Privacy Policy

1. Controller

The controller responsible for the processing described here is:

Dreamstack Media Limited, 56 Daly Street, Belize City, Belize District, Belize. Company Registration No. 000052397. Director: Stefano Sordini.

Privacy contact: [email protected].

2. Representative in the European Union (Art. 27 GDPR)

As we are established outside the EU and offer the Service to data subjects in the European Union, we have designated a representative in the EU pursuant to Art. 27 GDPR. Data subjects and supervisory authorities may contact our EU representative on all matters relating to the processing of their data:

[EU REPRESENTATIVE — name, postal address within the EU and email to be inserted before go-live].

3. Overview of the processing

Categories of data subjects: our users (account holders and invited team members), and the clients and contacts whose details our users enter into the Service.

Categories of data: account and login data, technical and security data, the business content you enter (companies, customers, invoices), and — only if you enable the respective feature — data sent to connected email providers or to our AI address-assistance provider.

Purposes: providing and securing the Service, performing our contract with you, and the features you actively use. Legal bases are stated in each section below.

4. Account and registration data

When you register we process your username, email address and password. Passwords are never stored in plain text — only as a salted bcrypt hash.

New accounts are reviewed and activated by us before first login. Legal basis: Art. 6(1)(b) GDPR (performance of the usage agreement).

5. Server and security data

To keep the Service secure we process technical data: a login session is maintained via a session cookie, and for each session we store your IP address, browser user-agent and timestamps. We apply login throttling and temporary lockouts after repeated failed attempts, and we keep an internal audit log of administrative actions.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in the secure, abuse-resistant operation of the Service).

6. Your business content (companies, customers, invoices)

The Service stores the business content you enter: your own company master data, your customers (including their names, addresses, email addresses, phone numbers, VAT/tax IDs and notes), and your invoices, quotes and credit notes.

Where this content contains personal data of your own clients and contacts, you are the controller for that data and we act as your processor, processing it only on your instructions. A data processing agreement (DPA) pursuant to Art. 28 GDPR is available on request.

Legal basis: Art. 6(1)(b) GDPR (performance of our contract with you) and your instructions as controller.

7. Google user data (Gmail API)

If you choose to connect a Google account to send your invoices by email, we request a single, send-only scope: https://www.googleapis.com/auth/gmail.send. We use this access exclusively to send emails — the invoices and related documents that you initiate from within the Service — on your behalf.

We do not read, list, search, download or store the contents of your mailbox. The gmail.send scope does not grant, and we do not request, any such access.

We store the OAuth access token and refresh token issued by Google, together with the email address of the connected account, encrypted at rest using AES-256-GCM. We do not store the content of sent emails after they have been delivered.

We do not sell or transfer your Google user data to third parties (except as necessary to provide the sending feature, for security, or to comply with applicable law), we do not use it for advertising, we do not allow humans to read it, and we do not use it to develop, improve or train generalized artificial-intelligence or machine-learning models.

InvoDash’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The policy is available at https://developers.google.com/terms/api-services-user-data-policy#limited-use.

You can disconnect the Google account at any time in the Service settings; when you disconnect, the stored tokens are deleted from our systems. You can additionally revoke access at https://myaccount.google.com/permissions.

8. Microsoft user data (Outlook / Microsoft 365)

If you connect a Microsoft account instead, we request the send-only scope “Mail.Send” via Microsoft Graph and use it solely to send your invoices on your behalf. We do not read or store your mailbox contents.

The OAuth tokens and the connected email address are stored encrypted at rest (AES-256-GCM) and are used only for sending. You can disconnect in the Service settings — which deletes the stored tokens from our systems — and revoke access in your Microsoft account security settings.

9. AI address assistance (Anthropic, USA)

InvoDash offers an optional feature that turns an address you paste into structured fields. If you use it, the pasted text — which may include a name, postal address, VAT ID, email address or phone number — is sent to our processor Anthropic, PBC (United States) to extract the structured fields, and is returned to us. The text is not retained by us beyond the request, and Anthropic does not use API inputs to train its models.

If the feature is unavailable or fails, a local parser is used instead and no data leaves our servers. The feature is optional; you do not have to use it.

Because Anthropic is located in the United States, this involves a transfer to a third country. The transfer is safeguarded by the EU Standard Contractual Clauses (SCCs). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a convenient data-entry aid).

10. Transactional email (password reset)

If you request a password reset, we send a one-time reset link to your registered email address via our own SMTP server. This is necessary to operate the account-recovery function (Art. 6(1)(b) and (f) GDPR).

11. Cookies

We only use strictly necessary and functional cookies; we do not use tracking or advertising cookies, and therefore no consent banner is required.

session_token — your authenticated login session (strictly necessary). locale — your selected language. active_workspace / active_company — which workspace and company are currently active. mail_oauth_state — short-lived CSRF protection during the email-connection flow. impersonating — set only while a support session accesses your account, and recorded in our audit log.

12. Hosting and fonts

The Service is hosted on servers located in Germany (EU). Our hosting provider is Hostinger International Ltd (registered in Cyprus, operations in Lithuania — within the EU), acting as our processor under a data processing agreement. No third-country transfer takes place for hosting.

Web fonts (Geist) are self-hosted. The only external request made by the public site is to a content delivery network (jsdelivr) to fetch a font used to render the social-share preview image; this request transmits no personal data.

13. Retention and deletion

We retain personal data for as long as your account exists. You can delete your account at any time in the settings; deletion permanently and cascadingly removes your data, including invoices, customers, connected mail credentials, sessions and team memberships.

Login session records expire after 7 days. Some content may be retained longer where a statutory retention obligation applies (for example, retention periods for invoices).

14. Your rights

You have the right to access your data and to rectification, erasure, restriction of processing, data portability and objection, and the right to lodge a complaint with a competent supervisory authority. You can also export your invoices and customers at any time from within the Service.

Providing your account data is necessary to enter into and perform the agreement; without it we cannot provide the Service. Where any processing is based on your consent, you may withdraw that consent at any time with effect for the future.

Rights by region: if you are in the EU/EEA the GDPR applies; if you are in the United Kingdom the UK GDPR applies; if you are a California resident, the CCPA/CPRA gives you the right to know, delete and correct your personal information and to opt out of its “sale” or “sharing” — we do not sell or share personal information.

To exercise any right, contact [email protected].

15. No tracking, no automated decision-making

We do not use analytics, tracking or advertising tools, and we do not carry out automated decision-making producing legal effects, nor profiling.

16. Contact and changes to this policy

For any privacy matter, contact [email protected]. We may update this Privacy Policy to reflect changes to the Service or the law; the current version and its date are shown above.