Privacy & security
Clear data handling for client handoffs.
This page is a practical product privacy overview, not legal advice. It is designed around GDPR principles like transparency, data minimisation, limited retention, and clear data subject request routes.
What is processed
Project names, client names and emails, uploaded files, approval notes, invoice status, access-code sessions, and a small activity log for handoff events.
Why it is processed
To deliver files, protect client actions, record approval proof, support payment status, and help freelancers see whether a handoff was opened or completed.
Retention
Access codes expire after 10 minutes. Secure sessions now last 7 days by default. Expired codes and sessions can be cleaned automatically by the database cleanup function.
Subprocessors
Supabase stores app data and private files, Resend sends email, Stripe handles payment checkout, and the hosting provider serves the web app.
Security controls
Files are private and opened through short-lived signed URLs. Secure handoffs can require an email code before the client can even view files or approval details.
Data requests
Clients can ask the freelancer who sent the handoff for access, correction, or deletion. The app keeps that request visible from the client room and privacy page.