Data Processing Agreement
Effective Date: July 13, 2026
Last Updated: July 13, 2026
Document Version: 2026-07-13
Availability and review
This page is a plain-language DPA framework for business customers. It becomes binding only when incorporated into an executed agreement or otherwise accepted in a manner permitted by applicable law. It is not a substitute for a negotiated DPA or qualified legal review.
1. Roles and Scope
For invoice, client, and related business information that a customer submits on behalf of its clients or other contacts, the customer generally determines the purposes of processing and HuVia Technologies LLC ("we," "us") processes that information to provide I Hate Invoicing. The customer is responsible for giving required notices and obtaining any permissions needed to provide that information to us and our providers.
We may act as an independent controller for account administration, billing, fraud prevention, security, legal compliance, support, and service analytics. Stripe and other providers may independently control information they process under their own agreements.
2. Processing Details
- Subject matter: Account, invoice, client, payment-status, support, and related service records.
- Purpose: Hosting, organizing, sending, tracking, and supporting invoices and payments, plus security and service operation.
- Data subjects: Customer account users, customers' clients, business contacts, and authorized users.
- Data types: Names, email addresses, business details, invoice content, payment status and identifiers, communications, and technical/security records.
- Special categories: The Service is not designed for regulated health, biometric, government-ID, cardholder, or other special-category data. Customers must not submit that information unless a separate written agreement and required controls are in place.
3. Processing Instructions
We will process customer content to provide and secure the Service, as documented in the Terms of Service, the Privacy Policy, this DPA, and the customer's reasonable documented instructions. We may process or disclose information when required by law, to prevent abuse, or to protect the Service and other users. If an instruction would violate applicable law or a provider's requirements, we will notify the customer where legally permitted.
4. Service Providers
We may use the following categories of providers, subject to their current terms and privacy documentation:
- Supabase for authentication and database infrastructure.
- Stripe for payment processing and connected-account services.
- Emailit for transactional and account email delivery.
- DeepSeek for AI-assisted invoice drafting and structuring when the feature is used.
- Vercel and related hosting, logging, and monitoring providers.
- Google/Gmail and other connected tools only when the customer enables the integration.
5. Security
We maintain reasonable technical and organizational measures appropriate to the Service, including TLS in transit, database access controls, row-level authorization, server-side checks, restricted production credentials, hashed authentication credentials managed by Supabase, and provider security controls. No system can be guaranteed completely secure, and provider-specific controls are governed by the provider's own agreements.
6. Rights Requests and Incidents
We will provide reasonable assistance for legally required access, correction, deletion, or restriction requests relating to customer content that we control. The customer remains responsible for responding to requests relating to its own clients and for providing instructions that are lawful.
We will notify the customer of a confirmed security incident involving customer content without undue delay after becoming aware of it, subject to legal restrictions and the availability of information. The customer is responsible for its own regulatory notifications unless the parties agree otherwise in writing.
7. Return and Deletion
At account closure or on documented request, we will delete or return customer content that we control within a reasonable operational period, unless retention is required for legal, tax, accounting, security, fraud-prevention, dispute, or enforcement purposes. Provider systems, backups, and Stripe records may follow separate retention schedules. Any deletion timeline must be confirmed against the applicable provider configuration and agreement.
8. Contact
DPA requests: hello@huvia.ai
HuVia Technologies LLC — I Hate Invoicing