Privacy Policy

Last updated: 24 December 2025

1. Introduction

This Privacy Policy explains how InvoxZero ("we", "us", or "our") collects, uses, discloses, and protects personal data when you access or use our website, applications, and APIs (the "Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Who We Are

Role under GDPR:

  • We act as a Data Controller for account, billing, and operational data
  • We act as a Data Processor for invoice and customer data processed on your behalf

3. Personal Data We Collect

3.1 Data You Provide Directly

We may collect:

  • Name and email address
  • Account credentials
  • Billing and payment metadata (handled primarily by third-party payment providers)
  • Support communications
  • Invoice data and document content you submit to the Service

3.2 Data Processed on Your Behalf

When you use InvoxZero to generate invoices or documents, you may upload or process:

  • Customer names and contact details
  • Business identifiers (e.g. VAT numbers)
  • Transaction details
  • Any other personal data included in invoices or PDFs

You are responsible for ensuring that you have a lawful basis to provide this data.

3.3 Automatically Collected Data

We may automatically collect:

  • IP address
  • Device and browser information
  • Usage logs and API request metadata
  • Diagnostic and performance data

4. How We Use Personal Data

We process personal data for the following purposes:

  • To provide and operate the Service
  • To generate invoices and documents as instructed by you
  • To manage accounts, authentication, and billing
  • To provide customer support
  • To maintain security, prevent abuse, and monitor performance
  • To comply with legal obligations

We do not sell personal data.

5. Legal Bases for Processing (GDPR)

Under GDPR, we rely on the following legal bases:

  • Contractual necessity – to provide the Service you request
  • Legitimate interests – to operate, secure, and improve the Service
  • Legal obligation – to comply with applicable laws
  • Consent – where explicitly required (e.g. certain communications)

6. Data Controller vs Data Processor

You are the Data Controller for any personal data included in invoices or documents you generate.

InvoxZero acts as a Data Processor, processing such data only on your documented instructions and solely to provide the Service.

Where required, a Data Processing Addendum (DPA) applies and is incorporated by reference into our Terms.

7. Data Sharing & Sub-Processors

We may share personal data with trusted third-party service providers ("sub-processors") strictly as necessary to operate the Service, including:

  • Cloud hosting and infrastructure providers
  • Email delivery services
  • Error monitoring and logging tools
  • Payment processors (e.g. Stripe)

All sub-processors are subject to contractual data protection obligations.

8. International Data Transfers

Personal data may be processed outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Equivalent lawful transfer mechanisms

9. Data Retention

We retain personal data only for as long as necessary to:

  • Provide the Service
  • Fulfil contractual obligations
  • Comply with legal requirements

You remain responsible for exporting, backing up, and deleting your invoice data as required.

10. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Access controls
  • Encryption in transit where appropriate
  • Infrastructure security best practices
  • Monitoring and logging

No system is 100% secure, but we take reasonable steps to protect your data.

11. Your GDPR Rights

If you are located in the EU/EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with a supervisory authority

Requests can be sent to support@invoxzero.com.

12. Cookies & Tracking

We may use essential cookies and similar technologies required for the operation and security of the Service. Non-essential cookies may be subject to consent where required by law.

13. Children's Data

The Service is not intended for children under 16. We do not knowingly collect personal data from children.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

Continued use of the Service constitutes acceptance of the updated Policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: