Legal
Privacy Policy
Effective April 3, 2026
This policy explains what personal data InvoiceFlow collects when you use our invoice automation service, how we use it, who we share it with, and what rights you have over it.
1. Who We Are
InvoiceFlow is operated by a company incorporated in Brazil and provides its Service primarily to businesses located in the United States. Inquiries about this policy should be directed to privacy@getif.app.
2. Data We Collect
2.1 Account Information
When you sign up we collect your name, email address, and authentication credentials through our identity provider (Clerk). If you connect a Google or other OAuth account, we receive the profile information that provider makes available.
2.2 Invoice Documents
You may upload invoice files (PDF, JPG, PNG) to the Service for processing. These documents may contain personal data relating to your vendors — including names, addresses, tax identification numbers, and financial amounts. We treat this data as confidential business data and use it solely to deliver the extraction and review features you requested.
2.3 Billing Information
Subscription payments are processed by Dodo Payments. We do not store full credit card numbers or sensitive payment credentials. We receive transaction identifiers, subscription status, and billing tier from Dodo to manage your account entitlements.
2.4 Usage and Technical Data
We automatically collect log data including your IP address, browser type, pages visited, timestamps, and error events. This data is used for security, debugging, and improving the Service.
2.5 Cookies
We use strictly necessary cookies to maintain your authenticated session (set by Clerk). We do not use advertising cookies or third-party tracking pixels. You can disable cookies in your browser settings, but doing so will prevent you from signing in.
3. How We Use Your Data
- ›To provide the Service — processing invoices, storing results, enabling QuickBooks sync.
- ›To manage your account and subscription — authentication, plan entitlements, billing communications.
- ›To improve the Service — aggregate, anonymized usage analytics to understand feature adoption.
- ›To communicate with you — transactional emails (receipts, security alerts). We do not send marketing email without your consent.
- ›To comply with legal obligations — responding to lawful requests from authorities.
4. Legal Basis for Processing
Where applicable law requires a legal basis, we rely on:
- ›Contract performance — processing necessary to deliver the Service you subscribed to.
- ›Legitimate interests — security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.
- ›Legal obligation — where we are required to process data by applicable law.
5. Sub-processors and Third Parties
We share your data with the following service providers solely to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication and session management | USA |
| Convex | Database and real-time backend infrastructure | USA |
| OpenRouter | LLM-based OCR extraction via Gemini & Claude | USA |
| Dodo Payments | Subscription billing and payment processing | USA / Global |
| Intuit (QuickBooks) | Optional QuickBooks Online sync (only if you connect) | USA |
We do not sell, rent, or trade your personal data to any third party for marketing purposes — ever.
6. International Data Transfers
InvoiceFlow is operated from Brazil and uses infrastructure providers located in the United States. By using the Service you acknowledge that your data will be transferred to and processed in the United States. We rely on standard contractual clauses and the data processing agreements of our sub-processors to safeguard these transfers.
7. Data Retention
We retain your account data for as long as your account is active. Uploaded invoice documents and extracted records are retained for the duration of your subscription plus 90 days after cancellation, after which they are permanently deleted. You may request earlier deletion at any time (see Section 8).
8. Your Rights
Depending on your jurisdiction you may have the right to:
- ›Access — request a copy of the personal data we hold about you.
- ›Correction — ask us to correct inaccurate data.
- ›Deletion — ask us to delete your account and associated data.
- ›Portability — receive your data in a machine-readable format.
- ›Objection — object to processing based on legitimate interests.
- ›Do Not Sell (CCPA) — we do not sell personal data. No opt-out is required, but you may request confirmation at any time.
To exercise any of these rights, email privacy@getif.app. We will respond within 30 days.
9. Security
We implement industry-standard security measures including TLS encryption in transit, access controls, and routine security reviews. No system is perfectly secure; we will notify you promptly in the event of a breach that materially affects your data.
10. Children
The Service is intended for business users and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact
Questions, concerns, or requests related to this Privacy Policy should be sent to:
InvoiceFlow Privacy
privacy@getif.appThis policy was written in English. In the event of any conflict between a translation and the English version, the English version controls.