Juridion LLC ("Juridion," "we," "us") operates Dun, an automated payment reminder platform for freelancers. This policy describes what data we collect, how we use it, who we share it with, and what rights you have.

Juridion LLC is the data controllerThe entity that determines the purposes and means of processing personal data. for personal information collected through getdunned.com and the Dun platform.

Contact: support@getdunned.com
Entity: Juridion LLC, New Mexico, USA

DataWhenWhyStored Where
Email addressAccount signupAuthentication, account communicationGoogle Cloud Firestore
Name (if provided)Account setupPersonalization, email sender nameFirestore
Payment info (card)Subscription checkoutProcess subscription paymentsStripe only (we never see your card number)
Invoice dataWhen you create invoicesCore service functionalityFirestore (encrypted at rest)
Client contact infoWhen you add clientsSend payment reminders on your behalfFirestore (encrypted at rest)
Connected account tokensPlatform integrationsSync invoices from Stripe, QuickBooks, etc.Firestore (encrypted)
IP addressEach requestSecurity, rate limitingServer logs (rotated, not stored long term)
Product-usage events (signup, integration connected, first invoice imported, first escalation sent)At key activation milestonesMeasure the activation funnel and improve the productGoogle Analytics 4 (keyed to your account ID)

What we do NOT collect:

  • Device fingerprints or hardware identifiers
  • Social media profiles or advertising identifiers tied to your account
  • Biometric data

We process your data under the following legal basesUnder GDPR, organizations must have a lawful basis for processing personal data, such as consent, contract performance, or legitimate interest.:

  • Contract performance: To provide the Dun service you signed up for, including sending payment reminders, syncing invoices, and managing your account.
  • Legitimate interest: To improve service reliability, prevent abuse, and ensure platform security.
  • Legal obligation: To comply with tax, accounting, and regulatory requirements.
  • Consent: For optional features like marketing emails. You can withdraw consent at any time.

We will never sell your personal data. The personal data in your Dun account, including invoices, clients, contacts, and email, is never used for advertising or profiling. Anonymous visits to our marketing website may be used to build remarketing audiences, but only with your consent. See the Cookies section for details.

We share data with the following data processorsA third party that processes personal data on behalf of the data controller, under the controller's instructions. to operate the Dun platform:

Google Cloud

Authentication (Google Sign-In), database hosting (Firestore), infrastructure (Cloud Run)

Privacy Notice

Stripe

Subscription billing, payment processing, invoice sync via Stripe Connect

Privacy Policy

Postmark

Transactional email delivery for payment reminders and account notifications

Privacy Policy

QuickBooks Online (Intuit)

Optional integration to sync invoices from your QuickBooks Online account. We request QuickBooks accounting access (com.intuit.quickbooks.accounting scope) to read invoices and customer contact details, and to record payments when you mark an invoice as partially or fully paid in Dun. You can disconnect at any time from Settings.

Privacy Statement

FreshBooks

Optional integration to sync invoices from your FreshBooks account. We access invoices and clients, and record payments when you mark an invoice as partially or fully paid in Dun. You can disconnect at any time from Settings.

Privacy Policy

Wave

Optional integration to sync invoices from your Wave account. We request read-only access to invoices and customers. Payment recording is not yet supported for Wave. You can disconnect at any time from Settings.

Privacy Policy

Xero

Optional integration to sync invoices from your Xero organisation. We request read-only accounting scopes (accounting.transactions.read and accounting.contacts.read) to read invoices and contacts. Payment recording is not yet supported for Xero (pending scope re-certification). You can disconnect at any time from Settings, which also removes the connection in Xero.

Privacy Policy

Each integration is optional and only activated when you explicitly connect your account. We request only the minimum OAuth scopes required: read access to invoices and client contact information. For QuickBooks and FreshBooks, we also record payments when you mark an invoice as partially or fully paid in Dun. Wave and Xero are currently read-only.

The Dun app (your dashboard, login, and billing pages) uses only essential cookiesCookies that are strictly necessary for the website to function. They cannot be disabled without breaking the service.:

CookiePurposeDuration
dun_sessionAuthenticate your login session7 days

On our marketing pages only (the homepage, comparison pages, integration pages, and blog), Dun uses Google Analytics 4 and the Google Ads remarketing tag to understand site traffic and build remarketing audiences. These are not used on your dashboard, login, or billing pages.

Analytics and advertising cookies on marketing pages are gated behind a cookie-consent banner using Google Consent Mode v2. Before you respond to the banner, the default state is denied for analytics and advertising storage, so no analytics or advertising cookies are set and Google receives only cookieless, modeled traffic data. If you accept, consent is updated and the relevant cookies are set. You can decline the banner at any time, and we honor recognized browser opt-out signals such as Global Privacy Control.

We are not currently running any advertising campaigns. This instrumentation exists to measure marketing-site traffic and build audiences for future use.

  • Account data: Retained while your account is active. If you delete your account, we remove your personal data from Firestore within 30 days, except where retention is required by law.
  • Stripe billing data: Retained by Stripe per their retention policy. We do not delete Stripe records as they are needed for refund processing and tax compliance.
  • Server logs: Rotated and deleted within 30 days.
  • Backups: Database backups containing your data are retained for up to 90 days for disaster recovery, then permanently deleted.

Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+), encryption at rest (AES-256 via Google Cloud), role-based access control, and regular security updates. For full details, see our Data Processing Agreement.

  • Encryption in transit: All connections use TLS 1.2 or higher.
  • Encryption at rest: Data stored in Google Cloud Firestore is encrypted at rest using Google-managed encryption keys.
  • Access control: Access to production systems is restricted to authorized personnel with multi-factor authentication.
  • Secure authentication: Passwords are hashed with bcrypt. Google OAuth is available as an alternative.
  • Security headers: HSTS, CSP, X-Frame-Options, and other headers are enforced on all responses.

Breach Notification Procedure

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we follow this notification procedure in accordance with GDPR Article 33 and Article 34:

  • Within 72 hours: We will notify the relevant supervisory authority of the breach, providing the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken to address it.
  • Without undue delay: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals directly by email with a clear description of the breach and recommended protective measures.
  • Data controller notification: If we are processing data on your behalf (as a data processor under the DPA), we will notify you within 72 hours so you can fulfill your own notification obligations.
  • Documentation: We will document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification is required.

To report a suspected security incident, contact support@getdunned.com.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPRGeneral Data Protection Regulation. EU regulation that gives individuals control over their personal data.:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data (right to be forgotten).
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit how we process your data.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

You can exercise many of these rights directly from your account privacy settings. For other requests, email support@getdunned.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authorityA public body responsible for monitoring the application of data protection law, such as the ICO in the UK or CNIL in France..

If you are a California resident, the CCPACalifornia Consumer Privacy Act. A California state law that gives residents the right to know what personal data is collected, to delete it, and to opt out of its sale. provides you with additional rights:

  • Right to know: You can request the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You can request deletion of personal information we have collected.
  • Right to opt out of sale: We do not sell personal information. Any cross-context behavioral advertising on our marketing pages occurs only with your consent, and you can opt out at any time by declining the cookie-consent banner or through recognized browser opt-out signals.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact support@getdunned.com or use the controls in your account privacy settings.

Juridion LLC is based in the United States. Your data is processed and stored on servers located in the United States (Google Cloud, us-central1 region).

If you are located outside the United States, your data will be transferred to, and processed in, the United States. We rely on Standard Contractual ClausesLegal mechanisms approved by the European Commission for transferring personal data to countries outside the EEA. (SCCs) and other lawful transfer mechanisms provided by our data processors (Google, Stripe, Postmark) to ensure adequate protection for international transfers.

Dun is a business tool designed for freelancers and is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us at support@getdunned.com and we will promptly delete it.

We may update this policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by posting a notice on the website. The current version is always available at getdunned.com/privacy.

Continued use of Dun after changes are posted constitutes acceptance of the updated policy.

If you require a Data Processing Agreement for GDPR compliance, our standard DPA is available at getdunned.com/dpa.

If you have questions about this privacy policy or how we handle your data, contact us:

Juridion LLC
Email: support@getdunned.com
Location: New Mexico, USA

For data protection requests, please include "Privacy Request" in the subject line so we can route your email promptly.