Privacy Policy

Whatstudio PTE LTD (UEN: 202441932D), a company incorporated in Singapore, trading as InvoiceDIY (“we,” “us,” or “our”) is committed to protecting your privacy. Whatstudio PTE LTD is the data controller for personal data processed in connection with your use of the InvoiceDIY website and web application (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

This policy should be read together with our Terms of Service.

1. Information We Collect

1.1 Account Information

When you register, we collect your email address and password (stored as a secure hash by Firebase Authentication). We do not have access to your plaintext password.

1.2 Business and Profile Data

When you set up your business profile, we collect information you provide, including:

• Business name, address, website, and contact details
• Business logo and signature images
• Default currency and payment terms

1.3 Customer Data

When you add clients or customers to InvoiceDIY, we store information you enter about those third parties, including:

• Customer names, company names, and addresses
• Customer email addresses (including additional CC recipients)
• Industry information and contract documents

Important — Your role as data controller: When you store your clients’ personal data (names, email addresses, addresses) in InvoiceDIY, you are acting as an independent data controller (under GDPR) and/or an organisation collecting personal data (under Singapore’s PDPA) in your own right. InvoiceDIY acts as a data processor on your behalf for this data only. You are solely responsible for: (a) having a lawful basis or valid consent for storing your clients’ data; (b) complying with applicable data protection laws including GDPR, Singapore PDPA, CCPA, or other applicable local laws; and (c) handling any access, correction, or erasure requests from your own clients. InvoiceDIY does not accept liability for your compliance obligations as a data controller.

1.4 Invoice and Document Data

We store all invoice and document data you create, including:

• Invoice numbers, dates, and payment terms
• Line items, quantities, prices, taxes, and totals
• Document type (invoice, receipt, quote, etc.) and status
• Notes, memo fields, and custom message content
• Invoice attachments (PDFs, images, documents — Business and Enterprise plans)

1.5 Payment Information

When you subscribe to a paid plan or process payments, payment transactions are handled directly by Stripe, our third-party payment processor. InvoiceDIY does not receive, store, or process your full credit card number, CVV, or other sensitive payment card details. Stripe returns only limited metadata (e.g., subscription status, billing period, last-4 of card) which we use to manage your account.

1.6 Usage and Technical Data

When you use the Service, we may automatically collect:

• Log data (IP address, browser type, operating system, pages visited, timestamps)
• Session information (login times, device type)
• Error logs and crash reports to help us diagnose and fix issues

This technical data is used for security, debugging, and improving the Service. It is not used for behavioral advertising.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: Creating and managing your account, storing your invoices and business data, generating PDFs, and enabling all Service features.
• Sending emails on your behalf: When you use the “Send Invoice” feature, we transmit your invoice content and recipient email addresses via our email delivery system to your clients.
• Billing and subscriptions: Processing your subscription payments via Stripe, managing your plan, and sending billing notifications.
• Overdue reminders: If you are on an eligible plan, our automated system sends scheduled overdue payment reminder emails to your clients on your behalf.
• Security and fraud prevention: Monitoring for suspicious activity, enforcing single-session policies, and protecting accounts from unauthorized access.
• Service communications: Sending you important service announcements, policy updates, and security alerts. You cannot opt out of these as they are essential to the Service.
• Customer support: Responding to your requests, questions, and support tickets.
• Improving the Service: Analyzing aggregated, anonymized usage patterns to understand how the Service is used and where we can improve.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

3. Legal Bases for Processing

EEA and UK Users (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under GDPR/UK GDPR for processing your personal data:

• Contractual necessity: Processing required to provide the Service under our Terms of Service (account management, invoice storage, PDF generation, email sending).
• Legitimate interests: Security monitoring, fraud prevention, service improvement, and debugging — where our interests are not overridden by your rights.
• Legal obligation: Where processing is required to comply with applicable law.
• Consent: For any optional processing where we have obtained your explicit consent (e.g., marketing communications, if applicable).

Singapore Users (PDPA)

If you are located in Singapore, we process your personal data in accordance with the Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020 (collectively, the “PDPA”). The PDPA is administered by the Personal Data Protection Commission (PDPC).

We collect, use, and disclose your personal data on the following bases under the PDPA:

• Consent: We rely on your consent (given when you create an account and accept these policies) as the primary basis for collecting your account information and business data, and for sending you service communications. You may withdraw consent at any time by closing your account, subject to our retention obligations.
• Contractual purpose / legitimate interests: Where processing is reasonably necessary to fulfil our contract with you or to pursue our legitimate interests in operating a secure, functional service — for example, security monitoring, fraud prevention, and service improvement — provided those interests are not outweighed by your interests.
• Legal obligation: Where processing is required to comply with a Singapore law or court order, or is otherwise permitted under the PDPA’s statutory exceptions (Second and Third Schedules of the PDPA).

4. Data Storage and Security

4.1 Where Data Is Stored

Your data is stored on Google Firebase infrastructure, which operates on Google Cloud Platform. Depending on your region, data may be stored in data centres located in the United States or other countries. By using InvoiceDIY, you consent to this transfer and storage.

File uploads (logos, signatures, attachments, contract documents) are stored in Firebase Storage with access restricted to authenticated account owners. Files are not publicly accessible except via time-limited signed URLs generated for specific access scenarios (e.g., email delivery, public invoice pages).

4.2 Security Measures

We implement reasonable security measures to protect your data:

• All data is transmitted over HTTPS/TLS encryption
• Passwords are hashed and salted by Firebase Authentication (we never store plaintext passwords)
• Firestore security rules restrict access so each user can only access their own data
• Firebase Storage rules enforce authenticated access, file size limits (10MB per file), and allowed file types
• Single-session enforcement prevents concurrent unauthorized access
• Public invoice tokens are randomly generated and expire after 90 days

No method of transmission or storage over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

5. Third-Party Services and Data Processors

InvoiceDIY uses the following third-party data processors. Each processes data only as necessary to provide their services to InvoiceDIY:

6. Public Invoice Pages

When you share an invoice using the public link feature, InvoiceDIY generates a unique, time-limited URL containing a random access token. This link does not require the viewer to log in but does allow them to view the full invoice contents.

Public invoice pages may be accessed by anyone who has the link. Invoice data (including your business name, client name, line items, and totals) will be visible to that viewer.

• Public links expire automatically after 90 days
• You can revoke and regenerate the public link at any time
• No personal data about the link viewer is collected beyond standard server access logs

You are responsible for deciding whether to share a public link and with whom. Share links only with intended recipients.

7. Data Retention

We retain your data for as long as your account is active and for a reasonable period thereafter:

• Active accounts: All data is retained for the lifetime of your account
• Deleted accounts: Data is retained for 90 days following account deletion to allow recovery, then permanently deleted from all systems
• Backup data: May be retained for a short additional period in encrypted backup systems before expiry
• Server logs: Technical logs are retained for up to 90 days for security and debugging purposes
• Billing records: Payment transaction records are retained as required by applicable financial regulations (typically 7 years)

You may request deletion of your account and data at any time by contacting support@invoicediy.com. Note that billing records required for legal compliance may be retained even after account deletion. In accordance with the Singapore PDPA, we do not retain personal data for longer than is necessary to fulfil the purposes for which it was collected.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the “sale” of personal information (note: we do not sell personal information), and the right to non-discrimination for exercising your rights.

Singapore Residents (PDPA)

If you are located in Singapore, you have the following rights under the PDPA:

• Right of Access: You may request information about the personal data we hold about you and how it has been or may be used or disclosed in the past year.
• Right of Correction: You may request that we correct any personal data about you that is inaccurate, incomplete, or misleading. Most data can be corrected directly in your account settings.

We will respond to PDPA access and correction requests within 30 days. If we are unable to respond within 30 days, we will notify you and provide an estimated response date. We may charge a reasonable fee for access requests where permitted by the PDPA.

If you are not satisfied with how we handle your personal data, Singapore residents may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

To exercise any of your rights, contact us at support@invoicediy.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

9. Cookies and Local Storage

InvoiceDIY uses cookies and browser local storage for the following purposes:

• Session management: We store your session token in local storage to keep you logged in between browser sessions. This is strictly necessary for the Service to function.
• Firebase SDK: The Firebase JavaScript SDK uses cookies and local storage for authentication state persistence.

We do not use third-party advertising cookies. We do not use cookies to track your browsing across other websites.

You can control cookies through your browser settings, but disabling cookies or local storage may prevent the Service from functioning correctly, including keeping you logged in.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers (Google Firebase, Stripe) maintain their infrastructure.

For transfers of personal data from the European Economic Area (EEA) to the United States, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as provided by our data processors.

For transfers of personal data from Singapore, we comply with the cross-border transfer obligations under the Singapore PDPA. Before transferring your personal data outside Singapore, we take steps to ensure that the recipient provides a standard of protection comparable to the PDPA — either by assessing the adequacy of data protection in the destination country, or by contractual arrangements that bind the recipient to obligations equivalent to those under the PDPA (in accordance with the PDPC’s Transfer Limitation Obligation guidelines).

By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules than your country.

11. Data Breach Notification

We maintain reasonable security measures to protect your personal data. In the event of a data breach that is likely to result in significant harm to affected individuals, we will take the following steps in accordance with applicable law:

• Singapore PDPA (2021 amendment): We will notify the Personal Data Protection Commission (PDPC) within 3 business days of becoming aware of a data breach that results, or is likely to result, in significant harm to affected individuals. Where the breach meets the threshold for mandatory notification, we will also notify the affected individuals as soon as reasonably practicable.
• GDPR / UK GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, we will also notify the affected data subjects without undue delay.

If you have reason to believe that your InvoiceDIY account has been compromised, please contact us immediately at support@invoicediy.com so we can investigate and take appropriate action.

12. Children’s Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use the Service or provide any personal information to us. If we learn we have collected personal information from a child under 18, we will delete that information promptly. If you believe we may have collected information from a child, please contact us at support@invoicediy.com.

13. Do Not Track

Some browsers have a “Do Not Track” (DNT) feature that signals to websites that you do not want your online activity tracked. InvoiceDIY does not currently respond to DNT signals, as there is no industry-standard interpretation. We do not track users across third-party websites for advertising purposes.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Effective date” at the top of this page
• Post a notice in the Service or send an email to your registered address

Your continued use of the Service after a policy change constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a privacy concern, please contact us:

EEA/UK users: If you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with your local supervisory authority (e.g., the Information Commissioner’s Office in the UK, or the relevant Data Protection Authority in your EU member state).

Singapore users: If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

Whatstudio PTE LTD does not currently have a formally designated Data Protection Officer (DPO). All data protection enquiries should be directed to the email address above.