Privacy Policy
Last updated: January 3, 2026
1. Data Controller Information
This Privacy Policy explains how Apensy LTD (“Company”, “we”, “our”, “us”), the operator of Invi, collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and Cyprus data protection laws.
Data Controller:
- Apensy LTD
- Cyprus
- Email: support@invi-app.com
We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this policy or our practices, please contact us at support@invi-app.com.
2. Our Role Under GDPR
Under GDPR, we act in two capacities:
- Data Controller: For your account information, usage data, and any data you directly provide to us.
- Data Processor: For your clients' data that you store and manage through our invoicing service. In this role, we process data only according to your instructions.
When you use Invi to manage invoices for your clients, you are the Data Controller for that client data, and we act as your Data Processor under Article 28 of the GDPR.
3. Information We Collect
3.1 Account Data
Information you provide when creating an account:
- Full name
- Email address
- Password (stored in encrypted form)
- Company name and address
- VAT/Tax registration number
- Bank account details (for invoice display)
3.2 Client Data (Processed on Your Behalf)
Data you enter about your clients:
- Client company names and addresses
- Client contact information
- Invoice amounts and details
- Payment history
3.3 Financial Data
- Subscription payment information (processed by Stripe)
- Invoice and expense records
- Bank account information (for display on invoices only)
3.4 Automatically Collected Data
- IP address
- Browser type and version
- Device information
- Pages visited and actions taken
- Date and time of access
- Referring website
4. Legal Basis for Processing
Under GDPR Article 6, we process your data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contract performance | Art. 6(1)(b) |
| Invoice and expense processing | Contract performance | Art. 6(1)(b) |
| Subscription billing | Contract performance | Art. 6(1)(b) |
| Financial record keeping | Legal obligation (Cyprus tax law) | Art. 6(1)(c) |
| Service improvement analytics | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Analytics cookies | Consent | Art. 6(1)(a) |
5. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Account recovery period |
| Invoice records | 7 years | Cyprus tax law requirement |
| Expense records | 7 years | Cyprus tax law requirement |
| Usage logs | 90 days | Security and debugging |
| Audit logs | 90 days | Security compliance |
Note: Cyprus tax regulations require retention of financial records for 7 years. This legal obligation overrides deletion requests for invoice and expense data during this period.
6. Third-Party Service Providers (Sub-processors)
We share your data with the following service providers who process data on our behalf:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database and authentication | EU/US | SCCs, SOC 2 |
| Vercel | Website hosting | EU/US | SCCs, ISO 27001 |
| Stripe | Payment processing | EU/US | PCI DSS, SCCs |
| Resend | Email delivery | US | SCCs |
| Google Analytics | Website analytics | US | SCCs (with consent) |
| Sentry | Error monitoring | US | SCCs, SOC 2 |
SCCs = Standard Contractual Clauses approved by the European Commission for international data transfers.
7. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of Access (Art. 15): You can request a copy of your personal data. Use Settings > Privacy > Export Data or email us.
- Right to Rectification (Art. 16): You can update your information through your account settings or by contacting us.
- Right to Erasure (Art. 17): You can request deletion of your account via Settings > Account > Delete Account. Note: Financial records must be retained for 7 years per Cyprus law.
- Right to Restrict Processing (Art. 18): You can request that we limit how we use your data while we address a concern.
- Right to Data Portability (Art. 20): You can export your data in a machine-readable format via Settings > Privacy > Export Data.
- Right to Object (Art. 21): You can object to processing based on legitimate interests. Contact us to exercise this right.
- Right to Withdraw Consent (Art. 7): Where we process data based on consent (e.g., analytics, marketing), you can withdraw consent at any time.
How to exercise your rights: Email support@invi-app.com or use the in-app privacy settings. We will respond within 30 days.
8. Cookies and Tracking
We use the following types of cookies:
- Essential Cookies: Required for the service to function (authentication, security). These do not require consent.
- Analytics Cookies (Google Analytics): Help us understand how you use our service. Requires your consent.
You can manage your cookie preferences through your browser settings or our cookie consent banner.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Two-factor authentication available
- Regular security audits
- Row-level security in our database
- Access logging and monitoring
- Employee access controls and training
10. International Data Transfers
Some of our service providers are located outside the EU/EEA. When transferring data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Verification that recipients maintain appropriate security certifications
- Data processing agreements with all sub-processors
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Cyprus Commissioner for Personal Data Protection within 72 hours
- Notify affected users without undue delay if the breach is likely to result in high risk
- Document all breaches and remediation actions
12. Children's Privacy
Our service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website before the changes take effect. We encourage you to review this policy periodically.
14. Complaints and Supervisory Authority
If you have concerns about how we handle your data, please contact us first at support@invi-app.com. We will work to resolve your concern.
You also have the right to lodge a complaint with your local data protection authority. For Cyprus residents:
Commissioner for Personal Data Protection
- Website: www.dataprotection.gov.cy
- Email: commissioner@dataprotection.gov.cy
15. Contact Us
For any questions about this Privacy Policy or our data practices:
- Data Protection Inquiries: support@invi-app.com
- General Support: support@invi-app.com
- Company: Apensy LTD, Cyprus