Privacy Policy

Your privacy is our priority. Learn how we collect, process, and protect your personal data in compliance with GDPR and international privacy laws.

Global Compliance

We comply with GDPR (EU), CCPA (California), and other international privacy regulations to protect your data worldwide.

Last updated: August 1, 2025

This Privacy Policy explains how re:invoices collects, uses, and protects your personal information when you use our AI-powered invoice management platform. We are committed to transparency and compliance with international privacy laws, including GDPR.

Data Controller & Contact

1. Data Controller Information

re:invoices acts as the data controller for the personal data processed through our platform. We are responsible for ensuring your data is processed lawfully, fairly, and transparently. Our registered office address and company details are available upon request.

2. Data Protection Officer Contact

For privacy-related inquiries, data protection concerns, or requests to exercise your rights, please contact our Data Protection Officer at: [email protected]. We respond to all privacy inquiries within 48 hours on business days.

3. EU Representative

For users in the European Union, our EU representative can be contacted for data protection matters. Contact details are available upon request for EU residents exercising their GDPR rights.

Data We Collect

4. Personal Information

We collect: email addresses, full names, phone numbers, company names, job titles, and billing addresses. This information is provided directly by you during account creation, profile setup, or when updating your account settings.

5. Invoice and Business Data

When you upload invoices, our AI-powered processing extracts and stores: vendor information (names, addresses, contact details), customer/billing information, financial data (amounts, tax information, currencies), invoice metadata (invoice numbers, dates, due dates), and the original document files.

6. AI Processing Data

Our AI system processes uploaded documents to extract text, identify patterns, and structure data. This includes: original document files, extracted text content, identified entities (vendor names, amounts, dates), and metadata about the extraction process.

7. System and Usage Data

We automatically collect: IP addresses, browser information, device identifiers, usage patterns, workspace activity, login timestamps, and error logs. This data helps us provide, secure, and improve our services.

Legal Basis for Processing

8. Contract Performance

We process your data to fulfill our contractual obligations, including: providing the invoice management service, processing your invoices with AI, managing your account and workspace, and providing customer support. This processing is necessary for the service you've subscribed to.

9. Legitimate Interests

We process data based on legitimate interests for: fraud prevention and security, service improvement and analytics, technical support and troubleshooting, and business communications. We balance these interests against your privacy rights.

10. Consent

Where required by law, we obtain your consent for: marketing communications, optional analytics and tracking, third-party integrations, and certain data processing activities. You may withdraw consent at any time through your account settings.

11. Legal Obligations

We process data to comply with legal requirements including: tax record keeping (7-year retention), anti-money laundering regulations, data breach notifications, and responding to lawful requests from authorities.

AI Processing & Automation

12. AI Invoice Processing

Our AI system, which runs on AWS Lambda in the US-East-1 region, processes your uploaded invoices to extract structured data: vendor identification, amount extraction, date parsing, and line item analysis. This processing automates your invoice management workflow.

13. Automated Decision-Making

We use automated systems for: invoice categorization and tagging, overdue invoice detection (daily automated process), vendor name matching, and workspace assignment. These decisions are made to improve efficiency and accuracy.

14. Your Rights Regarding AI Processing

You have the right to: request human review of AI-generated decisions, understand the logic behind automated processing, object to automated decision-making, and request manual processing of your invoices when technically feasible.

International Data Transfers

15. Data Processing Locations

Your data is processed in: AWS US-East-1 (primary invoice processing), Supabase global infrastructure (database and authentication), and Vercel global edge network (application hosting). We implement appropriate safeguards for all international transfers.

16. EU Data Protection

For European users, we ensure adequate protection through: Standard Contractual Clauses (SCCs) with all processors, regular transfer impact assessments, encryption in transit and at rest, and ongoing monitoring of international transfer compliance.

17. Data Localization Commitment

We are committed to providing EU-specific data storage options in the future. EU users will be notified when regional data storage becomes available, allowing you to choose your preferred data processing location.

Data Sharing & Third Parties

18. Service Providers

We share data with trusted service providers: AWS (invoice processing and storage), Supabase (authentication and database), Vercel (application hosting), and payment processors. All providers are bound by strict data protection agreements.

19. No Data Sales

We never sell, rent, or trade your personal data or invoice information to third parties for marketing or any other commercial purposes. Your data is only used to provide and improve our services to you.

20. Legal Disclosures

We may disclose data when required by law, such as: responding to valid legal requests, complying with court orders, preventing fraud or security threats, and protecting our legal rights. We will notify you of such disclosures when legally permitted.

Your GDPR Rights

21. Right to Access

You can request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used format within 30 days. This includes your profile data, invoice information, and processing records.

22. Right to Rectification

You have the right to correct any inaccurate or incomplete personal data. You can update most information directly through your account settings, or contact us for assistance with corrections.

23. Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data when: the data is no longer necessary, you withdraw consent, the data was unlawfully processed, or deletion is required for legal compliance. Some data may be retained for legal obligations.

24. Right to Data Portability

You can request your data in a portable format and transfer it to another service. We provide data export functionality through your account settings, including structured invoice data and account information.

25. Right to Object and Restrict Processing

You can object to processing based on legitimate interests or for direct marketing. You can also request restriction of processing while disputes are resolved. Contact us to exercise these rights.

Data Retention

26. Active Account Data

While your account is active, we retain your data to provide ongoing services. This includes your profile information, workspace data, and invoice records necessary for the functionality of your account.

27. Invoice Data Retention

Invoice data is retained for 7 years after account closure to comply with tax and business record keeping requirements. This includes the original documents, extracted data, and associated metadata.

28. Deleted Account Data

After account deletion, we retain certain data for 90 days for security and legal purposes, then permanently delete all personal data except where required by law. You will receive confirmation of data deletion.

29. System and Log Data

Technical logs and system data are retained for 12 months for security monitoring and troubleshooting. This includes IP addresses, error logs, and access records necessary for platform security.

Data Security

30. Technical Security Measures

We implement: encryption in transit (TLS 1.3) and at rest (AES-256), multi-factor authentication options, regular security audits and penetration testing, and hosting on service providers whose infrastructure is SOC 2 audited.

31. Access Controls

Data access is restricted through: role-based access control (RBAC), workspace-level data isolation, Row Level Security (RLS) in our database, and regular access reviews. Employees access data only as necessary for their job functions.

32. Infrastructure Security

Our infrastructure includes: 24/7 security monitoring, automated threat detection, regular security updates and patches, and compliance with industry standards. All service providers maintain enterprise-grade security certifications.

33. Data Breach Response

In case of a personal data breach, we will: notify the competent supervisory authority within 72 hours of becoming aware of the breach (where required), inform affected users without undue delay, investigate and contain the breach, and implement measures to prevent recurrence.

Cookies & Tracking

34. Essential Cookies

We use essential cookies for: user authentication and session management, workspace preferences and settings, security features and CSRF protection, and basic functionality. These cookies are necessary for the service to function.

35. Analytics and Performance

With your consent, we use analytics cookies to: understand usage patterns, improve service performance, identify and fix errors, and enhance user experience. You can manage these preferences in your account settings.

36. Cookie Management

You can control cookies through: your browser settings, our cookie preference center, account privacy settings, and opt-out mechanisms. Disabling non-essential cookies may affect certain features.

Regional Compliance

37. GDPR Compliance (EU)

For European users, we comply with all GDPR requirements including: lawful basis for processing, data subject rights, data protection by design and default, and breach notification procedures. Our EU representative handles regional compliance matters.

38. CCPA Compliance (California)

California residents have rights to: know what personal information is collected, delete personal information, opt-out of data sales (we don't sell data), and non-discrimination for exercising privacy rights. Contact us to exercise these rights.

39. Other Regional Laws

We monitor and comply with privacy laws in all jurisdictions where we operate, including: Canada's PIPEDA, Australia's Privacy Act, Brazil's LGPD, and other applicable regulations. We update our practices as laws evolve.

Policy Updates & Contact

40. Policy Updates

We review this Privacy Policy annually and update it as needed. Material changes will be communicated via: email notification to all users, prominent notice on our website, and in-app notifications. You can always access the current version here.

41. Contact Information

For privacy questions or to exercise your rights, contact us at: [email protected] (email), through our contact form, or by mail at our registered office address. We respond to privacy inquiries within 48 hours.

42. Supervisory Authority

EU residents have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of their habitual residence, place of work, or the place of the alleged infringement. We are committed to working with supervisory authorities to resolve any concerns about our data processing practices.

Exercise Your Privacy Rights

You have the right to access, correct, delete, or port your personal data. Contact us to exercise any of your privacy rights.

Quick Contact

Email: [email protected]

Response Time: Within 48 hours

EU Residents: Contact our EU representative for local support