Privacy Policy

Last updated: April 2026

This Privacy Policy describes how Invoflows ("we", "us") processes personal data when you use our invoice recognition and related services (the "Service"), including when you sign in with Google or connect Google Drive for optional file ingestion.

1. Who we are

The data controller for personal data processed through the Service is the Invoflows operator identified in your agreement or account correspondence. For privacy requests, contact us at info@invoflows.eu.

2. Data we process

Depending on how you use the Service, we may process:

Account data — name, email address, authentication identifiers, billing or subscription details where applicable.
Invoice and document content — files you upload or that we import on your behalf (for example PDFs or images), and data extracted by OCR or recognition (vendor names, amounts, line items, etc.).
Technical and usage data — IP address, device/browser type, timestamps, and logs needed to operate and secure the Service.
Integration data — when you enable Google features, tokens and configuration needed to access Google APIs as described below.

3. Google Sign-In (OAuth)

If you choose to sign in with Google, Google shares with us the account information required to create or link your account (typically including your Google user ID and email address), according to Google's settings and your choices on the consent screen. We use this information to authenticate you and provide the Service.

4. Google Drive integration (optional)

If you enable Google Drive ingestion, we access your Google account only within the scopes you approve. This may include listing folders you configure, downloading files from those folders for processing, and optionally moving processed files to a folder you designate. We use this access solely to provide the ingestion features you turn on. Access tokens are stored securely and refreshed as needed for ongoing sync.

5. Purposes and legal bases

We process personal data to:

provide, maintain, and improve the Service (performance of a contract or legitimate interests);
authenticate users and protect accounts (legitimate interests / legal obligations for security);
comply with law and respond to lawful requests where required.

Where GDPR applies, we rely on the legal bases above; where consent is required for specific processing, we will ask for it separately (for example through OAuth or in-product controls).

6. Hosting and subprocessors

We use trusted infrastructure and service providers (for example cloud hosting, storage, email delivery, and AI/OCR providers) to run the Service. They process data only on our instructions and under appropriate safeguards.

7. Retention

We retain personal data for as long as your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce our agreements. Retention periods may vary by data category; you may request deletion subject to legal exceptions.

8. International transfers

If we transfer personal data outside your country, we use appropriate safeguards (such as standard contractual clauses) where required by applicable law.

9. Your rights

Depending on your location, you may have rights to access, rectify, delete, restrict, or object to certain processing, and to data portability. To exercise these rights, contact info@invoflows.eu. You may also lodge a complaint with your local data protection authority.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect their personal data.

11. Changes

We may update this policy from time to time. We will post the updated version and revise the "Last updated" date above. Material changes may be communicated through the Service or by email where appropriate.