Privacy Policy

Last updated: July 6, 2025

Quick Privacy Summary for SMBs & Freelancers

🔒 Your Data Protection:

  • We never sell your data
  • Everything is encrypted
  • You own your business data
  • Request supported exports (AI calls/reports) or deletion anytime

📋 What We Collect:

  • Basic account info
  • Your invoices & receipts
  • AI call recordings (with consent)
  • Usage data to improve service

Full details below. We follow GDPR, CCPA, and other privacy laws.

Your privacy matters to us. This Privacy Policy explains how InvoicifyAI ("we", "us", "our") collects, uses, shares, and protects your information when you use our website, app, and services.

1. Information We Collect

We collect only the information necessary to provide our services:

  • Account & Profile Information: Full name, email, company name, company details, address, phone, website, logo, industry, year founded, business type, customer base size, roles, and multi-factor authentication settings.
  • Client Information: Client names, emails, phone numbers, addresses, companies, notes, reminder preferences, and lifecycle stage metadata.
  • Financial Documents: Invoices, estimates, receipts, expenses, payment terms, payment methods, taxes, discounts, currency, and related product/service line items.
  • AI Agent & Call Data: Call recordings, transcripts, conversation summaries, sentiment analysis, call duration, outcomes, NPS scores (for feedback calls), and agent configurations.
  • Document Processing: Receipt images/PDFs for AI-powered receipt scanning, invoice/estimate attachments, and generated document templates.
  • Payment & Subscription Data: Billing information, subscription tier, payment history, usage metrics for AI features, and fraud-prevention signals from our payment processor.
  • Communication Logs: Email delivery logs, reminder schedules, automated communication preferences, and customer opt-out status.
  • Usage & Analytics: Feature usage, login times, session data, browser/device information, IP addresses, error reports, and performance metrics.
  • Support Communications: Support tickets, feature requests, diagnostic snapshots you choose to share, and any correspondence with our team.
  • Cookies & Tracking: Authentication tokens, session cookies, preference settings, analytics cookies, and in-app telemetry used to secure the platform.

We follow a data-minimization approach: we only collect what we need to deliver and secure the Service. Each record is scoped to your company workspace, and we do not ingest customer data into public data sets.

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services and fulfill our contract with you.
  • Legitimate Interests: For business operations, security, fraud prevention, and service improvement.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.
  • Consent: For optional features like marketing communications and certain cookies.

3. How We Use Your Information

  • To provide and improve our services, features, and user experience.
  • To deliver subscription services, process payments, and manage your account.
  • To enable AI-powered features (calls, receipt scanning, conversation, analytics) that you configure.
  • For security, troubleshooting, analytics, and usage monitoring.
  • To communicate updates, notifications, and support responses.
  • To comply with legal obligations.
  • To generate aggregated, de-identified insights that help us improve the platform without identifying individual users.

We never sell your personal information, and our AI partners (OpenAI, Anthropic, ElevenLabs) are contractually prohibited from using Customer Data to train their general-purpose models. They only process data to deliver the AI outputs you request, under signed data processing agreements.

4. Where Your Data Goes: Service Providers & Subprocessors

InvoicifyAI relies on trusted third-party providers ("subprocessors") to deliver secure, modern features. Your data may be processed by the following providers, solely for the operation of our platform:

  • Supabase: Database, authentication, file storage, and backend processing (primary data residency: United States & European Union).
  • Vercel: Web application hosting and edge infrastructure (global CDN with regional failover).
  • Twilio: Telephony, SMS, and phone number management (data centers in North America & EU).
  • ElevenLabs: AI voice synthesis for automated agent calls.
  • OpenAI: AI conversation, analytics, and natural language processing.
  • Anthropic (Claude): AI-powered receipt scanning for expenses and advanced AI features.
  • Google Cloud & Workspace: Cloud hosting, email, logging, and analytics.
  • Stripe: Payment processing, subscription billing, and fraud prevention.

Each provider acts as our data processor under a written data processing agreement (including Standard Contractual Clauses where required). They may only process Customer Data to help us deliver the Service, and they are prohibited from selling or repurposing your information. A current list of subprocessors and their regions is available in your workspace settings; we will notify you before adding a new subprocessor.

5. Data Retention

We retain your data only as long as necessary for the purposes described above or to meet legal obligations:

  • Account Data: Retained while your subscription is active and for 30 days after cancellation so you can request supported exports (currently AI agent calls and reports) and so we can meet billing, audit, or fraud-prevention obligations.
  • Business Records: Retained for up to 7 years (or longer if required by applicable tax, financial, or regulatory laws).
  • Support Data: Retained for 24 months to improve support quality and resolve repeat issues.
  • Usage & Analytics Data: Retained for 12 months in aggregated or pseudonymized form.
  • AI Call Records & Transcripts: Retained for 90 days by default; you can delete individual recordings at any time, and we purge them within 30 days of confirmed deletion.
  • Backups: Encrypted backups are overwritten on a rolling 30-day schedule—data removed from production is erased when those backups cycle out.

When you request deletion, we queue your workspace for removal from active systems within 30 days (subject to legal holds). Residual data in logs and backups will be purged automatically according to the schedules above.

6. Data Security

  • All data is encrypted in transit using TLS 1.3 or higher.
  • Sensitive data (including call recordings and payment metadata) is encrypted at rest using AES-256 encryption.
  • We use company-based multi-tenant isolation, role-based access controls, audit logging, and least-privilege enforcement.
  • We conduct regular penetration tests, vulnerability scans, and continuous monitoring.
  • Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications.

Security is a shared responsibility. You must protect account credentials, enforce multi-factor authentication where available, and limit API keys or integrations to trusted personnel. If you suspect unauthorized access, notify us immediately at security@invoicifyai.com.

We monitor for unusual activity and will notify your account owner within a commercially reasonable period after confirming a security incident that impacts your data. Notifications will describe the nature of the incident, the data involved (if known), and remediation steps you can take.

7. Your Data Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Portability: Receive your data in a machine-readable format.
  • Restriction: Limit processing of your data in certain circumstances.
  • Object: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent for processing where applicable.

To exercise these rights, contact privacy@invoicifyai.com or submit a request through the Privacy Center in your workspace. We verify your identity (and, where allowed, your authorized agent) by confirming account ownership details before fulfilling requests. We respond within 30 days and may extend once (up to 60 days total) for complex requests, as permitted by law.

Note: Self-service exports are currently available for AI agent call logs and analytics reports. For any additional data exports, contact us and we will confirm availability or provide alternatives.

EU/EEA & UK (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have GDPR rights including data portability, objection to profiling, and lodging a complaint with your local supervisory authority. Contact us at privacy@invoicifyai.com and we will address your request or direct you to the correct point of contact.

California (CCPA/CPRA)

California residents may request access, deletion, and correction of personal information, and may opt out of sharing personal information for cross-context behavioral advertising. We do not sell personal information. You may submit opt-out requests via privacy@invoicifyai.com with the subject "CCPA Request". We will not discriminate against you for exercising your rights.

Canada (PIPEDA)

Canadian users may request access, correction, and withdrawal of consent consistent with PIPEDA. If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for:

Essential Cookies

Required for authentication, security, and core functionality. Cannot be disabled.

Analytics Cookies

Help us understand usage patterns and improve our services. Can be disabled in settings.

Preference Cookies

Remember your settings and preferences across sessions.

You can manage cookie preferences in your browser settings or through our cookie preference center.

9. Data Sharing & Disclosure

  • We do not sell, rent, or trade your personal data.
  • We share data only with subprocessors as outlined above, for service delivery.
  • Data may be disclosed to comply with laws, regulations, legal process, or enforceable government requests, subject to appropriate review.
  • We may share aggregated or anonymized insights that do not identify you or your customers.
  • In case of business transfer (sale/merger/acquisition), user data may be part of transferred assets, with notice provided.

10. Children's Privacy

InvoicifyAI is not intended for children under 16, and we do not knowingly collect data from minors. If we learn we have collected data from a child, we will promptly delete it.

11. International Data Transfers

Your data may be processed in Canada, the US, EU, or other countries where our providers operate. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission.
  • Data Processing Agreements with all subprocessors.
  • Adequacy decisions where applicable.

12. Compliance and Certifications

We are committed to maintaining the highest standards of data protection:

  • GDPR compliant for EU residents.
  • CCPA compliant for California residents.
  • PIPEDA compliant for Canadian residents.
  • Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications.

13. Changes to this Policy

We may update this Privacy Policy as our business or laws evolve. If we make material changes, we will notify you by posting a notice in the app, sending an email, or using another reasonable method, as required by law. The "Last Updated" date at the top reflects the most recent revision. Please review this policy periodically for updates.

14. Contact Us

For privacy-related questions or requests: