Privacy Policy
FreeInvoiceNow ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, how we use it, your rights under the General Data Protection Regulation (GDPR) and other applicable laws, and how to contact us.
1. Data Controller
FreeInvoiceNow operates this service. For the purposes of the GDPR (EU) 2016/679 and the UK GDPR, FreeInvoiceNow is the data controller responsible for your personal data.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Data
When you register for an account, we collect your email address, display name, and a hashed password. This is necessary to authenticate you and provide access to your saved invoices.
2.2 Invoice & Business Data
We store the invoice content you create — including your business name, address, contact information, client names, addresses, line items, amounts, and any notes you add. This data is yours; we process it solely to provide the invoicing service.
2.3 Client Data
If you use our client management feature, we store your clients' names, email addresses, postal addresses, and phone numbers on your behalf. You are the controller of this data; we act as a data processor.
2.4 Usage & Technical Data
We automatically collect certain technical data, including your IP address (truncated where possible), browser type, device type, operating system, referring URLs, and page-level interaction events (e.g., pages visited, features used). This is used to improve the service and detect abuse.
2.5 Communications
If you contact us via the contact form or email, we store your name, email address, and the contents of your message to respond to your enquiry.
2.6 Guest Mode
If you use our guest invoice builder without registering, we do not link your invoice to any account. A session identifier may be stored temporarily in your browser. No account-level personal data is collected.
3. Legal Basis for Processing
We process your personal data under the following legal bases provided by Article 6 GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Storing invoices & client data | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Service improvement & analytics | Legitimate interests (Art. 6(1)(f)) |
| Responding to support requests | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance & record-keeping | Legal obligation (Art. 6(1)(c)) |
| Optional analytics cookies | Consent (Art. 6(1)(a)) |
4. How We Use Your Data
We use the data we collect to:
- Provide, operate, and improve the FreeInvoiceNow service;
- Authenticate you and keep your account secure;
- Generate and store PDF invoices on your behalf;
- Send transactional emails (e.g., email confirmation, password reset) — we do not send marketing emails without your explicit opt-in;
- Detect, investigate, and prevent fraudulent activity and abuse;
- Comply with our legal obligations;
- Respond to your support requests and enquiries.
We do not sell, rent, or trade your personal data to any third party. We do not use your invoice or client data for any purpose other than providing the service to you.
5. Third-Party Services
We use a limited set of trusted sub-processors to operate the service:
| Sub-Processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase Inc. | Database, authentication, and file storage | US (AWS us-east-1) | supabase.com/privacy |
| Google LLC | reCAPTCHA v3 (bot/spam prevention on auth forms) | US | policies.google.com/privacy |
Each sub-processor is contractually bound to protect your data and process it only on our instructions. Data transfers to the US are covered by Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework where applicable.
6. Data Retention
We retain personal data only for as long as necessary:
- Account data: Retained while your account is active. Deleted within 30 days of account deletion unless we are required by law to retain it longer.
- Invoice & client data: Retained while your account is active and for up to 30 days after account deletion.
- Server logs: Retained for up to 90 days for security and debugging purposes.
- Support communications: Retained for up to 3 years to assist with follow-up enquiries.
You can request immediate deletion of your account and associated data at any time (see Your Rights below).
7. International Transfers
FreeInvoiceNow stores data on infrastructure operated by Supabase Inc. in the United States (AWS us-east-1 region). Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to a third country, we ensure an adequate level of protection is in place through one or more of the following:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The EU–US Data Privacy Framework (where the recipient is certified);
- The UK International Data Transfer Agreement (IDTA).
8. Your Rights
Under the GDPR (and equivalent laws in the UK, Switzerland, and other jurisdictions), you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You can correct inaccurate or incomplete personal data. Most data can be updated directly in your account settings.
- Right to erasure (Art. 17 GDPR): You can request deletion of your personal data ("right to be forgotten"). You can delete your account via the settings page or by contacting us.
- Right to restriction (Art. 18 GDPR): You can ask us to restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You can request your data in a structured, machine-readable format (JSON or CSV).
- Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests. You also have an unconditional right to object to direct marketing.
- Rights related to automated decision-making (Art. 22 GDPR): We do not make decisions about you based solely on automated processing that have legal or similarly significant effects.
- Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@freeinvoicenow.com. We will respond within 30 days. We may request proof of identity before processing your request.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local supervisory authority — for example, the ICO (UK) or your EU Member State's data protection authority.
9. Security
We implement industry-standard security measures to protect your personal data, including:
- TLS/HTTPS encryption for all data in transit;
- Encryption at rest for database storage;
- Row-level security (RLS) policies so users can only access their own data;
- Google reCAPTCHA v3 on authentication forms to prevent automated attacks;
- HTTP security headers (HSTS, CSP, X-Frame-Options, etc.);
- Access controls limiting employee access to production data.
No system can be completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
10. Children's Privacy
FreeInvoiceNow is a business tool intended for users aged 16 and over (or the minimum age for digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email or in-app notice at least 14 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
12. Contact & DPO
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us: