Effective Date: October 17th, 2025
Last Updated Date: November 28th, 2025
1. Introduction
InvoBill (“we,” “us,” “our”) provides Accounts Receivable automation software that helps businesses manage invoices, payments, follow-ups, customer communication, and team assignments.
We process personal information in compliance with:
- Applicable data-transfer regulations including Standard Contractual Clauses (SCCs)
This Privacy Policy explains:
- What personal data we collect
- Why we collect it
- How long do we keep it
- Who we share it with
- How we secure it
- Your rights under GDPR + CCPA
- How to contact us or exercise your rights
2. Who We Are
Legal Entity: InvoBill, a business entity registered in Canada.
Address: Mississauga, Ontario, Canada
Email (Privacy policy, DPO, GDPR, CCPA): [email protected]
InvoBill is the data controller responsible for your personal data.
3. Data Protection Officer (DPO)
As per our DPO Appointment Letter, our DPO is Mr. ArhamUllah who can be reached out using the email [email protected]
4. EU Representative
Our EU Representative is the same as our DPO, that is, Mr. ArhamUllah who can be reached out by using the mail [email protected].
5. Categories of Personal Data We Collect
InvoBill processes the following categories of personal information:
5.1 Account Information
- Full name
- Email address
- Password (encrypted)
- User roles within InvoBill Software (Owner, AR Manager, Assistant, etc.)
5.2 Company Information
- Your Company name(s)
- Third-party integration you connect with InvoBill (like QuickBooks, Outlook, Jobber, Gmail etc.)
- Linked accounting data (invoice metadata, payment status, amounts on each invoice)
5.3 Customer Communications & Email Data
If you connect your email (Gmail, Outlook etc.), we process:
- Sender/recipient names & emails
- Subject line
- Message body
- Attachments (e.g., invoices, replies)
- Thread metadata (timestamps, read status)
5.4 Financial & Invoice Metadata
We process:
- Invoice numbers
- Amount due / outstanding
- Dates, status, notes
- Customer name & contact details
- Payment confirmations
- Internal tasks tied to each invoice(s)
5.5 Usage Data
- IP address
- Device/browser information
- Login timestamps
- Feature usage patterns
- Error logs
5.6 Cookies & Tracking Data
InvoBill uses cookies and similar technologies, including:
- Google Analytics 4 for usage analytics
- Meta Pixel for advertising effectiveness
- Microsoft Clarity for session insights
A full cookie disclosure section is given in the Privacy Policy. Consent is required for all cookies, other than the ones required for the proper functioning of the website when a new user visits our website. Analytics and advertising cookies are only activated after the user provides explicit consent through our cookie banner. All details are given in our Cookies Disclosure Document.
InvoBill collects the following categories of personal information as defined under California Civil Code §1798.140(v):
- Identifiers (e.g., name, email address, account credentials)
- Commercial Information (e.g., transaction records, invoice activity processed through InvoBill)
- Internet or Network Activity (e.g., log data, device data, usage analytics)
- Professional or Employment Information (e.g., role, business email, company details)
- Sensitive Personal Information (limited to user credentials used for authentication; we do not use sensitive information for inferring characteristics)
6. Sources of Personal Data
We obtain personal data from:
- InvoBill users directly
- QuickBooks Online or other integrated platforms
- Connected email accounts (Outlook, Gmail)
- Analytics tools (Google Analytics 4, Meta Pixel, MS Clarity)
- Support queries sent to [email protected]
7. Purposes and Legal Basis for Processing
7.1 To Provide the InvoBill Service
Includes:
- Creating accounts
- Linking companies
- Syncing invoices
- Organizing customer communication
- Sending automated reminders
- Assigning tasks to team members
Legal basis:
- Performance of a contract (GDPR Art. 6(1)(b))
7.2 To Improve the Product
Includes:
- Debugging
- Error-prevention
- Analytics
- Feature usage insights
Legal basis:
- Legitimate interests pursued by InvoBill or our customers (GDPR Art. 6(1)(f))
7.3 To Provide Support
Includes:
- Responding to emails
- Troubleshooting accounts
- Coaching users on product setup
Legal basis:
- Performance of a contract (GDPR Art. 6(1)(b))
- Legitimate interests pursued by InvoBill or our customers (GDPR Art. 6(1)(f))
7.4 To Prevent Fraud & Security Threats
Includes:
- Monitor login activity and suspicious access attempts.
- Detect unusual account behavior, fraudulent actions, or platform misuse.
- Maintain security logs and audit trails.
- Protect network and application infrastructure.
- Validate data, file uploads, and integration requests.
Legal basis:
- Legitimate interests pursued by InvoBill or our customers (GDPR Art. 6(1)(f))
7.5 Marketing
Includes:
- Email address and marketing preferences.
- Newsletter sign-up details.
- Campaign performance data (opens, clicks).
- Website behavior collected through marketing cookies.
- Advertising interaction data from GA4, Meta Pixel, and similar tools.
Legal basis:
- Consent given by user (GDPR Art. 6(1)(a)
- Legitimate interests pursued by InvoBill or our customers (GDPR Art. 6(1)(f))
8. Sensitive Personal Information (CCPA)
InvoBill does not intentionally collect or process sensitive personal information (such as government IDs, health data, biometric identifiers etc.).
9. Data Retention and Notice at Collection
InvoBill retains data as follows:
| Data Category | Retention Period | Legal Basis |
| User Account Data | Active usage + up to 12 months post-termination | Operational necessity |
| Email Data | Active usage + 6 months after the user deletes their account for fraud detection, security logging and dispute resolution purposes. | Contractual necessity and User Consent |
| Financial Data | Active usage + up to 12 months post-termination | Contractual necessity and Legal Obligation |
| Log & Security Data | 12–24 months | Legitimate interest and Legal obligation |
| Cookie/Analytics Data | 6 months | User Consent |
We have not sold or shared personal information in the preceding 12 months as those terms are defined under the CCPA/CPRA. We disclose the categories of personal information listed in Section 5 only to the service providers and contractors described in Section 10, solely for business purposes. Upon request, all user data is deleted within statutory timelines of GDPR and CCPA.
10. Sharing of Personal Data
We share your personal data only with service providers and contractors operating under written data processing agreements. All such parties are bound by contracts prohibiting them from selling or sharing your personal information and restricting use solely to the business purposes defined in this policy.
10.1 Infrastructure & Hosting Providers
- GoDaddy (hosting) – SCC-compliant
- Google Cloud / Gmail – SCC-compliant
- Microsoft Outlook / 365 – SCC-compliant
10.2 Integrations
- QuickBooks Online
- (Future) Jobber, Stripe.
10.3 Marketing Platforms
- Google Analytics 4
- Meta Pixel
- Microsoft Clarity
11. International Transfers
All international transfers are covered by Standard Contractual Clauses (SCCs) used by our sub-processors, i.e. Google, Microsoft and GoDaddy. Where personal data is transferred outside the European Economic Area, InvoBill relies on the European Commission’s Standard Contractual Clauses (SCCs) and supplementary safeguards implemented by our service providers, including Google, Microsoft, and GoDaddy. These providers maintain recognized security certifications and contractual protections to ensure an adequate level of data protection.
12. Cookies & Tracking Disclosure
InvoBill uses cookies and similar technologies, including:
- Google Analytics 4 for usage analytics
- Meta Pixel for advertising effectiveness
- Microsoft Clarity for session insights
Analytics and Marketing cookies are only activated after you consent. Users can opt out of all except the essential functional cookies through cookie preference button on our website. For users in the EU/EEA, non-essential cookies (such as analytics and advertising cookies) are only used with your consent, which you are prompted to choose when you first visit the website, and you can withdraw at any time via our cookie preference button in the footer of the website.
13. Data Security
We implement:
- Encryption at rest & in transit
- Access-control and RBAC (Role Based Access Control)
- Secure server architecture
- Regular vulnerability checks
- Strict permissions for internal staff
14. Data Breach Notification
If a data breach occurs, InvoBill will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR Article 33. If all information cannot be provided at once, InvoBill will submit additional details as they become available.
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
- For California residents, provide notice of a data breach in the most expedient time possible and without unreasonable delay, consistent with California Civil Code §1798.82 and other applicable U.S. state laws.
15. Your Rights (GDPR + CCPA)
15.1 Under GDPR
For the processing of their personal data, users in the EU/EEA have the right to:
- Access their personal data (Art. 15)
- Correct inaccurate or incomplete data (Art. 16)
- Delete their data (“Right to be Forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Not be subject to automated decision-making, including profiling, where applicable (Art. 22)
If you are in the EU/EEA, you also have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your personal data in compliance with GDPR.
15.2 Under CCPA (California)
California residents have the right to limit the use, and disclosure of their sensitive personal information. As a California resident, you have the right to:
- Know what personal information is collected (California Civil Code §1798.110 & §1798.115)
- Access a copy of your data (California Civil Code §1798.110(a)(5) & §1798.115)
- Know if data is shared, and with whom (California Civil Code §1798.115(a)(2)–(4))
- Request deletion (California Civil Code §1798.105)
- Opt-out of sale or sharing of personal information (California Civil Code §1798.120 & §1798.140(ad))
- Correct inaccurate information (California Civil Code §1798.106)
- Limit use and disclosure of sensitive personal information (California Civil Code §1798.121)
- Not be discriminated against for exercising your privacy rights (California Civil Code §1798.125)
You have the right to opt-out of the sale or sharing of your personal information by visiting the “Manage your cookies” option in the footer of our website.
16. How to Exercise Your Rights
You can submit requests by emailing [email protected]. We will not discriminate against you for exercising your rights under the CCPA.
InvoBill operates exclusively online and maintains a direct relationship with users; therefore, under CCPA §1798.130(a)(1)(A), we are required to provide only a single method for submitting privacy requests.
Our User Rights Handling Policy governs:
- Identity verification
- Response timelines
- Processing workflows
- Deletion and export procedures
17. Children’s Data
InvoBill is not intended for children under 16 and does not knowingly collect their personal information.
18. Changes to This Policy
We may update this Privacy Policy occasionally. The “Last Updated Date” listed on the top of this document will indicate changes. For significant updates, we will notify our users via email and/or dashboard notices.
19. Contact Us
For GDPR, CCPA, or general privacy inquiries: [email protected]
