Tofu Apps Privacy Policy

Effective Date: May 11, 2026

You can see our previous Privacy Policy here.

INTRODUCTION AND SCOPE

This Privacy Policy (“Privacy Policy”) is delivered on behalf of GetPaid Inc. (“GetPaid,” “we”, “us”, and “our”) and governs the Personal Data (as defined below) and other data collected from or processed about you when you use the Tofu applications (“App”) and Web Services (“Web”), (each individually referred to as a “Service”, and collectively referred to as the “Services”), including by downloading, installing, registering with, accessing or otherwise using the Apps and Web (collectively referred to herein as “Use”).

We provide this Privacy Policy to explain our practices for collecting, using, processing, and disclosing the Personal Data and other data we process about users (“users”, “you”, or “your”, as applicable), and to tell you about the rights you may have in relation to your Personal Data and choices you may be able to make in relation to it.

By Personal Data we mean (i) information that is associated with an identified or identifiable natural person, and (ii) protected as personal data under applicable data protection laws.

All Tofu Services. This Privacy Policy applies to all Tofu applications operated by GetPaid Inc., including:

Tofu Invoice Maker iOS and Android,
Tofu Expense: Receipt Tracker,
Tofu Accounting & Bookkeeping,
Tofu Mileage: Tracking Miles,
Tap to Pay, POS System,
Tofu Field Service Software,
Tofu Field Service for Workers iOS and Android,
Tofu Web application available at https://tofu.com and https://app.tofu.com.

Most Tofu Apps operate independently and do not share user data or account information with each other. However, if this is enabled by the functionality of a specific App or the Web, a unified account may be used. When you create or use such a unified account, the same login credentials can grant access to all Tofu Apps and the Web. In this case, personal data and other information collected through your account may be shared and synchronized across these applications to support authentication, subscription verification, and seamless access to the full suite of services.

Please note that the web version of Invoice Maker and any other Tofu web interfaces may collect or process data differently from the mobile applications due to differences in functionality, browser technologies, and available features.

Accepting this Privacy Policy. Please read this Privacy Policy carefully to understand our privacy practices. We also encourage you to get acquainted with our Terms of Use to understand how we provide services to you.

By accepting this Privacy Policy, you acknowledge that you understand and agree to the processing of your Personal Data and other information as described in this Privacy Policy.

If you do not wish to have your data processed in accordance with this Privacy Policy, please refrain from using the Tofu Apps and Web.

Questions? If you have any questions about this Privacy Policy or Services, please contact us at support@tofu.com. For additional contact information, please see Section 14: How to Contact Us, EEA/UK Representative, and Data Protection Officer.

U.S. State Supplements:

This Privacy Policy is designed to comply with data privacy laws across the United States, including:

California Consumer Privacy Act (CCPA),
Colorado Privacy Act (CPA),
Connecticut Data Privacy Act (CTDPA),
Virginia Consumer Data Protection Act (VCDPA),
Texas Data Privacy and Security Act (TDPSA),
Tennessee Consumer Privacy Act (TCPA),
Oregon Consumer Privacy Act (OCPA) and other applicable state laws.

If you are a resident of California, please see our California Notice at Collection and Privacy Notice, which provides detailed information about your rights and additional disclosures specific to California.

If you are a resident of Colorado, Connecticut, Virginia, Texas, Oregon, Tennessee, or any other U.S. state with privacy laws, please see our U.S. State Privacy Supplement (Non-California). The rights granted to you under these laws are also outlined in this Privacy Policy. These include:

The right to access, correct, delete, or receive a copy of your personal data.
The right to opt out of the sale or sharing of your personal data, targeted advertising, and profiling with legal or significant effects.

1. PERSONAL DATA WE COLLECT AND HOW WE COLLECT IT‍
‍
We may collect Personal Data from and about you:

Directly from you when you provide it to us.
Automatically when you Use the Services. Information collected automatically may include Usage details and internet protocol (“IP”) addresses.
From third parties, for example, our service providers, partners and vendors.

‍
2. PERSONAL DATA YOU PROVIDE TO US DIRECTLY‍
‍
You may provide Personal Data to us directly, or to service providers that act on our behalf, when you Use the Services (Tofu Apps or Web). Depending on which Service you use and how you interact with the Services, we may collect different categories of Personal Data to provide the applicable features and services.

Business Information. When you create or manage your business profile, you may provide the business name, first and last name of a contact person, contact email, phone number, address, tax numbers, type of business and other business profile data. This information may relate to your own business or to you personally if you are doing business as an individual.

Client Information. When you create client records to issue invoices or estimates, you may provide clients’ names (first and last name or business name), emails, phone numbers, signatures, and addresses (if needed). These details (specifically, clients’ names and emails) are essential for the core functionality of the Services; without this information, it would be impossible to create and share an invoice. Please note that providing your clients’ phone numbers and physical addresses is optional; you may add them using the Services functionality if you wish.

When you generate invoices or estimates, you may use previously saved or manually entered client and business contact information, such as business name, first and last name of a contact person, contact email, phone number, and address.
Authentication Data. When you create or access your personal account:
- If using Google - we may collect your name and email address via Google’s authentication gateway (API).
- If using Apple - we may collect your name and email address, depending on your Apple ID sharing preferences.
- If using email - you provide your email address and verify it via a one-time password sent to your inbox.
- These credentials are stored in the cloud services via your phone or browser to maintain your account and profile.

Please note that not all authentication methods are available on all platforms or in all Tofu Apps and Web.

Stripe connected account. If you choose to enable payment processing through the Tofu Apps or the Web, you may use a Stripe Connected Account. When setting up this account, you will be asked to provide personal information such as your name, date of birth, address, Social Security Number (or other national identifiers), tax information, and business details:
- All information required for the creation and verification of a Stripe Connected Account is entered directly into Stripe’s interface.
- We do not collect, store, access, or process the verification data you submit to Stripe.
- Stripe independently collects and processes this information in accordance with its own Privacy Policy.
- We do not control Stripe’s verification procedures and we do not receive copies of the documents or identifiers you submit.
- After you provide the required information, Stripe conducts its own verification process. During this period, the Tofu App or the Web may display a status such as “pending verification.”
- If Stripe determines that additional information is required (for example, missing documents or data), Stripe notifies us (alert) only that additional information is needed, we do not receive the missing data itself.
- Once Stripe has completed its verification and activated the account, we receive a notification that the account has been successfully verified so that the payment features can be enabled, but we still do not access any of the underlying verification data.
- Stripe acts as a separate data controller for all verification-related personal data.
- We process only minimal metadata about your account (meaning, whether verification is pending, incomplete, or approved) in order to enable functionality within the App and Web.
Photos and documents that you upload to the Services. When you generate invoices or estimates you may (if supported by the App’s functionality) upload any of the documents, files, images or other data from Photo Library, Cloud Services, or that you create, scan, edit, or otherwise share using the Services. If you grant us permission to access your camera or your device’s photo library, we will process the photos you select to upload to the Servicesto provide features of the app that you choose to use.
If you contact us or communicate with us, we will collect and receive records and copies of your correspondence with us and contact details that you have provided us while making your inquiries (such as your name, postal addresses, email addresses and phone numbers or any other identifier by which you may be contacted). We retain correspondence only as long as necessary to respond to your inquiry and to comply with legal or regulatory requirements.
Sensitive data. We do not intentionally use or process sensitive data beyond what is necessary to provide the core functionality of the app. Sensitive data may include, but is not limited to:
- Personally Identifiable Information (PII), such as names, addresses, phone numbers, or financial information.
- Medical, biometric, or other confidential information.
Sensitive information is provided solely at the user’s discretion and under their control.

In cases where sensitive data is uploaded unintentionally:
- We do not knowingly collect or process any sensitive personal data except to the extent strictly necessary to provide you with the Service you have requested.
- We do not analyze the content you upload; therefore, we cannot actively monitor or identify sensitive data within your uploads.
If we become aware that sensitive data has been uploaded unintentionally, we will make reasonable efforts to delete it promptly, where technically feasible.
‍
Please note we rely on you to avoid uploading sensitive personal data (such as health information, biometric data, or data revealing racial or ethnic origin) unless it is strictly necessary for your use of the Service. By uploading documents, you acknowledge that the decision to include sensitive information is yours, and we are not liable for any sensitive data uploaded voluntarily, without request or consent.
‍
When you upload documents, files or images that contain personal data of third parties, including biometric, medical or financial information, you act as the data controller for such third-party data. We process this information solely on your behalf and strictly for the purpose of providing the service. You are solely responsible for ensuring that you have a lawful basis (such as consent) to upload, store or process such information.
‍
We do not use any sensitive data for analytics, AI processing, profiling, automated decision-making, advertising, or any secondary purpose. Any sensitive information uploaded is processed only temporarily and only as necessary to provide the specific user-initiated functionality (for instance, attaching an image to an invoice). We do not perform facial recognition, biometric identification, or medical analysis of uploaded content.

3. PERSONAL DATA AND OTHER DATA WE COLLECT AUTOMATICALLY‍

When you Use a Service, we or third parties we permit to do so, may automatically collect certain information, including Personal Data, from you (this is subject to your consent where this is required by law). The information collected from you automatically when you Use a Tofu App or Web may include:

Account and Authentication Data. When you create or log into a unified account (for example, using email, Apple ID, or other supported login methods), we collect identifiers such as your name, email address, authentication tokens, and subscription status. This data enables single sign-on (SSO) and unified access across all Tofu Services (if applicable).
Log file information. Log file information is automatically reported by your browser each time you make a request to access (ie, visit) a Web or App. It can also be provided when the content of the Web or App is downloaded to your browser or device. When you use Services, our servers automatically record certain log file information, including your web request, IP address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Services, domain names, landing pages, pages viewed, and other such information. We may also collect similar information from emails sent to our Users which then help us track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of our services.

Subscription and device data. Information related to your subscription and device used for technical authorization.
Marketing and cookies data. Collected through cookies and analytics services integrated into the app.
Device information. Information about your mobile device and internet connection, including your IP address, the device’s unique device identifier, device model, operating system and version, mobile network information, device type and device language.

App and country information. Information regarding the version of the app that you are using and the country version of the app store from which you downloaded the App.
Geolocation data. The state or country associated with your IP address, start and end points of trips, GPS-based mileage logs, route segments and timestamps.
In-app events. When you use an App of ours, analytics tools automatically record your activity information (tutorial steps, levelling up, payments, in-app purchases, custom events, progression events, method of limiting the processing of user data).
Session recordings and interaction data. We may use behavioral analytics tools (such as Microsoft Clarity) to record interactions with the Web, including mouse movements, clicks, scrolls and pages viewed. Sensitive form inputs are masked by default and not transmitted in clear text. This information is used solely to diagnose usability issues and improve the Services.
Usage details. Details of your Use of Services, including frequency of Use, areas and features of the application that you access and information regarding engagement with particular features of the app.
Invoice and Payment Data. We may collect and store invoice-related information, including invoice number and metadata (issue date, due date, etc.), recipient name and email, item descriptions, and total amounts due or paid. This data is collected solely for the purpose of generating and managing invoices, providing you with transaction records, and fulfilling our legal and contractual obligations (e.g., tax reporting and accounting).
Details about your in-app purchases. For example, details regarding the time you made certain purchases.
Third-party emails. Email addresses of third parties provided for document signing or sharing.
Permissions for Camera, Photos and videos, Files. After you grant us the relevant permission, we may have technical access to your camera that is required to be able to scan documents via the Tofu App or Web and/or to take photos you want to add to your documents. Additionally, if you try to upload any image, photo, logo or file from your Photo Library/Gallery or Files to the Tofu App or Web, the relevant technical access of the Tofu App or Web to your Photos and videos or Files is required. The technical access you provide to your Photos and videos (either limited or full), Files is necessary for us solely to enable you to upload photos, images, files from your device to the Tofu App or Web, use them to create and edit documents in the Tofu App or Web, i.e. to operate the Tofu App or Web Services and provide you with the Tofu App or Web functionality. You can manage, change access permissions to your Camera, Photos and videos, Files at any time via the Settings app on your device.
Payments. When enabling payment processing, you may integrate with Stripe. You may initiate the creation of a Stripe account, which opens in a web interface embedded in the App. The payment account details are stored by Stripe, not by us. Payment links or QR codes may be generated and shared to facilitate client payments.
(If you have provided your consent) IDFA or Android Advertising ID, whichever is applicable to your device. If you want to disable the collection of IDFA and/or Android Advertising ID by an App, please follow the instructions below.
‍
If you use an iOS device:
‍
- Go to Privacy settings to see a list of apps that request to track your activity. On iPhone or iPad, go to Settings > Privacy > Tracking.
- Tap to turn off or turn on permission to track for the App.

We and third parties may use cookies, Software Development Kits (SDKs), and other tracking technologies to automatically collect the Personal Data and other data set forth above. For more information regarding our use of these technologies, please see Section 6: Cookies, Software Development Kits, and Other Tracking Technologies.
‍

4. THE PURPOSES AND OUR LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

We may use your Personal Data and other data for a variety of purposes depending on the category of Personal Data and the way you Use and interact with the Tofu App, or Web, including the following:

To present to you and others with the Tofu App, or Web, and its contents and any other information, products or services that you request from us, including to provide various features of the App or Web, and its functionality. We do so to provide you with the services according to our contractual obligation.
To carry out our obligations and enforce our rights arising from any contracts entered into between you and us in relation to the App or Web (e.g., the Terms of Use). This is for the performance of our contract with you and for our legitimate interests in performing and enforcing our contracts with you.
To provide you with customer and technical support, investigate your concerns, respond to your inquiries and to monitor and improve our responses to your and other users’ inquiries in relation to the App or Web. It is our legitimate interest to provide you with high-quality support.
To communicate with you, such as to notify you about changes to the App, or Web, or any products or services we offer or provide through the App, or Web, including by sending you technical notices, notices about your account/subscription, including expiration and renewal notices, updates, security alerts and support and administrative messages, which we may send through an in-app or a push notification (you may opt-out of push notifications by changing the settings on your mobile device). It is our contractual obligation to keep you informed about your subscription and your account and otherwise in our legitimate interests of keeping you informed about your App, or Web, account.

To conduct research, analytics and monitor performance and other metrics regarding the App, or Web, and your Use of the App or Web. This may include data regarding the total number of users of our app, traffic, and demographic patterns related to the use of our app. Where this data is collected through the technologies described in Section 6: Cookies, Software Development Kits, and Other Tracking Technologies and where required by law, we rely on your consent; otherwise, it is our legitimate interest to conduct analytics as it helps us understand our business metrics and improve our product.
To improve, test, and monitor the effectiveness of the App and Web. It is our legitimate interest to conduct such analyses to understand our product and business metrics.
To provide personalized content and information to you in relation to the App or Web, and so that we, and third parties on which we rely, can advertise to you. This may include using your Personal Data to build advertising audiences that we believe are similar to our user base, serving online ads to you, or engaging in other forms of advertising. Where required by law, we rely on your consent to engage in such activities and/or offer you the opportunity to opt-out. Please see Section 3: Personal Data and Other Data We Collect Automatically and Section 6: Cookies, Software Development Kits, and Other Tracking Technologies for more information.
To send marketing and promotional communications to you, such as via email, push notification or in-app messaging either with your consent or as otherwise permitted by law. We may use your own contact details (such as the email address associated with your account or business profile) to inform you about Tofu products, features, updates, offers, or surveys. We do not use email addresses of third parties that you add into the Tofu Apps or Web (for example, your clients’ or contractors’ emails) for our own marketing purposes. In some cases, where permitted by applicable law, we may send service-related or B2B communications to generic business email addresses (for example, info@company.com), and recipients may opt out at any time. Please see Section 8: Your Choices About Our Communications With You for more information.
In any other way as we may describe when you provide the information or otherwise at your direction or with your consent.
As permitted or required by law, including for auditing, fraud and security monitoring purposes.
We may use automated decision-making technologies, including profiling, to improve App, and Web, functionality, provide personalized content, and optimize advertising. For example, automated profiling may be used to recommend features based on your usage patterns.
You have the right to:
- Request more information about any automated decision-making processes,
- Object to profiling that significantly affects you, and
- Request human intervention in cases where automated decisions impact your rights under applicable laws.
- Where processing is based on legitimate interest, we ensure that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time by contacting us at support@tofu.com.

5. TO WHOM WE DISCLOSE DATA

List of Service Providers (Subprocessors)

We may disclose your Personal Data, and other data and collected information to trusted third-party organizations such as contractors, business partners, service providers, third-party analytics providers and advertising partners that we use to support our business operations and who assist us in providing Services.

For transparency, below is a non-exhaustive list of our third-party service providers (“subprocessors”) who may process Personal Data or other data on our behalf, the purpose of their processing, and the categories of data involved:

Name	Country	Purpose of Processing	Categories of Data Processed
Google Cloud Platform (GCP) See here Terms of Service	USA	Cloud hosting, storage, infrastructure	Account data, business data, invoice/expense data, uploaded documents, analytics metadata
MongoDB Atlas See here Terms of Service	USA / EU	Database hosting	Account data, client data, financial records, app usage data
Amplitude See here Terms of Service	USA	Product analytics	Usage events, device info, IP address, feature interactions
AppsFlyer See here Terms of Use	Israel / USA	Attribution, campaign measurement	Advertising identifiers (IDFA/GAID), device info, install events
Firebase (Google) See here Terms of Service	USA	Analytics, crash reporting, push notifications	Device identifiers, IP address, crash logs, usage events, notification tokens
Appfigures See here Terms of Use	USA	App performance analytics	Aggregated install and revenue metrics
Facebook Pixel See here Terms and Policies	USA	Advertising analytics (if marketing enabled)	Device identifiers, advertising IDs, event tracking
Google Ads See here Terms and Conditions	USA	Advertising attribution	Device identifiers, IP address, analytics event metadata
Twilio SendGrid See here Terms of Service	USA	Transactional email delivery	Sender/recipient email, subject lines, message metadata
Brevo (Sendinblue) See here Terms and Conditions	France	Email delivery and marketing	Recipient email, subject lines, message metadata
Microsoft Clarity See here Terms of Use	USA	Behavioral analytics	Device and browser data; identifiers; behavioral data; interaction data
Stripe See here Terms of Use	USA	Payment processing	Payment metadata, invoice identifiers, transaction status (no full card numbers stored by us) Please read paragraph below.

Payments and Data Processing. We do not collect, store, or directly process sensitive payment details such as credit card numbers, expiration dates, or CVV codes. All payment transactions are securely processed by third-party payment providers, including Stripe and Apple Pay.

When making a payment, your payment information (such as card details, billing address, and other financial data) is provided directly to the relevant payment provider and is processed and stored by them in accordance with their own privacy policies and terms of service. We do not access or retain any sensitive payment information submitted through these payment forms.

While payment details are processed exclusively by these providers, we may receive and process limited transaction-related metadata, such as transaction IDs, payment status, or other non-sensitive identifiers. This information is used solely for purposes such as order confirmation, fraud prevention, service continuity, and compliance with applicable legal or regulatory requirements.

For users who enable payment-processing features (Stripe Connected Accounts), we share only minimal account-status information with Stripe (for example, whether verification is pending or completed). Any verification data, including identity documents or national identifiers, is submitted directly by users to Stripe and is not accessible to us.

Our processors (Apple Pay, Stripe) certify PCI DSS compliance.

For more information, please review Stripe Privacy Policy and Stripe Connected Account Agreement, as well as Apple Pay & Privacy.

We encourage you to view the privacy policies of Apple Pay and Stripe for comprehensive details on how your sensitive payment data is managed. For questions or further assistance, please contact our Support team at support@tofu.com.

We may disclose your Personal Data in the event that we or any of our affiliates, subsidiaries or lines of business is merged, acquired, divested, financed, sold, disposed of or dissolved, including in the course of a transaction like a merger, divestiture, restructuring, reorganization, acquisition, bankruptcy, dissolution, or liquidation. In such cases, your Personal Data and any other collected information may be among the items sold, transferred, or otherwise disclosed as part of that transaction or proceeding.
We may disclose your Personal Data in response to legal requests and for purposes of preventing harm. We may access, preserve and share your information in response to a legal (like a search warrant, court order or subpoena), government or regulatory request if we have a good faith belief that the law requires us to do so. This may include responding to legal, government or regulatory requests from jurisdictions where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards. We may also access, preserve and share information when we have a good faith belief it is necessary to: (i) detect, prevent and address fraud and other illegal activity; (ii) protect ourselves, you and others, including as part of investigations; and (iii) prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm.

Some of the third-party service providers and partners we share data with are located outside the EU/UK. Section 11: Cross-Border Data Transfers explains the safeguards we have in place to protect your personal data during international transfers.

6. COOKIES, SOFTWARE DEVELOPMENT KITS, AND OTHER TRACKING TECHNOLOGIES

Analytics providers. When you Use an App, or the Web, we and our service providers, vendors, and partners, including third parties, may use technologies to collect or receive certain information about you and/or your Use of the App or Web. We also use third-party analytics tools like Google Firebase, AppsFlyer, and others to help us measure traffic and usage trends for the App or Web and for other purposes. Such analytics tools collect information via third-party SDKs incorporated into the App or Web, which includes information about features of the App or Web you visit or Use, your actions and interaction with the App or Web, and information about your subscription. Such information may be used to provide content, advertising, or functionality or to measure and analyze ad performance on the App or Web or other websites or platforms. Third parties may also use such information for their own purposes. For the avoidance of doubt, we do not use Image Data for advertising purposes.

Consumption Information. If we receive a refund request for an in-app purchase, we may provide Apple with information about your in-app purchase activity.

This data may include:

Account Tenure: the duration of your account's existence;
App Account Token: an anonymous account identifier used for the transaction;
Consumption Status: the extent to which the in-app purchase was used or consumed;
Delivery Status: confirmation of whether the purchased content was successfully delivered;
Lifetime Dollars Purchased: the total amount spent on in-app purchases in our app, in USD;
Lifetime Dollars Refunded: the total amount refunded to you for in-app purchases, in USD;
Platform: the platform where the in-app purchase was consumed;
Play Time: the total time spent using our app;
Sample Content Provided: whether a free trial or sample of the in-app purchase was available before purchase;
User Status: the current status of your account.

We process this data solely to assist Apple in evaluating refund requests, ensuring compliance with applicable laws and regulations, including GDPR and CCPA. Users can withdraw their consent to this processing at any time through the app settings or by contacting us.

Users can withdraw their consent to this processing at any time by adjusting the app settings:
Open the App > Go to Settings > Analytics > Toggle Off "Share consumption information".

For further assistance or to withdraw consent directly, users can also contact us via support@tofu.com.

Your Choices. Most browsers and devices are configured to accept cookies and similar tracking technologies automatically. You may be able to set your browser and device options so to limit such technologies. You can visit the Digital Advertising Alliance (“DAA”) Web choices tool at www.aboutads.info to learn more about this interest-based advertising and how to opt out of this kind of advertising by companies participating in the DAA self-regulatory program, and http://www.aboutads.info/appchoices for information on the DAA’s mobile app opt-out program. You can also opt out of receiving interest-based ads from members of the Network Advertising Initiative (“NAI”) by visiting the NAI consumer opt-out page at http://optout.networkadvertising.org/?c=1#!/. Opting out of receiving interest-based ads does not mean that you will no longer receive ads from us, but rather that the ads will not be tailored to your perceived interests.

For users in the European Economic Area, United Kingdom and United States. You can opt out from processing of Personal Data via cookies, SDKs and other tracking technologies by clicking sending a request to support@tofu.com.

You may find that some parts of the App, or Web, may not function properly if you have refused certain tracking technologies, and you should be aware that disabling certain tracking technologies may prevent you from accessing some of our content. Your choices are typically device and browser-specific.

We honor Global Privacy Control (GPC) signals as required by U.S. and international privacy laws. GPC is a browser or device setting that allows you to control the sale or sharing of your personal data. If GPC is enabled on your device, we will process it as a valid opt-out request under applicable laws. For more information on enabling GPC, please visit globalprivacycontrol.org.

7. YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA

Access, modification, correction and erasure. You can send us an email at support@tofu.com to request access to, modification, correction, update, erasure or portability of any Personal Data that you have provided to us and that we have about you. You can also request deletion of your account inside the app, both for iOS and Android users. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

EEA/UK individuals. Individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”) have certain statutory rights in relation to their Personal Data including under the General Data Protection Regulation (Regulation (EU) 2016/679) (“EEA GDPR”) and the UK version of the EEA GDPR (“UK GDPR”) (collectively, the “GDPR”), including the rights specified below. You can exercise these rights by contacting us (for contact information, please see Section 14: How to Contact Us, EEA/UK Representative, and Data Protection Officer). We will do our best to accommodate your request or objection but please note that not all rights are absolute.

Access to your Personal Data. You have a right to request information about whether we have any Personal Data about you, and to receive a copy of such Personal Data.
Rectification of your Personal Data. You are responsible for ensuring the accuracy of your Personal Data that you provide to us. Inaccurate information may affect your experience when Using Invoice Maker features and our ability to contact you as described in this Privacy Policy. If you believe that your Personal Data is incomplete or inaccurate, you have a right to contact us and ask us to correct such Personal Data.
Restriction of processing. You also have the right to demand restriction of processing of your Personal Data, for example, if you contest the accuracy of the Personal Data which inaccuracy is verified by us.
Erasure of your Personal Data. In certain circumstances, you may ask us to erase your Personal Data. Please be aware that erasing some Personal Data may affect your ability to Use Invoice Maker.
Right to portability of your Personal Data. In certain circumstances, you have the right to request us to receive any Personal Data you provided us in a structured, commonly used and machine-readable format. You may further ask us to give that Personal Data to another party.
Right to object to processing or otherwise using your Personal Data. You have the right to object at any time to the processing of your Personal Data where such processing is based on our legitimate interests, including the processing of your Personal Data for direct marketing purposes. Please note that this right does not apply to processing that is necessary for the performance of a contract between you and us (such as providing the core functionality of the Service). However, objecting to certain processing carried out based on legitimate interests, such as security, fraud prevention, or service improvement, may affect our ability to provide some features or services.

Right to withdraw your consent at any time. Where you may have provided your consent to the processing of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on your consent before its withdrawal.
Right to lodge a complaint with a supervisory authority. Subject to the GDPR, you have the right to lodge a complaint with a local data protection authority in the country of your residence, where you work or where an alleged infringement of the applicable data protection law took place. Please see a list of EU member states’ supervisory authority here, and the UK’s supervisory authority (ICO) here.

Please keep in mind that in case of a vague request to exercise any of the aforementioned rights we may engage with you in a dialogue to ask for more details if so needed to complete your request. In case this is impossible, we reserve the right to refuse granting your request.

Following the provisions of the applicable law, we might also ask you to prove your identity (for example, by requesting your username or some other proof of your identity) in order for you to invoke the mentioned rights. This is made to ensure that no right of third parties is violated by your request, and the mentioned rights are exercised by an actual Personal Data subject or an authorized person.

Your obligations as an independent data controller

If you use the Services to collect, store, or process Personal Data of third parties — including your clients' names, email addresses, or other contact details — you may act as an independent data controller with respect to such data under applicable data protection laws.

In this case we act as a Data Processor and we process third-party email addresses and other contact details solely on your behalf for the purpose of providing the Services you initiate (such as delivering invoices, estimates, payment links, or related notifications).

In that capacity, you are solely responsible for ensuring that your processing of such Personal Data complies with all applicable legal requirements, that you have a lawful basis, including obtaining any necessary consents and responding to data subject requests.

You may use Personal Data received through the Services only for the purposes of completing transactions and communications initiated through the Services, and not for unsolicited commercial messages or any other unauthorized purposes.

Without the explicit consent of the relevant individual, you may not add them to any mailing list or otherwise use their Personal Data beyond the scope of the Services. If you are located in, or process data of individuals in, the EEA, UK, or Switzerland, you bear independent responsibility as a data controller under GDPR / UK GDPR for complying with your obligations, including providing your own privacy notice to data subjects and handling any data subject requests directed to you.

We do not use third-party email addresses entered by you for our own direct marketing campaigns.

Prohibited Content and User Responsibility

By using the Services, you agree not to upload any illegal, harmful, or unlawful content, including but not limited to:

Personal Data of third parties without their consent,
Sensitive personal data of third parties, such as medical, financial, or biometric data, unless you have explicit consent,
Infringing content, including but not limited to copyrighted material, trademark violations, or any content that breaches intellectual property rights,
Defamatory or offensive material, including hate speech, threats, or discriminatory content,
Pornographic, sexually explicit, or obscene content,
Fraudulent or deceptive content, such as phishing attempts, scams, or misleading information.
And other types of information that could be considered illegal.

We do not independently verify the lawfulness of your use of third-party data and accept no responsibility or liability for your failure to comply with applicable legal obligations regarding such data. You remain solely responsible for the lawful processing of any third-party data you submit to the app.

Uploading such content is done at your own risk and responsibility. You are solely responsible for ensuring that the documents you upload do not contain illegal or unlawful material or content you do not have the right to share.

In the event that we detect unlawful content in the documents uploaded by users, we reserve the right to report such content to the relevant authorities for further investigation. This may include providing user-uploaded content or other relevant information to law enforcement or other regulatory bodies, as required by law.

We do not bear responsibility for any legal consequences arising from the uploading of prohibited content.

Manage your privacy rights. To enhance your experience, we provide in-app tools to manage your privacy rights, such as:

Accessing your personal data,
Deleting your account and associated data,
Managing consent for tracking and analytics technologies.

For additional assistance, contact us at support@tofu.com.

Requests related to personal or other data. If you are an individual in the EEA or UK, we will respond to your requests without undue delay and at the latest within one month from the date we receive your request. If your request is complex or if we receive a large number of requests, we may extend this period by an additional two months. In such cases, we will inform you of the extension and the reasons for the delay within the initial one-month period.

In any other case, we will process your requests related to personal data within 45 days from the date we receive them. If additional time is required due to complexity or volume of requests, we may extend this period by an additional 45 days. In such cases, we will notify you within the initial 45-day period.

You may submit your request by contacting us at support@tofu.com or through the app’s privacy settings.

‍8. YOUR CHOICES ABOUT OUR COMMUNICATIONS WITH YOU

Necessary communications. If you are using an App or the Web you may receive electronic communications from us (e.g., by posting in-app notices in Invoice Maker, push notifications or emails). These communications are necessary, and you cannot opt out of receiving them, as they are required to perform our contract with you and/or are sent based on our legitimate interest in providing and maintaining the Services. Such communications may include, but are not limited to: information related to your subscription and purchases (including invoices and payment confirmations), account and settings, usage and balance notifications, service updates, technical and security notices, and updates to our Privacy Policy or Terms of Use.

Communications related to the functionality of the App. Our Apps, and Web, allow users to send emails containing invoices, estimates, payment requests, or archive files either to themselves or to third parties. Email delivery is always initiated manually by the user within the app, or Web, interface.

Third-Party Recipients. If you choose to enter and use the email address of a third party (e.g., to send an invoice or estimate), you are solely responsible for ensuring that you have obtained the necessary consent from that person, as required by applicable data protection laws. We do not verify or validate the ownership of recipient email addresses entered by users.

OTP Delivery. For authentication purposes, we may send you a One-Time Password (OTP) via email. These emails are also processed via the providers mentioned above and initiated only by user request (e.g., during login or identity verification).

Marketing & Promotional Emails. We may use the email address associated with your account or business profile to send you marketing and promotional communications about Tofu products, including product tips, promotional offers, and announcements of new features, where permitted by applicable law.

For users located in the European Economic Area (“EEA”) and the United Kingdom, we will send such communications only where you have provided your explicit consent, in accordance with applicable data protection and ePrivacy laws. For users located outside the EEA and the UK, including the United States, we may send marketing communications based on our legitimate interests, where permitted by applicable law.

You can opt out of receiving marketing communications at any time by using the unsubscribe link included in our messages or by contacting us at support@tofu.com. Such withdrawal will not affect the lawfulness of communications sent prior to your withdrawal.

We do not send marketing emails to third-party email addresses that you enter into the Tofu Apps or Web on behalf of your own clients, contractors, or other contacts. Those addresses are used only to deliver user-initiated communications such as invoices, estimates, or payment requests.

In some cases, where permitted by applicable law, we may send informational or B2B communications to generic business email addresses (such as info@company.com).

If you opt out of marketing communications, you will be removed from our marketing communications list. However, this will not affect your receipt of non-marketing, service-related or transactional emails, which are necessary for account administration and your use of Tofu.

We do not use your precise location data for marketing purposes without your explicit consent.

Push Notifications. If you wish to opt-out of push notifications, you can do so through your mobile device settings by tapping “Settings” -> “Notifications” -> Choose the App -> press the toggle to allow or forbid push notifications from the app.

‍9. DATA SECURITY

We use reasonable and appropriate information security safeguards to help keep your Personal Data and other data secure and, in an effort, to protect it from accidental loss and unauthorized access, use, alteration and disclosure. We implement appropriate technical and organizational measures to protect your personal data, including encryption, secure servers, access controls, and regular security testing. We also require our third-party service providers to maintain equivalent safeguards.

Unfortunately, the transmission of information via the internet is not completely secure. Although we take measures to do our best to protect your Personal Data, we cannot guarantee the security of the collected information transmitted to or through the Tofu App and/or Web, or an absolute guarantee that such information may not be accessed, disclosed, altered, or destroyed.
Any transmission of your Personal Data is at your own risk. We are not responsible for the circumvention of security measures contained in the Tofu App and Web. Please understand that there is no ideal technology or measure to maintain 100% security.

The safety and security of your information also depends on you. For instance, we are not responsible for how you choose to share the photos or other information processed in your Invoice Maker account, such as via social media services. We are not responsible for the functionality, privacy, or security measures of any other organization.

In the event of a personal data breach, we have procedures to promptly assess, contain, and remediate the breach. Where required by law, we will notify the relevant data protection authorities and affected users in accordance with GDPR and applicable laws.

If you believe your data has been compromised, please contact us immediately at support@tofu.com.

‍10. DATA RETENTION

We retain Personal Data and other data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (e.g. for tax, accounting, or legal compliance).

Specific retention periods include:

User account data. Retained until the user deletes their account.
Payment and transactional data. Retained for seven (7) years for compliance with financial and tax regulations.
Uploaded and created documents. Retained for as long as needed to provide the requested services. Documents can be deleted at any time from within the app. Once deleted, they are permanently removed from our servers.
Analytics and usage data. Retained in anonymized form for business purposes.

You may request account deletion by contacting support@tofu.com or using the in-app functionality.

Even if we delete some or all your Personal Data and other data, we may continue to retain and use anonymized data previously collected that can no longer be used for personal identification.

‍11. CROSS-BORDER DATA TRANSFERS

Tofu is a global platform. To operate our Services, your Personal Data may be transferred, stored, and processed in jurisdictions outside of your country of residence, primarily in the United States. Data protection laws in these countries may differ from the laws of your country of residence.

We use third-party service providers that operate global networks of data centers for hosting and infrastructure purposes. As a result, the processing of your Personal Data may be carried out in various locations, which is a necessary part of providing the Services to you.

Where required under the EEA GDPR, in case of transfers of personal data from the EEA to countries outside the EEA, where we cannot rely on adequacy decisions adopted by the European Commission (for more information, please see here) we ensure appropriate safeguards are in place to guarantee the continued protection of your personal data, particularly by signing the Standard Contractual Clauses of the European Commission (article 46(2)(c) GDPR). For more information on these Standard Contractual Clauses, please see here.

Where required under the UK GDPR, in case of transfers of personal data to countries outside the United Kingdom, we ensure appropriate safeguards are in place to guarantee the continued protection of your personal data, particularly by signing the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement, whichever is more appropriate in the given situation. For more information on UK Addendum and the UK International Data Transfer Agreement, please see here. We may also guarantee the protection of your personal data by relying on adequacy decisions adopted or approved by the authorities in the United Kingdom.

For questions about cross-border transfers or to obtain a copy of the relevant safeguards, please contact us at support@tofu.com. For our EEA/UK representative and Data Protection Officer details, see Section 14.

‍12. CHILDREN’S PRIVACY

General age limitation. The Tofu Apps and Web are not intended for or directed at children under 13, and we do not knowingly collect or solicit any information from anyone under the age of 13 or knowingly allow such persons to Use the Tofu Apps and Web. If you are under 13, do not: (i) Use or provide any information in the Tofu App or Web, or through any of its features, or (ii) provide any information about yourself to us, including your name, address, telephone number or email address. If you are a parent or guardian and believe we have collected information from your child who is under the age of 13, please contact us at support@tofu.com.

If we discover that we have collected data from a child under the applicable age without verifiable parental consent, we will promptly delete that information and take steps to prevent further access to the Tofu Apps and Web.

Age limitation for EEA and/or UK individuals. You must be at least 16 years old in order to Use the Tofu Apps or Web. We do not allow Use of the Tofu Apps or Web, by EEA and/or UK individuals younger than 16 years old. If you are aware of anyone younger than 16 Using the Tofu Apps or Web, please contact us (for contact information, please see Section 14: How to Contact Us, EEA/UK Representative, and Data Protection Officer), and we will take the required steps to delete the information provided by such persons.

‍
13. THIRD-PARTY WEBSITES AND SERVICES

‍We are not responsible for the practices employed by any websites or services linked to or from the App, including the information or content contained within them. Where we have a link to a website or service, linked to or from the App, we encourage you to read the privacy policy stated on that website or service before providing information on or through it.

14. HOW TO CONTACT US, EEA/UK REPRESENTATIVE, AND DATA PROTECTION OFFICER
‍

General contact details. If you have any questions about this Privacy Policy or the App, please contact us via email at support@tofu.com.

Data protection officer. If you are an individual in the EEA or the UK and you wish to exercise your rights under Section 7: Your Rights In Relation to Your Personal Data, or you have any questions about this Privacy Policy or the Services, you can contact our data protection officer via email at support@tofu.com.

15. CHANGES TO OUR PRIVACY POLICY‍

The date this Privacy Policy was last revised is indicated at the top of the page. We may modify or update this Privacy Policy from time to time. We recommend that you regularly check this section for updates. Some changes do not require your consent. However, if we determine that the changes may pose a risk to your rights and freedoms, we will ask for your consent to those changes separately from this Privacy Policy.