Legal
InvoicePrepper is operated by an individual based in Canada. This policy applies to all users globally.
Account: email and hashed password. Plaintext passwords are never stored.
Profile: business name, address, contact details, payment link, and logo (only what you choose to enter).
Invoices: client names, amounts, line items, dates, and notes.
Billing: Stripe handles payment processing. We receive only a customer ID and subscription status, never your card number or bank details.
Usage logs: IP address and request timestamps for security and debugging only. Not sold or used for advertising.
AI data (Voice AI only): input submitted for parsing is sent to Groq and deleted immediately after. We store only a daily count for rate-limiting. Your stored invoices are never sent to Groq.
Solely to provide the Service: storing invoices, sending transactional emails, and (on paid plans) sending invoices to your clients. On Voice AI, past invoice history is used locally to personalise AI results and is never shared externally.
We use PostHog for product analytics to understand how features are used in aggregate. This helps us improve the app. We do not use your invoice content or client data for analytics.
We do not use your data for advertising or behavioural profiling. For EEA/UK users, processing is based on contract performance, legitimate interests (security), and consent for optional features.
Supabase (database and auth, US, SOC 2 Type II), Stripe (payments, PCI-DSS Level 1), Resend (email delivery), Cloudflare (CDN and security), Groq, Inc. (Voice AI parsing only), PostHog (product analytics, EU servers), Sentry (error monitoring, US).
We do not sell your data to any third party or share it with advertisers.
Data may be processed in Canada and the United States. EEA/UK transfers are made under standard contractual clauses.
You can access, correct, export, or delete your data at any time. Canadian users: PIPEDA. EU/UK users: GDPR (including portability and objection rights). California users: CCPA.
Data is retained while your account is active. You can permanently delete your account and all associated data at any time from your profile settings , no email required. Billing records may be retained as required by Stripe and applicable regulations.
Email [email protected] to exercise any of these rights. We respond within 30 days.
Canadian users may also contact the Office of the Privacy Commissioner of Canada if you believe your rights under PIPEDA have not been respected.
Security: All data is encrypted in transit (TLS 1.2+) and at rest. Row-level security ensures users can only access their own data.
Cookies: We use functional cookies for authentication (session token) and analytics cookies via PostHog to understand how the app is used. No advertising or third-party tracking cookies are used. You can opt out of analytics by contacting us.
Children: The Service is not directed at anyone under 16. Contact us to remove a minor's account.
Questions or data requests: [email protected]. EU/UK residents may also contact their local data protection authority.