InvoiceBest logoInvoiceBest
Back to Invoice Best

Invoice Best Privacy Policy

Effective Date:

Entity: PT Panca Gala Mandiri ("Invoice Best", "we", "us", "our")

Registered Address: Tangerang Selatan, Banten, Indonesia

Contact: legal@invoicebest.com

Short version: We run an AI‑powered invoicing management service. We process the personal data you give us to operate the service and support you. For your invoice recipients, we act mainly as your processor. We don’t sell personal data. We don’t train foundation models on your content unless you opt in. You can export or delete your data and contact us at legal@invoicebest.com.

1) Scope & Who We Are

This Privacy Policy explains how Invoice Best collects, uses, and shares personal data when you visit invoicebest.com, create an account, use our web app or APIs, or otherwise interact with us (collectively, the Service).

Unless stated otherwise in a separate agreement, PT Panca Gala Mandiri is the data controller for personal data about account holders and site visitors. For personal data inside your invoices and customer records, we generally act as your data processor/service provider.

2) Roles & Responsibilities

  • Controller data (we decide purposes/means): account registration info, plan/billing profile, product telemetry, support interactions, marketing preferences.
  • Processor data (we process on your instructions): invoice contents, recipient identities and contact details, your templates, uploaded files, and metadata.

If a separate Data Processing Addendum (DPA) is in place, it governs processor data. Our standard DPA is available for Enterprise and upon request.

3) Personal Data We Collect

Data you provide directly

  • Account & profile: name, email, password (hashed), organization name, roles/seats, settings.
  • Subscription & billing: plan, payment status, billing contact and address. Card/financial data is handled by our payment processors; we don’t store full card numbers.
  • Customer Content: invoice data, recipient details, line items, logos, attachments, templates, workflow rules.
  • Support & feedback: messages, tickets, survey responses, bug reports.

Data we collect automatically

  • Usage & logs: device and browser information, IP address, timestamps, page views, API calls, feature interactions, crash logs.
  • Cookies & similar tech: session cookies, authentication tokens, and analytics cookies (see §11).

Data from third parties

  • Payment processors: payment status updates, fraud signals.
  • Auth/communication providers: email delivery status, bounce/complaint data.

We do not intentionally collect special categories of personal data (e.g., health, biometric, precise location). Please do not include such data in your invoices or uploads.

4) How We Use Personal Data

  • Provide the Service: authenticate, host, generate PDFs, run workflows, send invoice reminders on your behalf, and deliver features.
  • Operate AI features: generate suggestions and insights you request, subject to §5 (AI processing).
  • Secure and maintain: monitor for abuse, ensure availability, debug issues, and back up data daily.
  • Billing & account management: manage trials, subscriptions, dunning, receipts, taxes.
  • Communicate: send transactional emails (e.g., service, billing) and, with your consent or where permitted, marketing emails (opt‑out anytime).
  • Improve the Service: aggregate/anonymize data to analyze performance and usage trends.
  • Legal & compliance: comply with law, enforce terms, and protect rights and safety.

Legal bases (EEA/UK users): contract performance, legitimate interests (e.g., security, product improvement), consent (e.g., non‑essential cookies/marketing), and legal obligations.

5) AI Processing

  • Providers. To power AI features, we may send relevant prompts and content to third‑party AI providers, including OpenAI and Google Gemini, under contractual and technical safeguards.
  • Accuracy & human review. AI outputs may be inaccurate or incomplete; you must review before use. We do not provide legal, accounting, or tax advice.
  • Training. We do not use your Customer Content to train foundation models unless you opt in. We may use aggregated, de‑identified usage signals to improve quality and safety.

6) How We Share Personal Data

We share personal data only as described below:

  • Subprocessors/Service providers: hosting, storage, backups (e.g., Supabase), email delivery, analytics, customer support, payment processing (see below), AI providers (see §5). We publish a current list at /subprocessors and may update it periodically. We provide advance notice of material changes where required (e.g., in‑app or website notice).
  • Payments: Dodo Payments (global) and Midtrans (Southeast Asia) process subscription fees. They receive billing and transaction details as needed.
  • Integrations you enable: we share data as necessary with services you choose to connect.
  • Corporate transactions: in a merger, acquisition, or asset sale, data may transfer to the successor.
  • Legal & safety: to comply with law, respond to valid legal requests, or protect rights, safety, and security.

We do not sell personal data and we do not share personal data for cross‑context behavioral advertising as defined by California law.

7) International Transfers

We operate globally and may transfer personal data to countries that may not have the same data‑protection laws as yours. Where required, we use appropriate safeguards such as the EU/UK Standard Contractual Clauses to protect transfers. You can contact us for a copy of applicable safeguards.

8) Payments & Taxes

Subscription payments are handled by Dodo Payments and Midtrans. We receive confirmation, status, and limited billing details, but not full card numbers. Taxes applicable to your subscription may be collected as required by law. We do not process payments for your outgoing invoices to your customers.

9) Data Retention & Deletion

  • Active accounts: retain for your subscription term.
  • Upon request or termination: delete or return your Customer Content; we target deletion within 30 days.
  • Backups: daily backups (e.g., via Supabase) are retained typically 35–90 days and then overwritten. Some records may be kept longer if required by law or to resolve disputes.

10) Security

  • Encryption in transit and at rest, access controls, audit logging, and regular backups.
  • Monitoring for abuse, availability, and incident response.

If we confirm a breach affecting your personal data, we will notify you without undue delay and, where required, within 72 hours, describing the nature of the incident and actions taken.

11) Cookies & Similar Technologies

  • Essential: for sign‑in and security (cannot be disabled).
  • Functional/analytics: to understand usage and improve the Service (see /subprocessors for current analytics provider).
  • Communication tokens: for email/open tracking where lawful.

You can manage cookies via your browser settings and, where available, our cookie controls. Blocking cookies may impact functionality.

12) Your Privacy Choices & Rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing or withdraw consent.

  • EEA/UK: GDPR/UK GDPR rights apply; you may lodge complaints with your local authority.
  • California (CPRA): rights to know/access, delete, correct, and opt out of sale/share (we do not sell/share). Sensitive personal information is not used for additional purposes without notice. You may use an authorized agent.
  • Indonesia (PDP Law): rights to obtain information on processing, access/correction, deletion, withdraw consent, and object to automated decisions where applicable.

To exercise rights, email legal@invoicebest.com. We may ask for verification. For processor data (your invoice recipients), please contact the data controller (our customer) first; we will assist them per our DPA.

13) Children’s Privacy

The Service is not directed to children, and we do not knowingly collect personal data from children under 13 (or older, where local law requires). If you believe a child has provided data, contact us to delete it.

14) Marketing Communications

We may send you product and feature updates. You can opt out using unsubscribe links or by contacting us. Transactional/service messages are necessary for your account and you cannot opt out of those.

15) Data Residency

We process data globally. Unless otherwise agreed in a signed Enterprise DPA, we do not offer region‑locked storage or processing. Enterprise customers may request regional options where available.

16) Third‑Party Links & Services

The Service may link to third‑party sites or integrate with third‑party services. Their privacy practices are governed by their own policies. Please review them carefully.

17) Changes to This Policy

We may update this Policy to reflect changes in our practices or legal requirements. If changes are material, we will provide at least 30 days’ notice via email, in‑app message, or website post before they take effect.

18) Contact Us

Email: legal@invoicebest.com
Security reports: security@invoicebest.com
Mailing address: Tangerang Selatan, Banten, Indonesia

Controller: PT Panca Gala Mandiri
Subprocessors: see /subprocessors
DPA: available for Enterprise or upon request