Privacy Policy

Last updated: 21 February 2026

InvoiceAdept ("we", "us", "our") operates the InvoiceAdept web application and mobile applications for iOS and Android (collectively the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account information: Name, email address, and password when you create an account.

Business information: Business name, address, logo, tax identifiers, and bank details you enter into your profile.

Platform data: Invoices, quotes, customer records, payment records, and expenses you create through the Service.

Device information: When you use our mobile apps, we collect your device platform (iOS or Android) and a push notification token solely for delivering notifications. We do not collect device identifiers, location data, contacts, photos, or any other device data.

Usage analytics: We collect anonymised usage data (pages visited, features used) through PostHog to improve the Service. This data is not linked to your identity and does not include personal information.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process invoices, payments, and financial records on your behalf
  • Send transactional emails (invoice notifications, payment receipts, account verification)
  • Deliver push notifications about invoice activity, payment updates, and account events
  • Provide AI-assisted features such as natural language invoice creation
  • Monitor and prevent fraud or abuse

We do not sell, rent, or trade your personal data to third parties.

3. AI Processing

InvoiceAdept offers optional AI-powered features (e.g. creating invoices from natural language input). When you use these features, the text you enter is sent to OpenAI for processing. Only the text you explicitly submit is sent — we do not send your customer database, financial records, or any other stored data. OpenAI does not use this data for training purposes under our agreement.

4. Data Storage and Security

Your data is stored on DigitalOcean managed infrastructure in the London (LON1) region. Passwords are cryptographically hashed using bcrypt. All connections are encrypted via TLS in transit, and data is encrypted at rest. We implement industry-standard security practices including rate limiting, audit logging, and role-based access controls.

5. Third-Party Services

We share data with the following service providers only as necessary to operate the Service:

  • Stripe — payment processing (card details are handled directly by Stripe and never touch our servers)
  • Resend — transactional email delivery
  • DigitalOcean — hosting and database infrastructure
  • OpenAI — AI-assisted invoice creation (only when you use AI features)
  • PostHog — anonymised product analytics
  • Sentry — error monitoring (may include technical stack traces, never personal data)
  • Apple Push Notification service / Firebase Cloud Messaging — push notification delivery on iOS and Android

Each provider operates under their own privacy policies and data processing agreements.

6. Push Notifications

Our mobile apps request permission to send push notifications. These are used to alert you about invoice activity, payment updates, and important account events. You can disable push notifications at any time through your device settings. We store a device token to deliver notifications — this token is automatically removed when you log out. You can also delete it by uninstalling the app or revoking notification permissions.

7. Cookies and Local Storage

We use essential cookies to maintain your authenticated session. We do not use advertising or tracking cookies. Our analytics provider (PostHog) may use cookies or local storage to distinguish unique visitors — this data is anonymised and not linked to your account.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data, business records, invoices, customer data, and device tokens are permanently removed within 30 days. Anonymised analytics data may be retained indefinitely as it cannot be linked back to you.

9. Your Rights

Depending on your jurisdiction (including under UK GDPR and EU GDPR), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your account and data
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request we limit processing of your data
  • Objection — object to processing based on legitimate interests

You can exercise most of these rights through your account settings. For any other requests, contact us at the address below.

10. International Data Transfers

Our primary infrastructure is in the United Kingdom (DigitalOcean London region). Some third-party providers (Stripe, OpenAI, PostHog, Sentry) may process data in the United States or other jurisdictions. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including standard contractual clauses.

11. Children's Privacy

InvoiceAdept is a business invoicing and payment platform intended for use by adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will send a notification via email or in-app message. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: [email protected]
