Privacy Policy
This Privacy Policy explains how MB “Devsolutely” (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use Invoicing Zone. We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the Law on Legal Protection of Personal Data of the Republic of Lithuania.
- Controller: MB “Devsolutely”
- Company code: 304756667
- VAT number: LT100013459817
- Registered office: Kauno g. 3A, LT-01314 Vilnius, Lithuania
- Privacy contact: [email protected]
- Supervisory authority: State Data Protection Inspectorate (VDAI), Vilnius, Lithuania
1. Scope of this policy
This policy applies to personal data we process in connection with:
- the public website at invoicing.zone and its subdomains;
- your use of the Invoicing Zone web application, including account features, invoicing, dashboards, and PDF generation;
- email and other communications we send you about the Service; and
- information sent by recipients of invoices we deliver on your behalf (for example, when a recipient opens an invoice email and a delivery webhook is generated).
It does not apply to third-party websites linked from our Service, which have their own privacy practices and policies.
2. Our role and yours
When we are the controller
We act as data controller for personal data we collect about you directly — for example, your name, email, account credentials, payment information (if you ever become a paying customer), support correspondence, and technical logs.
When we are a processor on your behalf
We act as data processor for personal data you upload into the Service and process under your own responsibility — for example, the names, addresses, VAT numbers, and email addresses of your clients, suppliers, or contacts. In this context, you are the controller of that data. We process it only on your documented instructions, as further described in our standard Data Processing Agreement available on request from [email protected].
3. Personal data we collect
Account data
Email address, first and last name, hashed password, preferred language, account creation date, and any avatar or profile data you provide.
Billing identity data
The information you store about the company or sole-trader identity you bill under, including business name, registration code, VAT number, addresses, bank details (IBAN, bank name, SWIFT/BIC), logo, and accent colour.
Customer Content
Data you upload into the Service about your clients, suppliers, products, invoices, recurring templates, purchase orders, and payments. This may include names, addresses, VAT numbers, email addresses, phone numbers, free-form notes, and historical financial records.
Communications
Emails you send us, support tickets, in-app messages, and metadata about emails the Service sends on your behalf (sender, recipient, subject, send status, open/click webhooks from our email provider).
Technical data
Logs of how the Service is used: IP address, browser type and version, operating system, device type, referrer URL, pages visited, timestamps, language preferences, and error traces. We also store the JWT access and refresh tokens that authenticate your session.
Cookies and local storage
Strictly necessary cookies and similar storage we use to keep you signed in and remember your interface preferences. See our Cookie Policy for the full list.
4. Where we get personal data from
- Directly from you when you create an account, configure billing identities, upload data, send invoices, or contact support.
- Automatically from your device and browser when you use the Service, through server logs and error monitoring.
- From third parties acting on your behalf, for example email delivery webhooks reporting that a recipient has opened or clicked an invoice email.
5. Why we use personal data and our legal basis
We only process personal data where we have a lawful basis under Article 6 of the GDPR. The table below summarises the main purposes, the data involved, and the legal basis.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Create your account, sign you in, and operate the Service | Account data, billing identity data, technical data | Performance of a contract (Art. 6(1)(b)) |
| Render invoices and deliver them to recipients you designate | Customer Content, communications metadata | Performance of a contract (Art. 6(1)(b)) |
| Keep the Service secure, prevent fraud and abuse, monitor errors | Technical data, logs, communications | Legitimate interests (Art. 6(1)(f)) — keeping the Service safe and reliable |
| Send service announcements (security, downtime, terms changes) | Account data, communications metadata | Legitimate interests (Art. 6(1)(f)); performance of contract for breach notifications |
| Provide customer support | Account data, communications | Performance of a contract (Art. 6(1)(b)) |
| Comply with tax, accounting, anti-money-laundering, and other legal obligations | Account data, billing data, Customer Content | Compliance with a legal obligation (Art. 6(1)(c)) |
| Defend or bring legal claims | Account data, Customer Content, communications | Legitimate interests (Art. 6(1)(f)) |
| Aggregated, non-identifying analytics about Service usage | Technical data | Legitimate interests (Art. 6(1)(f)) — improving the Service |
We do not sell your personal data and we do not use it for advertising purposes.
7. Subprocessors
We engage the following subprocessors to provide the Service. The list is up to date as of the “Last updated” date at the top of this page; we will update it before adding a new subprocessor or changing the location of an existing one. If you have signed our Data Processing Agreement, you can request to be notified of subprocessor changes.
| Subprocessor | Purpose | Processing location | Safeguards |
|---|---|---|---|
| Salesforce (Heroku) | Application hosting, database, file storage | European Union | EU region selected; data processing addendum and Standard Contractual Clauses where applicable |
| ActiveCampaign (Postmark) | Transactional email delivery | United States | EU Standard Contractual Clauses (2021); data minimisation (we share only what is needed to send a specific email) |
| Functional Software (Sentry) | Error tracking and performance monitoring | European Union (Frankfurt region) | EU hosting; PII scrubbing enabled in our SDK configuration; data processing addendum |
| Plausible Insights | Privacy-friendly, cookie-free website analytics | European Union (Germany) | EU hosting; no cross-site tracking; no cookies or personal identifiers stored |
Each subprocessor is bound by a written agreement that imposes data protection obligations no less protective than those in this policy and the GDPR.
8. International transfers
We aim to keep personal data within the European Economic Area (EEA). Where a transfer to a country outside the EEA is necessary — for example, certain email delivery routes — we rely on safeguards permitted by Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and any supplementary technical and organisational measures required by the relevant supervisory authority. Where a country has been recognised by the European Commission as offering an adequate level of protection, we rely on that adequacy decision.
You can request a copy of the safeguards in place by emailing [email protected].
9. How long we keep your data
We keep personal data only as long as needed for the purposes set out above. The main retention periods are:
| Data category | Retention period |
|---|---|
| Active account data and billing identities | For the duration of your account |
| Closed account data | Deleted within 30 days of account closure, except where longer retention is required by law |
| Invoices and accounting records you have generated | 10 years from the end of the calendar year of issue, in line with Lithuanian accounting and tax law (you should export and store these independently before closing your account) |
| Technical and security logs | Up to 12 months, unless retained longer to investigate a specific incident |
| Support and email correspondence | Up to 3 years from your last interaction with us |
| Aggregated, non-identifying analytics | Indefinitely (no individual is identifiable) |
After a retention period ends, we securely delete or anonymise the data.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- encryption in transit (TLS 1.2 or higher) for all traffic between your browser and our servers;
- encryption at rest for primary databases and backups;
- industry-standard password hashing (PBKDF2/Argon2) for stored credentials;
- scoped JSON Web Tokens with short access lifetimes and refresh rotation;
- strict access controls for our team based on least privilege and role-based authorisation;
- regular software updates and dependency monitoring;
- logging and monitoring of administrative actions; and
- incident response procedures with breach notification obligations under Articles 33 and 34 of the GDPR.
No system is fully secure. If you become aware of a security issue, please report it immediately to [email protected].
11. Your rights
You have the following rights under the GDPR:
- Access (Article 15) — confirm whether we process your personal data and obtain a copy of it.
- Rectification (Article 16) — correct inaccurate personal data or complete incomplete personal data.
- Erasure (Article 17) — ask us to delete your personal data where one of the grounds in the GDPR applies. You can also close your account at any time, which triggers deletion subject to statutory retention.
- Restriction (Article 18) — ask us to limit how we process your data while a request is being verified.
- Portability (Article 20) — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller. You can also export your invoices as PDF directly from the Service.
- Objection (Article 21) — object to processing based on our legitimate interests.
- Withdraw consent (Article 7) — where we rely on consent, you can withdraw it at any time without affecting prior processing.
- Complaint (Article 77) — lodge a complaint with the State Data Protection Inspectorate of Lithuania (VDAI) at vdai.lrv.lt or with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.
12. How to exercise your rights
You can update your profile and password directly from the Account settings in the Service, and you can close your account from the same screen.
To exercise any other right, contact us at [email protected]. We may ask you for information to verify your identity before acting on the request, especially where the request relates to data linked to a specific account.
We will respond within one month of receiving your request. Where requests are complex or numerous, we may extend this period by a further two months and will tell you why.
13. Automated decisions
We do not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you. We do not engage in profiling.
14. Children
The Service is not directed at people under 16 years old, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect new features, changes in law, or changes in our practices. The current version is always available at invoicing.zone/legal/privacy and the “Last updated” date at the top is changed accordingly. For material changes, we will notify you by email or in-app message at least 30 days before they take effect.
16. Contact
For any privacy question, request, or concern, contact us at:
MB “Devsolutely” — Privacy
Kauno g. 3A, LT-01314 Vilnius, Lithuania
Email: [email protected]
You always have the right to lodge a complaint with a supervisory authority — in particular the State Data Protection Inspectorate of Lithuania (VDAI, A. Juozapavičiaus g. 6, LT-09310 Vilnius, vdai.lrv.lt), or in the EU member state of your residence or place of work — if you consider that the processing of your personal data infringes the GDPR.