Introduction
This Privacy Policy ("Policy") describes how InvoiceBest ("InvoiceBest", "we", "us") collects, uses, and shares information about you when you use our websites, products, and services (collectively, the "Services"). We aim for clarity, minimal data collection, and security by design. If you are using the Services in a personal capacity, we act as the data controller. When you use the Services on behalf of your employer or organization (for example, within a shared workspace), your organization is the data controller and we act as a data processor.
Scope & Roles
- Controller: InvoiceBest, except where your organization controls your workspace. Address and contact are provided in Contact & Complaints.
- Processor: We process customer data (e.g., invoice records, client contacts) under a Data Processing Addendum (DPA) where required. See the Annex.
- Territorial scope: We provide Services globally. This Policy applies wherever you are located, with additional disclosures for EEA/UK and California residents.
Key Definitions
- Personal Data: any information that identifies or can reasonably be linked to an individual.
- Customer Data: content you and your organization input into the Services (e.g., invoices, items, clients, notes).
- Usage Data: diagnostics, device, and event data generated by your use of the Services.
- Processing: any operation performed on Personal Data, such as collection, storage, access, or deletion.
1. Information We Collect
Information you provide
- Account details (name, email, password or SSO identifiers).
- Workspace and billing details (company name, tax IDs, billing address, plan, subscription status).
- Customer Data you enter or import (invoices, quotes/estimates, contacts, items, attachments, notes).
- Support communications and feedback.
Information collected automatically
- Usage Data (app events, feature interactions, crash logs).
- Device and connection data (browser type, OS, IP address approximated to city/region, language, time zone).
- Cookies and similar technologies (see Cookies).
Information from third parties
- Identity or authentication providers (e.g., Google, Apple) for sign‑in.
- Payment providers (e.g., Stripe) to process payments and prevent fraud.
- Email delivery providers to send transactional communications.
2. Legal Bases (EEA/UK)
We process Personal Data under the following lawful bases: (i) contract (to provide the Services you requested); (ii) legitimate interests (to secure, improve, and personalize the Services, and to prevent fraud — balanced against your rights); (iii) consent where required (e.g., certain analytics/cookies or marketing); and (iv) legal obligation (e.g., tax, accounting).
3. How We Use Information
- Provide, maintain, and secure the Services (including troubleshooting, support, and backups).
- Operate core features (invoicing, quotes/estimates, payments, reporting, exports, and integrations).
- Process transactions, manage subscriptions, detect/prevent fraud and abuse.
- Measure performance, fix bugs, and improve UX, features, and reliability.
- Comply with legal and regulatory requirements and enforce our terms.
- Communicate service updates and essential notices. We only send marketing with appropriate consent/opt‑out controls.
4. AI & Automated Processing
Our AI Assistant feature uses large language models to help you create invoices, manage customers, generate reports, and answer questions about your data. When you interact with the assistant:
- What we process: Your prompts, invoice data, customer information, and product details may be sent to OpenAI-compatible AI providers to generate responses.
- Training: We configure our AI providers with zero-retention policies. Your data is NOT used to train AI models.
- Control: The AI Assistant is entirely optional. You can choose not to use it, and all core invoicing features work independently.
- Human oversight: No legal or financial decisions are made solely by AI. The assistant generates suggestions; you remain in full control.
- Providers: We use OpenAI-compatible API endpoints. Current providers are listed in the Sub‑processors Annex.
7. Payments
Payments are processed by our payment provider (e.g., Stripe). We do not store full payment card numbers. Stripe processes payment data as an independent controller for anti‑fraud and regulatory compliance. See their privacy notice for details. Your subscription status and the last 4 digits/expiry month may be stored for receipts and account records.
8. Data Retention
We retain Personal Data for as long as necessary to provide the Services and for legitimate business or legal purposes:
- Active accounts: Customer Data is retained while your workspace is active and for 90 days after account cancellation to allow for reactivation.
- After deletion request: Upon account deletion, we begin permanent deletion within 30 days, subject to backup cycles (up to 90 days total) and legal holds.
- Legal/compliance: Billing records, tax documentation, and audit logs may be retained for 7 years to comply with accounting and tax regulations.
- Security logs: Anonymized security and fraud-prevention logs may be retained for up to 2 years.
- Early deletion: You can request immediate deletion of specific data via support, subject to legal obligations.
9. Security
We implement industry-standard security measures to protect your Personal Data:
- Data isolation: Row‑Level Security (RLS) and role‑based access controls ensure strict tenant isolation.
- Encryption: TLS 1.3 for data in transit; AES-256 encryption at rest for database storage.
- Access control: Principle of least privilege for internal staff; all access is logged and audited.
- Development practices: Secure software development lifecycle, automated security scanning, dependency vulnerability monitoring.
- Backups: Encrypted daily backups with point-in-time recovery capabilities.
- Monitoring: Real-time security monitoring, intrusion detection, and automated alerting.
Breach notification: In the unlikely event of a data breach affecting your Personal Data, we will notify you and relevant supervisory authorities within 72 hours of becoming aware, as required by applicable law. No method of transmission or storage is 100% secure, but we continuously work to strengthen our defenses.
10. International Transfers
We may transfer Personal Data internationally (for example, to the United States or the EU) where our providers operate. When required, we use approved safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK Addendum. We assess provider practices to support a level of protection essentially equivalent to that under applicable law.
11. Your Rights
EEA/UK/Swiss residents
- Access, rectification, deletion, and portability of your Personal Data.
- Restriction or objection to processing where our lawful basis is legitimate interests.
- Withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA)
- Right to know, correct, and delete Personal Information, and to obtain it in a portable format.
- Right to opt out of sales or sharing for cross‑context behavioral advertising. We do not sell Personal Information.
- Right to limit use of sensitive Personal Information (we only use it for necessary service purposes).
- No discrimination for exercising your rights.
Response timeline: We respond to verified data subject requests within 30 days (GDPR) or 45 days (CCPA), with possible extensions communicated in advance. To exercise your rights, contact us as described in Contact & Complaints. We may need to verify your identity and, if applicable, your authority as an authorized agent.
12. Children’s Privacy
The Services are not directed to children under 13 (or the age required by your jurisdiction). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data, please contact us so we can delete it.
13. Do Not Track
Some browsers offer a “Do Not Track” (DNT) setting. Because there is no common standard for DNT signals, we do not currently respond to them.
14. Third‑Party Links
The Services may contain links to third‑party websites or services. We are not responsible for their content or privacy practices. Review their policies before providing Personal Data.
15. Your Account Controls
- Manage profile, security, and notifications in Settings.
- Export invoices, customers, and other records using in‑product export tools.
- Delete your workspace or request account deletion from support; we will confirm and action the request consistent with this Policy.
16. Changes to this Policy
We may update this Policy to reflect changes to our practices or legal requirements. If changes are material, we will provide advance notice by email or in‑app. The “Last updated” date at the top reflects the latest revision.
17. Contact & Complaints
If you have questions about this Policy or your data, contact us at privacy@invoicebest.com. If you are in the EEA/UK, you also have the right to complain to your local supervisory authority.
Data Controller: InvoiceBest
Email: privacy@invoicebest.com
For formal legal correspondence: legal@invoicebest.com
Note: As a recently launched service, we are in the process of establishing our registered office. For current contact information, please use the email addresses above.
Annex: Sub‑processors & Documents
We engage the following trusted third-party sub-processors to help deliver the Services. All are bound by data protection agreements:
- Hosting & Infrastructure: Supabase Inc. (database, authentication, storage, real-time features), Vercel Inc. (application hosting, CDN, edge functions).
- Payments: Stripe Inc. (payment processing, subscription management, fraud prevention). Stripe acts as an independent controller for anti-fraud purposes.
- Email Delivery: Resend Inc. (transactional emails including invoices, receipts, authentication emails).
- AI Processing: OpenAI-compatible providers for AI Assistant features (customer data processed with zero-retention policies). Specific providers may vary; the current provider is disclosed at invoicebest.com/legal/subprocessors.
- Analytics: Vercel Analytics (privacy-focused, no cookies, aggregated usage metrics) when enabled.
For detailed information, see the Data Processing Addendum (DPA) and the Current Sub‑processor List.
We will provide 30 days' advance notice of new sub-processor additions via email to workspace owners. You may object to a new sub-processor; if we cannot accommodate your objection, you may terminate your subscription.
This Policy does not grant you rights that supersede any separate agreement you have with us (e.g., Enterprise DPA). In case of conflict, that agreement controls as to its subject matter.