Privacy Policy

Effective Date: April 2026 · Last Updated: April 28, 2026

InvoiceGenie ("we," "us," or "our") is operated by Ali Munir, based in Germany. We operate the InvoiceGenie platform, an AI-powered invoicing service. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

This policy applies to users in all jurisdictions where InvoiceGenie operates, including Germany, the United Arab Emirates, and the United States.

Summary: We collect the information you provide to create and send invoices. We do not sell your data. We do not use your data for advertising. AI processing is used only for prompt-to-invoice parsing and your data is not used to train AI models.

1. Information We Collect

1.1 Account Information

When you register for InvoiceGenie, we collect:

  • Email address (used for login and system communications)
  • Full name
  • Password (hashed, never stored in plaintext) or OAuth provider data (Google, Apple sign-in)
  • Language and timezone preference

1.2 Business Information

Information you add to your workspace for invoice generation:

  • Company name, address, and contact details
  • Tax identification number (VAT ID, tax number)
  • Bank account details (IBAN, BIC, account holder name)
  • Company logo (uploaded images)
  • Default currency and invoice numbering preferences

1.3 Invoice and Client Data

  • Client names, email addresses, CC email addresses, and billing addresses
  • Invoice line items, quantities, amounts, tax rates, and discounts
  • Invoice notes, payment terms, and due dates
  • Generated PDF invoices

1.4 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or bank account details on our servers. We store only your Stripe customer ID and subscription status.

1.5 Usage Data

We collect aggregate platform usage data such as the number of invoices created, PDFs generated, and emails sent. This data is used for quota enforcement and service improvement and is not shared externally.

1.6 Technical Data

We collect IP addresses during account registration for security purposes. We do not use tracking cookies, analytics services, or third-party advertising pixels.

2. How We Use Your Information

We use your information exclusively to:

  • Generate invoices: Create, store, and render PDF invoices using your business and client data
  • Deliver invoices: Send invoice PDFs to your clients via email
  • AI prompt parsing: When you use the AI input feature, your text prompt is sent to OpenAI to extract structured invoice data (items, amounts, client details)
  • Process payments: Manage your subscription through Stripe
  • Maintain your account: Authentication, workspace management, quota enforcement, customer support
  • Communicate with you: Transactional emails (invoice delivery, account notifications, feedback responses), service updates, and security notices

We never:

  • Sell your data to third parties
  • Use your data for advertising or marketing profiling
  • Train AI models on your invoice data or business information
  • Share your data with other InvoiceGenie customers

3. Third-Party Services (Sub-processors)

We use the following third-party services to operate InvoiceGenie. Each is bound by its own privacy policy and data processing terms:

Service | Purpose | Data Shared | Location
Supabase | Database hosting and authentication | All application data (encrypted at rest via AES-256 and in transit via TLS) | United States (AWS)
OpenAI (GPT-4o-mini) | AI invoice prompt parsing | Text prompt input only (processed in real-time, not used for model training per OpenAI's API data usage policy) | United States
Stripe | Payment processing | Email, payment method details (handled by Stripe) | United States
DigitalOcean Spaces | PDF invoice storage | Generated PDF files (encrypted at rest) | Germany (Frankfurt, FRA1)
DigitalOcean VPS | Workflow processing (n8n automation server) | Invoice data in transit during PDF generation and email sending | Germany (Frankfurt, FRA1)
Gotenberg | HTML-to-PDF conversion | Invoice HTML templates (processed locally on our DigitalOcean VPS, no external transmission) | Germany (Frankfurt, FRA1)
Resend | Transactional email delivery | Recipient email addresses, email subject and body content, PDF attachments | United States
Vercel | Frontend hosting and CDN | Static assets and server-side rendering | Global (edge network)

We will notify customers at least 14 days before engaging any new sub-processor that handles personal data. If you have concerns about a new sub-processor, contact us at privacy@invoicegenie.ai.

4. Data Retention

4.1 Account Data

Account information is retained for the duration of your subscription. If you request account deletion, your data is permanently deleted within 30 days. If you cancel your subscription without requesting deletion, your account data is retained for 90 days (to allow reactivation), after which it is permanently deleted.

4.2 Invoice Data

Invoice records (metadata, line items, client information) are retained in the database while your account is active.

4.3 PDF Files

Generated PDF invoices are stored in DigitalOcean Spaces (Frankfurt). Retention periods depend on your plan:

Plan | PDF Retention
Free | 90 days
Basic ($9.99/month) | 2 years
Pro ($29.99/month) | 5 years

4.4 AI Prompt Data

Text prompts sent to OpenAI for invoice parsing are processed in real-time and are not stored by InvoiceGenie after the structured data is extracted. OpenAI's API data usage policy states that API inputs and outputs are not used to train their models.

5. Data Security

We implement the following security measures:

  • Encryption in transit: All data transmitted between your browser, our servers, and third-party APIs uses TLS encryption (HTTPS)
  • Encryption at rest: Database storage is encrypted using AES-256 managed by Supabase. PDF storage is encrypted at rest by DigitalOcean Spaces
  • Access control: Row-Level Security (RLS) policies on database tables ensure each customer can only access their own data. Workspaces are fully isolated
  • Authentication: Powered by Supabase Auth with secure session management. Passwords are hashed using bcrypt. OAuth 2.0 for Google and Apple sign-in
  • PDF access control: PDF files are served through signed URLs that expire and are never directly accessible via public URLs
  • Secret management: API keys and tokens are stored in encrypted environment variables on our servers, never in source code or client-side files

About our frontend code: The Supabase anonymous key visible in our frontend code is designed to be public — it only allows operations permitted by our Row-Level Security policies. All secret keys (API keys, service credentials) are stored securely on our backend servers and are never exposed in client-side code.

6. Your Rights

6.1 For All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (completed within 30 days of verified request)
  • Export: Request an export of your data in a machine-readable format

6.2 For EU/EEA Residents (EU GDPR)

If you are located in the European Union or European Economic Area, the EU General Data Protection Regulation (Regulation 2016/679) applies to our processing of your personal data. In addition to the rights listed above, you have the right to:

  • Object to processing based on legitimate interest
  • Restrict processing under certain conditions
  • Data portability (receive your data in a structured, commonly used format)
  • Lodge a complaint with your local supervisory authority
  • Not be subject to automated decision-making with legal effects (InvoiceGenie's AI parsing is a convenience tool only and does not produce legal effects or similarly significant decisions)

Legal basis for processing: (a) Contractual necessity — providing the service you subscribed to (Article 6(1)(b)); (b) Legitimate interest — improving service quality and security (Article 6(1)(f)); (c) Consent — where applicable, such as for optional features (Article 6(1)(a)).

Data transfers: Where your data is transferred outside the EEA (to services hosted in the United States), we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.

6.3 For German Residents

In addition to EU GDPR rights, the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG") applies. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the relevant state data protection authorities serve as supervisory authorities.

6.4 For UAE Residents (PDPL)

If you are located in the United Arab Emirates, the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") applies.

  • Legal basis: Performance of a contract (providing the InvoiceGenie service) and your explicit consent obtained during account registration
  • Your rights: Access, correction, erasure, restriction, objection to processing, data portability, and the right to withdraw consent at any time
  • Cross-border transfers: Your data is transferred to the United States for processing (database, AI, payment processing). We rely on contractual safeguards and your explicit consent. PDF files are stored in Germany (Frankfurt)
  • Complaints: You have the right to lodge a complaint with the UAE Data Office

6.5 For California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with specific rights:

  • Right to know: You can request details about the categories and specific pieces of personal information we collect
  • Right to delete: You can request deletion of your personal information (completed within 45 days of verified request)
  • Right to opt-out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to correct: You can request correction of inaccurate personal information

6.6 For US Residents (Other States)

InvoiceGenie's privacy controls — including data minimization, configurable retention, and the right to deletion — satisfy the requirements of current US state privacy laws.

7. Data Breach Notification

In the event of a data breach that affects your personal data:

  • We will notify affected users via email within 72 hours of becoming aware of the breach
  • We will notify the relevant supervisory authority within 72 hours where required by law, including the relevant EU supervisory authority (for EU residents) and the UAE Data Office (for UAE residents)
  • Notification will include the nature of the breach, the data affected, likely consequences, and the measures we are taking to address it

8. International Data Transfers

InvoiceGenie processes data across multiple locations. Here is exactly where your data flows:

Processing Activity | Service | Location
Workflow processing (n8n server) | DigitalOcean VPS | Frankfurt, Germany (FRA1)
PDF generation (Gotenberg) | DigitalOcean VPS | Frankfurt, Germany (FRA1)
PDF storage | DigitalOcean Spaces | Frankfurt, Germany (FRA1)
Database storage | Supabase (AWS) | United States
AI prompt parsing | OpenAI API | United States (transient — not stored)
Payment processing | Stripe | United States
Email delivery | Resend | United States
Frontend hosting | Vercel | Global (edge network)

For transfers from the EU/EEA to the United States, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. For UAE transfers, we rely on contractual safeguards and your explicit consent.

9. AI Processing

InvoiceGenie uses artificial intelligence (OpenAI's GPT-4o-mini) to parse natural language prompts into structured invoice data. This processing is a convenience feature only — it does not produce automated decisions with legal effects. You are responsible for reviewing all invoice details before sending.

OpenAI's API operates under their data usage policy: API inputs and outputs are not used to train their models. Your prompt text is processed in real-time and is not stored by InvoiceGenie after the structured data is extracted.

The AI feature is optional. You can create invoices entirely through manual form input without using AI parsing.

10. Children's Privacy

InvoiceGenie is a business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries, data access requests, or concerns: