Data Processing Agreement

This agreement governs how InvoiceLabs processes personal data on behalf of its users in accordance with UK GDPR and the Data Protection Act 2018.

Last updated: 8 June 2026

1. Parties

Data Processor — Black Flame Digital

The company that operates InvoiceLabs and processes personal data on your behalf. Contact: support@invoicelabs.io.

Data Controller — You (the InvoiceLabs user)

The individual or business that has created an InvoiceLabs account and determines the purposes for which client personal data is used.

By using InvoiceLabs, you agree to the terms of this Data Processing Agreement. This agreement forms part of, and is subject to, our Privacy Policy.

2. Subject matter and nature of processing

Black Flame Digital processes personal data solely to provide the InvoiceLabs service — specifically to store, display, and transmit invoice and client data as directed by you.

We act only on your instructions. We will never use your clients' personal data for our own purposes, sell it to third parties, or process it in any way beyond what is necessary to operate the service.

3. Categories of personal data processed

The following categories of personal data belonging to your clients may be processed through InvoiceLabs:

Identity data: Client names and business names.

Contact data: Email addresses and postal addresses.

Financial data: Invoice amounts, line items, payment terms, and payment status.

Online identifiers: Invoice view events (whether a client has opened a public invoice link).

4. Duration

We process personal data for as long as you maintain an active InvoiceLabs account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law (invoice and financial records are retained for a minimum of six years under UK law). You may export all your data at any time before deletion.

5. Our obligations as data processor

Process only on your instructions: We will only process personal data to provide InvoiceLabs and as described in this agreement.

Confidentiality: All staff and contractors with access to personal data are bound by confidentiality obligations.

Security: We implement appropriate technical and organisational measures including encryption at rest, TLS in transit, and access controls.

Sub-processors: We will not engage new sub-processors without informing you. Our current sub-processors are listed in section 6.

Assist with data subject rights: We will help you respond to access, erasure, or portability requests from your clients within reasonable timeframes.

Notify of breaches: We will notify you without undue delay (and within 72 hours where feasible) if we become aware of a personal data breach affecting your data.

Deletion on termination: On account closure, we will delete or return your data as described above, unless retention is legally required.

6. Sub-processors

To provide InvoiceLabs, we share data with the following sub-processors. Each is bound by a data processing agreement with us and provides adequate data protection guarantees.

Supabase

Purpose: Database hosting and authentication

Data shared: All account and business data

Location: European Union

Stripe

Purpose: Subscription billing and client card payment processing

Data shared: Subscription status, Stripe customer ID, and (if card payments enabled) Stripe Connect account ID

Location: United States (covered by Standard Contractual Clauses)

Postmark

Purpose: Transactional email delivery

Data shared: Recipient email addresses and invoice PDFs when you send an invoice by email

Location: United States (covered by Standard Contractual Clauses)

7. Your obligations as data controller

As the data controller for your clients' personal data, you are responsible for:

Having a lawful basis to collect and store your clients' personal data.

Providing your clients with a privacy notice that explains how their data is used, including that it is stored on InvoiceLabs.

Ensuring the personal data you enter is accurate and kept up to date.

Handling any data subject requests (access, erasure, etc.) from your clients, with our assistance where needed.

8. International data transfers

Some of our sub-processors (Stripe and Postmark) are based in the United States. Where data is transferred outside the UK or EEA, we ensure it is protected by appropriate safeguards — specifically, Standard Contractual Clauses (SCCs) approved by the relevant supervisory authorities.

9. Changes to this agreement

If we make material changes to this agreement — such as adding a new sub-processor — we will notify you by email at least 14 days before the changes take effect. Continued use of InvoiceLabs after that date constitutes acceptance of the updated agreement.

Questions about this agreement?

If you have questions about how we process your clients' data or need help responding to a data subject request, contact us at support@invoicelabs.io.