Flow Invoicer
Legal · Effective 15 May 2026

Privacy Policy

This Privacy Policy describes how DDM Technology ("DDM", "we", "us") collects, uses, and shares personal information when you use the Flow Invoicer software-as-a-service product (the "Service") available at https://ddmflow.com.

Flow Invoicer is operated from South Africa. We process personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA). Where your jurisdiction provides additional rights (e.g. GDPR, CCPA), we honour those to the extent reasonably practical.

1. Information we collect

When you create an account and use the Service, we collect:

  • Account information — your name, email address, password (hashed), and business name.
  • Business data you enter — clients, items, invoices, quotes, payments, expenses, banking details for your business profile.
  • Payment information — we do not store full card numbers. Card payments are processed by Paystack; we store only a tokenised reference, the card brand (e.g. Visa), and the last 4 digits for display.
  • Usage data — IP address, browser, device type, pages visited, actions taken. Used to keep the Service secure and improve it.
  • Cookies — see Section 7.

2. How we use your information

  • To provide, maintain, and improve the Service
  • To process subscription payments and renewals via Paystack
  • To send invoices and quotes on your behalf to your customers via Resend
  • To respond to support requests
  • To detect, prevent, and address fraud, abuse, and technical issues
  • To comply with legal obligations

3. AI features and your data

When you use the in-app AI Assistant (Pro plan), your messages and the relevant slice of your workspace data (clients, items, invoices) are sent to Anthropic Claude via the Vercel AI Gateway to generate responses. We do not train any AI model on your data, and our AI providers are contractually bound to the same data-handling standards.

4. Sharing your information

We share information only with the following categories of sub-processors:

  • Supabase — primary database (hosted in Frankfurt, EU)
  • Vercel — application hosting and AI Gateway
  • Resend — transactional email delivery
  • Paystack — subscription payment processing
  • Anthropic — Claude AI model (for the AI Assistant feature only)

We do not sell, rent, or trade your personal information to third parties. We may disclose information when required by law, court order, or to protect rights and safety.

5. Data retention

We retain your account data for as long as you have an active subscription. If you cancel, we retain your data for 30 days to allow re-activation, then permanently delete it. You can request earlier deletion at any time via support@ddmtech.co.za.

6. Your rights under POPIA

You have the right to:

  • Access the personal information we hold about you (export available from Settings → Account)
  • Correct any inaccurate information
  • Request deletion of your information
  • Object to processing for direct marketing (we don't do direct marketing without consent, but the right is yours regardless)
  • Lodge a complaint with the Information Regulator of South Africa at inforeg@justice.gov.za

7. Cookies

We use a small number of cookies, all of which are strictly necessary:

  • Session cookie (Supabase Auth) — keeps you signed in
  • Theme preference — remembers your light/dark mode choice

We do not use third-party analytics or advertising cookies. We do not track you across other websites.

8. International transfers

Our infrastructure providers (Supabase, Vercel, Resend, Anthropic) may process data outside South Africa. We rely on standard contractual safeguards published by these providers for cross-border transfers.

9. Children

Flow Invoicer is a business tool not directed at individuals under 18. We do not knowingly collect data from children.

10. Changes to this policy

We may update this policy from time to time. Material changes will be flagged in-app or by email. The effective date at the top of this page shows when the policy was last updated.

11. Contact us

Questions about this Privacy Policy? Email support@ddmtech.co.za. For information-related complaints we cannot resolve, you may also contact the Information Regulator of South Africa.