Last updated: April 15, 2026
Nomse LLC ("DuePilot," "we," "us," or "our") operates the DuePilot accounts receivable automation platform. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services.
By using DuePilot, you agree to the collection and use of information as described in this policy. If you disagree with any part of this policy, please do not use our services.
Account information: When you register, we collect your name, email address, company name, and billing information. This information is required to provide the service.
Financial data via QuickBooks: When you connect QuickBooks Online, we access your customer names, email addresses, phone numbers, company names, invoice amounts, due dates, and payment status via OAuth 2.0. We do not access or store your QuickBooks credentials. We use this data solely to identify overdue invoices and send payment reminders.
Gmail data: When you connect Gmail via Google OAuth 2.0, we request only two permissions: (1) gmail.send, used solely to send payment reminder emails to your customers from your Gmail address; and (2) userinfo.email, used during OAuth to identify which Gmail account is connected so we can display it in your settings. We do not read, scan, index, monitor, store, or access any email in your inbox, including replies. We do not use Gmail data for advertising and do not share Gmail data with any third party except as strictly necessary to send the email on your behalf.
Customer reply handling: When a customer replies to a DuePilot reminder, the reply is routed to an inbound address operated by Postmark (our email infrastructure provider) via a Reply-To header. Postmark delivers the reply content to DuePilot via a secure webhook. Replies are never read from your Gmail or Outlook inbox.
Outlook data: When you connect Microsoft Outlook via OAuth 2.0, we request only Mail.Send (send reminder emails from your Outlook address) and User.Read (identify your connected email address). We do not read or monitor your Outlook inbox.
Usage data: We collect information about how you use DuePilot, including pages visited, features used, and actions taken within the platform. This helps us improve the product.
Email event data: When collection emails are sent on your behalf, we record delivery status, open events, and click events to improve sequence effectiveness.
Customer data you provide: Contact information and communication records for your customers that you import or that DuePilot accesses via integrations.
To provide, maintain, and improve the DuePilot service
To process and send collection emails on your behalf
To generate AI-drafted email content and classify customer replies
To calculate customer payment scores and AR analytics
To send service-related communications (receipts, security alerts, product updates)
To diagnose and fix technical issues
To comply with legal obligations
We do not use your data for advertising purposes. We do not sell your data to third parties.
DuePilot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Limited use disclosure: DuePilot only uses access to Google user data to send payment reminder emails the user has configured and approved. Specifically:
We do not use Google user data for serving advertisements.
We do not allow humans to read your email content unless: (a) you have given explicit consent, (b) it is necessary for security purposes (investigating abuse), or (c) it is required by law.
We do not transfer Google user data to third parties except as necessary to provide or improve the service, as required by law, or as part of a merger/acquisition with equivalent privacy protections.
We limit our use of Google user data to the practices disclosed in this privacy policy.
Revoking access: You can disconnect Gmail at any time from DuePilot Settings → Integrations. You can also revoke access from your Google Account at myaccount.google.com/permissions.
We share data only with the following categories of service providers, all of whom are bound by data processing agreements:
Supabase — database hosting and authentication
Anthropic — AI model API for email drafting and reply classification
OpenAI — AI model API (used for specific classification tasks)
Google — Gmail OAuth and Google Workspace email sending (limited to sending reminders from the user's Gmail address)
Microsoft — Outlook OAuth and Microsoft 365 email sending (limited to sending reminders from the user's Outlook address)
Postmark — fallback transactional email delivery
Stripe — payment processing and payment link generation
PostHog — anonymized product analytics
We may disclose your information if required by law, court order, or to protect the rights, property, or safety of DuePilot, our customers, or the public.
Active accounts: We retain your data for the duration of your active subscription, plus any legally required retention period.
Canceled accounts: Upon cancellation, we retain your data for 90 days to allow for reactivation or data export. After 90 days, all data is permanently deleted from our systems and backups.
Immediate deletion: You may request immediate deletion of your account and all associated data at any time by emailing privacy@duepilot.ai. Deletion is typically completed within 7 business days.
Depending on your location, you may have the following rights regarding your personal data:
Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate personal data
Deletion: Request deletion of your personal data
Portability: Request an export of your data in a machine-readable format
Opt-out: Opt out of certain types of processing (e.g., analytics)
To exercise any of these rights, email privacy@duepilot.ai. We respond to all requests within 30 days. California residents have additional rights under the CCPA.
TLS 1.2+ encryption for all data in transit.
AES-256-GCM encryption at rest for all OAuth tokens (QuickBooks, Gmail, Outlook).
Row Level Security (RLS) on all database tables, enforcing organization-level data isolation.
Authentication middleware protecting all API endpoints with rate limiting.
Security headers on all responses (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
No plaintext credentials stored — all secrets are encrypted before database storage.
We use essential cookies for session management and preferences. We use PostHog for anonymized product analytics. We do not use advertising cookies. For details, see our Cookie Policy at /cookies.
We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by posting the updated policy on this page with a new "Last updated" date. Your continued use of DuePilot after changes are posted constitutes your acceptance of the updated policy.
For privacy-related questions, data requests, or concerns:
Email: privacy@duepilot.ai
Nomse LLC, San Francisco, CA