Privacy Policy

Folyo is a cloud-based invoicing platform for Canadian freelancers and contractors, operated from Quebec, Canada. References to "Folyo", "we", "us", or "our" in this policy refer to the Folyo service and its operator.

Our designated Privacy Officer, also referred to in Quebec as the person responsible for the protection of personal information (personne responsable de la protection des renseignements personnels), can be reached at: privacy@folyo.ca

Information you provide directly:

• Account information: name, email address, password (hashed — never stored in plain text)
• Business information: business name, address, phone number, website, GST/HST, QST, and PST registration numbers, and logo
• Client information: names, email addresses, phone numbers, and mailing addresses of your clients, as entered by you
• Invoice and financial data: line items, amounts, currency, payment status, and payment method preferences
• Contract content: the text of contracts you create and send, and e-signature records (signee name, IP address, timestamp) collected when your clients sign

Some information collected through Folyo may be business contact information, such as a business name, work email address, business address, or business phone number. We still handle this information responsibly and use it only for the purposes described in this policy.

Information collected automatically:

• Usage data: pages visited, actions taken, timestamps, and session identifiers — used to operate and improve the product
• Error data: application errors and stack traces captured by Sentry to diagnose bugs
• Server logs: IP addresses, browser type, and request metadata retained in standard web server logs

We use your personal information solely to:

• Create and maintain your account
• Generate, store, and deliver invoices, quotes, and contracts on your behalf
• Send transactional emails (invoice delivery, account verification, password reset, payment notifications)
• Process payments via Stripe when your clients pay by card
• Provide customer support
• Detect and prevent fraud and abuse
• Comply with legal obligations
• Improve and develop new features (using aggregated, anonymized analytics)

We do not sell your personal information or your clients' personal information to any third party. We do not use your data for advertising.

Automated decisions. Folyo applies automated logic to your account, including late fee calculations, invoice status updates (e.g., marking invoices overdue), and enforcement of plan limits. These decisions are based on your account data and the rules you configure. You may contact us to review any automated outcome.

We do not share your personal information except in the following limited circumstances:

Service providers. We share data with trusted third parties who process it on our behalf, under contractual obligations to keep it confidential and use it only as directed:

• Stripe (USA) — payment processing and merchant identity verification. Subject to Stripe's Privacy Policy.
• Resend (USA) — transactional email delivery. Your clients' email addresses are transmitted to Resend solely to deliver invoices and documents you send.
• Neon (USA, AWS US East 1) — managed Postgres database hosting. Your data is stored on Neon servers encrypted at rest.
• Vercel (USA) — application hosting and serverless infrastructure. Processes requests on Vercel's global edge network.
• Sentry (USA) — error monitoring. Error reports may include partial request data; we configure Sentry to minimize personal data in reports.
• Cloudflare (USA) — DNS, DDoS protection, and bot mitigation. Traffic to folyo.ca passes through Cloudflare's network.

Cross-border transfers. All service providers listed above are located in the United States. By using Folyo, your personal information is transferred to and processed in the United States. Please be aware that US privacy laws may differ from Canadian privacy laws and may not offer the same level of protection. These transfers are made under contractual obligations requiring our service providers to protect your data.

Before transferring personal information outside Quebec, Folyo assesses the privacy risks associated with the transfer and requires service providers to protect personal information through contractual safeguards, consistent with the requirements of Quebec's Act Respecting the Protection of Personal Information in the Private Sector.

Client data. When you enter information about your clients into Folyo, you determine what information is collected and how it is used for your business purposes. You are responsible for ensuring that you have the authority or consent required to provide that information to Folyo. Folyo processes client information on your behalf as a service provider to operate the platform and provide the services you request.

Legal requirements. We may disclose your information if required to do so by law, regulation, or a valid government order, or to protect the rights, property, or safety of Folyo, our users, or the public.

Business transfer. If Folyo is acquired or merged, your information may be transferred to the successor entity. We will notify you by email before your data is subject to a different privacy policy.

When your clients pay invoices by card, payments are processed directly by Stripe. Folyo never sees or stores full card numbers. Stripe may collect and retain billing information, identity verification data, and transaction records in accordance with its own privacy policy at stripe.com/privacy.

If you connect a Stripe Express account to receive card payments, Stripe's Connected Account Agreement and privacy terms apply to your account and the processing of funds to your bank account.

We send transactional emails essential to the service (account verification, password reset, invoice delivery, payment confirmations). These are not marketing emails and cannot be opted out of while your account is active.

We do not send newsletters or promotional emails without your explicit consent. If we introduce optional marketing communications in the future, you will be able to opt out at any time. Any such emails will include our name and contact information and a functional unsubscribe mechanism, as required by Canada's Anti-Spam Legislation (CASL).

Folyo uses session cookies to keep you logged in and to maintain your application state. These are strictly necessary for the service to function.

We store your theme preference (dark/light mode) in your browser's localStorage. We do not use advertising cookies or third-party tracking pixels.

We use Vercel Analytics to collect anonymous page view counts and performance metrics. No personal data, no cross-site tracking, and no data is shared with third parties. No consent banner is required because no cookies or personal information are collected.

Your data is stored on servers operated by Neon (AWS US East 1) and Vercel. Data in transit is encrypted using TLS 1.2 or higher. Passwords are hashed using industry-standard algorithms (bcrypt). Database backups use continuous point-in-time recovery (Neon), allowing restoration to any point in the recent past.

We implement reasonable technical and organizational safeguards to protect your information, but no system is completely secure. In the event of a breach affecting your personal information that poses a risk of significant harm, we will notify the applicable privacy commissioner within 72 hours of becoming aware of the breach and will notify affected users as soon as practicable thereafter.

We retain your account and business data for as long as your account is active. If you delete your account, your personal information and business data are purged within 30 days, except where we are required by law to retain certain records (for example, transaction records for tax purposes).

Server logs and error reports are retained for up to 90 days.

Under PIPEDA and Quebec's Law 25, you have the right to:

• Access — request a copy of the personal information we hold about you
• Correction — ask us to correct inaccurate or incomplete information
• Data portability — export your data (invoices, clients, etc.) from the Settings page at any time
• Deletion — request that we delete your account and personal information
• Withdraw consent — where processing is based on consent, you may withdraw it at any time, though this may affect your ability to use the service

To exercise any of these rights, email privacy@folyo.ca. We will respond within 30 days.

Third-party client data. Folyo stores personal information about your clients on your behalf. Your clients may contact you directly to request access, correction, or deletion of their information. You may also contact us at privacy@folyo.ca to help facilitate such requests.

If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with the Commission d'accès à l'information du Québec at cai.quebec.ca.

Folyo is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, contact us at privacy@folyo.ca and we will delete the account promptly.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the changes take effect. The current version is always available at folyo.ca/privacy.

Privacy questions, access requests, or concerns:

hello@folyo.ca
Folyo · Quebec, Canada