Privacy Policy

Last updated: May 2026

1. Who We Are

Flewa is a payment completion tool for freelancers and small service providers. It lets you create professional invoices in seconds, share a smart payment link, and collect payments from clients — all in one place.

Flewa is operated by [Company Name], [Country].

If you have any questions about this policy or how we handle your data, contact us at [Contact Email].

2. What Information We Collect

We collect only the information necessary to provide the Flewa service.

Account Information

Full name, email address, and password (stored as a one-way hash — we cannot read it).

Business Profile

Business name, email, location, website URL (optional), logo image, brand colours, letterhead header and footer.

Client Contacts

Client name, email address, phone number, and address. You enter this to address and send invoices. We do not contact your clients independently.

Invoice Data

Line items, amounts, currency, tax, discount, due dates, notes, invoice status, and timestamps.

Payment Records

Payment amounts, currency, processing fees, provider transaction references, and payout bank account details (account number, bank name and code) for settlement.

Stripe Connect

Stripe Express account ID and onboarding status. Stripe collects and verifies your identity directly during onboarding; Flewa stores only the resulting account identifier.

Device Tokens

Mobile device push token and platform (iOS / Android / web), if you allow push notifications.

Session Data

An httpOnly cookie (refreshToken, 7-day lifetime) set at login to keep you authenticated. It is not accessible to JavaScript and not used for advertising or tracking.

Email Delivery Logs

For each email Flewa sends: the recipient email address, subject line, and delivery status. Used for audit and troubleshooting.

3. What We Do NOT Collect

Payment card numbers — card processing is handled entirely by Stripe, Paystack, or Flutterwave.
Government-issued ID or KYC documents — identity verification for payouts is managed directly by Stripe.
Location or GPS data.
Browsing history, tracking pixels, or advertising identifiers.
Analytics data — we do not use Google Analytics, Mixpanel, or similar tools.

4. How We Use Your Information

Purpose	Lawful Basis (GDPR)
Provide the service — create invoices, initiate payments, send reminders	Contractual necessity
Send transactional emails	Contractual necessity
Send push notifications	Contractual necessity / Consent
Maintain email delivery logs for audit and troubleshooting	Legitimate interests
Prevent fraud and enforce rate limits	Legitimate interests
Comply with legal obligations	Legal obligation

We do not use your data for advertising or sell it to third parties.

5. Third-Party Services

Provider	Purpose	Data shared
Paystack	Payment processing (NGN, GHS, ZAR, USD)	Customer email, invoice amount, bank account details
Flutterwave	Payment processing (NGN, GHS, KES, ZAR, USD, EUR, GBP)	Same as Paystack
Stripe	Payment processing (USD, GBP, EUR, CAD, AUD)	Customer email, invoice amount
Stripe Connect	Freelancer payout account setup	Business name; identity verification handled by Stripe
Resend	Transactional email delivery	Recipient email, invoice details, PDF attachments
Cloudinary	Business logo storage	Logo image files you upload
Browserless / Puppeteer	PDF invoice rendering	Invoice HTML — processed in memory, not stored
Expo	Mobile push notifications	Device push token, notification text

Flewa does not store payment card numbers. All payment processing is governed by the respective provider's own privacy policy.

International data transfers:Where data is transferred outside your country, we rely on those providers' commitments to adequate data protection (such as Standard Contractual Clauses for transfers from the EEA/UK).

6. Cookies

Flewa uses one cookie:

refreshToken (httpOnly) — keeps you logged in, 7-day lifetime. Set on login, cleared on logout or account deletion.

No third-party, advertising, or analytics cookies are used.

7. Data Retention

Account, business, client, invoice, and payment data: retained until you delete your account.
Refresh tokens: 7 days from issue, or until logout.
Password reset tokens: 1 hour from issue.
Email delivery logs: anonymised after account deletion (your name and user ID are removed).

8. Your Rights

Access — request a copy of the data we hold about you.
Correction — update your name, email, and business information at any time in the app.
Deletion / Right to be forgotten — delete your account from Settings → Delete Account. This permanently removes your account, all businesses, clients, invoices, payment records, push tokens, and session data.
Portability — request a machine-readable export of your data by contacting us.
Restriction — ask us to pause processing while a dispute is resolved.
Objection — object to processing based on legitimate interests.
Withdraw consent — disable push notifications in your device settings at any time.

EU / UK residents (GDPR / UK GDPR):You have the right to lodge a complaint with your local supervisory authority. In the UK: the Information Commissioner's Office (ico.org.uk). In Ireland: the Data Protection Commission (dataprotection.ie).

To exercise any right, contact [Contact Email].

9. Security

Passwords are hashed with bcrypt and never stored in plain text.
All API traffic uses HTTPS / TLS.
Refresh tokens are rotated on every use.
Payment webhook signatures are verified using timing-safe comparison.

10. Children

Flewa is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from minors. Contact us at [Contact Email] if you believe a child has provided data to us.

11. Changes to This Policy

We will notify you of material changes via email or in-app notice at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

12. Contact

[Company Name]
[Address]
[Contact Email]