
Privacy Policy

Last updated: March 29, 2026

Illusly ("we", "us", "our") operates the website at illusly.com and the associated web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form; we never store or have access to your plaintext password)
  • Phone number (optional)
  • Profile picture (optional)
  • Timezone preference

1.2 Workspace and Business Information

When you set up a workspace, you may provide:

  • Workspace/company name, logo, and branding settings
  • Business address, phone number, email, and website
  • Tax ID or VAT number
  • Invoice, proposal, and contract configuration (numbering, payment terms, footer text)
  • Currency and date/time format preferences

1.3 Business Data You Create

Through normal use of the Service, you create and store the following categories of data:

  • Client and contact records — names, email addresses, phone numbers, mailing addresses, social media profiles, job titles, labels, and notes
  • Deals — deal names, values, pipeline stages, win probability, and associated client information
  • Projects and tasks — project details, milestones, task descriptions, statuses, priorities, assignments, and comments
  • Time tracking — time entries, durations, billable status, rates, and associated projects/tasks
  • Invoices — invoice numbers, line items, amounts, tax calculations, payment statuses, and client billing details
  • Proposals and contracts — document content, pricing tables, signature records (including signer name, timestamp, and IP address), and status history
  • Forms and submissions — form field configurations, respondent names, emails, responses, IP addresses, and browser user agent strings
  • Calendar events — event titles, descriptions, locations, attendee lists, and scheduling information
  • Email data — email content, metadata, sender/recipient information, and attachments (only when you connect an email account via OAuth)
  • Documents and notes — rich text content, file attachments, and associated metadata
  • Automations — workflow configurations, trigger conditions, execution logs, and approval records

1.4 Files and Attachments

We store files you upload, including:

  • Document attachments (up to 50 MB per file)
  • Profile pictures, workspace logos, and client logos (up to 5 MB each)
  • Scheduling page cover images
  • Form submission file uploads

Files are stored with their original filename, MIME type, and file size.

1.5 Payment Information

Payment processing is handled entirely by our payment provider, Paddle. We do not directly collect, store, or have access to your credit card number, debit card number, or bank account details. Paddle collects and processes your payment information in accordance with their own privacy policy. We receive from Paddle only: transaction identifiers, subscription status, billing dates, plan information, and transaction amounts.

1.6 Usage and Technical Data

When you access the Service, we may automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and features used
  • Date and time of access
  • Device identifiers

1.7 Information From Third-Party Integrations

When you connect third-party accounts (Google, Microsoft, Apple, Yahoo, or an IMAP provider), we receive:

  • OAuth access and refresh tokens (stored encrypted)
  • Calendar data (events, attendees, scheduling information)
  • Email data (messages, threads, metadata, attachments)

We only access the scopes you explicitly authorize. You can disconnect integrations at any time, which stops further data sync.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Create and manage your account and workspace
  • Process transactions and send billing-related communications
  • Send transactional emails (invitations, notifications, password resets)
  • Sync your calendar and email data with connected third-party accounts
  • Execute automations and workflows you configure
  • Generate invoices, proposals, and contracts on your behalf
  • Provide public-facing pages (shared invoices, proposals, contracts, forms, booking pages, and client portal) to your clients and contacts
  • Enforce plan limits and entitlements
  • Monitor and prevent abuse, fraud, and unauthorized access
  • Diagnose and fix technical issues
  • Improve and develop the Service
  • Respond to your inquiries and provide customer support
  • Comply with legal obligations

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

3.1 Service Providers

We use the following third-party service providers to operate the Service:

  • Neon — PostgreSQL database hosting
  • Cloudflare R2 — file storage and content delivery
  • Paddle — payment processing and subscription management
  • Resend — transactional email delivery
  • Sentry — error monitoring and crash reporting (when enabled)
  • Google, Microsoft, Apple, Yahoo — calendar and email sync (only when you connect your accounts)

Each service provider processes data only as necessary to perform its function and is contractually bound to protect your data.

3.2 Your Clients and Contacts

When you share documents (invoices, proposals, contracts, forms) via public links or a client portal, the recipients can view the content you choose to share. Signature records (signer name, timestamp, IP address) are captured when recipients sign proposals or contracts.

3.3 Team Members

If you use a workspace with multiple team members, workspace data is accessible to other members based on their assigned roles and permissions. Workspace owners and admins can manage access levels for all members.

3.4 Legal Requirements

We may disclose your information if required to do so by law, or in good faith belief that such action is necessary to:

  • Comply with a legal obligation, subpoena, or court order
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

3.5 Business Transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4. Data Storage and Security

4.1 Where We Store Data

Your data is stored on infrastructure provided by Neon (PostgreSQL databases) and Cloudflare R2 (S3-compatible object storage). Data may be processed and stored in data centers located in the United States or other jurisdictions where our infrastructure providers operate.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive credentials (OAuth tokens, integration secrets) at rest
  • Hashed and salted password storage
  • Row-level security (RLS) policies on all database tables to enforce workspace-level access isolation
  • HMAC-signed upload tokens with short expiration windows
  • Rate limiting to prevent abuse
  • Security headers (via Helmet.js)
  • CORS policies restricting cross-origin requests
  • Role-based access control within workspaces
  • Audit logging of all data changes

While we take reasonable precautions, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

4.3 Storage Limits

File storage is subject to plan-based limits (100 MB for Free, 5 GB for Basic, 25 GB for Premium). Files exceeding these limits cannot be uploaded until storage is freed or the plan is upgraded.

5. Data Retention

5.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide the Service.

5.2 After Cancellation

If you cancel your paid subscription, your data remains accessible for 30 days to allow you to export your information or reactivate. After this grace period, your data may be deleted. Workspaces on the Free plan remain active indefinitely unless manually deleted by the account owner.

5.3 Account Deletion

You may request deletion of your account and all associated data at any time by contacting us at support@illusly.com. Upon receiving a verified deletion request, we will delete your personal data and workspace data within 30 days, except where we are required to retain certain information by law (e.g., billing records for tax compliance).

5.4 Audit Logs

Activity logs (recording who changed what and when) are retained for the lifetime of the associated workspace to support accountability and compliance.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data
  • Export/Portability — export your data in machine-readable formats (available within the Service under Settings)
  • Restriction — request that we restrict the processing of your data in certain circumstances
  • Objection — object to the processing of your data for certain purposes
  • Withdraw Consent — withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at support@illusly.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

7. Cookies and Tracking

The Service uses essential cookies only — specifically, session cookies required for authentication and maintaining your logged-in state. We do not use advertising cookies, marketing pixels, or third-party tracking scripts for behavioral advertising or cross-site profiling.

Our website may use basic server-side analytics to understand aggregate traffic patterns. This data is anonymized and not linked to individual user profiles.

8. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.

9. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without parental consent, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@illusly.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. By using the Service, you consent to the transfer of your data to these countries. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

11. Data Processing for EEA/UK Users

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for
  • Legitimate interests — processing necessary for our legitimate business interests (e.g., security, fraud prevention, service improvement), where those interests do not override your rights
  • Legal obligation — processing necessary to comply with applicable laws (e.g., tax record retention)
  • Consent — where you have given explicit consent (e.g., connecting third-party integrations)

12. California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the "sale" of personal information — we do not sell personal information
  • Non-discrimination for exercising your privacy rights

To submit a request, contact us at support@illusly.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. For material changes that significantly affect how we process your data, we will also notify you by email or through a notice within the Service. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: