Privacy Policy
Last updated: 18 June 2026 · Applies worldwide, including EEA, UK, and Switzerland
1. Who we are
InvoiceGen is operated by Syfer Ltd (“we”, “our”, “us”), a company registered in England and Wales (Company No. 15438102), with registered office at 124 City Road, London EC1V 2NX, United Kingdom. We provide invoicing software as a service to customers worldwide.
For the purposes of UK GDPR and the EU General Data Protection Regulation (GDPR), Syfer Ltd is the data controller for personal data we collect through this website and our service.
You can contact our Data Protection Officer (DPO) at privacy@invoicegent.com or by post at the address above, marked “For the DPO”.
EU representative (Article 27 GDPR): In compliance with Article 27 GDPR, our EU representative is: EU Rep Services OÜ, Tornimäe 5, 10145 Tallinn, Estonia. Contact: eu-rep@invoicegent.com.
2. What data we collect
- Account data — email address, name, password hash (managed by Supabase Auth).
- Billing data — subscription plan, billing email, last four digits of payment method (handled by Stripe; we never see or store full card numbers).
- Workspace data — invoices, clients, products, expenses, company details you create in the app.
- Usage data — pages visited, features used, error reports, IP address, browser type, device type, timestamps.
- Email delivery data — when you send an invoice to a client, we log the send event, recipient, and delivery status.
- Cookies and similar tracking — see Section 6 for full details.
3. How we use your data
- To provide and operate the service (create, send, track invoices).
- To process payments via Stripe.
- To send transactional emails (invoice delivery, payment confirmations, account notifications).
- To prevent abuse, fraud, and security incidents.
- To improve the product via aggregated, anonymized analytics (only with your consent).
- To comply with legal obligations (tax records, AML, accounting law).
- To respond to your support requests.
We do not sell your personal data, ever. We do not run third-party advertising trackers, and we do not share data with data brokers.
4. Legal basis (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)) — to provide the invoicing service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, debugging, product improvement through aggregated analytics.
- Legal obligation (Art. 6(1)(c)) — tax, accounting, and anti-money-laundering law.
- Consent (Art. 6(1)(a)) — non-essential cookies/analytics and marketing communications. You can withdraw consent at any time without affecting the lawfulness of prior processing.
5. Sub-processors and international transfers
We share data with the following sub-processors, all bound by written data processing agreements compliant with GDPR Article 28. Some sub-processors may process data outside the EEA/UK; in those cases we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
- Supabase — database and authentication (US + EU regions available; we use EU-Frankfurt by default for new accounts).
- Stripe Payments Europe Ltd — payment processing (EU + US, PCI-DSS Level 1).
- Resend — transactional email delivery (US).
- Vercel Inc. — hosting and edge network (US + EU regions; data processing addendum in place).
- Google Cloud (Gmail API) — only if you explicitly connect your Gmail account to send invoices from your own address.
Where transfers occur to a country without an adequacy decision, we use SCCs (Module 1 Controller-to-Controller or Module 2 Controller-to-Processor as applicable). You can request a copy of the safeguards we have in place by emailing our DPO.
6. Cookies and similar technologies
We use a small number of cookies and similar technologies. You will see a cookie banner on your first visit, and you can change your preferences at any time using the “Cookie Settings” link in our footer.
- Essential cookies — authentication (Supabase session token), CSRF protection, load balancing. These are strictly necessary for the service to function and cannot be disabled. Legal basis: Art. 6(1)(b) / 6(1)(f).
- Analytics cookies — Vercel Analytics and Speed Insights for anonymous usage statistics (page views, performance metrics). No personally identifying data is collected. Legal basis: Art. 6(1)(a) — consent, obtained via the cookie banner. We do not load analytics scripts until you opt in.
- Marketing cookies — currently we do not use any marketing or advertising cookies. This category is reserved for potential future use (e.g. retargeting) and remains disabled by default.
We respect the “Global Privacy Control” (GPC) signal. If your browser sends GPC, we treat it as a do-not-sell/share/track signal and automatically reject non-essential cookies for that session.
7. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
- Invoice and client data — kept while your account is active. You can delete individual records at any time. Bulk export and full account deletion are available from Settings.
- Billing records — 7 years (HMRC / accounting law requirement).
- Backups — 30 days rolling, then permanently deleted.
- Server logs — 90 days, then aggregated/anonymized.
8. Your rights
Under GDPR, UK GDPR, and other applicable privacy laws, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data, also known as the “right to be forgotten” (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20). Available today as a one-click JSON/CSV export from Settings.
- Object to processing based on legitimate interest or for direct marketing (Art. 21).
- Withdraw consent at any time, without retroactive effect (Art. 7(3)).
- Not be subject to a decision based solely on automated processing (Art. 22).
- Lodge a complaint with your local data protection authority:
  - UK: Information Commissioner’s Office (ICO) — ico.org.uk
  - EU: your national supervisory authority — list at edpb.europa.eu
To exercise any of these rights, email privacy@invoicegent.com. We respond within 30 days (or 60 days for complex requests, with an explanation of the delay). We will not charge for the request unless it is manifestly unfounded or excessive.
9. Security
We take the security of your data seriously. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production data is limited to authorized personnel with audit logging, hardware security keys, and mandatory security training. We run quarterly security reviews and continuously monitor for vulnerabilities and dependency updates.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, in line with GDPR Articles 33 and 34.
10. Children
InvoiceGen is not directed at children under 16 (or such higher age as your country requires for valid consent to data processing, typically 13–16). We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact our DPO and we will delete it.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email and via an in-app banner at least 30 days before they take effect, so you have time to review and, where required, re-consent. The latest version is always at this URL with an updated “Last updated” date.
12. Contact
Syfer Ltd
124 City Road, London EC1V 2NX, United Kingdom
Company No. 15438102
Data Protection Officer: privacy@invoicegent.com
EU Representative (Art. 27 GDPR)
EU Rep Services OÜ
Tornimäe 5, 10145 Tallinn, Estonia
eu-rep@invoicegent.com