Privacy Policy for InvoiceAI

Last Updated: October 23, 2025

Plain Language Summary

We collect your account info, financial data, and usage information to provide our invoicing service. We use Google Firebase for storage, Cloudinary for images, Paddle for payments, and AI services for smart features. We don't sell your data. You can export or delete your data anytime. We use cookies for essential functions and analytics.

1. Information We Collect

Account Information

  • Name, email address, business name
  • Password (encrypted, never stored in plain text)
  • Profile preferences and settings

Financial Data

  • Client details (names, addresses, emails, phone numbers)
  • Invoice information (items, amounts, tax rates, payment terms)
  • Expense records (categories, amounts, dates, descriptions)
  • Uploaded receipts and supporting documents

Usage and Technical Data

  • App interaction data (features used, time spent)
  • Device information and browser type
  • IP address and general location (country/city level)
  • Error logs and performance metrics

Cookie Data

  • Session cookies for authentication
  • Analytics cookies (Firebase Analytics) including `_ga` and `_ga_<container-id>` cookies
  • App instance ID stored in browser IndexedDB

2. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain our services
  • Generate invoices, reports, and AI insights
  • Process your subscription and handle billing
  • Send important service notifications
  • Improve our application and user experience
  • Provide customer support
  • Comply with legal obligations
  • Analyze usage patterns and app performance through Firebase Analytics

AI Processing: Your data is processed by our AI features to provide categorization, insights, and content generation. Your data is NOT used to train AI models or shared with AI providers for training purposes.

3. Data Storage and Security

Storage Infrastructure

  • Primary Database: Google Firebase (encrypted at rest and in transit)
  • File Storage: Cloudinary for receipt images (secure cloud storage)
  • Payment Data: Paddle (PCI DSS compliant - we do not store payment card details)
  • Backups: Automated daily backups with encryption
  • Geographic Location: Data stored in secure data centers (specific locations available upon request)

Security Measures

  • End-to-end encryption for sensitive financial data
  • Regular security audits and vulnerability assessments
  • Access controls and authentication protocols
  • Employee access on need-to-know basis only
  • Paddle handles all payment card data using industry-standard security

4. Third-Party Services

We use these trusted service providers:

Essential Services

  • Google Firebase: Authentication, database, hosting, analytics
  • Cloudinary: Image storage and processing
  • Google Generative AI (Gemini): AI features (data not used for training)

Payment Processing

  • Paddle: Payment processing as Merchant of Record (PCI DSS compliant)
  • Paddle stores your billing information and payment card details securely
  • We only receive transaction confirmations and basic billing info (no card details)
  • Paddle handles VAT/GST compliance for your subscription payments

Communication

  • Email Service Provider: For service notifications and support

All third parties are contractually bound to protect your data and use it only for providing services to us.

5. Data Sharing and Disclosure

We DO NOT sell your data. We may share your information only in these limited circumstances:

  • Service Providers: With trusted partners who help us operate the service (Firebase, Cloudinary, Paddle, AI services)
  • Legal Requirements: When required by law or to protect rights and safety
  • Business Transfer: In the event of a merger or acquisition (with advance notice)
  • Your Consent: When you explicitly authorize sharing

6. Your Privacy Rights

Universal Rights

  • Access: Request a copy of your data
  • Correction: Update inaccurate information
  • Deletion: Delete your account and data
  • Export: Download your data in standard formats
  • Restrict Processing: Limit how we use your data

Regional Rights

EU Users (GDPR)

  • Right to data portability
  • Right to object to processing
  • Automated decision-making opt-out
  • Right to lodge a complaint with a supervisory authority

California Users (CCPA)

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of sale (though we don't sell data)
  • Right to non-discrimination

South African Users (POPIA)

  • Right to access personal information
  • Right to correction of inaccurate data
  • Right to objection and restriction

How to Exercise Your Rights

To make a data request, email us at beconnected194@gmail.com with:

  • Subject Line: "Data Request - [Type of Request]"
  • Full name and email associated with your account
  • Specific request type (access, deletion, export, etc.)
  • We will respond within 30 days (or as required by applicable law).

7. Data Retention

  • Active Accounts: Data retained while account is active
  • Cancelled Accounts: Data deleted within 30 days unless legally required to retain
  • Backups: May remain in encrypted backups for up to 90 days
  • Legal Hold: Some data may be retained longer if required by law or for dispute resolution

8. Cookies and Tracking

Cookies We Use

Essential Cookies (Always Active)

  • User authentication and sessions
  • Security and fraud prevention
  • Basic app functionality

Analytics Cookies (Firebase Analytics)

  • _ga: Distinguishes users (2 years expiry)
  • _ga_<container-id>: Persists session state (2 years expiry)
  • App Instance ID: Stored in IndexedDB to identify unique app installations
  • Used to understand how users interact with our service
  • Helps us improve features and user experience

What We DON'T Use:

  • Advertising cookies
  • Third-party tracking cookies for marketing
  • Cross-site tracking

Managing Cookies

Most browsers allow you to control cookies through settings. Note that disabling essential cookies may affect service functionality. To opt-out of analytics cookies, you can use your browser's cookie settings, install browser extensions that block analytics, or contact us to disable analytics for your account. For more information, visit Google's Cookie Usage Documentation.

9. International Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through Standard Contractual Clauses (EU), adequacy decisions where applicable, and additional safeguards as required by law. Paddle, our payment processor, operates globally and may process payment data in multiple jurisdictions while maintaining PCI DSS compliance.

10. Children's Privacy

Our service is not intended for users under 16 (or 13 in some jurisdictions). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information immediately. If you believe we have collected information from a child, please contact us immediately at beconnected194@gmail.com.

11. Changes to This Policy

We may update this policy to reflect service changes or legal requirements. For material changes, we will provide 30 days' advance notice via email and in-app notification. Minor updates will be posted here with an updated date. We will maintain a "What's Changed" log to help you track updates.

12. Contact Us

Privacy Questions: beconnected194@gmail.com

Data Requests: Include "Data Request" in subject line

EU Representative: to be appointed

We aim to respond to all privacy inquiries within 5 business days.