1. Introduction
Invoice Master (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, and how we process it in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
This policy applies to the invoicemaster.org website and the Invoice Master software-as-a-service platform (the “Service”). By using the Service, you agree to the practices described here.
2. Data We Collect
We collect and process the following categories of personal data:
- Account data — name, email address, password hash, phone number, and billing address.
- Organisation & customer data — information about your business and any customer or supplier details you store within the Service.
- Usage data — anonymised log files, IP address, browser type, device identifiers, and interactions with our app pages.
- Cookies & tracking — essential first-party cookies for authentication plus analytics cookies set by Hotjar for aggregated product insights.
3. Purposes and Legal Bases
We use your personal data to:
- Provide, personalise, and secure the Service (Art. 6(1)(b) GDPR).
- Send service announcements, onboarding guidance, and account notices (Art. 6(1)(b)).
- Understand platform performance through analytics and improve product features (Art. 6(1)(f)).
- Detect, investigate, and prevent fraud, abuse, or security incidents (Art. 6(1)(f)).
- Comply with tax, accounting, and other legal obligations (Art. 6(1)(c)).
4. Sub-processors
We engage third-party processors that help us run the Service. Each provider is bound by contractual data-processing agreements.
- Supabase Inc. (EU) — managed database, file storage, and encrypted backups.
- Stripe Payments Europe Ltd. (EU) — secure payment processing.
- Hotjar Ltd. (EU/EEA) — aggregated usage analytics and session insights.
- SendGrid / Twilio Inc. (US) — transactional email delivered under Standard Contractual Clauses.
5. Security Measures
The Service enforces TLS 1.2+ encryption in transit and AES-256 encryption at rest. Access to production systems is controlled through principle-of-least-privilege roles and multi-factor authentication for administrator accounts. Supabase provides daily encrypted backups retained for seven (7) days.
6. Data Retention
We retain account data for as long as your subscription remains active. When you delete your account, live records are removed immediately and only persist in encrypted backups for up to seven days. Invoice Master is not an archival solution, so export any business records you must keep prior to deletion.
7. Your Rights
You may exercise the following rights at any time:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete information.
- Delete your account and associated personal data.
- Request a machine-readable export of your personal data.
- Object to analytics or marketing-based processing.
To exercise your rights, contact us at support@invoicemaster.org.
8. International Transfers
Personal data is primarily stored within the European Economic Area. Email metadata processed by SendGrid may be transferred to the United States under Standard Contractual Clauses approved by the European Commission.
10. Contact
If you have questions or complaints regarding this Privacy Policy, email our support team at support@invoicemaster.org.
11. Updates to This Policy
We review this Privacy Policy at least annually and whenever we introduce new processing activities. Significant updates will be announced via email or in-app notifications before they take effect, and we will revise the “Last updated” date shown above.