Privacy Policy

How InvoiceBoard collects, uses, and protects your personal data.


Your privacy is important to us. This Privacy Policy explains how InvoiceBoard ("we", "us", or "our") collects, uses, and protects your personal data when you use our platform ("Service"). Please read this policy carefully.

1. Who We Are (Data Controller)

InvoiceBoard is the data controller responsible for your personal data. If you have questions about this policy or wish to exercise your rights, please contact us at support@invoiceboard.com.

2. Data We Collect

We may collect and process the following categories of personal data:

  • Account Data: Name, email address, and password (or OAuth tokens from Google).
  • Business Data: Company name, address, tax ID, logo, and other details you add to your business profiles.
  • Client Data: Client names, email addresses, phone numbers, postal addresses, and other contact details you enter to generate invoices.
  • Invoice & Document Data: Line items, pricing, payment terms, notes, and other content you enter into invoices and quotes.
  • Payment Data: Billing information processed through Stripe. We do not store your full card details — these are handled directly and securely by Stripe.
  • Usage Data: Log data, IP addresses, browser type, and interaction events used to improve the Service.
  • AI Assistant Messages: Messages you send to the AI Assistant within the platform (see Section 5).

We do not knowingly collect sensitive personal data (e.g., health, racial, or political data) and we do not direct our Service at children under 16.

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal grounds under GDPR Article 6:

Data Category | Legal Basis
Account & authentication data | Performance of a contract (Art. 6(1)(b))
Business & invoice data | Performance of a contract (Art. 6(1)(b))
Payment data | Performance of a contract (Art. 6(1)(b))
Usage analytics & logs | Legitimate interests — operating and improving the Service (Art. 6(1)(f))
AI Assistant messages | Consent you provide by using the AI feature (Art. 6(1)(a))
Marketing communications | Consent (Art. 6(1)(a))

4. How We Use Your Data

We use your data to:

  • Provide, operate, and maintain the Service.
  • Process payments and manage your subscription.
  • Generate invoices, quotes, and related documents based on your inputs.
  • Power the AI Assistant to help you create and manage invoices.
  • Send transactional emails (invoice deliveries, account notifications, overdue reminders).
  • Improve the performance, reliability, and security of the platform.
  • Comply with legal and regulatory obligations.

We do not sell your personal data. We do not use your data for advertising.

5. AI Features & Data Processing

InvoiceBoard includes an AI Assistant powered by large language models — currently provided by OpenAI. Please be aware of the following:

  • When you interact with the AI Assistant, your messages and any business or client context you provide may be transmitted to OpenAI's API for processing.
  • Do not share highly sensitive personal data (e.g., full payment card numbers, government identification numbers, passwords) in the AI chat.
  • AI-generated outputs — including drafted invoices, suggested line items, and client details — are suggestions only. You are solely responsible for reviewing and verifying all AI output before use.
  • InvoiceBoard does not use your data to train AI models. OpenAI processes data as our sub-processor under a Data Processing Agreement, and does not use API data to train its models by default. See OpenAI's Privacy Policy for more information.

6. Third-Party Service Providers (Sub-Processors)

We share data with trusted sub-processors to operate the Service:

Provider | Purpose | Data Shared
Supabase | Database & file storage | All user, invoice, and document data
OpenAI | AI Assistant | Chat messages, invoice context
Stripe | Payment processing | Billing and subscription information — see Stripe's Privacy Policy
Resend | Transactional email | Email addresses, invoice content
Upstash | Background job scheduling | Invoice metadata for reminders & recurrence
Google | OAuth sign-in (optional) | Name and email address (on sign-in only)
Vercel | Application hosting & edge compute | Request metadata

All sub-processors are required to handle data securely and only for the purposes we specify.

7. International Data Transfers

Some of our sub-processors (including OpenAI, Stripe, and Vercel) are based in the United States. Transfers of personal data outside the EEA or UK are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent appropriate safeguards as required by applicable data protection law.

8. Data Retention

We retain your personal data for as long as necessary to provide the Service or as required by law:

  • Account data: Retained while your account is active and for up to 30 days following a deletion request.
  • Invoice and business data: Retained for the duration of your account and deleted within 30 days of account closure.
  • Usage and security logs: Retained for up to 12 months.
  • Payment records: Retained for up to 7 years to comply with financial and tax regulations.

You may request deletion of your data at any time (see Section 9).

9. Your Rights (GDPR & UK GDPR)

If you are in the EEA or United Kingdom, you have the following rights under applicable data protection law:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing: Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority (e.g., the ICO in the UK, the CNIL in France, or the relevant EU DPA in your country).

To exercise any of these rights, contact us at support@invoiceboard.com. We will respond within 30 days.

10. Data Security

We implement technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256 via Supabase).
  • Row-level security on the database — all data is scoped to your team and inaccessible to other users.
  • Access controls, strong authentication (OAuth, magic links, OTP), and session management.
  • Regular security monitoring.

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately.

11. Cookies

We use minimal, essential cookies required for authentication and session management. We do not use tracking or advertising cookies. You can manage cookies through your browser settings, although disabling essential cookies may affect the functionality of the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the platform at least 14 days before changes take effect. Continued use of the Service after that date constitutes your acceptance of the updated policy.

13. Contact Us

For questions, concerns, or to exercise your rights under this policy:

Website: invoiceboard.com

Email: support@invoiceboard.com


Last updated: May 28, 2026