention:
OAuth tokens are stored only while the user account is active and Gmail remains connected.
Tokens are deleted in the following cases:
- Manual disconnection from Reddivo → immediate deletion
- Revocation from Google → deletion within 24 hours
- Account deletion → immediate deletion
- Inactivity longer than 6 months → automatic deletion
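The scope restriction (section 11, "Requested scope") and the token-deletion rules listed just above can be enforced in code rather than left to policy. The following is an added illustration and is not Reddivo's own code: it assumes the shape of Google's token-endpoint JSON response (a space-separated "scope" field, and an "invalid_grant" error when a revoked refresh token is used), takes "6 months" as 180 days, and uses an in-memory store with constructed sample responses in place of the real encrypted token table. All names are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GMAIL_SEND = "https://www.googleapis.com/auth/gmail.send"
# The only scope this integration may hold. A consent flow that hands back
# anything broader is refused before a token is ever stored (fail closed).
ALLOWED_SCOPES = frozenset({GMAIL_SEND})
MAX_IDLE = timedelta(days=180)  # assumption: "6 months" taken as 180 days

# Constructed sample responses (not real tokens); "scope" mirrors Google's
# space-separated format for the scopes actually granted by the user.
GOOD_RESPONSE = {"access_token": "ya29.example", "refresh_token": "1//example",
                 "scope": GMAIL_SEND, "expires_in": 3599, "token_type": "Bearer"}
OVERBROAD_RESPONSE = {**GOOD_RESPONSE,
                      "scope": GMAIL_SEND + " https://www.googleapis.com/auth/gmail.readonly"}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


class ScopeError(ValueError):
    """Granted scopes differ from the least-privilege set that was requested."""


def check_granted_scopes(token_response: dict) -> frozenset[str]:
    """Validate the scopes Google reports as granted, not the ones we asked for."""
    granted = frozenset(token_response.get("scope", "").split())
    extra = granted - ALLOWED_SCOPES
    if extra:
        raise ScopeError(f"refusing token with unexpected scopes: {sorted(extra)}")
    if GMAIL_SEND not in granted:  # user declined the checkbox on the consent screen
        raise ScopeError("gmail.send was not granted; cannot send reminders")
    return granted


@dataclass
class GmailLink:
    refresh_token: str  # the real store must encrypt this at rest
    connected_at: datetime
    last_used: datetime


class TokenStore:
    """In-memory stand-in (hypothetical) for the encrypted token table."""

    def __init__(self) -> None:
        self._links: dict[str, GmailLink] = {}

    def connect(self, user_id: str, token_response: dict, now: datetime) -> None:
        check_granted_scopes(token_response)  # reject before persisting anything
        self._links[user_id] = GmailLink(token_response["refresh_token"], now, now)

    def has_link(self, user_id: str) -> bool:
        return user_id in self._links

    def mark_used(self, user_id: str, now: datetime) -> None:
        self._links[user_id].last_used = now

    def disconnect(self, user_id: str) -> None:
        """Manual disconnect or account deletion: immediate deletion."""
        self._links.pop(user_id, None)

    def handle_refresh_error(self, user_id: str, error_response: dict) -> bool:
        """Called when exchanging the refresh token fails at the next send.

        A refresh token revoked from the Google Account makes the token endpoint
        answer {"error": "invalid_grant"}; that is the cue to delete our copy.
        Transient errors keep the link. Returns True if the link was deleted.
        """
        if error_response.get("error") == "invalid_grant":
            self._links.pop(user_id, None)
            return True
        return False

    def purge_inactive(self, now: datetime) -> list[str]:
        """Scheduled job: delete links that have not sent anything for MAX_IDLE."""
        stale = [u for u, link in self._links.items() if now - link.last_used > MAX_IDLE]
        for u in stale:
            del self._links[u]
        return stale


def demo() -> dict:
    """Walk through every deletion rule with the constructed responses above."""
    store = TokenStore()
    for user in ("alice", "bob", "carol"):
        store.connect(user, GOOD_RESPONSE, T0)
    try:
        store.connect("mallory", OVERBROAD_RESPONSE, T0)
        overbroad_rejected = False
    except ScopeError:
        overbroad_rejected = True
    store.disconnect("alice")  # manual disconnect
    bob_deleted = store.handle_refresh_error(
        "bob", {"error": "invalid_grant", "error_description": "Token has been expired or revoked."})
    carol_deleted = store.handle_refresh_error("carol", {"error": "temporarily_unavailable"})
    store.mark_used("carol", T0 + timedelta(days=100))
    purged_early = store.purge_inactive(T0 + timedelta(days=200))  # idle 100 days: kept
    purged_late = store.purge_inactive(T0 + timedelta(days=300))   # idle 200 days: purged
    return {"overbroad_rejected": overbroad_rejected, "alice_linked": store.has_link("alice"),
            "bob_deleted": bob_deleted, "carol_deleted_on_transient_error": carol_deleted,
            "purged_early": purged_early, "purged_late": purged_late,
            "mallory_linked": store.has_link("mallory")}


if __name__ == "__main__":
    print(demo())
```

The important design point is that the scope check runs on the granted scopes reported by Google, not on the scopes the application requested: with granular consent a user can uncheck gmail.send, and a tampered authorization URL could add scopes, so both cases must be refused before the refresh token touches storage.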
12. Changes
We reserve the right to modify this policy. Users will be informed of any substantial changes by email or notification within the Service.