Privacy Policy

RD MindMedia LTD, operating under the brand InvoPulse, ("we", "us") takes the protection of your personal data seriously. This policy explains what data we collect, why, and how we protect it.

Data Controller

RD MindMedia LTD, Anemonis 218c, 8560 Peyia, Cyprus. For privacy inquiries: hello [at] invopulse.io

Data We Collect

We collect the minimum data necessary to provide our service:

• Account data: email address and password (hashed)
• Company details: name, address, tax number, bank details (entered by you for invoicing)
• Customer data: names, addresses, VAT IDs (entered by you for your invoices)
• Invoice data: invoices, quotes, credit notes, order confirmations, delivery notes - including amounts, dates, and line items (created by you)
• Time tracking data: tracked hours, descriptions, dates, associated projects
• Product catalog: product/service names, prices, units, tax rates
• Recurring invoices: templates, schedules, auto-send preferences
• Incoming invoices: uploaded documents, parsed data (sender, amounts, dates)
• Email delivery log: recipient addresses, delivery status, timestamps
• Customer credits: credit balances, applications, refund history
• Dunning notices: payment reminders, dunning levels, interest calculations, fee amounts
• Usage data: login timestamps, feature usage for service improvement

Cloud Storage Intelligence (Add-on)

When you activate the Cloud Storage Intelligence add-on, we process additional data:

• Connection credentials: Your cloud server URL, username, and app password are encrypted using AES-256-GCM and stored securely. Credentials are never logged or transmitted unencrypted.
• File metadata: We periodically synchronize metadata from your cloud storage, including file names, paths, sizes, modification dates, and content types. Actual file contents are not stored on our servers.
• Auto-filing: When enabled, invoice PDFs are automatically uploaded to your connected cloud storage using your configured folder structure.
• AI document analysis: When enabled, document content may be sent to our AI processing partner (Anthropic, United States) for classification, data extraction (vendor names, amounts, dates), and smart rename suggestions. AI processing is optional and only activated when you explicitly enable it.
• Data retention: Cloud connection data is retained as long as the connection exists. You can delete connections at any time. All cloud-related data is permanently removed within 14 days of account deletion.
• Your cloud server: InvoPulse connects to the cloud server you specify. If your server is located outside the European Economic Area (EEA), your data may be transferred internationally. You are responsible for the location and compliance of your own cloud server.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - you purchase and configure this add-on.

Legal Basis

We process your data based on: (a) contract performance (Art. 6(1)(b) GDPR) for providing our service, (b) legitimate interest (Art. 6(1)(f) GDPR) for security and service improvement, and (c) your consent (Art. 6(1)(a) GDPR) where explicitly given.

Hosting & Data Processing

Our application runs on infrastructure within the European Union. All data is stored and processed in EU data centers.

Sub-Processors

We use the following third-party services to operate InvoPulse:

Usage Analytics (Umami)

With your consent, we use Umami, a privacy-focused, self-hosted analytics tool, to collect anonymous usage statistics (page views, referrers, browser/OS, screen resolution). Umami does not use cookies, does not collect personal data, and IP addresses are never stored. All data is aggregated and cannot be traced back to individual users. Analytics are only activated when you have given consent via the cookie banner. You can withdraw your consent at any time.

Session Replay (Sentry)

We use Sentry Session Replay to record anonymized user interactions (clicks, navigation, scrolling) for debugging purposes. All text and user input is masked by default, and no personal data is captured. Session replays are only activated when you have given consent via the cookie preferences panel. You can withdraw your consent at any time by clicking 'Cookie Preferences' in the footer.

Email Delivery Tracking

Email tracking pixels are disabled for all emails sent through InvoPulse. Delivery status information (e.g., delivered, bounced) is provided by our email provider (Resend) via webhook notifications without embedding tracking pixels in emails. No personal browsing data of your recipients is collected. If you use your own SMTP server, email delivery is handled entirely by your server.

International Data Transfers

Some of our sub-processors (Resend, Stripe, Sentry, Cloudflare, Anthropic) process data in the United States or globally. Upstash, Hostinger, and Umami Analytics process data exclusively within the EU. Anthropic processes document data only when AI analysis is enabled by the user (Art. 49(1)(a) GDPR). These transfers are protected by EU Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs). You may request a copy of the safeguards at hello [at] invopulse.io.

Cookies

We only use strictly necessary cookies for authentication, language preferences, and bot protection (Cloudflare Turnstile may set cookies such as cf_clearance). Our analytics tool (Umami) is completely cookie-free and does not set any cookies. We do not use tracking or advertising cookies.

The following cookies may be set by InvoPulse:

Data Retention

We retain your data for as long as your account is active. After account deletion, all your data is permanently removed within 14 days. Please note: If applicable tax laws require you to retain invoice records (e.g., up to 8 years in Germany, up to 8 years in Cyprus), it is your responsibility to export and archive your data before deleting your account.

We reserve the right to terminate accounts after extended periods of inactivity, with reasonable prior notice via email to allow you to export your data.

Email sending metadata (recipient address, subject line, delivery status) is retained for the duration of your account. Email body content is automatically purged after 30 days.

Your Rights

Under GDPR, you have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Restrict processing of your data
• Object to data processing
• Withdraw consent at any time

To exercise these rights, contact us at hello [at] invopulse.io.

Supervisory Authority

You have the right to lodge a complaint with the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy) or your local data protection authority.

Contact Form

When you use our contact form, we collect your name, email address, subject, and message content. This data is processed to respond to your inquiry (Art. 6(1)(f) GDPR - legitimate interest). Your message is forwarded to our team via our email provider (Resend). We do not store contact form submissions in a database. Data is retained in our email inbox and deleted when no longer needed for correspondence.

Rate Limiting

To protect our service from abuse, we use pseudonymized (salted SHA-256 hashed) IP addresses for rate limiting via Upstash Redis. These hashed values expire automatically within 60 seconds and cannot be traced back to individual users.

Data Protection Officer

RD MindMedia LTD is not required to designate a Data Protection Officer under Art. 37 GDPR. For all data protection inquiries, please contact us at hello [at] invopulse.io.

Changes to This Policy

We may update this policy from time to time. The date at the top of this page indicates the last revision. We encourage you to review this policy periodically. For significant changes that affect your rights, we will notify registered users via email.

Privacy Contact

hello [at] invopulse.io