LEGAL

Privacy Policy

We take your privacy seriously. This policy explains exactly what data InvoiceLabs collects, why we collect it, and how it's handled.

Last updated: 8 June 2026

1. Who we are

InvoiceLabs is an invoicing platform for freelancers and small businesses. We are the data controller for the personal data you provide when creating an account or using the service.

For privacy-related enquiries or to exercise your rights, contact us at: support@invoicelabs.io

2. Data we collect

Account data

Your name, email address, and hashed password when you create an account. This is managed through Supabase Auth.

Business data

Company names, contact details, and branding assets you upload. Client names, email addresses, and postal addresses. Invoice content including line items, amounts, and payment terms.

Payment data

Subscription billing is handled entirely by Stripe. We store only your Stripe customer ID and subscription status — we never see or store card numbers. If you enable card payments on invoices via Stripe Connect, your Stripe Connect account ID is stored.

Usage data

Invoice view events (whether a client has opened an invoice link) and email delivery logs (timestamp, recipient address, send status). These are used solely to provide the invoice tracking features.

3. Why we collect it (legal basis)

InvoiceLabs is subject to UK GDPR. We process your data under the following legal bases:

Contract performance

Account data, business data, and payment data are processed to provide the service you signed up for.

Legitimate interest

Usage logs and email delivery records are retained to provide invoice tracking features and maintain service reliability.

Legal obligation

Financial records are retained for a minimum of six years in accordance with UK law.

4. Who we share your data with

We do not sell your data. We share it only with the service providers required to operate InvoiceLabs:

Supabase

Database hosting and authentication. All account and business data is stored on Supabase infrastructure with encryption at rest and in transit.

Stripe

Subscription billing and, for users who enable it, client card payment processing via Stripe Connect. Stripe is PCI DSS compliant and processes payment data under its own privacy policy.

Postmark

Transactional email delivery. When you send an invoice by email, the recipient address and invoice PDF are passed to Postmark for delivery.

5. How long we keep it

Active account data — retained for the life of your account. If you delete your account, personal data is removed within 30 days.

Invoice and financial data — retained for a minimum of six years from the invoice date to comply with UK financial record requirements. You may export your data at any time before deletion.

Email delivery logs — retained for 12 months, then automatically deleted.

Invoice view events — retained for the life of the invoice.

6. Your rights

Under UK GDPR you have the right to:

  • Access: Request a copy of the personal data we hold about you.

  • Rectification: Ask us to correct inaccurate or incomplete data.

  • Erasure: Request deletion of your data, subject to legal retention obligations.

  • Portability: Receive your data in a structured, machine-readable format.

  • Objection: Object to processing based on legitimate interest.

To exercise any of these rights, email support@invoicelabs.io. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Cookies & storage

InvoiceLabs uses cookies and localStorage solely for session management via Supabase Auth. No advertising, tracking, or analytics cookies are used. You can clear session data at any time by signing out or clearing your browser storage.

8. Security

All data is encrypted in transit (TLS) and at rest. Passwords are never stored in plain text. Access to production data is restricted to authorised personnel only. Stripe handles all payment card data and is PCI DSS Level 1 certified — card numbers never touch our servers.

9. Changes to this policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

Questions?

If you have any questions about this Privacy Policy or how your data is handled, we're happy to help.

support@invoicelabs.io