Privacy Policy

1. Introduction

InvoiceBirds ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our invoicing and billing software platform, including our website at invoicebirds.com and all related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your full name, email address, and password (stored in hashed form). If you sign up for a paid plan, payment information is collected and processed directly by Stripe — we do not store credit card numbers on our servers.

2.2 Business Data

To provide our invoicing services, we store information you enter, including:

• Business name, address, logo, and website
• Client contact details and billing addresses
• Invoice, estimate, proposal, and contract data
• Expense records and payment history
• Tax settings, rates, and configurations
• Currency preferences and exchange rate lookups

2.3 Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, actions taken, timestamps, device type, operating system, browser type, IP address, and referring URLs. This data is collected through server logs and analytics tools.

2.4 Communications Data

When you send invoices, estimates, proposals, or contracts through InvoiceBirds, we process the recipient email addresses and message content to deliver documents on your behalf. We also retain records of these communications for your reference.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: To provide, operate, and maintain the invoicing and billing platform
• Payment processing: To process subscription payments and facilitate client payment collection through Stripe
• Document delivery: To send invoices, estimates, proposals, and contracts to your clients on your behalf
• Financial reporting: To generate tax reports, revenue summaries, and financial analytics
• Account management: To manage your subscription, authenticate your identity, and provide customer support
• Service communications: To send account notifications, security alerts, subscription updates, and product announcements
• Service improvement: To analyze usage patterns, diagnose technical issues, and improve features
• Security: To detect, prevent, and respond to fraud, abuse, or unauthorized access
• Legal compliance: To comply with applicable laws, regulations, and legal processes

4. Payment Processing

We use Stripe as our payment processor for both subscription billing and client payment collection. When you make a payment or connect a Stripe account:

• Payment card information is processed directly by Stripe and is never stored on our servers
• Stripe may collect additional information as described in Stripe's Privacy Policy
• We receive limited transaction data from Stripe (amounts, dates, status) to display in your dashboard
• A 1% InvoiceBirds service fee is applied to client payments collected through Stripe, as described in our Terms of Service

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share information only with the following categories of recipients, and only to the extent necessary:

• Stripe — For payment processing, subscription management, and fraud prevention
• Supabase — For secure database hosting and authentication infrastructure
• Email delivery services — To send invoices, notifications, and transactional emails on your behalf
• Exchange rate providers — To fetch current currency exchange rates (no personal data shared, only currency codes)
• Analytics providers — Aggregated, anonymized usage data to improve our service (no personally identifiable information)
• Legal authorities — When required by law, subpoena, or court order, or to protect our rights, safety, or property

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you via email before your data is subject to a different privacy policy.

6. Data Storage & Security

Your data is stored securely using Supabase, which provides enterprise-grade infrastructure. We implement the following security measures:

• SSL/TLS encryption for all data in transit
• AES-256 encryption for data at rest
• Row-level security (RLS) policies ensuring users can only access their own data
• Secure password hashing (bcrypt)
• Regular security reviews and monitoring
• Automated session management and token expiration

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords.

7. Data Retention

We retain your data according to the following schedule:

• Active accounts: Data is retained for as long as your account is active and you continue to use the Service
• Closed accounts: After account closure, we retain your data for 30 days to allow for reactivation or data export. After this period, data is permanently deleted
• Financial records: Certain transaction records may be retained for up to 7 years as required by tax and financial regulations
• Server logs: Usage and access logs are retained for 90 days for security and debugging purposes
• Backups: Encrypted backups may contain your data for up to 30 days after deletion from production systems

8. International Data Transfers

Your data may be processed and stored in countries outside your country of residence, including the United States and the European Union. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all third-party providers
• Compliance with applicable data transfer regulations

9. Cookies & Tracking Technologies

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and language preferences. These cannot be disabled.
• Functional cookies: Remember your settings and preferences (e.g., currency, timezone) to enhance your experience.
• Analytics cookies: Help us understand how users interact with the Service through aggregated, anonymized data. These can be managed through your browser settings.

We do not use advertising cookies or third-party tracking pixels. You can manage cookie preferences through your browser settings, though disabling essential cookies may affect Service functionality.

10. Your Rights — GDPR (EEA Users)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Right to restrict processing: Request that we limit how we use your data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests or direct marketing
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent
• Right to lodge a complaint: File a complaint with your local Data Protection Authority

Legal basis for processing: We process your data based on: (a) contract performance (providing the Service), (b) legitimate interests (improving the Service, security), (c) consent (marketing communications), and (d) legal obligations (tax and regulatory compliance).

To exercise any of these rights, contact us at support@invoicebirds.com. We will respond within 30 days.

11. Your Rights — CCPA/CPRA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, and the business purposes for collection
• Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions
• Right to correct: Request correction of inaccurate personal information
• Right to opt out: Opt out of the sale or sharing of personal information. Note: InvoiceBirds does not sell or share your personal information for cross-context behavioral advertising
• Right to limit use of sensitive information: Direct us to limit the use of sensitive personal information to purposes necessary for providing the Service
• Right to non-discrimination: Exercise your privacy rights without receiving discriminatory treatment

Do Not Sell or Share My Personal Information: We do not sell your personal information, nor do we share it for cross-context behavioral advertising purposes. We have not done so in the preceding 12 months.

Automated Decision-Making: We do not use automated decision-making technology that produces legal or similarly significant effects on you. Basic automated processes (e.g., subscription management, invoice calculations) are used solely to operate the Service.

To exercise your CCPA rights, contact us at support@invoicebirds.com or submit a request through your account settings. We will verify your identity before processing any request and respond within 45 days.

12. Children's Privacy

InvoiceBirds is a business tool not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at support@invoicebirds.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

• We will notify you via email at least 30 days before changes take effect
• We will update the "Last updated" date at the top of this page
• We may display a notice within the Service

We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: