Privacy Policy

Last updated: April 17, 2026

RD MindMedia LTD, operating under the brand InvoPulse, ("we", "us") takes the protection of your personal data seriously. This policy explains what data we collect, why, and how we protect it.

Data Controller

RD MindMedia LTD, Anemonis 218c, 8560 Peyia, Cyprus. For privacy inquiries: hello [at] invopulse.io

Data We Collect

We collect the minimum data necessary to provide our service:

  • Account data: email address and password (hashed)
  • Company details: name, address, tax number, bank details (entered by you for invoicing)
  • Customer data: names, addresses, VAT IDs (entered by you for your invoices)
  • Invoice data: invoices, quotes, credit notes, order confirmations, delivery notes - including amounts, dates, and line items (created by you)
  • Time tracking data: tracked hours, descriptions, dates, associated projects
  • Product catalog: product/service names, prices, units, tax rates
  • Recurring invoices: templates, schedules, auto-send preferences
  • Incoming invoices: uploaded documents, parsed data (sender, amounts, dates)
  • Email delivery log: recipient addresses, delivery status, timestamps
  • Customer credits: credit balances, applications, refund history
  • Dunning notices: payment reminders, dunning levels, interest calculations, fee amounts
  • Receipts: uploaded invoices and receipts including extracted data (vendor name, VAT ID, amount, date, category) - AI analysis only with active consent
  • Bank transactions: imported bank statements (date, amount, counterpart, IBAN, reference, FX rate) for matching against invoices/receipts
  • Learned patterns: categorization rules derived from your accounting history (counterpart → category, private/business) to automate routine bookkeeping
  • Month-close log: timestamps, actor, reason, and statistics for closed months (GoBD/audit trail)
  • Tax-period snapshots: frozen data sets at the moment a tax filing is submitted (VIES, VAT pre-declaration)
  • Usage data: login timestamps, feature usage for service improvement

Automated decision-making

InvoPulse contains automated processing that can make changes to your bookkeeping data without an explicit review step (Art. 13(2)(f) GDPR): auto-matching of bank transactions to invoices/receipts when AI confidence ≥ 0.85; automatic application of learned patterns (category, private/business) on counterpart hits; automatic extraction of receipt data (vendor, amount, date) from uploaded documents. You can undo any assignment manually at any time (UI buttons 'Unlink', 'Change category'). These automations have no legal effect on third parties (Art. 22(1) GDPR does not apply). The detailed logic is documented in our Data Protection Impact Assessment (DPIA), available on request at hello [at] invopulse.io.

Cloud Storage Intelligence (Add-on)

When you activate the Cloud Storage Intelligence add-on, we process additional data:

  • Connection credentials: Your cloud server URL, username, and app password are encrypted using AES-256-GCM and stored securely. Credentials are never logged or transmitted unencrypted.
  • File metadata: We periodically synchronize metadata from your cloud storage, including file names, paths, sizes, modification dates, and content types. Actual file contents are not stored on our servers.
  • Auto-filing: When enabled, invoice PDFs are automatically uploaded to your connected cloud storage using your configured folder structure.
  • AI document analysis: When enabled, document content may be sent to our AI processing partner (Anthropic, United States) for classification, data extraction (vendor names, amounts, dates), and smart rename suggestions. AI processing is optional and only activated when you explicitly enable it.
  • Data retention: Cloud connection data is retained as long as the connection exists. You can delete connections at any time. All cloud-related data is permanently removed within 14 days of account deletion.
  • Your cloud server: InvoPulse connects to the cloud server you specify. If your server is located outside the European Economic Area (EEA), your data may be transferred internationally. You are responsible for the location and compliance of your own cloud server.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - you purchase and configure this add-on.

Legal Basis

We process your data based on: (a) contract performance (Art. 6(1)(b) GDPR) for providing our service, (b) legitimate interest (Art. 6(1)(f) GDPR) for security and service improvement, and (c) your consent (Art. 6(1)(a) GDPR) where explicitly given.

Hosting & Data Processing

Our application runs on infrastructure within the European Union. All data is stored and processed in EU data centers.

Sub-Processors

We use the following third-party services to operate InvoPulse:

| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication, File Storage | EU (Frankfurt) |
| Vercel | Application Hosting | EU (Frankfurt) |
| Resend | Transactional Email Delivery | US (EU DPA) |
| Stripe | Payment Processing | EU/US (EU DPA) |
| Sentry | Error Monitoring, Performance Tracking & Session Replay | US (EU DPA, SCCs) |
| Cloudflare | Bot Protection (Turnstile CAPTCHA) | Global (EU DPA, SCCs) |
| Upstash | Rate Limiting (Redis) | EU (Frankfurt) |
| Anthropic | AI analysis (receipt scanner, bank matching, document analysis) - only with consent | USA (EU-US Data Privacy Framework, Art. 45 GDPR + consent Art. 6(1)(a)) |
| Hostinger | PDF rendering (Gotenberg service) + encrypted backup storage (disaster recovery) | EU (Frankfurt) |
| Umami (self-hosted on Vercel) | Anonymous Usage Analytics | EU (Frankfurt) |

Usage Analytics (Umami)

With your consent, we use Umami, a privacy-focused, self-hosted analytics tool, to collect anonymous usage statistics (page views, referrers, browser/OS, screen resolution). Umami does not use cookies, does not collect personal data, and IP addresses are never stored. All data is aggregated and cannot be traced back to individual users. Analytics are only activated when you have given consent via the cookie banner. You can withdraw your consent at any time.

Session Replay (Sentry)

We use Sentry Session Replay to record anonymized user interactions (clicks, navigation, scrolling) for debugging purposes. All text and user input is masked by default, and no personal data is captured. Session replays are only activated when you have given consent via the cookie preferences panel. You can withdraw your consent at any time by clicking 'Cookie Preferences' in the footer.

Email Delivery Tracking

Email tracking pixels are disabled for all emails sent through InvoPulse. Delivery status information (e.g., delivered, bounced) is provided by our email provider (Resend) via webhook notifications without embedding tracking pixels in emails. No personal browsing data of your recipients is collected. If you use your own SMTP server, email delivery is handled entirely by your server.

International Data Transfers

Some of our sub-processors (Resend, Stripe, Sentry, Cloudflare, Anthropic) process data in the United States or globally. Upstash, Hostinger, and Umami Analytics process data exclusively within the EU. For US transfers we rely primarily on the EU-US Data Privacy Framework adequacy decision of 10 July 2023 (Art. 45 GDPR), supplemented by EU Standard Contractual Clauses (SCCs, Art. 46(2)(c) GDPR). Anthropic processes data only when the user has granted AI consent (additionally Art. 6(1)(a) GDPR). You may request a copy of the safeguards at hello [at] invopulse.io.

Cookies

We only use strictly necessary cookies for authentication, language preferences, and bot protection (Cloudflare Turnstile may set cookies such as cf_clearance). Our analytics tool (Umami) is completely cookie-free and does not set any cookies. We do not use tracking or advertising cookies.

The following cookies may be set by InvoPulse:

| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| sb-* | Authentication session (Supabase) | Session | Strictly necessary |
| i18n_lang | Language preference | 1 year | Strictly necessary |
| ip-consent-analytics | Records your consent choice for anonymous usage analytics (Umami) | 1 year | Functional |
| ip-consent-replay | Records your consent choice for session replay used in error diagnostics (Sentry, EU) | 1 year | Functional |

Data Retention

We retain your data for as long as your account is active. After account deletion, all your data is permanently removed within 14 days. Please note: If applicable tax laws require you to retain invoice records (e.g., up to 8 years in Germany, up to 8 years in Cyprus), it is your responsibility to export and archive your data before deleting your account.

We reserve the right to terminate accounts after extended periods of inactivity, with reasonable prior notice via email to allow you to export your data.

Email sending metadata (recipient address, subject line, delivery status) is retained for the duration of your account. Email body content is automatically purged after 30 days.

Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Restrict processing of your data
  • Object to data processing
  • Withdraw consent at any time

To exercise these rights, contact us at hello [at] invopulse.io.

Supervisory Authority

You have the right to lodge a complaint with the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy) or your local data protection authority.

Contact Form

When you use our contact form, we collect your name, email address, subject, and message content. This data is processed to respond to your inquiry (Art. 6(1)(f) GDPR - legitimate interest). Your message is forwarded to our team via our email provider (Resend). The message contents themselves are not stored in a database - they remain in our email inbox and are deleted when no longer needed for correspondence. To fulfill our consent-proof obligation under Art. 7(1) GDPR we additionally store pseudonymized records (salted SHA-256 hashes of email and IP, the language used, and the version of our privacy policy at the time of consent) for 3 years - no plaintext PII.

Rate Limiting

To protect our service from abuse, we use pseudonymized (salted SHA-256 hashed) IP addresses for rate limiting via Upstash Redis. These hashed values expire automatically within 60 seconds and cannot be traced back to individual users.

Data Protection Officer

RD MindMedia LTD is not required to designate a Data Protection Officer under Art. 37 GDPR. For all data protection inquiries, please contact us at hello [at] invopulse.io.

Changes to This Policy

We may update this policy from time to time. The date at the top of this page indicates the last revision. We encourage you to review this policy periodically. For significant changes that affect your rights, we will notify registered users via email.

Privacy Contact

hello [at] invopulse.io

© 2026 RD MindMedia LTD · Cyprus · HE 489041