Privacy Policy
Last updated: February 2025
We believe privacy policies should be readable. This one is written in plain English. Here's exactly what we collect, how we use it, and what rights you have.
Information we collect
We collect information you give us directly: your name, email address, and password when you create an account. If you sign in with Google, we receive your name and email from Google. We also collect information about the clients you add, the time entries you log, and the invoices you generate — this is the core data that makes Retallio work.
We automatically collect basic usage data (pages visited, features used) and technical information (browser type, IP address) to keep the service running and improve it. We do not sell any of this data.
How we use your information
We use your data to provide and operate Retallio: showing you your dashboard, generating invoices, powering client portals, and sending transactional emails (invoice sent, hours alerts, account verification). We may use aggregate, anonymised data to understand how people use Retallio and improve the product. We never use your client data for advertising.
Client portals
When you create a client portal, your clients can view it via a unique link without logging in. The portal shows hours, time entries, and invoices for that client. You control what appears there — we simply display the data you've entered. Client portal links are not indexed by search engines, but anyone with the link can view the portal, so treat links as you would a shared document.
Data storage and security
Your data is stored on Supabase (hosted on AWS). We use HTTPS for all data in transit and rely on Supabase's security infrastructure for data at rest. We do not store payment card details — payments are handled entirely by Stripe, who are PCI-DSS compliant. We take reasonable precautions, but no system is 100% secure. If we discover a breach that affects your data, we will notify you promptly.
Emails we send
We send transactional emails related to your account (verification, password reset) and your Retallio activity (invoice generated, client near hours limit). If you enable email notifications in Settings, we'll also email you when clients hit 80% or 100% of their hours. We do not send marketing newsletters unless you explicitly opt in.
Third-party services
Retallio uses the following third-party services: Supabase (database and authentication), Stripe (payment processing), and Resend (transactional email). Each has its own privacy policy. We share only the minimum data required for each service to function — for example, we share your email with Resend to send you emails, and your billing details with Stripe to process payments.
Your rights
You can access, export, or delete your data at any time. To delete your account and all associated data, go to Settings or email us at privacy@retallio.app. We'll process deletion requests within 30 days. If you're in the EU or UK, you have additional rights under GDPR, including the right to data portability and the right to lodge a complaint with your supervisory authority.
Cookies
We use a small number of essential cookies to keep you logged in and remember your session. We do not use tracking cookies or third-party advertising cookies. You can disable cookies in your browser, but this will prevent you from staying logged in.
Changes to this policy
If we make material changes to this policy, we'll notify you by email or with a notice in the app before the changes take effect. The "last updated" date at the top of this page will always reflect when it was last revised.
Contact
Questions about privacy? Email us at privacy@retallio.app. We're a small team and will respond personally.
© 2026 Retallio. All rights reserved.