Swiss Data Protection Standards

Privacy Policy

At MyInvoice, we are committed to protecting your privacy and ensuring the security of your personal and business data. This comprehensive privacy policy explains how we collect, use, store, process, and protect your information in compliance with Swiss data protection law (revDSG/nDSG) and the GDPR.

Last updated: January 15, 2025

Important: AI Data Processing

This Service uses artificial intelligence (AI) technologies. When you use AI features, your data may be transmitted to third-party AI service providers (OpenAI). Please review Section 5 for detailed information about AI data processing, your rights, and data protection measures.

1. Introduction and Scope

Purpose of This Policy

This Privacy Policy explains how MyInvoice ('we', 'us', 'our', or 'the Company') collects, uses, stores, processes, and protects your personal data when you use our Service. This policy applies to all users of the MyInvoice platform, including visitors, registered users, and subscribers. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

Data Controller

MyInvoice is the data controller responsible for processing your personal data. For questions about data processing, contact us at privacy@myinvoice.ch or at our registered address in Switzerland.

Applicable Laws

This Privacy Policy is designed to comply with: (a) the Swiss Federal Act on Data Protection (revDSG/nDSG); (b) the European General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA); (c) other applicable data protection laws. We process your data in accordance with these legal frameworks.

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you via email or through a prominent notice on the Service at least 30 days before they take effect. The 'Last updated' date at the top indicates when this policy was last revised.

2. Information We Collect

Account and Registration Information

When you create an account, we collect: (a) name and email address (required); (b) company name, address, and business details; (c) billing and payment information (processed by third-party payment processors); (d) authentication credentials managed by our authentication service provider (Clerk); (e) profile preferences including language and theme settings.

Business and Financial Data

We collect and store: (a) invoice data including amounts, dates, client information, payment references, and QR bill details; (b) receipt and expense data including descriptions, amounts, categories, and dates; (c) company and client information including names, addresses, contact details, and business identifiers (VAT numbers, tax IDs); (d) offer and contract data including terms, pricing, and digital signatures; (e) financial calculations and tax-related information.

Usage and Technical Information

We automatically collect: (a) log data including IP addresses, browser type, device information, operating system, and access times; (b) usage analytics including pages visited, features used, time spent, and interaction patterns; (c) error reports and performance data; (d) referral sources and navigation paths; (e) session identifiers and authentication tokens.

Communication Data

When you contact us, we collect: (a) support requests, inquiries, and feedback; (b) email communications and responses; (c) customer service interactions and records; (d) survey responses and feedback forms.

AI Processing Data

When you use AI features, we process: (a) text content you provide for AI generation (descriptions, offers, contracts); (b) images of invoices and receipts uploaded for OCR and data extraction; (c) reference text and context provided to AI systems; (d) AI-generated content and responses; (e) metadata about AI usage including timestamps and feature types. This data may be transmitted to third-party AI service providers (OpenAI) for processing.

Digital Signature Data

For digital signatures, we collect: (a) signature images and drawings; (b) IP addresses and timestamps of signature events; (c) signatory information and consent records; (d) document versions and audit trails.

Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to: (a) maintain your session and authentication state; (b) remember your preferences and settings; (c) analyze usage patterns and improve our Service; (d) provide personalized experiences. See Section 10 for detailed information about cookies.

3. Legal Basis for Processing (Swiss Law & GDPR)

Contract Performance

We process your data to perform our contract with you, including: (a) providing the Service and its features; (b) processing payments and managing subscriptions; (c) delivering invoices, documents, and communications; (d) maintaining your account and preferences.

Legitimate Interests

We process data based on our legitimate interests, including: (a) improving and developing the Service; (b) ensuring security and preventing fraud; (c) analyzing usage patterns and user behavior; (d) marketing and promoting our Service (with opt-out rights); (e) managing business operations and customer relationships.

Legal Obligations

We process data to comply with legal obligations, including: (a) tax and accounting requirements (Swiss Code of Obligations); (b) financial reporting and record-keeping; (c) responding to legal requests and court orders; (d) compliance with data protection laws; (e) maintaining records for audit purposes.

Consent

We process certain data based on your explicit consent, including: (a) optional marketing communications (you can withdraw at any time); (b) use of non-essential cookies and tracking technologies; (c) processing of sensitive personal data where required; (d) international data transfers where consent is the legal basis.

Vital Interests

In rare circumstances, we may process data to protect vital interests, such as preventing serious harm to individuals or responding to emergencies.

4. How We Use Your Information

Service Provision and Operations

We use your data to: (a) create, manage, and process invoices, receipts, offers, and contracts; (b) generate Swiss QR bills and PDF documents; (c) manage your account, subscriptions, and billing; (d) provide customer support and respond to inquiries; (e) authenticate users and manage access; (f) process digital signatures and maintain audit trails.

AI-Powered Features

We use your data to: (a) generate text content using AI (descriptions, offers, contracts); (b) extract data from invoice and receipt images using OCR and AI vision models; (c) improve and enhance text content using AI; (d) process and analyze documents for automated data extraction. Your data may be transmitted to OpenAI (third-party AI provider) for these purposes. See Section 5 for detailed AI processing information.

Communication

We use your contact information to: (a) send service-related communications (account updates, security alerts, billing notifications); (b) respond to your inquiries and provide support; (c) send important notices about the Service; (d) with your consent, send marketing communications about features, updates, and promotions (you can opt out at any time).

Service Improvement and Analytics

We analyze usage data to: (a) understand how users interact with the Service; (b) identify areas for improvement and new features; (c) optimize performance and user experience; (d) conduct research and development; (e) generate aggregated, anonymized statistics (which do not identify individuals).

Security and Fraud Prevention

We use data to: (a) detect and prevent fraud, abuse, and security threats; (b) verify user identity and authenticate access; (c) monitor for suspicious activities and unauthorized access; (d) enforce our Terms and Conditions; (e) protect the rights, property, and safety of users and the Service.

Legal Compliance

We process data to: (a) comply with Swiss tax and accounting laws; (b) fulfill legal obligations and respond to legal requests; (c) maintain records as required by law (e.g., 10-year retention for tax records); (d) protect our legal rights and interests; (e) comply with data protection regulations.

5. AI Data Processing and Third-Party AI Services

AI Service Provider

IMPORTANT: When you use AI features, your data (including text, images, and documents) is transmitted to OpenAI, a third-party AI service provider, for processing. OpenAI operates under its own privacy policy and terms of service. By using AI features, you consent to this data transmission and processing.

Data Transmitted to AI Providers

The following data may be transmitted to OpenAI: (a) text content you provide for generation (descriptions, titles, context); (b) images of invoices and receipts for OCR and data extraction; (c) reference text and prompts; (d) language preferences and locale information; (e) metadata about AI requests. This data is used solely for processing your requests and is subject to OpenAI's data processing practices.

AI Data Processing Purposes

Your data is processed by AI systems to: (a) generate text content based on your inputs; (b) extract structured data from images (invoices, receipts); (c) improve and enhance existing text; (d) analyze and understand document content. AI processing is performed to provide the requested features and is not used for training AI models on your specific data without your explicit consent.

Data Security with AI Providers

We implement appropriate measures to protect your data when transmitted to AI providers: (a) data is transmitted over encrypted connections (TLS); (b) we use API keys and authentication to secure access; (c) we minimize data transmission to only what is necessary; (d) we review AI provider security practices and compliance. However, data transmitted to third-party AI providers is subject to their privacy policies and security measures.

Your Rights Regarding AI Processing

You have the right to: (a) opt out of using AI features (though this may limit Service functionality); (b) request information about AI data processing; (c) request deletion of data processed by AI providers (subject to technical limitations); (d) withdraw consent for AI processing (where consent is the legal basis). Contact us to exercise these rights.

AI Processing Limitations

Please note: (a) AI providers may retain data for their own purposes as described in their privacy policies; (b) we cannot guarantee complete deletion of data once transmitted to AI providers; (c) AI processing may occur in jurisdictions outside Switzerland/EEA; (d) you should review AI provider privacy policies for detailed information about their data practices.

6. Data Sharing and Third-Party Services

No Sale of Personal Data

We never sell, rent, trade, or otherwise monetize your personal data. Your data is not shared with third parties for their marketing purposes or for any purpose other than providing the Service.

Service Providers and Processors

We share data with trusted third-party service providers who help us operate the Service, all bound by strict confidentiality and data processing agreements: (a) Authentication services (Clerk) - for user authentication and account management; (b) Payment processors (Stripe) - for processing subscription payments; (c) AI service providers (OpenAI) - for AI-powered features; (d) Email services (Resend) - for transactional and marketing emails; (e) Cloud storage providers (AWS/R2) - for file storage and hosting; (f) Analytics services - for usage analysis and improvement (with anonymization where possible).

Legal and Regulatory Disclosures

We may disclose data when: (a) required by law, court order, or regulatory authority; (b) necessary to protect our rights, property, or safety; (c) necessary to protect the rights, property, or safety of users or others; (d) required to enforce our Terms and Conditions; (e) necessary to respond to legal process or government requests.

Business Transfers

In the event of a merger, acquisition, sale of assets, or other business transaction, your data may be transferred to the acquiring entity. You will be notified of such transfers, and your privacy rights will be maintained. The acquiring entity will be bound by this Privacy Policy or a substantially equivalent policy.

With Your Consent

We may share data with third parties when you explicitly consent to such sharing, such as when you choose to integrate with third-party services or authorize specific data sharing.

Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for research, analytics, industry reports, or other purposes.

7. Data Protection and Security Measures

Encryption

We implement strong encryption measures: (a) data in transit is encrypted using TLS 1.3 (or higher) for all communications; (b) data at rest is encrypted using AES-256 encryption; (c) sensitive data such as payment information is subject to additional encryption layers; (d) database connections are encrypted and secured.

Access Controls and Authentication

We implement strict access controls: (a) multi-factor authentication (MFA) for administrative access; (b) role-based access controls (RBAC) limiting access to data on a need-to-know basis; (c) regular access reviews and audits; (d) secure password policies and credential management; (e) session management and timeout controls.

Infrastructure Security

Our infrastructure is secured through: (a) regular security assessments and penetration testing; (b) network security measures including firewalls and intrusion detection; (c) secure software development practices and code reviews; (d) regular security updates and patch management; (e) monitoring and logging of security events.

Data Hosting and Location

Your data is primarily stored in Swiss data centers to ensure compliance with Swiss data protection laws and maintain data sovereignty. Some data may be processed in EEA data centers for GDPR compliance. We do not transfer data to countries without adequate data protection unless necessary safeguards are in place.

Backup and Disaster Recovery

We maintain: (a) regular, encrypted backups of your data; (b) geographic redundancy for disaster recovery; (c) tested backup and recovery procedures; (d) retention policies for backups aligned with data retention requirements.

Incident Response

We have procedures in place to: (a) detect security incidents and data breaches; (b) respond promptly to security threats; (c) notify affected users and authorities as required by law (within 72 hours for GDPR, as required by Swiss law); (d) investigate and remediate security issues; (e) document and learn from security incidents.

Employee Training and Awareness

We ensure that employees and contractors: (a) receive regular data protection and security training; (b) are bound by confidentiality agreements; (c) have access only to data necessary for their roles; (d) follow security best practices and policies.

8. Data Retention and Deletion

Retention Periods

We retain your data for different periods depending on the type of data and legal requirements: (a) Account data: retained while your account is active and for a reasonable period after deletion (typically 30 days) unless longer retention is required by law; (b) Financial and tax records: retained for 10 years as required by Swiss tax law (Swiss Code of Obligations, Art. 958f); (c) Invoice and business data: retained while your account is active and may be retained longer if required for legal or tax purposes; (d) Communication records: retained for up to 3 years for customer service and legal purposes; (e) Log data and analytics: retained for up to 2 years for security and service improvement purposes.

Account Deletion

When you delete your account: (a) we will delete or anonymize your personal data within 30 days; (b) data required for legal compliance (e.g., tax records) will be retained as required by law; (c) aggregated, anonymized data may be retained for analytics; (d) backup copies may be retained for up to 90 days before permanent deletion; (e) you will receive confirmation of deletion.

Data Deletion Requests

You may request deletion of specific data at any time through your account settings or by contacting us. We will: (a) process deletion requests within 30 days; (b) confirm deletion in writing; (c) inform you of any data that must be retained for legal reasons; (d) provide information about data that has already been shared with third parties (which may require separate deletion requests).

Legal Holds

In certain circumstances, we may be required to retain data beyond normal retention periods due to: (a) ongoing legal proceedings or investigations; (b) regulatory requirements or audits; (c) preservation orders or legal holds; (d) disputes or claims. Data subject to legal holds will be retained until the hold is released.

9. Your Rights Under Swiss Law and GDPR

Right of Access (Art. 15 GDPR / Art. 25 revDSG)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive: (a) the purposes of processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients; (d) the retention period or criteria for determining it; (e) your rights regarding the data. You can access most of your data through your account dashboard or request a complete copy by contacting us.

Right to Rectification (Art. 16 GDPR / Art. 32 revDSG)

You have the right to have inaccurate or incomplete personal data corrected. You can update most information through your account settings. For corrections we must make, contact us with the correct information.

Right to Erasure ('Right to be Forgotten') (Art. 17 GDPR / Art. 32 revDSG)

You have the right to request deletion of your personal data when: (a) the data is no longer necessary for the original purpose; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed. Note: We may be required to retain certain data for legal compliance (e.g., tax records for 10 years).

Right to Restrict Processing (Art. 18 GDPR)

You have the right to restrict processing of your data when: (a) you contest the accuracy of the data; (b) processing is unlawful and you oppose erasure; (c) we no longer need the data but you need it for legal claims; (d) you have objected to processing pending verification. During restriction, we will only process data with your consent or for legal claims.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. You can export your data through the Service's export functionality (CSV, PDF, JSON formats) or request a complete export by contacting us.

Right to Object (Art. 21 GDPR / Art. 32 revDSG)

You have the right to object to processing based on legitimate interests, including: (a) direct marketing (you can opt out at any time); (b) processing for statistical purposes; (c) other processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7 GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You can withdraw consent through account settings or by contacting us.

Right to Lodge a Complaint (Art. 77 GDPR / Art. 49 revDSG)

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. In Switzerland, contact the Federal Data Protection and Information Commissioner (FDPIC). In the EEA, contact your local data protection authority.

Exercising Your Rights

To exercise your rights: (a) use your account settings for common requests (data access, correction, deletion); (b) contact us at privacy@myinvoice.ch for other requests; (c) provide sufficient information to identify you and your request. We will respond within 30 days (may be extended to 60 days for complex requests). We may request additional information to verify your identity.

10. Cookies and Tracking Technologies

What Are Cookies

Cookies are small text files stored on your device when you visit our Service. We use cookies and similar technologies (web beacons, pixels, local storage) to provide, improve, and personalize the Service.

Types of Cookies We Use

We use the following types of cookies: (a) Essential cookies - required for the Service to function (authentication, security, session management); (b) Functional cookies - enhance functionality and personalization (preferences, language, theme); (c) Analytics cookies - help us understand usage patterns and improve the Service (anonymized where possible); (d) Marketing cookies - used for marketing and advertising (only with your consent).

Cookie Management

You can control cookies through: (a) your browser settings (most browsers allow you to refuse or delete cookies); (b) our cookie consent banner (for non-essential cookies); (c) your account settings (for certain functional cookies). Note: disabling essential cookies may affect Service functionality.

Third-Party Cookies

Some third-party services we use may set their own cookies: (a) authentication services (Clerk) - for session management; (b) analytics services - for usage analysis; (c) payment processors - for payment processing. These are subject to the respective third parties' privacy policies.

Do Not Track

Some browsers support 'Do Not Track' (DNT) signals. We respect DNT signals and will not track users who have enabled DNT, except as necessary for Service functionality or legal compliance.

11. International Data Transfers

Data Transfer Safeguards

When we transfer your data outside Switzerland or the EEA, we implement appropriate safeguards to ensure adequate protection: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) Adequacy decisions recognizing adequate protection in the destination country; (c) Binding Corporate Rules (BCRs) where applicable; (d) Other legally recognized transfer mechanisms.

Third-Party Service Locations

Some of our service providers may process data outside Switzerland/EEA: (a) OpenAI (AI services) - may process data in the United States; (b) Cloud storage providers - may store data in various locations; (c) Analytics services - may process data globally. We ensure all transfers comply with applicable data protection laws and use appropriate safeguards.

Your Rights Regarding Transfers

You have the right to: (a) be informed about international data transfers; (b) request information about safeguards in place; (c) object to transfers where your rights may be at risk; (d) request that data be processed only within Switzerland/EEA where technically feasible.

12. Children's Privacy

Age Restrictions

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

If We Discover Child Data

If we discover that we have collected personal data from a child without parental consent, we will: (a) delete the data immediately; (b) terminate the account if applicable; (c) notify parents or guardians if contact information is available.

13. Compliance with Swiss and EU Data Protection Laws

Swiss Federal Act on Data Protection (revDSG/nDSG)

We comply with the Swiss Federal Act on Data Protection (revDSG), which entered into force on September 1, 2023. This includes: (a) processing data lawfully, fairly, and transparently; (b) collecting data only for specified, explicit, and legitimate purposes; (c) ensuring data accuracy and keeping it up to date; (d) implementing appropriate security measures; (e) respecting data subject rights; (f) maintaining records of processing activities.

GDPR Compliance (EEA Users)

For users in the European Economic Area, we comply with the General Data Protection Regulation (GDPR), including: (a) all rights and obligations under GDPR; (b) data protection impact assessments (DPIAs) where required; (c) appointment of a Data Protection Officer (DPO) if required; (d) breach notification requirements (within 72 hours); (e) privacy by design and by default principles.

Data Protection Officer

We have designated a Data Protection Officer (DPO) to oversee data protection compliance. You can contact our DPO at privacy@myinvoice.ch for questions about data protection, your rights, or this Privacy Policy.

Records of Processing Activities

We maintain records of our processing activities as required by law, including: (a) purposes of processing; (b) categories of data subjects and personal data; (c) categories of recipients; (d) international transfers; (e) retention periods; (f) security measures. These records are available to supervisory authorities upon request.

Regular Compliance Reviews

We conduct regular reviews to ensure ongoing compliance: (a) privacy impact assessments for new features; (b) security audits and assessments; (c) staff training on data protection; (d) reviews of third-party data processors; (e) updates to policies and procedures as laws evolve.

14. Contact Information and Data Protection Inquiries

Data Controller Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: MyInvoice, [Your Address], Switzerland. Email: privacy@myinvoice.ch. We will respond to inquiries within a reasonable time, typically within 30 days.

Data Protection Officer

For data protection-specific inquiries, you can contact our Data Protection Officer (DPO) at: privacy@myinvoice.ch. The DPO can assist with: (a) questions about data processing; (b) exercising your data protection rights; (c) concerns about data security; (d) complaints about data handling.

Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority: (a) Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, www.edoeb.admin.ch; (b) EEA: Your local data protection authority (list available at https://edpb.europa.eu/about-edpb/board/members_en).

Request Processing

When you contact us: (a) we will verify your identity to protect your data; (b) we will process your request within 30 days (may be extended to 60 days for complex requests with notification); (c) we will provide clear, transparent responses; (d) if we cannot fulfill a request, we will explain why and inform you of your right to complain.

Questions About Your Privacy?

If you have any questions about this privacy policy or how we handle your data, please don't hesitate to contact us. We're here to help and ensure your privacy is protected.