Last Updated: March 2026

Effective Date: March 2026

Privacy Policy

This Privacy Policy explains how Completely Offensively LLC, a Pennsylvania limited liability company, doing business as DueForce ("DueForce", "we", "our", "us") collects, uses, and protects information in connection with the DueForce application ("Service"). The Service is offered to businesses (law firms and legal professionals) throughout the United States (all 50 states and the District of Columbia), not to consumers for household purposes. We designed this policy to align as closely as practicable with the patchwork of U.S. state comprehensive privacy laws (including the California Consumer Privacy Act as amended by the CPRA and similar statutes in other states) and, where relevant, laws such as the EU/UK GDPR. This document does not constitute legal advice. DueForce is designed for attorneys and law firms who manage sensitive client and invoice relationships.

1. Who we are (U.S. business)

For U.S. purposes, the business responsible for this Privacy Policy is Completely Offensively LLC (d/b/a DueForce), formed in the Commonwealth of Pennsylvania. We market and provide the Service nationwide; formation in Pennsylvania does not limit where our customers may be located. For GDPR-style laws, the same entity may be described as a "controller" of personal data. For questions or privacy requests, use the contact information in section 13. If applicable law requires a mailing address, you may request it at the same contact email.

YOUR DATA IS NEVER SOLD.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not rent, trade, or otherwise monetize personal data in any form. These practices are prohibited under our internal policies regardless of whether applicable law requires it. DueForce generates revenue solely through subscription fees paid by law firm subscribers. Our business model does not depend on and is not supported by the sale or commercial exploitation of personal data.

2. Information we collect

We may collect the following categories of information:

  • Account information: email address, name (if provided), and password (hashed and never stored in plain text).
  • Billing information: limited Stripe identifiers and subscription status (e.g., whether you have an active Pro subscription). Full payment card details are processed and stored by Stripe and are never stored on DueForce servers.
  • Firm profile and email branding: law firm name, billing reply-to email address, law firm mailing address (required before automated reminder and demand-letter email sends), optional attorney name and title, optional payment link URL, and optional firm logo image (stored via our file storage provider) that you provide to configure how outbound emails appear and where client replies are directed.
  • Client and invoice data: business contact details for your clients, invoice amounts, due dates, reminder schedules, uploaded invoice-related files (such as PDFs) that you provide, and related fields you enter into the Service.
  • Confidentiality flags, audit logs, and email delivery records: when you enable confidential labeling, DueForce stores a confidentiality flag associated with your invoice. We store reminder and demand-letter activity logs (including status, timestamps, and communication metadata such as recipient addresses and message identifiers). We also store email delivery and engagement records (for example sent, delivered, opened, or bounced status and related timestamps) when our email provider reports those events to us. We do not rely on storing full archival copies of every outbound email body in our database for routine operation; substantive content is primarily transmitted through the email provider at send time.
  • Usage data: log data, device information, approximate location inferred from IP address, and interactions with the Service. This may include access logs for security and troubleshooting.
  • Communications with DueForce: messages you send to us (for example support requests) and transactional system emails such as password resets. Automated invoice reminders and demand letters initiated through the Service are processed as described under firm profile, client and invoice data, and audit/delivery records above—not as a separate "full email archive" product feature unless we explicitly offer export or logging of specific fields in the app.

Sensitive data. DueForce does not intentionally collect sensitive personal data as defined under applicable state privacy laws — including but not limited to precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health data, biometric identifiers, sexual orientation or gender identity, citizenship or immigration status, genetic data, or financial account numbers. The Service is designed exclusively for business-to-business use by law firms and attorneys managing invoice and billing workflows. We do not use any personal data for automated profiling or decision-making that produces legal or similarly significant effects on individuals. If you believe you have inadvertently submitted sensitive personal data to the Service, please contact admin@dueforce.ai and we will take appropriate action.

Data about third-party recipients of automated communications. When law firm subscribers use DueForce to send automated invoice reminders and demand letters, those emails are delivered to the law firm's clients — third parties who are not DueForce account holders and are not directly subject to this Privacy Policy. We may receive delivery and engagement data about those outbound emails from our email infrastructure provider, including whether a message was delivered, opened, or bounced, based on industry-standard email tracking technology embedded in outbound messages. This data is associated with the sending firm's account and is visible only to that firm within their DueForce dashboard. DueForce does not use this engagement data to build advertising profiles, to contact third-party recipients directly, or for any purpose other than providing delivery and engagement status information to the sending law firm. Law firm subscribers are solely responsible for ensuring their use of DueForce — including automated communications sent to their clients — complies with all applicable laws, professional responsibility rules, bar association guidelines, and ethical obligations, including any obligations related to notice, consent, or disclosure of email tracking technologies to their clients.

3. How we use information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service.
  • To authenticate users, secure accounts, and prevent fraud or abuse.
  • To send automated invoice reminders and other communications that you configure, including applying your firm display name, reply-to, and (where applicable) a BCC copy to your configured billing address so your firm retains a record of sends.
  • To record email delivery and engagement status reported by our email infrastructure (for example delivered, opened, or bounced) so you can review activity in the Service.
  • To respect firm-controlled contact preferences you configure in the Service (for example, suppressing reminders for a client email when you enable that option).
  • To handle billing, subscription management, and related customer support.
  • To maintain audit logs for reminder and demand-letter activity so you can keep internal records and investigate communication status.
  • To monitor performance, improve features, and develop new functionality.
  • To comply with legal obligations and enforce our Terms of Service.

4. Legal bases for processing (GDPR)

Where GDPR or similar laws apply, we process your personal data on one or more of the following legal bases:

  • Performance of a contract: to provide the Service and fulfill our agreement with you.
  • Legitimate interests: to operate, secure, and improve the Service in a way that does not override your rights and freedoms.
  • Consent: where required, for example for certain marketing communications. You may withdraw consent at any time.
  • Legal obligation: to comply with applicable laws and regulations.

5. Data sharing and processors

We do not sell your personal data. We may share data with trusted service providers who act as processors and help us deliver the Service, such as:

  • Cloud hosting and database providers (e.g., Supabase, Vercel).
  • Payment processors (e.g., Stripe) for subscriptions and billing.
  • Email delivery infrastructure (e.g., Resend) for sending transactional mail, including invoice reminders and demand letters. That provider processes message content, headers, and recipient addresses as necessary to deliver email and may send DueForce signed webhook events (for example delivery or engagement notifications) that we use to update status in the Service.
  • Object storage for optional firm logo uploads associated with your account.
  • Analytics or logging providers for performance monitoring and security.

These providers are bound by contractual obligations and only process data on our instructions.

6. International transfers

Due to the nature of cloud infrastructure, your data may be processed in countries outside your own. Where required, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms to help protect your data.

7. Data retention

We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. When data is no longer needed for those purposes, we delete or anonymize it in line with the schedules below. Longer retention may apply where we are required by law or to resolve disputes.

  • Email delivery and engagement records (`email_tracking`): we automatically delete rows older than twenty-four (24) months from creation, via a scheduled server process.
  • Reminder activity logs (`reminder_logs`) and demand-letter activity logs (`demand_letter_logs`): we automatically delete rows older than seven (7) years from creation, via the same scheduled process (aligned with common professional recordkeeping horizons).
  • Account and workspace data (profile, invoices, clients, firm branding, preferences): retained while your account is active. You may permanently delete your account from Account settings; that removes DueForce-held application data tied to your user as described in section 8. Payment and billing records may be retained by our payment processor under its own retention rules.
  • Optional exports: you may export relevant logs from the application for your own records where the Service offers that capability.

8. Your rights

Depending on your location, you may have some or all of the following rights in relation to your personal data:

  • Self-service account deletion: signed-in users may permanently close their account from the Account page in the app by confirming the on-screen phrase. This deletes your auth profile and removes DueForce application data associated with your user (including invoices, clients, firm profile fields, and related logs and preferences subject to database rules). Third-party systems (for example Stripe for billing, or email providers that already received messages) may retain their own records under their policies.
  • Other requests (access, correction, portability, objections, or questions): contact us at admin@dueforce.ai. We will respond in line with applicable law.
  • Right to access and obtain a copy of your data.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") in certain circumstances.
  • Right to restrict or object to processing in certain circumstances.
  • Right to data portability where technically feasible.
  • Right to withdraw consent where processing is based on consent.
  • Right to lodge a complaint with a supervisory authority or relevant regulator in your jurisdiction.

Opt-Out Requests and Global Privacy Control. Residents of states that provide opt-out rights may submit requests via email at admin@dueforce.ai. DueForce does not sell personal data and does not use personal data for cross-context behavioral advertising, so the practical scope of opt-out rights as applied to our Service is limited. We do not currently recognize the Global Privacy Control (GPC) browser signal as an opt-out mechanism, as we do not engage in the data sales or targeted advertising to which GPC signals apply. If your state's law requires us to honor GPC signals in connection with our processing, contact us and we will respond consistent with applicable law.

Response Timeframes. We will respond to verifiable privacy requests within 45 days of receipt. Where permitted by law, we may extend this period by an additional 45 days with written notice to you. If we cannot fulfill a request in whole or in part, we will explain why within the same timeframe. If your state provides a right to appeal our decision, you may submit an appeal to admin@dueforce.ai with the subject line "Privacy Request Appeal" and we will respond within 60 days of receiving your appeal.

Appeals. If we deny your privacy request in whole or in part, you may appeal our decision by emailing admin@dueforce.ai with the subject line "Privacy Appeal" within 30 days of receiving our denial. We will review your appeal and respond within 60 days. If your appeal is denied and your state provides the right to lodge a complaint with a state regulatory authority, we will provide you with information about how to do so upon request. We will not discriminate against you for exercising any privacy rights available to you under applicable law.

9. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in a manner subject to the U.S. Children's Online Privacy Protection Act (COPPA). The Service is also not directed to children under 16; if you believe someone under 16 has provided us with personal information, please contact us so we can take appropriate action.

10. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. These include HTTPS/TLS in transit, encryption at rest in our database layer, and database access controls using Row Level Security (RLS). We apply best-effort rate limiting on sensitive API routes to reduce abuse. Inbound webhooks from our email provider are verified using a shared signing secret so that forged delivery events are rejected. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Data Protection Assessments. Where required by applicable state law, we conduct or maintain data protection assessments for processing activities that present heightened risk to individuals, such as processing sensitive personal data or engaging in activities subject to assessment requirements under state privacy statutes including those in Virginia, Colorado, Connecticut, Texas, Indiana, Kentucky, and similar jurisdictions. These assessments are conducted internally and help us evaluate and mitigate privacy risks associated with our Service. For more information, contact us at admin@dueforce.ai.

11. U.S. state privacy notices (all states, including California)

Because we offer the Service to law firms and legal professionals across the United States, personal information about users and their contacts may be collected in or relate to any state. A growing number of states have enacted comprehensive privacy laws; requirements differ, and many apply only when statutory thresholds or scope tests are met (for example based on revenue, data volume, or business activities). Whether a specific statute applies to DueForce at a given time is a legal determination. Regardless, we strive to describe our practices accurately and to honor valid requests from residents of states that grant privacy rights, consistent with applicable law.

California residents (CCPA/CPRA). The categories of personal information we collect are generally those described in section 2 (for example identifiers such as name and email, commercial information such as subscription status, professional or firm information, client and invoice data you upload, internet or network activity such as usage and security logs, and inferences drawn from the above). We collect personal information directly from you, automatically when you use the Service, and from service providers (for example payment and email delivery status). We use and disclose personal information for the business and commercial purposes described in sections 3 and 5. We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are used under the CCPA/CPRA.

Your California privacy rights. Subject to applicable exceptions, California residents may have the right to request access to certain personal information we hold about them, to request deletion or correction, and to limit certain uses of sensitive personal information where those rights apply. We will not discriminate against you for exercising these rights. You may submit requests by emailing admin@dueforce.ai. We may need to verify your request. You may designate an authorized agent to make a request on your behalf where the law allows; we may require proof of authorization. Account holders may also delete their DueForce account and associated application data as described in section 8.

Texas residents (TRAIGA). DueForce uses automated AI systems to deliver invoice reminders and demand letters on behalf of law firm subscribers, as described in section 3. Under the Texas Responsible AI Governance Act (TRAIGA, HB 149), DueForce discloses that these automated systems operate solely for professional invoice follow-up purposes in commercial attorney-client billing contexts. DueForce does not use AI systems with the intent to discriminate against any protected class, manipulate recipient behavior toward harm, or infringe on any constitutional right. Payer assessments are internal tools available only to the subscriber-attorney and are not shared with or used adversely against any recipient. Texas residents with questions or concerns regarding DueForce's AI systems may contact us at admin@dueforce.ai.

Rhode Island residents (RIDTPPA). The Rhode Island Data Transparency and Privacy Protection Act, effective January 1, 2026, may apply to our processing of personal data relating to Rhode Island residents. Subject to applicable thresholds and exceptions, Rhode Island residents may have rights to access, correct, delete, obtain a portable copy of, and opt out of certain uses of their personal data. To submit a privacy request, email us at admin@dueforce.ai. We will respond consistent with the RIDTPPA and will provide information about how to appeal a denied request or contact the Rhode Island Attorney General if applicable.

Indiana residents (INCDPA). The Indiana Consumer Data Protection Act, effective January 1, 2026, may apply to our processing of personal data relating to Indiana residents. Subject to applicable thresholds and exceptions, Indiana residents may have rights to access, correct, delete, obtain a portable copy of, and opt out of certain uses of their personal data. To submit a privacy request, email us at admin@dueforce.ai.

Kentucky residents (KCDPA). The Kentucky Consumer Data Protection Act, effective January 1, 2026, may apply to our processing of personal data relating to Kentucky residents. Subject to applicable thresholds and exceptions, Kentucky residents may have rights to access, correct, delete, obtain a portable copy of, and opt out of certain uses of their personal data. To submit a privacy request, email us at admin@dueforce.ai.

Residents of all other states. If you are a resident of any U.S. state that provides rights regarding access, correction, deletion, portability, opt-out of certain processing, appeals, or similar remedies — and those rights apply to our processing — please contact us at admin@dueforce.ai. We will respond consistent with applicable law, including verification and appeal procedures your state requires. We actively monitor changes in state privacy law and update this Policy as new obligations become effective.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, such as by posting an updated version in the app or sending an email. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13. Contact

If you have questions, requests, or concerns about this Privacy Policy or our data practices, please contact us at:

Email: admin@dueforce.ai