Privacy Policy

Last updated: January 2024

Introduction

Invicing ("we," "our," or "us") is committed to protecting your privacy and the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure PayPal invoicing platform.

As a financial platform, we take data protection extremely seriously. We employ bank-level encryption and follow industry best practices to ensure your sensitive information remains secure.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Organization name
  • Password (stored in hashed form)

PayPal Credentials

To enable invoicing functionality, you may provide PayPal API credentials. These are:

  • Encrypted immediately upon receipt using AES-256-GCM encryption
  • Stored in encrypted form only — we cannot view your raw credentials
  • Decrypted only in secure memory during authorized API operations
  • Never logged, displayed, or transmitted in unencrypted form

Usage Data

We automatically collect certain information when you use our service:

  • IP addresses (for security and audit logging)
  • Browser type and version
  • Pages visited and features used
  • Timestamps of actions taken
  • Invoice creation and status data

Payment Information

When you purchase credits, payment is processed through Stripe. We do not store complete credit card numbers. Stripe handles payment data in accordance with PCI-DSS standards.

How We Use Your Information

We use collected information to:

  • Provide and maintain our invoicing service
  • Process PayPal invoice operations on your behalf
  • Send service-related notifications and updates
  • Maintain audit logs for security and compliance
  • Process payments and manage billing
  • Respond to customer support requests
  • Detect and prevent fraudulent activity
  • Improve our service and develop new features

Data Security

We implement comprehensive security measures to protect your data:

  • Encryption at Rest: All sensitive data is encrypted using AES-256-GCM
  • Encryption in Transit: All connections use TLS 1.3 with perfect forward secrecy
  • Access Controls: Strict role-based access limits who can access what data
  • Infrastructure: Our platform runs on SOC 2 Type II certified infrastructure
  • Audit Logging: All access and operations are logged for security review
  • Regular Audits: We conduct regular security assessments and penetration testing

Data Sharing

We do not sell your personal information. We may share data with:

  • PayPal: To execute invoice operations you request
  • Stripe: To process payments (they act as an independent controller)
  • Service Providers: Who help us operate our platform (hosting, email, analytics) under strict confidentiality agreements
  • Legal Requirements: When required by law, court order, or to protect our rights

Data Retention

We retain your data for as long as your account is active or as needed to provide services. After account deletion:

  • Account data is deleted within 30 days
  • Encrypted credentials are deleted immediately
  • Audit logs may be retained for up to 7 years for compliance purposes
  • Anonymized analytics data may be retained indefinitely

Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to certain processing activities
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at [email protected].

Cookies

We use essential cookies to:

  • Maintain your login session
  • Remember your preferences
  • Protect against CSRF attacks

We do not use cookies for advertising or tracking purposes.

Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

International Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for any international data transfers, including standard contractual clauses where required.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our service. Continued use after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact: