InvoicePeak
Get started free

Privacy Policy

Last updated: April 15, 2026

1. Information We Collect

We collect three categories of information. (a) Account data you provide when registering: name, email address, and password hash (we never store passwords in plaintext). (b) Invoice data you create or import: client details, line items, totals, notes, and any custom fields. (c) Usage data automatically collected when you use the service: pages visited, features used, IP address, browser type, and approximate location derived from IP. Usage data is aggregated for analytics through PostHog and error reporting through Sentry.

2. How We Use Your Information

We use your information to: (i) provide and operate the service — store invoices, render PDFs, send invoices to your clients via email; (ii) authenticate you and protect your account; (iii) process subscription payments through Stripe; (iv) send essential transactional emails (invoice notifications, payment receipts, account changes); (v) respond to support requests; (vi) improve the service through aggregated, anonymized usage analytics. We never sell your personal data to third parties, and we do not use your data for advertising.

3. Data Storage and Retention

Your data is stored on encrypted servers in the European Union (Contabo VPS) and Cloudflare R2 (US/EU multi-region) for invoice PDFs. Database content is encrypted at rest and in transit (TLS 1.3). PDF files are accessed via signed URLs that expire 24 hours after generation. We retain account data and invoices for as long as your account is active, plus a 30-day grace period after account deletion to support recovery. Deleted accounts and their data are permanently purged after the grace period.

4. Cookies

Strictly necessary cookies. (a) `auth_token`: session authentication, HTTP-only and Secure, expires when you sign out or after 30 days of inactivity. (b) `NEXT_LOCALE`: remembers your language preference, expires after one year. (c) `consent`: stores your analytics-cookie choice, expires after one year. Analytics cookies. We use Google Analytics 4 to measure traffic. For visitors in the EU, EEA, UK and Switzerland, GA4 cookies (`_ga`, `_ga_*`) are loaded only after explicit opt-in via our cookie banner; declining keeps tracking off. Visitors outside those regions are tracked by default; you can still opt out via the link in our privacy page. We never run advertising cookies.

5. Third-Party Services

InvoicePeak integrates with the following processors, each with their own privacy policy. (a) Stripe (US) — processes subscription payments. (b) Google OAuth (US) — optional sign-in via Google account. (c) Google Analytics 4 (US) — anonymized traffic analytics, IP anonymization enabled, gated by consent for EU/EEA/UK/CH visitors. (d) Resend (US) — sends transactional and invoice emails on your behalf. (e) Cloudflare (US/EU) — DDoS protection and CDN. (f) Sentry (US) — error monitoring. We share only the minimum data required for each integration to function.

6. Your Rights

Under GDPR (European Union) and CCPA (California), you have the right to: access your personal data, correct inaccuracies, request deletion (right to be forgotten), restrict or object to processing, and request data portability. You may exercise these rights from the Settings page (export your data, delete your account) or by emailing us. We respond to verifiable rights requests within 30 days. If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority.

7. Changes

We may update this policy from time to time as the service evolves or to comply with legal requirements. The "Last updated" date at the top reflects the most recent revision. For material changes — for example, adding new categories of data collection or new third-party processors — we will notify active accounts by email at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Cookies and analytics

We use Google Analytics to measure traffic. For visitors in the EU, EEA, UK and Switzerland, analytics cookies are loaded only after explicit consent. You can change your preference at any time below.

8. Contact

Questions about privacy, or to exercise any of your rights? Email us at [email protected].