GDPR & data protection
Invoicing Zone is built and operated in the European Union, under EU privacy law. This page summarises how we comply with the General Data Protection Regulation (GDPR), how to exercise your rights, and the safeguards we have in place for customers who use the Service to process their own clients' personal data.
- Controller: MB “Devsolutely”
- Company code: 304756667
- VAT number: LT100013459817
- Registered office: Kauno g. 3A, LT-01314 Vilnius, Lithuania
- Privacy contact: [email protected]
- Supervisory authority: State Data Protection Inspectorate (VDAI), Vilnius — vdai.lrv.lt
1. Our approach
Privacy and security are not bolt-ons. We apply the principles of data minimisation, purpose limitation, and privacy by design across the Service:
- we only collect personal data we need to operate the Service or meet a legal obligation;
- we host application data in the European Union;
- we use a cookie-free, EU-hosted analytics provider so visiting our website is anonymous;
- we never sell personal data and never use it for advertising;
- we give you control to access, export, correct, and delete your data at any time.
For the full picture, read our Privacy Policy and Cookie Policy.
2. Controller vs processor
Under the GDPR, the controller decides why and how personal data is processed; the processor processes data on the controller's behalf.
We are the controller
We act as controller for the personal data we collect about you as our customer: your name, email, account credentials, billing details, technical logs, and support correspondence.
You are the controller, we are your processor
When you upload the personal data of your clients, suppliers, or contacts into the Service to issue invoices to them, you are the controller of that data. We process it strictly on your documented instructions, as set out in our standard Data Processing Agreement.
3. Your rights under the GDPR
If you have a relationship with us as a customer or visitor, you have the right to:
- Access the personal data we hold about you (Article 15);
- Correct inaccurate data or complete incomplete data (Article 16);
- Delete your data when one of the GDPR grounds applies (Article 17);
- Restrict processing while a request is being verified (Article 18);
- Receive a portable copy of your data and transmit it to another provider (Article 20);
- Object to processing based on our legitimate interests (Article 21);
- Withdraw consent at any time where we have asked for it (Article 7); and
- Lodge a complaint with a supervisory authority (Article 77).
If you are a data subject whose personal data is being processed by one of our customers (for example, you received an invoice from a customer that uses Invoicing Zone) and you want to exercise these rights, please contact that customer directly — they are the controller. If you cannot reach them, we will help connect you.
4. How to make a request
The fastest way is by email. Send your request to [email protected] with:
- the right you want to exercise (access, deletion, etc.);
- the email address associated with your Invoicing Zone account (so we can verify you); and
- any additional details that help us locate the data.
We will reply within one month. Where requests are complex or numerous, we may extend this period by a further two months and will tell you why. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
5. Subprocessors and international transfers
The current list of subprocessors we engage to deliver the Service — and the safeguards applied to any data leaving the European Economic Area — is published in our Privacy Policy. We keep that list up to date and update it before adding a new subprocessor.
6. Security measures
We implement the technical and organisational measures required by Article 32 of the GDPR, including encryption in transit and at rest, strict access controls, JWT-based authentication with short-lived tokens, monitored logging, regular dependency updates, and an incident response process. See section 10 of the Privacy Policy for details.
7. Data Processing Agreement
If you are a business customer processing personal data of your own clients through the Service, you may need to sign a Data Processing Agreement (DPA) with us under Article 28 of the GDPR.
We offer a standard DPA that incorporates the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) for any transfers outside the EEA. Request a copy by emailing [email protected] from the email address associated with your account, with the legal name and registered address of your business in the request.
8. Personal data breach notification
We have an incident response process that lets us detect, contain, and assess personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the State Data Protection Inspectorate without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Article 33 of the GDPR.
If a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Article 34.
9. Data Protection Officer
At our current scale we are not legally required to appoint a Data Protection Officer under Article 37 of the GDPR. The named contact for any privacy matter is the founder of MB “Devsolutely”, reachable at [email protected].
You can also contact the State Data Protection Inspectorate of Lithuania (VDAI) directly:
VDAI
A. Juozapavičiaus g. 6, LT-09310 Vilnius, Lithuania
vdai.lrv.lt