Privacy Policy

1. Who we are

InvoPass is operated by Eldvarnir ehf., doing business as InvoPass.io, a company registered in Iceland. Kt. 6508080450, VAT 96668.

InvoPass is the data controller for all personal data processed through InvoPass. This Privacy Policy explains how we collect, use, and protect that data.

2. What we collect

Account information

When you sign up, we collect:

• Your name and email address (from your Microsoft or Google account via SSO, or provided directly)
• Your company name and billing details
• Your role within the application (admin, approver, viewer, etc.)

Invoice data

InvoPass processes invoice documents that you submit or that arrive via your dedicated inbound email address. This data includes:

• Vendor names, invoice numbers, amounts, and due dates
• PDF and image attachments containing invoice documents
• Email metadata (sender, subject, received timestamp)
• Extracted fields and confidence scores from AI processing

Usage and audit data

We automatically collect:

• Approval events and actions (who approved what, when)
• Login and logout timestamps
• Application configuration changes made by admins

We do not collect sensitive personal data such as health information, political opinions, or biometric data.

3. How we use your data

We use your data only to provide and improve the InvoPass service:

• To authenticate you and manage your access to the application
• To process and route invoices through your approval workflow
• To send approval request notifications and reminders
• To maintain an audit trail for compliance purposes
• To provide you with usage reports and analytics within the app
• To send billing-related communications and receipts
• To respond to your support requests

Our legal basis for processing is:

• Contract performance - processing invoice and account data to deliver the service you subscribed to
• Legitimate interests - security monitoring, fraud prevention, and service improvement
• Legal obligation - maintaining records required by applicable law

4. Data storage and security

All InvoPass data is stored in the European Union. Our infrastructure uses EU-based cloud providers, and no personal data is transferred to countries outside the EEA without appropriate safeguards.

We protect your data using:

• Encryption in transit using TLS 1.2 or higher for all connections
• Encryption at rest for database storage and file uploads
• Access controls - employees can only access data where required to deliver the service
• Regular security reviews and dependency updates
• Audit logging of all administrative actions

Invoice PDF files are stored in EU-based object storage with strict access controls. Only authenticated users with appropriate permissions can retrieve attachments.

5. Third-party services

InvoPass uses a small number of carefully selected third-party services. Where these services process your data, we have appropriate data processing agreements in place.

Anthropic Claude (AI extraction)

Invoice documents are sent to Anthropic's Claude API for field extraction (vendor name, amount, due date, etc.). Anthropic processes this data as a data processor on our behalf. Invoice content sent to Claude is not used to train Anthropic's models. Anthropic is covered by EU data processing agreements under their enterprise terms.

Lemon Squeezy (billing)

Subscription billing and payment processing is handled by Lemon Squeezy, who act as the merchant of record. They collect your billing name, email, and payment details. Their privacy policy applies to payment data. We store your subscription status and customer reference only.

Microsoft Graph (email integration)

If you use the Microsoft 365 mailbox integration, InvoPass connects to Microsoft Graph with your organization's delegated permissions to read invoice emails from a shared mailbox. Microsoft processes this data subject to their own privacy policy and data processing terms.

Notification providers

If you configure Slack, Telegram, or Teams notifications, your notification preferences (channel IDs, chat IDs) are stored and used to send approval request alerts. These providers process message content subject to their own privacy policies.

We do not share your data with any third parties for marketing or advertising purposes.

6. Your rights under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected].

Right to access

You can request a copy of the personal data we hold about you at any time. Admins can also use the built-in "Export all data" feature in Settings to download a complete export of all your organization's data.

Right to rectification

If any personal data we hold is inaccurate or incomplete, you can ask us to correct it. For your account details, you can update these directly within the application.

Right to erasure

You can request deletion of your personal data. For complete account deletion, use the "Delete account" option in Settings, which initiates a 30-day grace period after which all data is permanently deleted. We may retain some data where required by law (for example, financial records subject to accounting retention requirements).

Right to portability

You can export all your data in machine-readable CSV format using the built-in export feature in Settings. This includes all invoices, vendors, users, and audit events.

Right to restrict processing

In certain circumstances, you can request that we limit how we process your data. Contact us to discuss your specific situation.

Right to object

You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests.

Right to lodge a complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Personuvernd) at www.personuvernd.is.

7. Data retention

We retain your data for as long as your account is active and for a period afterward as required by law or legitimate business need.

• Invoice records - retained for 7 years from the invoice date, in accordance with Icelandic accounting law (Bokhaldslog nr. 145/1994). This applies to all invoice data, including attached PDFs.
• Audit logs - retained for 7 years to support compliance and dispute resolution.
• Account data - retained while your account is active. After account deletion, account records are anonymized within 30 days.
• Email content - raw email bodies are stored alongside invoice records for reference. They follow the same 7-year retention as invoices.
• Billing records - payment and subscription records are retained for 7 years for accounting purposes.

You can configure custom retention policies within InvoPass to archive or delete records earlier, subject to legal minimums.

When you delete your account, all invoice data, vendor data, user data, and settings are permanently deleted within 30 days of the scheduled deletion date. Anonymized aggregate statistics may be retained for service improvement purposes.

8. Cookies

InvoPass uses cookies for authentication only. We set a single session cookie when you log in, which is used to maintain your authenticated session. This cookie is strictly necessary for the service to function.

We do not use tracking cookies, advertising cookies, or analytics cookies that follow you across the web. We do not use Google Analytics or similar third-party analytics tools.

The landing page at invopass.io uses no cookies at all. The application at app.invopass.io sets one session cookie on login.

9. Contact and Data Protection Officer

For any questions about this Privacy Policy, your data rights, or our data practices, contact our Data Protection Officer:

We may update this Privacy Policy from time to time. When we make significant changes, we will notify account administrators by email and update the "Last updated" date at the top of this page. Continued use of InvoPass after changes take effect constitutes acceptance of the updated policy.