Privacy Policy

Introduction

Invoicx ("we", "us", "our"), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our invoicing service (the "Service").

This policy applies to all users of invoicx.com and our related services.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

• Name and email address
• Password (encrypted)
• Company name and business information
• Billing address
• Phone number (optional)

Invoice Data:

• Client names and contact information
• Invoice details (amounts, dates, descriptions)
• Custom branding (logos, colors)
• Notes and attachments

Payment Information:

• Subscription payment details are processed by Stripe
• We do NOT store your credit card details
• Stripe provides us with limited payment information (last 4 digits, expiry date, payment status)

Communications:

• Support requests and correspondence
• Feedback and survey responses
• Email communications preferences

1.2 Information Collected Automatically

Usage Data:

• IP address
• Browser type and version
• Device information
• Operating system
• Pages visited and time spent
• Features used
• Login times and frequency

Cookies and Tracking:

• As described in our Cookie Policy above
• Session identifiers
• Analytics data

1.3 Information from Third Parties

We may receive information from:

• Stripe: Payment status and transaction information
• Email service providers: Email delivery status (opened, bounced)
• Authentication providers: If you sign up using third-party authentication

2. How We Use Your Information

We use your personal data for the following purposes:

2.1 Service Provision (Legal Basis: Contract Performance - Article 6(1)(b) GDPR)

• Creating and managing your account
• Providing invoice creation and management tools
• Sending invoices and reminders on your behalf
• Storing and organizing your data
• Processing your subscription payments
• Providing customer support

2.2 Service Improvement (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)

• Understanding how users interact with our Service
• Identifying bugs and technical issues
• Developing new features
• Improving user experience
• Conducting analytics and research

2.3 Communication (Legal Basis: Consent or Legitimate Interest)

• Sending service updates and announcements
• Responding to support requests
• Sending marketing communications (with your consent)
• Notifying you of changes to our terms or policies

2.4 Security and Fraud Prevention (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)

• Detecting and preventing fraud
• Protecting against security threats
• Enforcing our Terms and Conditions
• Complying with legal obligations

2.5 Legal Compliance (Legal Basis: Legal Obligation - Article 6(1)(c) GDPR)

• Complying with UK and EU data protection laws
• Responding to legal requests
• Maintaining records for tax and accounting purposes

3. Data Processing and Sub-Processors

As a Data Processor for your invoice data, we use the following sub-processors:

3.1 Supabase (Database Hosting)

• Purpose: Storing and managing all application data
• Data Location: EU/UK data centers
• Data Processed: All Customer Data including invoices and client information
• Security: Encryption at rest and in transit
• Website: https://supabase.com
• Privacy Policy: https://supabase.com/privacy

3.2 Postmark (Email Delivery)

• Purpose: Sending invoice emails and system notifications
• Data Processed: Email addresses, invoice content, email metadata
• Security: TLS encryption, DKIM/SPF authentication
• Website: https://postmarkapp.com
• Privacy Policy: https://postmarkapp.com/privacy-policy

3.3 Stripe (Payment Processing)

• Purpose: Processing subscription payments only
• Data Processed: Payment card details, billing information, transaction data
• Security: PCI-DSS Level 1 compliant
• Website: https://stripe.com
• Privacy Policy: https://stripe.com/privacy

We maintain a current list of all sub-processors at invoicx.com/subprocessors and will notify you of any changes at least 30 days in advance.

4. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

We may share your information only in the following circumstances:

4.1 With Your Consent

When you explicitly authorize us to share your information.

4.2 Service Providers

With the sub-processors listed above, under strict contractual obligations.

4.3 Legal Requirements

When required by law, legal process, or government request:

• Court orders or subpoenas
• Law enforcement requests
• Legal proceedings
• Protection of rights and safety

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity, subject to the same privacy protections.

4.5 Aggregated Data

We may share anonymized, aggregated data that cannot identify you for:

• Industry research
• Service improvement
• Marketing purposes

5. Data Security

We implement appropriate technical and organizational measures to protect your data:

5.1 Technical Measures

• Encryption in transit: TLS 1.2+ for all data transmission
• Encryption at rest: AES-256 encryption for stored data
• Password security: Bcrypt hashing with salt
• Access controls: Role-based access limitations
• Network security: Firewalls and intrusion detection
• Regular security audits: Vulnerability assessments and penetration testing

5.2 Organizational Measures

• Employee training on data protection
• Confidentiality agreements with all staff
• Access limited to need-to-know basis
• Regular security policy reviews
• Incident response procedures

5.3 Data Breach Response

In the event of a data breach:

• We will notify affected users within 72 hours
• We will notify the ICO as required by law
• We will provide details of the breach and mitigation steps
• We will assist users in protecting their accounts

6. Data Retention

We retain your personal data only for as long as necessary:

6.1 Active Accounts

• Data is retained while your account is active
• You can export your data at any time

6.2 Cancelled Accounts

• Data is retained for 90 days after cancellation for recovery purposes
• After 90 days, all data is permanently deleted
• Backups are retained for an additional 30 days, then permanently deleted

6.3 Legal Requirements

Some data may be retained longer to comply with:

• Accounting and tax requirements (up to 7 years)
• Legal obligations
• Resolution of disputes

6.4 Marketing Communications

If you unsubscribe from marketing emails, we retain your email address to ensure we don't contact you again.

7. Your Rights Under GDPR

Under UK GDPR and EU GDPR, you have the following rights:

7.1 Right of Access

Request a copy of your personal data we hold.

How to exercise: Email support@invoicx.com or use the "Export Data" feature in your account settings.

7.2 Right to Rectification

Correct inaccurate or incomplete personal data.

How to exercise: Update your account settings or contact support@invoicx.com.

7.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data.

How to exercise: Delete your account in account settings or contact support@invoicx.com.

7.4 Right to Restriction of Processing

Request that we limit how we use your data.

How to exercise: Contact support@invoicx.com with your specific request.

7.5 Right to Data Portability

Receive your data in a structured, machine-readable format.

How to exercise: Use the "Export Data" feature or contact support@invoicx.com.

7.6 Right to Object

Object to processing based on legitimate interests.

How to exercise: Contact dpo@invoicx.com with your objection.

7.7 Right to Withdraw Consent

Withdraw consent for processing at any time (where processing is based on consent).

How to exercise: Adjust settings in your account or contact support@invoicx.com.

7.8 Right to Lodge a Complaint

You have the right to complain to the ICO:

• Website: https://ico.org.uk/make-a-complaint/
• Telephone: 0303 123 1113

Response Time: We will respond to your request within 30 days. If we need more time, we'll let you know why and when you can expect a response.

8. International Data Transfers

Your data is primarily stored within the EU/UK. Where data is transferred internationally:

• We use Standard Contractual Clauses (SCCs) approved by the European Commission
• We ensure adequate protection under UK and EU law
• We maintain a list of international transfers at invoicx.com/data-transfers

9. Children's Privacy

Invoicx is not intended for individuals under 18. We do not knowingly collect data from children. If you believe we have collected information from someone under 18, contact us immediately at support@invoicx.com.

10. Marketing Communications

10.1 What We Send

With your consent, we may send:

• Product updates and new features
• Tips and best practices
• Special offers and promotions
• Company news and blog posts

10.2 How to Opt-Out

• Click "Unsubscribe" in any marketing email
• Adjust preferences in your account settings
• Contact support@invoicx.com

Note: You will still receive transactional emails (account notifications, invoices, security alerts) even if you opt out of marketing.

11. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do:

• We'll post the new policy on this page
• We'll update the "Last Updated" date
• We'll notify you by email for material changes
• We'll provide at least 30 days' notice for significant changes

Your continued use after changes constitutes acceptance of the updated policy.