Privacy Policy

1. Who We Are

InvoiceFlows ("we", "us", "our") operates the InvoiceFlows platform at invoiceflows.net. We provide AI-powered invoice management and payment reminder services for small businesses.

2. Data We Collect

Account data (provided by you)

• Email address and password (for authentication via AWS Cognito)
• Company name and logo (optional, for branding)
• Custom email domain (optional, for branded sending)

Invoice data (provided by you)

• Client names and email addresses
• Invoice numbers, amounts, dates, and line item descriptions
• Payment records and notes

Automatically collected

• Usage logs (which features you use, for billing and service operation)
• Email delivery status (sent, bounced, complained — for deliverability monitoring)
• IP addresses (for rate limiting and security only — not for tracking)

3. What We Do NOT Collect

• We do not use analytics or tracking cookies
• We do not use third-party advertising pixels or trackers
• We do not collect browsing behavior, device fingerprints, or location data
• We do not monitor your usage for profiling or ad-targeting purposes

4. How We Use Your Data

Your data is used exclusively to provide the InvoiceFlows service:

• To create and manage your invoices
• To generate and send AI-powered reminder emails on your behalf
• To generate branded PDF invoices
• To process your subscription payments via Stripe
• To monitor email deliverability and protect our sending reputation
• To provide customer support when you contact us

5. Emails We Send You

We do not send marketing emails. The only emails you will ever receive from InvoiceFlows are:

• Account verification and password reset emails (via AWS Cognito)
• Trial expiry notification (once, 3 days before your trial ends)
• Service-critical notices (e.g., planned maintenance, security alerts)
• Replies to support requests you initiate

There is no newsletter. There is no "tips and tricks" email series. If you receive an email from us, it is because the service needs to communicate something to you.

6. Third-Party Services

We use the following third-party services to operate InvoiceFlows. Each processes data only as necessary to provide their specific function:

• Amazon Web Services (AWS) — Infrastructure hosting, database (DynamoDB), authentication (Cognito), email delivery (SES), file storage (S3), and serverless compute (Lambda). Data is stored in the eu-west-2 (London) AWS region.
• Amazon Bedrock — AI service used to generate reminder email content. Invoice context (client name, amount, due date) is sent to the AI model to generate messages. No data is retained by the AI provider after processing.
• Stripe — Payment processing for subscriptions. Stripe stores your payment method and billing details under their own privacy policy. We do not store card numbers or bank details.
• Upstash — Rate limiting service. Stores only anonymized request counts by hashed identifiers. No personal data is stored.

We do not use any analytics services (Google Analytics, Mixpanel, etc.), advertising networks, or data brokers.

7. Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• After cancellation: Your data is retained for 30 days after account deletion, then permanently removed from our systems.
• Email delivery logs: Retained for 90 days for deliverability monitoring, then automatically deleted.
• Backups: DynamoDB point-in-time recovery is enabled. Backup data follows the same retention schedule as primary data.

8. Cookies

InvoiceFlows uses only strictly necessary cookies for authentication (AWS Cognito session tokens). These cookies are required for the Service to function and cannot be disabled.

We do not use advertising cookies, tracking cookies, or any non-essential cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR.

9. Your Rights

Under GDPR, UK GDPR, and applicable data protection laws, you have the right to:

• Access — Request a copy of all data we hold about you
• Rectification — Correct inaccurate data in your account settings
• Erasure — Request deletion of your account and all associated data
• Portability — Export your invoice data (CSV export is available in the app)
• Objection — Object to processing of your data

To exercise any of these rights, email us at privacy@invoiceflows.net. We will respond within 30 days.

10. Data Processing Agreement

When you use InvoiceFlows to send reminder emails to your clients, we act as a Data Processor on your behalf (you are the Data Controller). We process your clients' personal data (name, email address) solely to deliver the reminder emails you configure.

We do not use your clients' data for any other purpose. We do not contact your clients independently. We do not build profiles of your clients. The only interaction your clients have with us is receiving the reminder emails you choose to send.

11. Security

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS)
• Authentication is handled by AWS Cognito with enforced password complexity
• API routes are protected by rate limiting and CSRF protections
• Security headers (HSTS, CSP, X-Frame-Options) are enforced on all responses
• Access to production infrastructure is restricted to authorized personnel

12. Children

InvoiceFlows is a business tool and is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

For privacy-related questions or requests, contact us at privacy@invoiceflows.net.

For general support, contact us at support@invoiceflows.net.