We do not sell your personal data. We do not use your data for advertising. We collect only what we need to provide the service.
1. Who we are
InvoiceFlow Ltd ("InvoiceFlow", "we", "us", or "our") is a company registered in England and Wales. We operate the InvoiceFlow platform — an invoicing and billing tool for small businesses and freelancers — available at invoiceflow.app and through our web application.
For the purposes of UK GDPR and the Data Protection Act 2018, InvoiceFlow Ltd is the Data Controller for the personal data described in this policy.
If you have any questions about this policy or how we handle your data, contact our Data Protection contact at: privacy@invoiceflow.app
2. Data we collect
We collect the following categories of data when you use InvoiceFlow:
- Account data: your full name, business name, email address, and password (stored as a hashed value — we never store plaintext passwords).
- Billing data: the last four digits of your payment card, card expiry month and year, and billing postcode. We do not store full card numbers — payment processing is handled by our payment processor (Stripe). Full card details are transmitted directly to Stripe and never touch our servers.
- Business data: information you enter about your business (address, VAT number, logo, brand colours) and about your customers (names, email addresses, addresses, payment records).
- Invoice data: invoices, line items, payment statuses, and notes you create within the platform.
- Usage data: pages visited, features used, browser type, operating system, and approximate location derived from your IP address. We use this to understand how the product is used and to improve it.
- Communications: if you contact our support team, we retain records of those communications.
3. How we use your data
We use the data we collect to:
- Provide and operate the InvoiceFlow service, including creating your account, storing your invoices, and sending invoices on your behalf.
- Process payments and manage your subscription, including billing, renewals, and receipts.
- Send transactional emails such as account welcome messages, subscription confirmations, payment receipts, and invoice delivery notifications.
- Provide customer support and respond to enquiries.
- Detect, investigate, and prevent fraudulent transactions or misuse of the platform.
- Comply with legal obligations, including tax and accounting requirements.
- Improve the product through aggregated, anonymised analysis of usage patterns.
We will not use your personal data for any purpose other than those listed above without your explicit consent.
4. Legal basis for processing
Under UK GDPR, we process your personal data on the following lawful bases:
- Contract performance (Article 6(1)(b)): processing your account data, billing data, and invoice data is necessary to fulfil our contractual obligations to you as a subscriber.
- Legitimate interests (Article 6(1)(f)): we process usage data to improve the platform and detect fraud. These interests are not outweighed by your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c)): we may be required to retain certain financial or transaction records to comply with UK tax law and other regulations.
- Consent (Article 6(1)(a)): where we send optional marketing communications, we will obtain your explicit consent first. You can withdraw this consent at any time.
5. How long we keep your data
We retain your personal data for as long as your account is active. If you close your account:
- Your account data and invoice data are deleted within 30 days of account closure, unless we are legally required to retain them longer.
- Billing records (transaction history, invoices issued to you) are retained for seven years to comply with UK HMRC requirements.
- Support communications are retained for two years after the conversation closes.
- Anonymised, aggregated usage data may be retained indefinitely as it contains no personal information.
6. Who we share data with
We do not sell your data to third parties. We may share data with the following categories of trusted sub-processors, each of whom is bound by data processing agreements:
- Stripe: payment processing. Stripe processes card details directly and is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
- Amazon Web Services (AWS): cloud infrastructure. Our servers and databases are hosted in AWS data centres in the UK and EU.
- Postmark / SendGrid: transactional email delivery (invoice emails, account notifications).
- Sentry: error monitoring and crash reporting. Error reports may include device type and browser version but are anonymised before processing.
We may also disclose data if required by law, court order, or a legitimate request from a regulatory authority.
7. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): you can request deletion of your personal data, subject to any legal retention obligations we have.
- Right to restriction: you can ask us to restrict processing of your data in certain circumstances.
- Right to data portability: you can request a machine-readable export of your data (invoices, customer list, account details) at any time from within the app under Settings.
- Right to object: you can object to processing carried out on the basis of legitimate interests.
- Right to withdraw consent: where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@invoiceflow.app. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use cookies and similar technologies. For full details of the cookies we set and how to manage them, please read our Cookie Policy.
In summary: we use strictly necessary cookies to keep you logged in and to maintain your session. We use analytics cookies (which can be disabled) to understand product usage. We do not use advertising cookies.
9. Security
We take the security of your data seriously. Our platform uses TLS encryption for all data in transit, and data at rest is encrypted using AES-256. Passwords are hashed using bcrypt and are never stored in recoverable form. Access to production systems is restricted to authorised personnel only and protected by multi-factor authentication.
If you believe your account has been compromised or you have identified a security vulnerability, please contact us immediately at security@invoiceflow.app.
For any questions relating to this Privacy Policy or your personal data, contact us at privacy@invoiceflow.app. We aim to respond to all data-related enquiries within 5 working days and will always respond within the 30-day statutory period.