Privacy policy

Last updated: April 8, 2026

1. Data controller

The controller responsible for the processing of personal data collected through ininvoice.com is:

2. Data we collect

We collect the following personal data:

2.1. Data provided directly by the user

  • Waitlist and registration: name, email, company name and role.
  • Communications: data included in emails you send us.

2.2. Service data (registered users)

  • Connected email: we access your Gmail or Outlook account in read-only mode to extract invoices, purchase orders and delivery notes from email attachments.
  • Processed documents: invoices, purchase orders and delivery notes that the system extracts, classifies and reconciles.
  • Reconciliation data: three-way matching results (variances, risk scores, approval statuses).

2.3. Technical data

  • Web analytics: we use PostHog to analyze website usage. We collect data such as pages visited, visit duration and device type. Passwords are always masked.
  • Cookies: we use technical cookies necessary for the operation of the site. We do not use advertising or third-party tracking cookies for advertising purposes.

3. Purpose of processing

We process your personal data for the following purposes:

  • Manage your registration and user account.
  • Provide the automatic invoice reconciliation service.
  • Process financial documents (invoices, purchase orders, delivery notes) received in your email.
  • Send you service-related communications (variance notifications, duplicate alerts, product updates).
  • Improve the product through aggregated and anonymized usage analysis.
  • Comply with applicable legal obligations.

4. Legal basis for processing

  • Performance of the contract (art. 6.1.b GDPR): to provide the contracted service.
  • Consent (art. 6.1.a GDPR): for sending commercial communications and waitlist registration.
  • Legitimate interest (art. 6.1.f GDPR): to improve the product and prevent fraud.
  • Legal obligation (art. 6.1.c GDPR): to comply with tax and data protection regulations.

5. Email access

When you connect your Gmail or Outlook account, ininvoice accesses it exclusively in read-only mode. This means that:

  • We only read emails that contain attachments likely to be financial documents (PDF, images, XML).
  • We do not send emails on your behalf.
  • We do not modify or delete any email.
  • We do not access the content of emails that do not contain financial attachments.
  • You can revoke access at any time from your Google or Microsoft account settings.

6. Storage and security

  • Location: all data is stored on European Union servers (Frankfurt, Germany), provided by Supabase (AWS eu-central-1 infrastructure).
  • Encryption: data is transmitted encrypted via TLS 1.3 and stored encrypted at rest (AES-256).
  • Authentication: two-factor authentication (2FA/TOTP) is mandatory for all users.
  • Access: access to the data is restricted to authorized personnel via Row Level Security (RLS) policies that ensure per-user isolation.

7. Data retention

  • Account data: while the account is active and for an additional 30 days after cancellation.
  • Processed documents: while the account is active. Deleted within 30 days of cancellation, unless a legal retention obligation applies.
  • Waitlist data: up to 12 months from registration or until you request deletion.
  • Analytics data: 90 days in PostHog, anonymized afterwards.

8. Disclosure of data to third parties

We do not sell or share your personal data with third parties for commercial purposes. Data may be disclosed to:

  • Supabase Inc.: database and infrastructure provider (EU servers).
  • Google LLC / Microsoft Corp.: for OAuth authentication of your email account (access tokens only).
  • PostHog Inc.: web analytics (EU servers).
  • Cal.com Inc.: appointment and demo management.
  • Competent authorities: when a legal obligation exists.

9. International transfers

Your data is stored in the European Union. Where any subprocessor is based outside the EU (Google, Microsoft, PostHog), transfers are covered by the Standard Contractual Clauses (SCC) approved by the European Commission or by an adequacy decision of the destination country.

10. User rights

Under the GDPR, you have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Restriction: restrict processing under certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email hola@ininvoice.com. We will respond within a maximum of 30 days.

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

11. Modifications

We reserve the right to update this privacy policy. Any material change will be communicated by email to registered users and indicated on this page with the date of the last update.

12. Contact

For any inquiries related to the privacy of your data: