Privacy policy

This notice describes how personal data is processed when you use Invoice Flow. Last updated: 21 April 2026.

1. Who is responsible?

The data controller for personal data processed through this application is the organization operating this Invoice Flow service.

Operators should set NEXT_PUBLIC_PRIVACY_CONTACT_EMAIL so users have a clear contact for privacy requests.

2. What data we process

  • Account: email address and a password stored only as a cryptographic hash (we do not store the plain password).
  • Business profile: company legal name, address, tax identifiers, phone, email, bank details you enter, and document settings (e.g. currency, invoice prefix).
  • Operational data: customers, products, invoices, quotations, credit notes, and debit notes you create — including any personal data you choose to store about your customers (names, emails, addresses, tax IDs, etc.).
  • Technical: HTTP cookies used strictly to keep you signed in (see below). The codebase does not embed any third-party advertising or analytics cookies.

3. Purposes and legal bases (GDPR)

We process this data to:

  • Provide the service (Art. 6(1)(b) GDPR — performance of a contract): authentication, storing your workspace, and generating documents you request.
  • Legitimate interests (Art. 6(1)(f) GDPR), where applicable: securing the service, preventing abuse, and maintaining availability — balanced against your rights.
  • Legal obligations (Art. 6(1)(c) GDPR), where applicable: e.g. tax or accounting rules that apply to you or to the controller.

Where local law requires consent for specific processing (for example certain marketing communications), we will ask separately; core account features do not rely on optional marketing consent.

4. Retention

Data is kept for as long as your account exists and as needed to provide the service. After you delete your account, associated personal data in this application is removed from our database, subject to any legal requirement to retain certain records separately.

5. Cookies

Invoice Flow uses only strictly necessary authentication cookies:

  • Access session cookie (approximately 15 minutes).
  • Refresh token cookie (approximately 7 days) to renew your session without storing passwords in the browser.

These cookies are httpOnly (not readable by page scripts) and SameSite=Lax, and in production they are sent only over HTTPS when the deployment is configured accordingly. They are required to use the logged-in application; if you decline them, you cannot stay signed in.
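As an added illustration (not Invoice Flow's own code), the following builds the two authentication cookies with the attributes stated above and audits a Set-Cookie header against them; the cookie names `access_token` and `refresh_token` and the `isProduction` flag are assumptions.

```javascript
// Added example, not the project's code. Cookie names and the isProduction
// flag are assumptions; lifetimes follow the notice above.
const ACCESS_MAX_AGE = 15 * 60;           // ~15 minutes, in seconds
const REFRESH_MAX_AGE = 7 * 24 * 60 * 60; // ~7 days, in seconds

// Build a Set-Cookie header value with the attributes the notice promises:
// HttpOnly (not readable by page scripts), SameSite=Lax, Secure in production.
function buildAuthCookie(name, value, maxAgeSeconds, isProduction) {
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'SameSite=Lax',
  ];
  if (isProduction) attrs.push('Secure');
  return attrs.join('; ');
}

function accessCookie(token, isProduction) {
  return buildAuthCookie('access_token', token, ACCESS_MAX_AGE, isProduction);
}

function refreshCookie(token, isProduction) {
  return buildAuthCookie('refresh_token', token, REFRESH_MAX_AGE, isProduction);
}

// Parse a Set-Cookie header and list which promised attributes are missing.
// Useful for checking a deployment's responses against this notice.
function auditAuthCookie(setCookieHeader, isProduction) {
  const parts = setCookieHeader.split(';').map((p) => p.trim());
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const [k, v] = part.split('=');
    attrs.set(k.toLowerCase(), v === undefined ? true : v);
  }
  const problems = [];
  if (!attrs.has('httponly')) problems.push('missing HttpOnly');
  if (String(attrs.get('samesite') || '').toLowerCase() !== 'lax') {
    problems.push('SameSite is not Lax');
  }
  if (isProduction && !attrs.has('secure')) problems.push('missing Secure in production');
  if (!attrs.has('max-age') && !attrs.has('expires')) problems.push('no expiry (session cookie)');
  return problems;
}
```

An empty array from `auditAuthCookie` means the header carries every attribute the notice describes.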

6. Recipients and transfers

Personal data is processed on infrastructure you or the controller choose (for example a VPS or cloud provider hosting the app and database). If data is transferred outside the European Economic Area, appropriate safeguards (such as Standard Contractual Clauses) should be documented by the controller where required.

7. Your rights

Depending on applicable law, you may have the right to:

  • Access your personal data and receive a copy in a portable format (use “Download my data” in your profile).
  • Rectify inaccurate data (update your business profile and records in the app).
  • Erase your data in many cases (use “Delete account” in your profile — this removes your workspace).
  • Restrict or object to certain processing, and to lodge a complaint with a supervisory authority.

To exercise rights that are not available in the app, use the contact details above. We may need to verify your identity before acting on a request.

8. Security

Passwords are hashed before storage. Authentication uses signed tokens in cookies. You should run production deployments over HTTPS, restrict database access, and keep secrets (JWT keys, database credentials) confidential.

9. Children

The service is intended for businesses and adults. It is not directed at children.

This text is provided to support GDPR transparency and is not legal advice. The controller should have the policy reviewed by qualified counsel for your jurisdiction and hosting setup.