GDPR & Your Data Rights

1. Our commitment to GDPR

InvoiceFlow Ltd takes data protection seriously. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set out strict rules about how organisations collect, use, store, and share personal data. We are committed to complying with those rules in full.

In practical terms, this means:

• We only collect personal data that is necessary for a specific, legitimate purpose.
• We are transparent about what we collect and how we use it.
• We do not sell personal data or share it with advertisers.
• We implement appropriate technical and organisational security measures to protect the data we hold.
• We respect and facilitate your legal rights over your personal data.
• We maintain records of our processing activities as required by Article 30 of UK GDPR.

2. Your rights under UK GDPR

As a data subject, you have the following rights. We will respond to any request within 30 days.

3. Lawful basis for processing

Under UK GDPR, every processing activity must have a lawful basis. InvoiceFlow relies on the following:

• Article 6(1)(b) — Contract: processing your account data, billing information, and invoice content is necessary to fulfil the contract between us when you subscribe to InvoiceFlow.
• Article 6(1)(f) — Legitimate interests: we process usage data and error reports to improve and secure the platform. Our legitimate interests are not overridden by your rights and freedoms, as this processing is low-risk and anonymised where possible.
• Article 6(1)(c) — Legal obligation: we are required by UK law (in particular HMRC requirements) to retain certain financial records for a minimum of six years.
• Article 6(1)(a) — Consent: we will only send optional marketing or newsletter communications with your explicit prior consent. You can withdraw consent at any time via the unsubscribe link in any such email.

We do not process any special category data (Article 9) or data relating to criminal convictions (Article 10).

4. Data we process and why

• Account data (name, email, business name, hashed password): to create and authenticate your account, and to identify you if you contact support.
• Billing data (card last four digits, expiry, billing postcode): to manage subscription billing. Full card numbers are processed directly by Stripe and are never held on our servers.
• Invoice and customer data (customer names, addresses, invoice amounts, VAT): the core output of using the platform. This data belongs to you and is processed solely to provide the Service.
• Usage data (pages visited, features used, session length, browser/OS): to understand aggregate product usage and improve the application. Processed under legitimate interests.
• Support communications (email threads, submitted queries): to resolve your enquiries and improve our support offering. Retained for two years.

For full details, see our Privacy Policy.

5. Our data processors

We use the following third-party data processors. All are bound by data processing agreements and are required to process your data only on our instruction:

6. International data transfers

Some of our data processors operate in or transfer data to countries outside the UK and EEA. Where this occurs, we ensure that an appropriate safeguard is in place as required by UK GDPR Article 46. This typically takes the form of:

• A UK International Data Transfer Agreement (IDTA) based on the ICO's approved template, or
• The processor's binding corporate rules, or
• An adequacy decision made by the UK government for the destination country.

We do not transfer data to countries that lack adequate protections without an appropriate safeguard in place.

7. Data retention

• Account and invoice data: retained for the lifetime of your subscription, then deleted within 30 days of account closure. You may export your data at any time before deletion.
• Billing records: retained for 7 years to comply with HMRC requirements under the Finance Act.
• Support communications: retained for 2 years from the date of the last message in the thread.
• Usage and analytics data: stored in aggregated, anonymised form with no retention limit.
• Backups: encrypted backups are retained for a maximum of 90 days; after that window, deleted data cannot be restored.

8. How to make a data request

To exercise any of your rights under UK GDPR, you can:

• Export your data directly: go to Settings › Account › Export Data within the application for an immediate download of your invoices, customer list, and account details in JSON and CSV format.
• Email a formal request: send a request to privacy@invoiceflow.app. Include your full name, the email address associated with your account, a description of the request you are making, and proof of identity (a copy of a photo ID). This is required to protect your data from unauthorised disclosure.

We will acknowledge your request within 5 working days and fulfil it within 30 days. Complex or multiple requests may take up to 90 days; if so, we will notify you of the extension within the initial 30-day period.

We do not charge a fee for handling data requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.

9. Complaints and the ICO

If you are not satisfied with how we have handled your personal data or responded to a request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

• ICO website: ico.org.uk/make-a-complaint
• ICO helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always appreciate the opportunity to resolve any concern directly before you contact the ICO. Please reach out to us first at privacy@invoiceflow.app.