Get started

Privacy Policy

Last updated: 23 April 2026

This Privacy Policy explains how inv.so ("we", "us") collects, uses, and protects your personal data. By using inv.so you agree to this policy. We aim for plain language, not legal smoke.

1. What we collect

  • Account data: name, email, password (handled by Clerk).
  • Business data: company name, address, tax ID, bank details — for invoice generation.
  • Client data you upload: client names, emails, addresses, currency preferences.
  • Invoice content: line items, amounts, notes, attached templates.
  • Payment data: handled by Stripe. We never see or store your full card number.
  • Usage data: page views, feature usage, errors. Captured via Umami / Google Analytics 4 / Sentry.
  • Logs: request metadata (IP, user agent, timestamps) retained briefly for security and debugging.

2. How we use it

  • Operate the Service — generate invoices, send emails, take payments, manage your subscription.
  • Communicate with you — service-critical emails (trial-end reminder, payment failed, security alerts).
  • Improve the product — aggregate usage analytics, error tracking, A/B tests.
  • Comply with legal obligations — tax reporting, fraud prevention, court orders.

We do not sell your personal data. We do not share your invoice content for marketing.

3. Sub-processors

We use the following third parties to operate the Service. Each receives only the data they need:

  • Cloudflare — hosting, CDN, database (D1), object storage (R2), PDF rendering.
  • Clerk — authentication, user identity.
  • Stripe — payment processing, subscription management, tax calculation.
  • Resend — transactional email (invoice delivery, account notices).
  • Sentry — error tracking and performance monitoring.
  • Umami / Google Analytics 4 — privacy-friendly product analytics.

Each sub-processor has its own privacy practices. We choose vendors that meet GDPR / SCC requirements where applicable.

4. Cookies & similar

We use strictly necessary cookies for authentication and session management, and analytics cookies to understand product usage. You can disable non-essential cookies in your browser settings. We do not use advertising cookies.

5. Data retention

We retain your account and invoice data for as long as your account is active. After deletion, data is removed from production systems within 30 days. Backups roll off within 90 days.

We retain certain records (tax invoices, payment receipts) for the period required by applicable law, typically 7 years.

6. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your data, and to object to or restrict certain processing. EU/UK residents have rights under the GDPR; California residents have rights under the CCPA.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. International transfers

Your data may be processed in countries outside your own. We rely on Standard Contractual Clauses and equivalent safeguards where required.

8. Security

We use industry-standard practices: TLS encryption in transit, encryption at rest where supported, scoped access controls, and regular security review. No system is perfectly secure; we will notify affected users of any incident that materially impacts their data, in line with applicable law.

9. Children

inv.so is not intended for use by anyone under 18. We do not knowingly collect data from children.

10. Changes to this policy

We may update this policy occasionally. Material changes will be communicated by email or in-app notice. The "Last updated" date above always reflects the current version.

11. Contact

Privacy questions, data requests, complaints: [email protected].