InvoiceAPI

Privacy Policy

Last updated: April 14, 2026

InvoiceAPI ("we", "us", "our") is operated by Abhinav Ankur from Darbhanga, Bihar 846004, India. This policy explains how we collect, use, store, and share your personal information when you use invoiceapi.dev and our API.

If you do not agree with any of this, please do not use the Services. For any questions, email privacy@invoiceapi.dev.

1. What we collect

Information you give us directly

  • Account data: name, email address, password (stored only as a bcrypt hash — we never see your actual password)
  • Invoice data: seller and buyer names, addresses, tax IDs, line items, currencies, amounts, notes, and payment terms you submit via the API or dashboard
  • Support communications: emails you send us and any details you share when contacting support

Information collected automatically

  • Log and usage data: IP address, browser type, request timestamps, API endpoints accessed, response codes, referrer, and rate-limit counts
  • Session tokens:stored in your browser's localStorage to keep you signed in (no tracking cookies)

Information from third parties

  • Razorpay (for customers in India) sends us customer IDs, subscription IDs, and payment status via webhooks
  • Paddle (for international customers) sends us customer IDs, subscription IDs, and payment status via webhooks

We do not process sensitive personal information such as racial or ethnic origin, health data, biometric data, or financial account details. Card data is handled directly by Razorpay and Paddle — we never see or store it.

2. How we use your information

  • To create and authenticate your account
  • To generate invoice PDFs from the data you submit
  • To process subscription payments via Razorpay or Paddle
  • To enforce plan quotas and rate limits (for example, 500 invoices/month on Free)
  • To respond to support inquiries and send administrative notices
  • To protect the service — diagnose issues, prevent fraud, investigate abuse
  • To analyze aggregated usage patterns and improve the service
  • To comply with legal obligations

We process your information on the following legal bases (where GDPR applies): performance of a contract with you, our legitimate interests (service improvement, fraud prevention), compliance with legal obligations, and your consent where required.

3. Who we share with

We do not sell your personal information. We share data only with third parties that help us deliver the service, all under data processing agreements:

  • Payment processors: Razorpay (privacy policy) and Paddle (privacy policy)
  • Cloud and hosting providers: Fly.io (API), Vercel (frontend), Neon (database), Upstash (rate limit store), Cloudflare R2 (PDF storage)

We may also disclose information if required by law, court order, or to protect rights, property, or safety, or in connection with a business transfer (e.g., merger or acquisition).

4. International transfers

Our servers and third-party providers are primarily located in the United States, with payment processing in the United Kingdom (Paddle) and India(Razorpay). If you are in the EU, UK, or Switzerland, your data is transferred out of your region. We rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards with our providers.

5. How we protect your information

  • Passwords are hashed using bcrypt
  • API keys are stored as SHA-256 hashes — we never store the raw key
  • Webhooks are signed with HMAC-SHA256
  • All traffic is served over HTTPS/TLS
  • Database access is restricted and audited

No system is 100% secure. If we learn of a breach affecting your information, we will notify you and the relevant authorities as required by law.

6. How long we keep it

We retain your account data for as long as your account is active. When you delete your account, we remove your personal information from our active systems within 30 days, except where longer retention is required by law (for example, tax and billing records — typically 7 years).

7. Your rights

Depending on where you live, you have rights over your personal information. To exercise any of them, email privacy@invoiceapi.dev.

EU/UK/Switzerland (GDPR)

  • Access a copy of your data
  • Correct inaccuracies
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (without affecting past lawful processing)
  • Lodge a complaint with your local data protection authority

United States

If you reside in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to know, access, correct, delete, and opt out of sale or sharing of personal information. We do not sell or share personal information for targeted advertising.

India (DPDP Act 2023)

If you are located in India, your personal data is processed under the Digital Personal Data Protection Act, 2023. The Data Fiduciary is Abhinav Ankur, operating InvoiceAPI from India. You may access, correct, update, and erase your personal data, withdraw consent, nominate another person to exercise rights in case of incapacity, and file a grievance at privacy@invoiceapi.dev.

8. Cookies and tracking

We do not use tracking cookies, advertising pixels, Google Analytics, or similar tools. Authentication uses localStorage to store your session token. Third-party payment processors (Razorpay, Paddle) may set their own cookies on their checkout pages, which are governed by their respective privacy policies.

We do not currently respond to Do-Not-Track (DNT) browser signals, as there is no uniform industry standard.

9. Children

The Services are intended for users aged 18 and above. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects when it was last changed. For material changes, we will notify you at least 30 days in advance by email or an in-app notice. Continued use of the Services after an update constitutes acceptance.

11. Contact

For privacy questions or to exercise your rights:
Email: privacy@invoiceapi.dev
General support: support@invoiceapi.dev

Postal address:
Abhinav Ankur
Darbhanga, Bihar 846004
India