Privacy Policy

Our Commitment to Your Privacy

At invoze, we understand that digital agencies and freelancers trust us with sensitive client and financial data. Your privacy and data security are our highest priorities. This Privacy Policy explains in detail how we collect, use, protect, and handle your information with the utmost care and transparency.

1. Information We Collect

To provide invoze's services, we collect and process the following categories of information:

1.1 Account & Authentication Information

• Email address (for authentication and service communications)
• Password (encrypted and securely hashed - we cannot see your actual password)
• Account creation date and last login information
• Subscription plan and billing status

1.2 Business, Invoice & Client Data

• Your business details (company name, address, contact information)
• Client details you enter (name, email, company name, billing address)
• Invoice data (invoice numbers, line items, amounts, dates, payment status, notes)

1.3 Technical & Usage Information

• IP address and device information (for security and fraud prevention)
• Browser type and operating system
• Pages and features used inside invoze
• Session duration and error logs

2. How We Use Your Information

Your information is used strictly for operating invoze:

• Service Delivery: Generate invoices and manage billing workflows
• Account Management: Authentication, password recovery, and subscription handling
• Customer Support: Responding to support requests when you contact us
• Security: Detecting fraud, abuse, and unauthorized access
• Product Improvement: Improving usability based on anonymized usage patterns
• Legal Compliance: Meeting applicable legal and regulatory obligations

We will never: Use your data for advertising, sell your data to third parties, or share your client information with anyone without your explicit consent.

3. Data Security and Protection

We implement industry-leading security measures to protect your data:

3.1 Technical Safeguards

• Encryption in Transit: TLS 1.3 (HTTPS)
• Encryption at Rest: Your data is encrypted in our database using AES-256 encryption
• Secure Authentication: Passwords are hashed using bcrypt with industry-standard salt rounds
• Infrastructure Security: Hosted on providers that operate SOC-2 compliant environments (Supabase, Vercel)
• Access Controls: Strict role-based access controls and principle of least privilege
• Backups: Encrypted automated backups

3.2 Organizational Safeguards

• Restricted access to production data
• Logged and monitored access
• Regular security reviews and incident response procedures

4. Data Sharing and Third-Party Services

We do not sell or rent your data. We only share data with trusted service providers who help us operate invoze:

4.1 Essential Service Providers

• Supabase: Database and authentication (PostgreSQL, encrypted storage)
• Vercel: Application hosting and CDN (enterprise-grade security)
• Resend: Transactional emails only (account notifications, contact form)

4.2 Contractual Protections

All third-party providers are:

• Bound by strict data processing agreements (DPAs)
• Required to maintain confidentiality and security
• Prohibited from using your data for their own purposes
• GDPR and SOC 2 compliant where applicable

4.3 Legal Disclosures

We may disclose your information only when required by law (e.g., valid court orders, subpoenas) or to protect our rights and safety. We will notify you of such requests unless prohibited by law.

5. Your Rights and Control

You have full control over your data. Under GDPR and other privacy laws, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct any inaccurate or incomplete data
• Deletion: Request deletion of your account and all associated data ("Right to be Forgotten")
• Data Portability: Export your data in a machine-readable format (JSON/CSV)
• Objection: Object to processing of your data for certain purposes
• Restriction: Request temporary restriction of data processing
• Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise these rights: Email us at invozea@gmail.com with your request. We will respond within 7 days.

6. Data Retention

We retain your data only as long as necessary:

• Active Accounts: Data retained while your account is active
• Deleted Accounts: All data permanently deleted within 30 days of account deletion
• Legal Requirements: ome records may be retained if legally required
• Backups: Encrypted backups may persist for up to 90 days

7. Cookies and Tracking

We use minimal, essential cookies:

• Authentication Cookies: To keep you logged in securely (required)
• Session Cookies: To maintain your session state (required)
• Security Cookies: To prevent fraud and abuse (required)

We do NOT use: Advertising cookies, third-party tracking pixels, or analytics tools that track you across websites.

8. Children's Privacy

invoze is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it immediately.

9. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

• Notify you via email within 72 hours of discovery
• Inform relevant authorities where legally required
• Share mitigation steps and guidance

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated via:

• Email notification to your registered email address
• In-app notice
• Updated “Last Updated” date

Continued use of invoze after changes constitutes acceptance of the updated policy.

11. Compliance

This Privacy Policy is governed by applicable data protection laws and regulations relevant to invoze’s operations.