Privacy Policy

1. Who we are

Invoeva is an AI-assisted invoice-processing service operated by IOT LTD, a company registered in Cyprus (registration number HE343300; registered office Mnasiadou 9, 1065 Nicosia, Cyprus) ("Invoeva", "we", "us"). For privacy questions, contact privacy@invoeva.com or use the contact form.

2. Data we collect

We collect only what is needed to run the service:

• Account information. Name, work email, organisation and team names, role within the team, hashed password (when password auth is used), and OAuth identifiers when you sign in with a third-party provider.
• Invoice files you upload. The PDFs, images, and email attachments you send us for processing.
• Extracted data. Structured fields produced from your invoices (supplier, line items, totals, item codes, etc.).
• Contact-form submissions. The name, email, topic, and message body when you write to us through /contact.
• Operational logs. IP address, user agent, request timestamps, and error traces — used for security, debugging, and rate-limit enforcement. Retained for up to 30 days.
• Cookies. A session cookie (HttpOnly), a CSRF double-submit cookie, and any analytics cookie set by the tool we adopt in a future release. No third-party advertising cookies.

3. How we use your data

• To run the invoice-extraction pipeline you signed up for.
• To authenticate you and protect your account.
• To answer messages you send us via the contact form or email.
• To investigate abuse, fraud, and operational incidents.
• To send transactional email (verification, password reset, billing notices, security alerts). We do not send marketing email without explicit opt-in.

4. Sub-processors

We use a small number of third-party services to operate Invoeva. Each processes data only on our instructions and under contract.

• Cloudflare — application hosting (Workers, KV, Turnstile bot protection), CDN, DDoS protection.
• Neon — Postgres database hosting (account data, extracted invoice metadata).
• Google Gemini — vision-AI extraction of invoice contents. Files and prompts are sent to Gemini to extract structured data; Google's terms govern that processing.
• Resend — transactional email delivery.
• Sentry — error and performance monitoring. Personal data is scrubbed from breadcrumbs where practical.
• Analytics provider — to be selected and disclosed here before launch; if added it will be a privacy-respecting tool (no fingerprinting, no ad targeting).

5. Retention

We keep your account data, uploaded files, and extracted records for as long as your account is active. When you delete your account, we delete the associated invoices, extractions, and personally identifying account data within 30 days, except where law requires longer retention (e.g. financial-records obligations once paid plans launch). Operational logs roll off on the schedules described above.

6. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict its processing. To exercise any of these rights, write to us through the contact form or email privacy@invoeva.com. We respond within one business day on best effort and within 30 days as a hard deadline.

7. California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) gives you the rights below. They supplement — and do not replace — the rights in section 6, and they apply even though Invoeva's data controller is an EU (Cyprus) entity.

• Right to know. You can request the categories and specific pieces of personal information we have collected about you, the sources we collected it from, the business purpose for collecting it, and the categories of third parties we disclose it to.
• Right to delete. You can request that we delete the personal information we hold about you, subject to the exceptions permitted by law.
• Right to correct. You can request that we correct inaccurate personal information we hold about you.
• Right to opt out of sale or sharing. We do not sell or share your personal information for money or for cross-context behavioural advertising, and we have not done so in the preceding 12 months. There is nothing to opt out of, but we honour opt-out preference signals (such as Global Privacy Control) that your browser sends.
• Right to non-discrimination. We will not deny you service, charge a different price, or provide a different level of quality because you exercised any of these rights.

To exercise a California right, email privacy@invoeva.com or use the contact form. We verify your request against the information associated with your account before acting on it, and you may use an authorised agent to submit a request on your behalf.

8. Security

Data is encrypted in transit (TLS) and at rest (provider-managed encryption on Cloudflare and Neon). Access to production data is scoped to a small operations group and audit-logged. We're working toward SOC 2 Type 1 in 2026 — until that report is held, please do not assume independent attestation.

9. Children

Invoeva is a B2B product for finance teams and is not directed to children under 16. We do not knowingly collect personal data from children.

10. International transfers

Some of our sub-processors operate across multiple regions. By using Invoeva you acknowledge that your data may be processed in the United States and other jurisdictions. Standard Contractual Clauses or equivalent transfer mechanisms will be in place with each sub-processor before paid plans launch.

11. Changes to this policy

We'll update the "Last updated" date above whenever this policy changes. Material changes will be announced in-product and by email to active accounts.

12. Contact

Questions or complaints? Email privacy@invoeva.com or use the contact form. The data controller of record is IOT LTD, registered in Cyprus (registration number HE343300), at Mnasiadou 9, 1065 Nicosia, Cyprus.