Privacy Policy
Last updated: 26 March 2026
1. Data Controller
The controller responsible for the processing of your personal data is:
- Name: TradeInvoice (operated by Vlad Mazilu Alexandru)
- Address: Veen, Netherlands
- Email: support@tradeinvoice.app
2. Data We Collect and Legal Basis
Under Article 6 of the GDPR, we process personal data based on the following legal grounds:
- Account registration (email, name)
  Legal basis: Art. 6(1)(b) - necessary for the performance of the contract (providing the invoicing service).
- Business details (company name, address, KVK number, BTW/VAT number)
  Legal basis: Art. 6(1)(b) - necessary for the performance of the contract (generating invoices with your business information).
- Invoice data (client names, emails, addresses, line items, amounts)
  Legal basis: Art. 6(1)(b) - necessary for the performance of the contract (creating and sending invoices).
- Payment processing (email, subscription status)
  Legal basis: Art. 6(1)(b) - necessary for the performance of the contract (managing your subscription).
- Email notifications (invoice delivery, payment reminders)
  Legal basis: Art. 6(1)(b) - necessary for the performance of the contract (delivering invoices and reminders on your behalf).
- Security logging (IP addresses, login attempts, security events)
  Legal basis: Art. 6(1)(f) - legitimate interest in maintaining the security of our service and protecting user accounts.
- Session cookie
  Legal basis: Art. 6(1)(b) - strictly necessary for authentication and keeping you logged in.
3. Third-Party Processors
We share personal data with the following third-party processors, solely to operate the service:
- Vercel Inc. (USA)
  Purpose: Hosting and deployment of the application.
  Data processed: All application data transmitted through the platform.
  EU data region available.
- Neon Inc. (USA)
  Purpose: PostgreSQL database hosting.
  Data processed: All stored user data, invoice data, and client data.
  Database hosted in EU region (eu-west-2).
- Stripe Inc. (USA)
  Purpose: Subscription payment processing.
  Data processed: Email address, subscription status. We do not store credit card details.
  PCI DSS compliant. Certified under the EU-US Data Privacy Framework.
- Resend Inc. (USA)
  Purpose: Transactional email delivery (magic links, invoices, reminders).
  Data processed: Email addresses, invoice details included in emails.
- Cloudflare Inc. (USA)
  Purpose: CAPTCHA and bot protection (Cloudflare Turnstile).
  Data processed: IP address, browser information.
  Certified under the EU-US Data Privacy Framework.
4. International Data Transfers
Some of our third-party processors are based in the United States. Transfers of personal data to these processors are protected under the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that all international transfers provide an adequate level of data protection as required by the GDPR.
5. Data Retention
- Active accounts: Your data is retained for as long as your account remains active.
- Deleted accounts: Upon account deletion, your personal data is deleted within 30 days.
- Invoice records: Invoice data may be retained for up to 7 years as required by Dutch fiscal law (Belastingdienst).
- Security logs: Retained for 12 months, then automatically deleted.
- Session data: Deleted on logout or after 90 days of inactivity.
6. Your Rights Under GDPR (Articles 15-22)
As a data subject, you have the following rights:
- Right of access (Art. 15) - You can export a copy of all your personal data from the Settings page.
- Right to rectification (Art. 16) - You can edit your personal and business details at any time in Settings.
- Right to erasure (Art. 17) - You can delete your account and all associated data from Settings.
- Right to restriction of processing (Art. 18) - Contact us at support@tradeinvoice.app to request restriction of processing.
- Right to data portability (Art. 20) - You can export all your data as a machine-readable JSON file from Settings.
- Right to object (Art. 21) - Contact us at support@tradeinvoice.app to object to any processing based on legitimate interest.
We will respond to all data subject requests within 30 days as required by the GDPR.
7. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can reach them at autoriteitpersoonsgegevens.nl.
8. Cookies
We use one strictly necessary session cookie for authentication. This cookie keeps you logged in and is essential for the service to function. It does not track you across websites.
We do not use analytics cookies. We do not use tracking cookies. We do not use advertising cookies.
Stripe may load scripts on pages where payment functionality is used, solely for the purpose of processing payments securely.
9. Security
We implement appropriate technical and organisational measures to protect your personal data. These include encryption in transit (TLS), rate limiting, CAPTCHA protection, input sanitisation, OWASP-recommended security headers, and secure session management. While no method of electronic storage is entirely secure, we take reasonable steps to protect your data against unauthorised access, alteration, or destruction.
10. Children
TradeInvoice is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@tradeinvoice.app and we will delete it promptly.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email. Continued use of the service after changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For any questions about this privacy policy or your personal data, contact us at support@tradeinvoice.app.