Privacy Policy

Last updated: 6/13/2026

Invotify ("we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our invoicing platform and related services (the "Service"). We fully comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller Information

Invotify acts as the Data Controller for the personal data we collect through our Service. This means we determine the purposes and means of processing your personal data. For any privacy-related inquiries, you can contact our Data Protection Officer at privacy@invotify.com. We take our data protection responsibilities seriously and have implemented appropriate technical and organizational measures to ensure compliance with applicable data protection laws.

2. Personal Data We Collect

We collect the following categories of personal data:

ACCOUNT DATA: Email address, name, password (encrypted), and authentication tokens when you create an account.

BUSINESS PROFILE DATA: Business name, address, phone number, tax identification number (VAT/Tax ID), and business logo that you provide in your profile.

CUSTOMER DATA: Names, email addresses, phone numbers, and addresses of your customers that you enter into the Service for invoicing purposes.

DOCUMENT DATA: Invoices, quotes, and related business documents you create, including line items, amounts, dates, and payment terms.

BILLING DATA: Payment information processed by our payment provider Stripe - we do not store complete credit card numbers on our servers.

USAGE DATA: IP addresses, browser type, device information, pages visited, features used, and interaction patterns to improve our Service.

3. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

CONTRACT PERFORMANCE (Article 6(1)(b)): Processing necessary to provide our Service to you, including account management, invoice generation, document storage, and customer support.

LEGITIMATE INTERESTS (Article 6(1)(f)): Processing for our legitimate business interests, such as improving our Service, preventing fraud, ensuring security, and conducting analytics - where these interests do not override your fundamental rights.

LEGAL OBLIGATION (Article 6(1)(c)): Processing required to comply with applicable laws, such as tax regulations, anti-money laundering laws, and responding to lawful requests from authorities.

CONSENT (Article 6(1)(a)): Where required, we obtain your explicit consent for specific activities, such as marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

We use your personal data for these specific purposes:

SERVICE DELIVERY: To create and manage your account, generate invoices and quotes, store your business documents, process transactions, and provide customer support.

BILLING AND PAYMENTS: To process subscription payments through Stripe, send payment receipts, and manage your billing history.

COMMUNICATION: To send essential transactional emails (invoice delivery, payment confirmations, account notifications), service announcements, and security alerts.

SERVICE IMPROVEMENT: To analyze usage patterns, identify and fix bugs, develop new features, and enhance user experience.

SECURITY: To detect and prevent fraud, unauthorized access, abuse, and other security threats to protect you and our Service.

LEGAL COMPLIANCE: To comply with tax laws, respond to valid legal requests, and enforce our Terms of Service.

IMPORTANT: We do NOT sell your personal data to third parties. We do NOT use your data for automated decision-making or profiling that produces legal effects concerning you.

5. Data Sharing and Third Parties

We share your personal data only with carefully selected third parties, all bound by strict data protection agreements:

SERVICE PROVIDERS: Supabase (database hosting with EU region option), Vercel (application hosting), Stripe (PCI DSS compliant payment processing), and SMTP providers for email delivery.

AUTHENTICATION PROVIDERS: Google and Apple if you choose social login - only authentication data is shared. These providers have their own privacy policies.

PROFESSIONAL ADVISORS: Lawyers, accountants, and auditors when necessary for legal compliance or business purposes, under confidentiality obligations.

LEGAL REQUIREMENTS: Government authorities, law enforcement, or courts when required by valid legal process or to protect our legal rights.

BUSINESS TRANSFERS: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity with prior notice to you.

All third-party providers are vetted for their data protection practices and required to maintain appropriate security measures.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside of your country of residence. We ensure appropriate safeguards:

FOR EEA/UK USERS: When transferring data outside the European Economic Area, we rely on: (a) European Commission adequacy decisions; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; or (c) other lawful transfer mechanisms. Our primary database infrastructure uses Supabase with EU region options available.

FOR ALL USERS: We ensure that any international transfers are made with appropriate safeguards to protect your rights. You may request a copy of the specific safeguards used by contacting privacy@invotify.com.

7. Data Retention

We retain your personal data only as long as necessary:

ACTIVE ACCOUNTS: Data is retained for the duration of your account plus a reasonable period afterward for backup and legal purposes.

AFTER ACCOUNT DELETION: Upon your deletion request, we remove personal data from active systems within 30 days. Backups are purged within 90 days.

LEGAL REQUIREMENTS: Certain data may be retained longer if required by law (e.g., tax records for 7 years, legal proceedings) or for legitimate business purposes.

ANONYMIZED DATA: We may retain anonymized, aggregated data indefinitely for analytics and service improvement - this data cannot identify you.

You can request immediate deletion of your data through your account settings or by contacting us.

8. Your GDPR Rights

Under the GDPR, you have these rights regarding your personal data:

RIGHT OF ACCESS (Article 15): Request a copy of all personal data we hold about you, provided in a machine-readable format within 30 days.

RIGHT TO RECTIFICATION (Article 16): Correct inaccurate or incomplete personal data through your account settings or by contacting us.

RIGHT TO ERASURE (Article 17): Request deletion of your personal data ("right to be forgotten"). We will comply unless we have legitimate grounds to retain it.

RIGHT TO RESTRICT PROCESSING (Article 18): Request that we limit how we use your data in certain circumstances.

RIGHT TO DATA PORTABILITY (Article 20): Export your data in structured, commonly used formats (JSON, CSV). Available in Settings > Privacy & Data.

RIGHT TO OBJECT (Article 21): Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds.

RIGHT TO WITHDRAW CONSENT: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

RIGHT TO LODGE A COMPLAINT: File a complaint with your local data protection authority if unsatisfied with our handling of your data.

To exercise these rights: Visit Settings > Privacy & Data in your account, or email privacy@invotify.com. We respond within 30 days.

9. Data Security

We implement comprehensive technical and organizational security measures:

ENCRYPTION: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Your passwords are hashed using industry-standard algorithms.

AUTHENTICATION: We support secure authentication including OAuth 2.0 with Google and Apple. We encourage strong passwords and offer session management.

ACCESS CONTROL: Role-based access controls and principle of least privilege for our team. Access to personal data is logged and monitored.

INFRASTRUCTURE: Our services run on SOC 2 compliant infrastructure with regular security audits, vulnerability assessments, and penetration testing.

INCIDENT RESPONSE: We maintain documented incident response procedures. In case of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR.

EMPLOYEE PRACTICES: Our team receives regular data protection and security training. All employees are bound by confidentiality obligations.

While we implement extensive measures, no system is 100% secure. We encourage you to use strong passwords and protect your account credentials.

10. Cookies and Tracking

We use minimal, privacy-respecting cookies:

ESSENTIAL COOKIES: Required for the Service to function (authentication, security, preferences). These cannot be disabled.

PREFERENCE COOKIES: Store your settings like language and theme preferences.

We do NOT use advertising or marketing cookies, third-party tracking pixels, or cross-site tracking, and we do NOT sell data to advertisers. We use privacy-focused analytics that do not track you across websites. You can manage cookie preferences through your browser settings, but blocking essential cookies may affect functionality.

11. Children's Privacy

The Service is designed for business users and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@invotify.com. We will promptly delete such information from our systems.

12. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

RIGHT TO KNOW: Request information about the categories and specific pieces of personal information collected, their sources, the purposes of collection, and the third parties with whom we share them.

RIGHT TO DELETE: Request deletion of personal information, subject to legal exceptions.

RIGHT TO OPT-OUT OF SALE: We do NOT sell personal information. If this ever changes, we will provide a clear opt-out.

RIGHT TO NON-DISCRIMINATION: We will not discriminate against you for exercising CCPA rights.

To exercise these rights, contact privacy@invotify.com with subject "CCPA Request" or call our support line.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of material changes by: (a) posting the updated policy with a new "Last Updated" date; (b) sending an email to your registered address; and/or (c) displaying a prominent notice in the Service. We encourage you to review this policy periodically. Continued use after changes become effective constitutes acceptance of the updated policy. If you disagree with changes, you should stop using the Service.

14. Contact Us

For questions, concerns, or to exercise your rights:

General Privacy Inquiries: privacy@invotify.com
Data Protection Officer: dpo@invotify.com
Legal Matters: legal@invotify.com
General Support: support@invotify.com

We aim to respond within 30 days. If unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.