Privacy Policy

1. Overview

Invoeze is a web-based invoice generator built for freelancers and agencies. We try to collect as little data as possible. What we do collect is used only to run the service.

This policy is written to comply with the Indian Information Technology Act, 2000 (and its 2008 amendment), the Digital Personal Data Protection Act, 2023 (DPDP Act), and the EU's General Data Protection Regulation (GDPR) for users in the European Union and United Kingdom.

2. Who we are

Invoeze is operated from India. For the purposes of the DPDP Act, we act as a Data Fiduciary; for GDPR purposes, we act as a Data Controller for account information and as a Data Processor for invoice content you create.

For any privacy-related question or request, write to privacy@invoeze.app.

3. Data we collect

We collect the following categories of data:

a. Account data

• Full name
• Email address
• Password (hashed by Supabase Auth; we never see the plaintext)

b. Invoice data

• Sender details (your business name, address, GSTIN, etc.)
• Client details you enter
• Line items, quantities, rates
• Tax configuration (GST, VAT, sales tax, TDS)
• Bank account, UPI ID, and other payment details you fill in
• Logo uploads (stored as base64 inside the invoice JSON)

c. Usage data

• Monthly download count for free-tier usage limits
• API key usage (for paid users on the developer plan)
• Subscription status

d. Authentication data

If you sign in with Google, we receive your name, email address, and profile picture from your Google OAuth profile. We do not receive your Google password.

e. Payment data

Payments are processed by PayU. We never see or store your card number, UPI PIN, CVV, or net-banking credentials. From PayU we receive only:

• Transaction ID (ours) and PayU's internal payment ID
• Transaction amount and status (success, failure, refund)
• Billing period (monthly or yearly)
• Bank reference number (for audit and reconciliation)

4. What we do NOT collect

• No third-party advertising or behavioural tracking
• No cookies beyond what is needed for session and authentication
• No tracking pixels or marketing analytics scripts
• No selling of user data to any third party, ever
• No payment credentials (handled entirely by PayU)

5. How we use your data

We use the data described above for the following purposes:

• To provide the invoice generation service
• To authenticate you and manage your account
• To process subscription payments via PayU
• To store invoice history for paid users so it's available in your dashboard
• To send transactional emails (account verification, password reset, payment receipts). These cannot be opted out of while you hold an active account
• In future, to send marketing emails, only if you explicitly opt in, and always with an unsubscribe link

Legal basis (GDPR): we process account and invoice data to perform the contract you have with us; we process payment data to comply with our legal obligations; we process marketing data on the basis of your consent.

6. Where your data is stored

• All server-side data is stored in Supabase (PostgreSQL), hosted on AWS in the Mumbai (ap-south-1) region.
• Free users:your account details and a monthly download counter are stored on our servers to enforce the free-tier limit. Invoice content (line items, client details, tax settings) stays in your browser's localStorageand is not uploaded.
• Paid users: invoice content is also saved to Supabase so you can access it from any device via your dashboard.
• Logo images are stored as base64 strings inside the invoice JSON, not as separate files in object storage.

7. Third parties we use

We use the smallest possible set of third parties needed to run the service. Each one only sees the data needed for the job they do:

We do not use any analytics tools, ad networks, tracking pixels, or session recording services.

8. Cookies & tracking

We only use cookies that are strictly necessary to run the application:

• Session cookies: keep you signed in between page loads
• Auth tokens: issued by Supabase to verify your identity on protected routes

We do not use advertising cookies, analytics cookies, or any cross-site tracking technology. You do not need to accept a cookie banner because we don't set the kind of cookies that require consent under the GDPR or DPDP Act.

9. Your rights (DPDP Act + GDPR)

Under the DPDP Act 2023 and GDPR, you have the following rights over the data we hold about you:

• Right to access: request a copy of the data we hold about you
• Right to correction: ask us to fix anything that is inaccurate or incomplete
• Right to erasure: delete your account and all associated data
• Right to withdraw consent: withdraw any consent you previously gave us, at any time
• Right to data portability: export your invoices as PDF (built into the dashboard) or request a JSON export
• Right to opt out of marketing: every marketing email will have an unsubscribe link, and you can disable it from your account settings
• Right to grievance redressal: write to our Grievance Officer at the email below; we aim to respond within 30 days

To exercise any of these rights, email privacy@invoeze.app.

10. Marketing emails

• We do not currently send marketing emails. We may introduce them in the future.
• When we do, you will need to explicitly opt in. We will not pre-tick any consent boxes.
• Every marketing email will include a one-click unsubscribe link.
• Transactional emails (account verification, password reset, payment receipts, security alerts) cannot be opted out of for active accounts, because they are required to operate the service.

11. Data retention

• Active accounts: we retain your data for as long as your account exists.
• Deleted accounts: all server-side data is permanently deleted within 30 days of your deletion request, except where we are legally required to retain certain records (for example, tax invoices for the financial year under the Income Tax Act).
• Backups: Supabase keeps encrypted database backups for up to 30 days. Deleted records are removed from backups in the normal rotation cycle.

12. International data transfers

Your data is stored in India (AWS Mumbai). If you are based in the EU or UK, this means your data is transferred outside your home jurisdiction. We rely on the GDPR's Standard Contractual Clauses with our infrastructure providers as the legal basis for these transfers, and on your consent when you create an account.

13. Children's privacy

Invoeze is a business tool and is not directed at anyone under the age of 18. We do not knowingly collect data from children. If you believe a child has signed up, please contact us and we will delete the account.

14. Security

We take reasonable technical and organisational measures to protect your data:

• All traffic is served over HTTPS (TLS 1.2 or higher)
• Passwords are hashed by Supabase Auth
• Database access is restricted via row-level security policies
• Payments are handled entirely by PayU; we never see card data
• API keys are scoped per user and revocable from the dashboard

No system is completely secure, however. If we ever experience a data breach affecting your personal data, we will notify you and the relevant authorities within 72 hours, as required by the DPDP Act and GDPR.

15. Changes to this policy

We may update this policy as the service evolves or as the law changes. Material changes will be announced by email to active users and posted on this page with a new “Last updated” date. Continued use of Invoeze after the change date means you accept the updated policy.

16. Contact us

For any privacy-related question, request, or complaint:

• Email: privacy@invoeze.app
• We aim to respond to all requests within 30 days.

If you are not satisfied with our response, you have the right to complain to the Data Protection Board of India (under the DPDP Act), or to your local Data Protection Authority if you are in the EU or UK.