Privacy Policy
Last updated: March 15, 2026
1. Data Controller
InvoiceApp ("we", "us", "our") is the data controller for personal data collected through this service. Contact: privacy@invoiceapp.com.
2. Data We Collect
- Account data: email address, password (hashed, never stored in plaintext)
- Business data: business name, address, phone, logo, invoice prefix
- Invoice data: client names, emails, addresses, VAT numbers, amounts, dates, notes
- Usage data: page views, feature usage (anonymized via Vercel Analytics)
- Email tracking: we use a 1×1 pixel to detect when invoice emails are opened (IP address and user-agent recorded)
- Payment data: processed by Stripe; we store only subscription status and Stripe customer ID, never credit card numbers
3. How We Use Your Data
- Provide the invoice generation and sending service
- Send transactional emails (invoices, payment reminders)
- Track invoice delivery status (open tracking via pixel)
- Process subscription payments via Stripe
- Improve our service (anonymized usage analytics)
We do NOT: sell your data, use it for advertising, or train AI models with it.
4. Email Tracking Disclosure
Invoice emails contain a small tracking pixel (1×1 transparent image). When your client opens the email, this pixel loads from our server, recording the open event with timestamp, IP address, and user-agent. This allows you to see when invoices are viewed. Some email clients (e.g., Apple Mail Privacy Protection) may block or pre-load these pixels, which can affect accuracy.
5. Third-Party Services
- Supabase: database hosting and authentication
- Stripe: payment processing (PCI DSS Level 1 compliant)
- Resend: transactional email delivery
- Vercel: hosting and edge delivery
6. Cookies
We use essential cookies only for authentication session management. We do not use third-party advertising or tracking cookies. If analytics cookies are enabled in the future, we will request explicit consent.
7. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access: Export all your data (Settings → Data Export)
- Rectification: Edit your account and client information anytime
- Erasure: Delete your account (Settings → Delete Account). Data is soft-deleted for 30 days, then permanently purged.
- Data Portability: Download your invoices as CSV or JSON (Settings → Data Export)
- Object: Contact us to opt out of non-essential data processing
- Restrict Processing: Contact us to suspend processing of your data
To exercise these rights, email privacy@invoiceapp.com.
8. Data Retention
- Active accounts: data retained indefinitely while account is active
- Deleted accounts: 30-day recovery period, then permanently deleted
- Invoice records: retained per applicable tax law (3-10 years depending on jurisdiction)
9. Security
All data is transmitted over HTTPS (TLS 1.2+). The database is encrypted at rest (AES-256). Passwords are hashed with bcrypt. Row-level security ensures users can only access their own data.
10. Children
This service is not directed to users under 13 years of age.
11. Changes to This Policy
We will notify registered users by email of material changes to this policy.