InvoitionBack to app →

Privacy Policy

Last updated: February 22, 2026

Invoition is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, and your rights under applicable data protection law (including GDPR). We treat your data the way we would want our own treated — with care and transparency.

1. What Data We Collect

When you create an account, we collect:

  • Your name and email address
  • A Notion OAuth token — encrypted at rest — that grants Invoition read/write access only to the Notion pages and databases you explicitly authorise

When you use the service, we store:

  • Invoices, line items, and invoice statuses you create or import
  • Client records you add
  • Invoice templates and branding settings you configure
  • Email logs (recipient, subject, delivery status) for invoices and reminders you send
  • An audit log of security-relevant actions (login, password change, account deletion)

We also collect limited, anonymous technical data — error reports and performance traces — via Sentry to help us fix bugs and improve reliability.

2. How We Collect Your Data

We collect data when you:

  • Register for an account
  • Connect your Notion workspace via OAuth
  • Create or import invoices, clients, or templates
  • Use or browse the application

All communication between your browser and our servers is encrypted via HTTPS/TLS.

3. How We Use Your Data

We use your data solely to:

  • Provide the Invoition service (generate PDFs, send invoices, sync with Notion)
  • Display your information when you are logged in
  • Send transactional emails: invoice delivery, payment reminders, account verification, and password resets
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your data, and we do not use it for advertising.

4. How We Store Your Data

Your data is stored in a PostgreSQL database on a private VPS hosted in the EU. Passwords are hashed using bcrypt and are never stored in plain text. Notion access tokens are encrypted at rest using AES-256 (ASP.NET Data Protection). Other fields are stored without additional field-level encryption.

Automated database backups are taken daily. We retain backups for 7 days.

5. Third-Party Services

We share data with the following sub-processors only to the extent necessary to operate the service:

  • Resend (resend.com) — email delivery. Your email address and invoice content are transmitted to Resend when you send an invoice or receive a system email.
  • Sentry (sentry.io) — error tracking. Crash reports may contain request metadata but are configured to scrub sensitive fields (passwords, tokens).
  • Notion (notion.so) — when you connect your workspace, we read and write data to the Notion databases you authorise. Invoition is independent of Notion, Inc.

6. Cookies

Invoition uses the following cookies:

  • invoition_access_token — a short-lived JWT used to authenticate your session. This is a strictly necessary cookie; the service cannot function without it.
  • invoition_refresh_token — a longer-lived token used to silently renew your session. Also strictly necessary.

We do not use advertising or tracking cookies. We do not use Google Analytics or similar third-party analytics on authenticated pages.

7. Your Data Protection Rights

Under GDPR and applicable data protection law, you have the following rights. To exercise any of them, contact us at support@invoition.app. We will respond within 30 days.

  • Right of access — request a copy of all personal data we hold about you. You can also use the Export My Data button in Settings → Account.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your account and all associated data. You can also use the Delete Account button in Settings → Account.
  • Right to restrict processing — request that we limit how we process your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format (JSON export).
  • Right to object — object to processing based on legitimate interests.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data (profile, invoices, clients, templates, email logs) is permanently deleted within 30 days. Anonymised aggregate statistics may be retained indefinitely.

9. Security

We maintain appropriate technical and organisational security measures to protect your data against loss, unauthorised access, alteration, or disclosure. These include HTTPS encryption, bcrypt password hashing, encrypted Notion tokens, rate limiting, account lockout, and audit logging.

No security measure is perfect. If you believe your account has been compromised, contact us immediately at support@invoition.app.

You are responsible for maintaining the confidentiality of your password. Do not share it with anyone.

10. Children's Privacy

Invoition is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has created an account, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or via an in-app banner. The “Last updated” date at the top of this page always reflects the current version.

12. Contact Us

For any questions about this Privacy Policy or to exercise your data rights, contact us at: support@invoition.app