Privacy Policy
Last updated: March 13, 2026
On this page
- Introduction & Data Controller
- Data We Collect
- How We Use Your Data
- Legal Basis for Processing
- Data Sharing & Third Parties
- Sub-Processors
- International Data Transfers
- Data Retention
- Your Rights Under GDPR
- Cookies
- Security Measures
- Children's Privacy
- Changes to This Policy
- Contact Information
- Data Protection Officer
Introduction & Data Controller
[PLACEHOLDER_APP_NAME] ("we", "us", "our") operates the [PLACEHOLDER_APP_NAME] web application (the "Service"), an online invoicing platform that enables users to create, manage, send, and track professional invoices.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.
Data Controller:
[PLACEHOLDER_COMPANY_NAME]
[PLACEHOLDER_ADDRESS]
[PLACEHOLDER_EMAIL]
Data We Collect
We collect and process the following categories of personal data:
Account Data
When you create an account, we collect:
- Email address — Required for authentication (magic link sign-in) and account identification
- Name — Optional, provided during registration or profile setup
- Profile image — Optional, sourced from Google OAuth if you sign in with Google
- Preferred locale — Your chosen language preference (en-US, en-GB, or de-DE)
Company Information
When you set up your business profile for invoicing, you may provide:
- Company name — Your business or trading name
- Address — Street, city, postal code, and country (stored as structured data)
- Tax ID — Your tax identification number
- Registration number — Your business registration number
- Phone number — Business contact number
- Email address — Business contact email
- Bank details — Bank name, account number, IBAN, and SWIFT/BIC code (stored as structured data)
- Company logo — Uploaded image URL for use on invoices
- Default payment terms — Your preferred net payment days
You may save multiple company profiles within your account.
Client Data
When you create client records for invoicing, you may store:
- Client name — Person or company name
- Client type — Whether the client is a person or company
- Contact person — Name of the primary contact (for company clients)
- Email address — Client's email for invoice delivery
- Address — Street, city, postal code, and country (stored as structured data)
- VAT ID — Client's VAT identification number
Invoice Data
When you create invoices, we process and store:
- Invoice details — Invoice number, issue date, due date, currency, exchange rates, status (Draft, Sent, Viewed, Paid), locale, template, color palette, font pairing, custom styles, tax rate, and total amount
- Line items — Description, quantity, rate, amount, and sort order for each item
- Payment details — Payment method information and instructions (stored as structured data)
- Notes — Any custom notes added to the invoice
- PDF documents — Generated PDF files stored for download and delivery
- Delivery data — Date/time when an invoice was sent, viewed, or paid
- Status history — Record of invoice status changes with timestamps
Payment and Subscription Data
- Subscription tier — Whether you are on the Free or Paid plan
- Stripe Customer ID — A reference ID linking your account to Stripe for payment processing
- Stripe Subscription ID — A reference ID for your active subscription
- Billing period dates — Start and end dates of your current billing period
- Usage counters — Number of invoices sent in the current and previous billing periods
- Watermark preference — Whether the invoice watermark is shown (Paid users can toggle this)
Important: We do not store credit card numbers, CVV codes, or any payment card data. All payment card processing is handled entirely by Stripe (see Data Sharing & Third Parties below).
Authentication and Session Data
- Session tokens — Encrypted authentication tokens with 7-day expiry
- IP address — Recorded in session data and audit logs
- User agent — Browser/device information recorded in session data and audit logs
- OAuth provider IDs — Google account identifiers used for social sign-in
- Magic link tokens — Temporary authentication tokens (10-minute expiry) sent via email
Usage and Operational Data
- Audit logs — Records of significant account actions (e.g., login, logout, invoice creation, invoice sending, payment events, subscription changes). Each entry records the user ID, action type, target resource ID, IP address, user agent, and non-identifying metadata. Email addresses, names, and invoice content are not written to audit log metadata. User IDs and IP addresses are still personal data under GDPR; audit logs are kept for 90 days only (see Data Retention).
- Email rate limit logs — Records of email sends per user per recipient within 24-hour windows, used to prevent abuse
- Exchange rate cache — Currency exchange rate data (not personal data)
How We Use Your Data
We process your personal data for the following purposes and lawful bases:
| Purpose | Lawful Basis (GDPR Art. 6) |
|---|---|
| Providing the invoicing service (creating, editing, sending invoices) | Contractual necessity — Art. 6(1)(b) |
| User authentication and account security | Contractual necessity — Art. 6(1)(b) |
| Processing subscription payments via Stripe | Contractual necessity — Art. 6(1)(b) |
| Sending invoices to your clients via email | Contractual necessity — Art. 6(1)(b) |
| Sending payment notifications and receipts | Contractual necessity — Art. 6(1)(b) |
| Generating and storing PDF invoices | Contractual necessity — Art. 6(1)(b) |
| Maintaining audit logs for security and accountability | Legitimate interest — Art. 6(1)(f) |
| Error monitoring and service stability | Legitimate interest — Art. 6(1)(f) |
| Preventing abuse (email rate limiting, spam prevention) | Legitimate interest — Art. 6(1)(f) |
| Usage tracking for subscription enforcement (invoice count per period) | Contractual necessity — Art. 6(1)(b) |
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising, profiling, or automated decision-making.
Legal Basis for Processing
Processing under the lawful bases listed above takes place on infrastructure located within the European Union:
| Service | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database — all user data, invoices, clients, company info, audit logs | Frankfurt, EU |
| Vercel | Application hosting and PDF blob storage | Frankfurt, EU (Edge network) |
| Fly.io | PDF generation via Gotenberg | Frankfurt, EU |
Your data does not leave the EU for storage purposes. For third-party processing that may involve data transfers, see Data Sharing & Third Parties below.
Data Sharing & Third Parties
We share data with the following third-party service providers, each for a specific and limited purpose:
Stripe — Payment Processing
- Purpose: Processing subscription payments and managing billing
- Data shared: Your email address, name, and billing information are shared with Stripe when you subscribe to a paid plan. Stripe collects and processes payment card data directly — card details never pass through our servers.
- Data stored locally: We store only your Stripe Customer ID and Stripe Subscription ID to link your account to your Stripe billing profile.
- Compliance: Stripe is PCI DSS Level 1 certified and maintains SOC 2 Type II and ISO 27001 certifications.
- International transfers: Stripe uses Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for any data transfers outside the EU.
Resend — Email Delivery
- Purpose: Sending transactional emails on your behalf
- Data shared: Recipient email addresses and email content, including magic link authentication emails, email verification emails, invoice delivery emails, payment notification emails, and payment receipt emails
- Data retention: Resend processes emails for delivery and maintains delivery logs per their privacy policy.
Vercel — Hosting and Storage
- Purpose: Hosting the web application and storing generated PDF files
- Data shared: All application traffic passes through Vercel's Edge network. Generated invoice PDFs are stored in Vercel Blob storage.
- Location: Frankfurt, EU
Neon — Database
- Purpose: PostgreSQL database hosting for all application data
- Data stored: All user data, invoice data, client data, company information, audit logs, session data, and email rate limit logs
- Location: Frankfurt, EU
- Security: Row-Level Security (RLS) policies enforced at the database level ensure users can only access their own data
Fly.io (Gotenberg) — PDF Generation
- Purpose: Converting invoice HTML to PDF documents
- Data shared: Invoice HTML content (containing invoice details, company information, client information, and line items) is sent to Gotenberg for PDF conversion
- Data retention: Gotenberg is stateless — no data is retained after PDF generation.
- Location: Frankfurt, EU
Sentry — Error Monitoring
- Purpose: Monitoring application errors to maintain service stability
- Data shared: Error context, stack traces, and request metadata. By design, no personally identifiable information (PII) is sent to Sentry.
- Data minimization: We configure Sentry to minimize data collection and do not intentionally transmit user email addresses, names, or invoice content.
Google — OAuth Authentication
- Purpose: Providing "Sign in with Google" as an authentication option
- Data shared: Standard OAuth authentication flow data — Google provides us with your name, email address, and profile image upon successful authentication. We do not share your [PLACEHOLDER_APP_NAME] data with Google.
- Data received: Google account ID, email address, name, and profile image URL
Sub-Processors
The following table summarizes our sub-processors and the data they process:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payments | Email, name, billing info | US (DPF + SCCs) |
| Resend | Email delivery | Recipient email, email content | EU |
| Vercel | Hosting, PDF storage | Application traffic, PDFs | Frankfurt, EU |
| Neon | Database | All application data | Frankfurt, EU |
| Fly.io/Gotenberg | PDF generation | Invoice HTML (stateless) | Frankfurt, EU |
| Sentry | Error monitoring | Error context (no PII) | US (DPF + SCCs) |
| Google | OAuth sign-in | Google account ID, email, name, profile image URL | US (DPF + SCCs) |
International Data Transfers
All primary data storage is within the European Union (Frankfurt). For services based outside the EU (Stripe, Sentry, Google), data transfers are protected by:
- EU-US Data Privacy Framework (DPF) — Upheld by the EU General Court in September 2025
- Standard Contractual Clauses (SCCs) — Additional safeguard used by all US-based sub-processors
Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Required for service provision |
| Company information | Until account deletion | Required for invoicing |
| Client data | Until account deletion | Required for invoicing |
| Invoice data and PDFs | Until account deletion | Required for record-keeping |
| Session data | 7 days from creation | Automatic expiry for security |
| Magic link tokens | 10 minutes from creation | Automatic expiry for security |
| Audit logs | 90 days | Automatically pruned via scheduled job |
| Email rate limit logs | 24-hour rolling window | Used for abuse prevention |
| Exchange rate cache | Overwritten on refresh | Operational data only |
Upon account deletion, all your data is permanently removed from our systems (see Right to Erasure under Your Rights Under GDPR).
Note: Invoice data may be subject to tax record retention obligations in your jurisdiction (commonly 6 to 10 years, depending on the EU member state). You are responsible for maintaining your own copies of sent invoices for tax compliance purposes before deleting your account. See our Terms of Service for more information on tax compliance responsibilities.
Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you, including the purposes of processing, categories of data, recipients, and retention periods.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data. You can update most of your data directly through the application (profile settings, company information, client records).
Right to Erasure (Article 17)
You have the right to request deletion of your personal data. When your account is deleted, we perform coordinated deletion across all data stores:
- Delete stored PDF files (Vercel Blob)
- Delete Stripe customer record
- Request Resend email log purging (best-effort)
- Delete all PostgreSQL data (cascading deletion of all related records)
- Request Sentry PII scrubbing (if applicable)
Gotenberg requires no deletion action as it is stateless and retains no data.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Current Status of Automated Rights Fulfillment
We are actively developing automated tools for data export and account deletion (planned for a future release). Until these tools are available, you can exercise any of the above rights by contacting us at [PLACEHOLDER_PRIVACY_EMAIL]. We will respond to all requests without undue delay and in any event within one month, as required by GDPR Article 12(3).
Cookies
We use only essential cookies required for the Service to function. For full details, see our Cookie Policy.
Summary:
- Session cookie (invoice_app_*): Essential for authentication. 7-day expiry, refreshed every 30 minutes. Secure flag enabled in production.
- No analytics cookies, no advertising cookies, no third-party tracking cookies.
Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive Article 5(3).
Security Measures
We implement the following technical and organizational measures to protect your data:
- Row-Level Security (RLS): PostgreSQL RLS policies ensure that database queries are scoped to the authenticated user. Users can only access their own data at the database level.
- Encrypted transport: All data in transit is encrypted using HTTPS/TLS.
- Secure cookies: Authentication cookies use the Secure flag in production, preventing transmission over unencrypted connections.
- Session management: Sessions expire after 7 days and are refreshed every 30 minutes. Admin impersonation sessions are limited to 1 hour.
- No password storage: We use passwordless authentication (magic links and Google OAuth), so there is no password database to breach.
- Audit logging: All significant actions are logged for accountability, with automatic 90-day retention and pruning.
- PCI-DSS delegation: Payment card data is handled entirely by Stripe, a PCI DSS Level 1 certified processor. No card data is stored on or transmitted through our servers.
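The Row-Level Security measure above, shown as an added illustration of how per-user scoping is enforced at the database level. This is not the Service's actual schema or policy; the table, column, role and setting names (invoices, user_id, invoice_app, app.current_user_id) are hypothetical.

```sql
-- Hypothetical schema; the real Service's tables are not shown on this page.
CREATE TABLE invoices (
  id          bigserial PRIMARY KEY,
  user_id     uuid   NOT NULL,
  number      text   NOT NULL,
  total_cents bigint NOT NULL
);

-- Constructed sample rows for two different users (inserted by the owner
-- before RLS is enabled so the seed is not itself subject to the policy).
INSERT INTO invoices (user_id, number, total_cents) VALUES
  ('11111111-1111-1111-1111-111111111111', 'INV-001', 12000),
  ('22222222-2222-2222-2222-222222222222', 'INV-002',  5000);

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
-- Superusers and roles with BYPASSRLS still ignore policies, which is why
-- the application must not connect as either.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- The authenticated user's id is supplied per transaction via a custom
-- setting. missing_ok=true returns NULL when unset, and NULLIF handles the
-- empty string left behind after a SET LOCAL transaction ends; a NULL
-- comparison never satisfies the policy, so "no user" means "no rows".
CREATE POLICY invoices_owner_only ON invoices
  FOR ALL
  USING      (user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid)
  WITH CHECK (user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid);

-- Least privilege: the web application uses a dedicated non-superuser role
-- with DML only. (Run this script as a superuser or the table owner so that
-- SET ROLE below is permitted.)
CREATE ROLE invoice_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO invoice_app;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO invoice_app;

-- Check 1: a request for user 1111... sees only its own invoice.
-- SET LOCAL scopes the id to this transaction, so it cannot leak into
-- the next request served by a pooled connection.
SET ROLE invoice_app;
BEGIN;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
SELECT number FROM invoices;           -- INV-001 only; INV-002 is invisible
-- Check 2: writing a row on behalf of another user is rejected by WITH CHECK:
--   INSERT INTO invoices (user_id, number, total_cents)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'INV-003', 1);
--   ERROR: new row violates row-level security policy for table "invoices"
COMMIT;
RESET ROLE;

-- Check 3: with no user id bound, the policy yields NULL and no rows match.
SET ROLE invoice_app;
SELECT count(*) FROM invoices;         -- 0
RESET ROLE;
```

The two properties worth verifying in a deployment like the one described are that the application role lacks BYPASSRLS and superuser, and that the user id is bound with SET LOCAL inside each request's transaction rather than with a session-level SET, since connection pooling would otherwise let one user's id persist into another user's request.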
Children's Privacy
Our Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at [PLACEHOLDER_PRIVACY_EMAIL] and we will promptly delete the data.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last Updated" date. We encourage you to review this policy periodically.
Contact Information
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
[PLACEHOLDER_COMPANY_NAME]
[PLACEHOLDER_ADDRESS]
Email: [PLACEHOLDER_PRIVACY_EMAIL]
You also have the right to lodge a complaint with your local data protection supervisory authority.
Data Protection Officer
For data protection inquiries, you may contact our Data Protection Officer at [PLACEHOLDER_PRIVACY_EMAIL].