Legal

Privacy Notice

How we process personal data when you use Invoxo.eu.

Back to home Cookie policy

This Privacy Notice explains how Sektor Technologies OÜ (registration number 17404256) (“Invoxo”, “we”, “us”) processes personal data when you visit Invoxo.eu or use the Invoxo application (the “Service”).

This Notice is provided for transparency under the GDPR and related data protection laws.

Sections

Controller Roles Data categories Purposes & legal bases Sharing Transfers Retention Your rights Security Children Changes

1) Controller and contact

Controller: Sektor Technologies OÜ
Registered address: Sepapaja 6, 15551 Tallinn, Estonia
Contact: [email protected]

If you contact us, we process your details to respond and keep an audit trail of the interaction.

2) Roles: controller vs processor

  • Website and account administration: Invoxo typically acts as a controller for account and operational data (such as login, billing, and support).
  • Customer invoice data: When you input personal data about your clients or invoice recipients, you typically act as controller and Invoxo acts as processor to provide the Service.

If you need a Data Processing Agreement (DPA), request it at [email protected].

3) Personal data we process

We process the following categories of personal data depending on how you use the Service:

  • Account data: name, email, password hash (not plain password), authentication and security signals, and profile fields you provide.
  • Company and workspace data: business identifiers and configuration you input (for example, legal name, address, VAT number, invoice preferences).
  • Service data: invoices, clients, products/services, and related metadata you create in the app (may include personal data of your clients).
  • Billing data: subscription status, payment references, invoice/receipt records, refund references, and limited identifiers needed for reconciliation.
  • Support and communications: messages you send, attachments you provide, feedback, and troubleshooting context.
  • Technical and security data: logs and telemetry (for example IP address, timestamps, device/browser metadata, and error diagnostics) needed to operate and secure the Service.

We do not intentionally collect special categories of data (GDPR Art. 9). Please do not upload sensitive data unless strictly necessary.

4) Purposes and legal bases (GDPR)

Providing and operating the Service

Purpose: account creation, authentication, invoicing workflows, VAT-related features, exports, and core application functionality.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

Billing, refunds, and administration

Purpose: subscription management, payment processing, refunds (if applicable), invoicing/receipts, and financial recordkeeping.

Legal basis: contract (Art. 6(1)(b)) and legal obligation where applicable (Art. 6(1)(c)).

Security, fraud prevention, and abuse detection

Purpose: protect accounts, detect misuse, prevent fraud, enforce limits, and maintain service integrity and availability.

Legal basis: legitimate interests (Art. 6(1)(f)).

Support and service communications

Purpose: respond to requests, resolve incidents, deliver operational messages (for example service notices), and improve reliability.

Legal basis: contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).

Product updates and announcements

Purpose: send non-marketing updates about feature changes, security notices, and important operational information.

Legal basis: legitimate interests (Art. 6(1)(f)) or contract (Art. 6(1)(b)) depending on message type.

Optional marketing communications

Purpose: send marketing messages (for example newsletters) where allowed. You can opt out anytime using the email footer or by contacting us.

Legal basis: consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)) depending on applicable law and relationship.

Important

Invoxo provides tooling support and does not provide legal, tax, or accounting advice. You remain responsible for the accuracy of invoice data, VAT treatments, and compliance decisions.

5) Who we share data with

We use service providers (“processors”) to run the Service, such as hosting infrastructure, email delivery, payment processing, monitoring, analytics, and customer support tooling. We share only what is necessary to provide and secure the Service.

  • Payment providers: process transactions and handle payment authentication.
  • Infrastructure providers: host application data and deliver content.
  • Email providers: deliver transactional messages (for example verification emails).
  • Monitoring and security tooling: detect incidents and maintain service stability.

A detailed subprocessors list is available on request.

6) International transfers

If any provider processes data outside the EEA, we implement appropriate safeguards where required, such as Standard Contractual Clauses (SCCs), and assess transfer risks based on the nature of the processing.

7) Retention

We retain personal data only as long as necessary for the purposes described in this Notice, including contractual needs, security, dispute resolution, and legal obligations (for example accounting and tax records).

Retention periods vary by data category. When data is no longer needed, we delete or de-identify it in line with our retention practices.

8) Your rights

Depending on your location and applicable law, you may have rights to access, rectify, delete, restrict, object to processing, and port your personal data, and to withdraw consent at any time where processing is based on consent.

To exercise rights, contact [email protected]. We may request information to verify your identity and protect your account.

You also have the right to lodge a complaint with your local supervisory authority.

Controller vs processor requests

If you are an end-customer of a business using Invoxo (for example, you received an invoice from them), please contact that business first. They typically control the invoice data and decide how it is processed.

9) Security

We implement appropriate technical and organizational measures designed to protect data against unauthorized access, alteration, loss, or misuse. No system is perfectly secure; you are responsible for maintaining strong credentials and access hygiene.

If you suspect an account compromise, contact [email protected].

10) Automated processing

The Service may perform automated checks and validations (for example input validation, fraud signals, and VAT number format checks) to operate reliably and securely. These checks are used to support workflows and reduce error rates.

We do not use automated decision-making that produces legal effects about you, within the meaning of GDPR Art. 22, as part of typical Service operation.

11) Cookies and similar technologies

We use cookies and similar technologies to operate the website, maintain sessions, and improve performance. Details are described in the Cookie policy.

You can manage cookies via your browser settings and the Cookie policy controls where applicable.

12) Children

The Service is not directed to children and is not intended for use by individuals under 18. We do not knowingly collect personal data from children.

13) Changes

We may update this Privacy Notice to reflect product, legal, or operational changes. Material updates will be communicated via the website or the app.

Legal Terms Cookies

Last updated: 2026-01-17