Privacy Policy
Version 1.0
Effective Date: December 8, 2025
At EncryptInvoice, we are committed to protecting your privacy and complying with GDPR and international data protection standards. This Privacy Policy explains how we collect, use, protect, and share your data when you use our e-invoicing platform.
1. What Data We Collect and Why
Account & Contact Data
- Email, name, phone: For account creation, authentication, and service communications
- Payment information: Processed securely by Stripe (our payment processor); we do not store full card details
- Organization details: Company name, address, VAT/tax numbers for invoice generation and compliance
Invoice & Business Data
- Invoices, quotes, expenses: All data you create, including line items, amounts, customer information
- Attachments: Files you upload (receipts, contracts, supporting documents)
- E-invoicing metadata: Delivery status, timestamps, network routing information
Usage & Technical Data
- Logs: IP addresses, browser type, access times, feature usage
- Performance data: Error reports, diagnostics, API usage metrics
- Security events: Login attempts, authentication events, permission changes
Legal Basis (GDPR):
- Contract: Processing necessary to provide the invoicing service you signed up for
- Legal obligation: Compliance with tax, invoicing, and record-keeping laws
- Legitimate interests: Service improvement, security monitoring, fraud prevention (balanced against your rights)
- Consent: Optional features and communications you explicitly opt into
2. How We Protect Your Data
Encryption & Security
- TLS 1.3: All data in transit is encrypted using the latest TLS standards
- AES-256: All data at rest is encrypted using bank-grade AES-256 encryption
- KMS (Key Management Service): For highly sensitive data, client-side encryption with hardware-backed key storage is available
- Two-Factor Authentication: App-based (TOTP) and email-based 2FA options
- Role-Based Access Control: Granular permissions per user and organization
- Audit Logs: Complete activity tracking for compliance and security monitoring
Hosting & Infrastructure
- EU-based hosting: All data is stored in European Union data centers with strict access controls
- Automated backups: Daily encrypted backups with 30-day retention (Free/Pro) or 90-day+ retention (Business/Enterprise)
- Regular security audits: Third-party penetration testing and vulnerability assessments
- SOC 2 Type II: Certification in progress (expected Q3 2026)
Multi-Organization Isolation
Every database query is scoped to your organization. Users in one organization cannot access data from another organization, even if they share the same email domain.
3. Who We Share Data With
We do NOT sell your data. We only share data with trusted service providers necessary to deliver our service:
Essential Service Providers
- Storecove (E-Invoicing Networks): When you send or receive e-invoices via PEPPOL, Singapore InvoiceNow, France Chorus Pro, or other networks, your invoice data is transmitted through Storecove's infrastructure. Storecove acts as our e-invoicing access point provider. Read their privacy policy at storecove.com/privacy
- Stripe (Payment Processing): Payment information (cards, bank details) is processed by Stripe. We receive only tokenized references; we do not store full card numbers. Read Stripe's privacy policy at stripe.com/privacy
- Cloud Infrastructure: Encrypted hosting and storage with EU-based providers, under strict data processing agreements (DPAs) and GDPR-compliant Standard Contractual Clauses (SCCs)
- Email Service: Transactional emails (receipts, notifications, password resets) are sent via email infrastructure providers under DPAs
Legal Disclosures
We may disclose data when required by law (court order, subpoena, tax authority request) with appropriate legal authorization. We will notify you unless prohibited by law.
International Transfers
Data is hosted in EU data centers by default. If any data is transferred outside the European Economic Area (e.g., to sub-processors or support services), we use GDPR-approved safeguards: Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent protections. Access is limited to what is strictly necessary.
4. Data Retention & Your Control
Retention by Plan
- Free & Pro Plans: Operational storage only. No long-term archival guarantee. Upon account cancellation or downgrade, you have a 30-day grace period to export your data. After 30 days, data may be permanently deleted.
- Business & Enterprise Plans: Include Archive-Vault with guaranteed 10-year retention, tamper-evident storage, and audit-ready exports. Upon cancellation, you have a 90-day export window. Extended archival available on request.
- Legal Retention: If you are subject to legal retention requirements (e.g., 7-10 years for invoices), you remain responsible for compliance on Free/Pro plans. Archive-Vault (Business/Enterprise) provides compliance-grade archival.
Your Rights (GDPR)
You have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention obligations)
- Portability: Export your data in standard formats (JSON, CSV, PDF, UBL XML)
- Restriction: Limit how we process your data in certain circumstances
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for optional features at any time
- Lodge a Complaint: File a complaint with your local data protection authority
To exercise your rights: Email privacy@encryptinvoice.com or dpo@encryptinvoice.com. We will respond within 30 days and may verify your identity for security.
Data Breach Notification
If a data breach occurs that affects your personal data, we will notify you without undue delay and, where required by law, within 72 hours of becoming aware. We will explain the nature of the breach, likely consequences, and mitigation steps taken.
5. Cookies, Tracking & Marketing
Essential Cookies Only
We use essential cookies for:
- Authentication and session management
- Security and fraud prevention (CSRF tokens)
- Remembering your preferences (language, dark mode, timezone)
We do NOT use advertising cookies, tracking pixels, or third-party analytics at this time. If we introduce non-essential cookies in the future, we will provide a consent banner and update this policy.
Marketing Communications
We may send you product updates, feature announcements, and educational content if you opt in. You can unsubscribe at any time via the link in every email or by contacting support.
6. Additional Information
Children's Privacy
EncryptInvoice is a business tool not intended for users under 18. We do not knowingly collect data from children.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email and prominently displayed on our platform. Continued use after changes constitutes acceptance.
Contact & Data Controller
Data Controller: EncryptInvoice SAS
Data Protection Officer: dpo@encryptinvoice.com
Privacy Inquiries: privacy@encryptinvoice.com
General Support: support@encryptinvoice.com
EU Representative: [To be designated if required]
Supervisory Authority: You may lodge complaints with your local data protection authority or the authority in our jurisdiction.
Questions About Your Privacy?
Our Data Protection Officer is here to help you understand your rights and how we protect your data.