Privacy Policy
How invopage.com processes personal data.
1. Controller (Art. 4 GDPR)
Alex Kay60 Trần Phú Street
Nha Trang, Khánh Hòa 650000, Vietnam
Email: [email protected]
2. What we process
Server access logs
IP, timestamp, request URL, HTTP status, referrer, user agent. Logs rotated daily, last 14 days kept. Legal basis: Art. 6(1)(f) GDPR.
Invoice / receipt / purchase-order form data
The free generator is browser-side: data you type into the invoice / receipt / purchase-order form (your name, address, customer details, line items, totals, tax data, bank info) is sent to the server only when you click "Download PDF" so that we can render the PDF for you. After the PDF is sent back, the form data is not persisted in any database. We do not retain copies of generated invoices on our servers. Legal basis: Art. 6(1)(b) GDPR (contract for the PDF render).
PDF Generation API (paid plans)
API customers create an account (email, hashed password). API requests sending HTML or template payloads are processed in-memory and the rendered PDF is returned in the response; payloads are not persisted beyond the request. We log API request metadata (timestamp, endpoint, status, byte size, customer ID) for billing and abuse prevention - 90 days. Legal basis: Art. 6(1)(b) GDPR.
Stripe payments
Paid plans are processed by Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA) as an independent controller. Stripe receives your card data directly; we store only the Stripe customer ID, last 4 digits and subscription status. Stripe privacy: stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR.
Analytics (Umami, self-hosted)
Self-hosted, cookieless Umami. Aggregated data only. Legal basis: Art. 6(1)(f) GDPR.
Error tracking (Sentry / GlitchTip)
Self-hosted GlitchTip at errors.alexkay.dev. Stack trace, request URL, IP and (for API customers) customer ID may be transmitted on errors. Retention 90 days. Legal basis: Art. 6(1)(f) GDPR.
3. Third-country transfers
VPS server outside the EU. Stripe is US-based. Transfers rely on Art. 49(1)(b) GDPR and the EU-U.S. Data Privacy Framework where applicable.
4. Your rights (Art. 15-22 GDPR)
- Access (Art. 15), Rectification (16), Erasure (17), Restriction (18), Portability (20), Objection (21), Withdraw consent at any time
Email [email protected]. You may also lodge a complaint with a supervisory authority (Art. 77 GDPR).
5. Retention
Server logs: 14 days. Invoice form data: not persisted. API request logs: 90 days. Account + Stripe data: until account deletion (10 years for tax-required records). Analytics: 12 months. Error events: 90 days.
6. Cookies
No tracking cookies. Only a strictly-necessary session cookie (consent-exempt under § 25(2) TTDSG / EU ePrivacy Directive).