Privacy Policy
Last updated: [DATE]
1. Introduction
ReceivAR ("we", "us", "our") operates an accounts-receivable collections platform for professional services firms. This policy describes what data we collect, how we use it, and the third parties we share it with so that you can make informed choices about your firm's use of the service.
2. Information we collect
Account information: name, email, firm name, password (stored hashed), mailing address, and tone/escalation preferences you set in Settings.
AR data you upload: client names, contact details (when imported), invoice numbers, balances, due dates, and aging buckets — derived from the aged-receivables files you upload.
Activity you log: contact-log entries, payment records, promises, broken-promise flags, and the letters you generate or send.
Session data: a session cookie used to keep you signed in; basic server access logs (IP, timestamp, route).
What we do not collect: we do not collect payment-card information (no billing system today), and the raw AR files you upload are parsed in your browser — we do not retain the original spreadsheet on our servers.
3. How we use your data
To operate the service: authentication, displaying your AR portfolio, generating collection letters, tracking your contacts and promises, and producing your cash-flow forecast.
To communicate with you about account events (password resets, security notifications).
We do not sell your data, share it with advertisers, or use it to train AI models on your behalf or anyone else's.
4. Third-party processors
We rely on the following service providers to operate ReceivAR. Each has its own data-handling practices, which we've linked below.
- Anthropic (Claude API) — when you generate an AI letter, the prompt we send to Anthropic includes the client name, invoice numbers and amounts, aging bucket totals, prior contact log entries, broken-promise details, and your sender info. This data is processed by Anthropic to produce the letter and is governed by Anthropic's Commercial Terms and Privacy Policy. If you prefer to keep client data out of any third-party AI, choose the template-letter mode instead — it makes no external calls.
- Resend — used to send transactional email (password resets). Your email address and the message body are processed by Resend.
- Vercel — hosts the application and edge functions. Routine HTTP request metadata flows through Vercel infrastructure.
- Neon — hosts our PostgreSQL database where your account and AR data are stored.
5. Data retention
We retain your account and AR data for as long as your account is active. If you delete your account or ask us to delete your data, we will remove it from our active systems within [N] days. Some records may persist in encrypted backups for up to [N] days before they are overwritten.
6. Your rights
You can update your account information from Settings inside the app. To request a copy of your data or its deletion, email us at support@receiv-ar.com. Depending on your jurisdiction (including, e.g., GDPR or CCPA), you may have additional rights such as access, correction, portability, or objection.
7. Cookies
We use a single session cookie (receivar_session) to keep you signed in. It is HTTP-only, same-site lax, and marked Secure in production. We do not use third-party analytics or advertising cookies.
8. Security
Passwords are hashed with scrypt and a random salt. Session tokens are stored as hashes server-side. Communication is over HTTPS in production. No system is perfectly secure; please use a strong, unique password and report anything suspicious to support@receiv-ar.com.
9. Changes to this policy
If we make material changes, we will notify active users by email and update the "Last updated" date above.
10. Contact
Questions about this policy? support@receiv-ar.com