Privacy Policy

Last updated: 10/27/2025

1. Introduction

Welcome to Invoro. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your personal information when you use our e-invoicing compliance platform and visit our website, in accordance with the EU General Data Protection Regulation (GDPR) and Luxembourg data protection laws.

Data Controller:

Procyon Web S.àr.l.-S (trading as Invoro)

14-16 avenue Pasteur

L-2310 Luxembourg

RCS: B234376

VAT: LU31200358

Phone: +352 621 664 396

Email: hello@invoro.lu

2. What Data We Collect

We collect and process the following categories of personal data:

Pre-Launch (Waitlist)

  • Identity Data: First name
  • Contact Data: Email address
  • Marketing Preferences: Newsletter subscription opt-in (optional)

Post-Launch (Full Service)

  • Business Verification (KYB - Know Your Business): Company name, business registration number, VAT number, business address, industry/business type, legal representative/manager information (name, email, phone number, position), proof of business registration documents
  • Invoice Data: Business invoices you submit through our platform, including customer information, invoice amounts, and related business documents
  • Technical Data: IP address, browser type and version, device information, operating system
  • Usage Data: Information about how you use our platform, including features accessed and API calls made
  • Authentication Data: Account credentials and security information
  • Payment Data: Billing information for subscription payments (processed by our payment providers)

3. Legal Bases for Processing

We process your personal data based on the following legal grounds under GDPR:

  • Contract Performance: Processing necessary to provide our e-invoicing services to you (Article 6(1)(b) GDPR)
  • Legal Obligation: Compliance with EU e-invoicing regulations, tax laws, and data retention requirements (Article 6(1)(c) GDPR)
  • Consent: Marketing communications and newsletter subscriptions (Article 6(1)(a) GDPR)
  • Legitimate Interests: Service improvement, security monitoring, and fraud prevention (Article 6(1)(f) GDPR)

4. How We Use Your Data

We use your personal data for the following purposes:

  • E-Invoicing Services: Processing and transmitting your invoices through the Peppol network to comply with EU e-invoicing regulations
  • Email Invoice Processing: Extracting invoice data from PDF attachments sent via email using local AI processing (no external AI services, no automated decision-making affecting your rights - only data extraction for your review)
  • Account Management: Creating and managing your account, authentication, and customer support
  • Communication: Sending service-related notifications, updates about EU compliance deadlines, and responding to your inquiries
  • Newsletter: Sending marketing communications and educational content about e-invoicing (with your consent)
  • Service Improvement: Analyzing usage patterns to improve our platform and user experience using privacy-friendly Umami analytics
  • Security: Monitoring for security threats, preventing fraud, and ensuring platform integrity
  • Legal Compliance: Meeting regulatory requirements for invoice retention and audit trails
  • Billing: Processing subscription payments and managing your billing information

No Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our email AI feature only extracts data from PDFs for your review - you maintain full control over all invoice submissions.

We never sell your data.

Your personal information and business data will never be sold, rented, or shared with third parties for their marketing purposes.

5. Data Retention

We retain your personal data for the following periods:

  • Invoice Data: 10 years from invoice date, in accordance with Luxembourg and EU tax and audit requirements
  • Account Data: For the duration of your active account, plus a reasonable period after account closure for legal and business purposes
  • Newsletter Data: Until you unsubscribe from our mailing list
  • Technical/Usage Data: Up to 2 years for analytics and service improvement purposes
  • Right to Deletion: You may request deletion of your data at any time, subject to our legal retention obligations

Where applicable, we anonymize personal data to minimize privacy impact while retaining useful business insights.

6. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

Essential Service Providers (Subprocessors)

We use the following trusted subprocessors to provide our services. All are EU-based and GDPR-compliant:

  • Peppol Network: Your invoice data is transmitted through the official EU e-invoicing network to your designated recipients
  • Hetzner Online GmbH (Germany): Cloud infrastructure hosting and data storage
  • Amazon Web Services EMEA SARL (Luxembourg): Email delivery via AWS SES for transactional emails and newsletters
  • Mollie B.V. (Netherlands): Payment processing for subscription billing (receives only necessary payment information)
  • KYCAID (EU data centers): Business verification and Know Your Business (KYB) identity checks

We will notify you at least 30 days in advance if we add new subprocessors or change existing ones.

Integration Partners

  • Third-party services you choose to integrate (e.g., WHMCS, Zoho) - only with your explicit authorization

Legal Requirements

  • Government authorities, tax agencies, and regulators when required by law
  • Legal advisors and auditors as necessary for compliance and business operations

All third-party service providers are carefully selected and bound by data processing agreements that ensure GDPR compliance and appropriate security measures.

7. International Data Transfers

Your data is processed exclusively within the European Union. We use data centers located in:

  • Germany
  • Finland

Your personal data never leaves EU jurisdiction, ensuring full protection under GDPR and Luxembourg data protection laws. We do not transfer data to countries outside the EU/EEA.

8. Data Security

We implement industry-standard security measures to protect your personal data, including:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest using strong encryption algorithms
  • Access Controls: Strict authentication and role-based access controls limit data access to authorized personnel only
  • Network Security: Firewalls, intrusion detection, and security monitoring protect our infrastructure
  • Regular Backups: Multiple backup locations across EU data centers ensure business continuity
  • Security Monitoring: 24/7 automated monitoring and incident response procedures
  • Compliance Standards: We are working toward ISO 27001 certification and maintain GDPR compliance

For detailed information about our security practices, please visit our Security & Compliance page.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations
  • Right to Restriction: Request limitation of processing your personal data in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another provider
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: Withdraw consent for newsletter and marketing communications at any time
  • Right to Lodge a Complaint: File a complaint with the Luxembourg National Commission for Data Protection (CNPD)

How to Exercise Your Rights:

To exercise any of these rights, please contact us at hello@invoro.lu. We will respond to your request within one month as required by GDPR.

Supervisory Authority:

Commission Nationale pour la Protection des Données (CNPD)

15, Boulevard du Jazz

L-4370 Belvaux, Luxembourg

Website: cnpd.public.lu

10. Cookies and Tracking

We use privacy-friendly Umami analytics to understand how visitors use our website. Umami is an open-source, privacy-focused analytics tool that:

  • Does not use cookies
  • Does not collect personal data
  • Does not track users across websites
  • Anonymizes all visitor data
  • Stores all data in the EU

For detailed information about cookies we may use for essential functionality, please see our Cookie Policy.

11. Newsletter and Marketing Communications

Pre-Launch: When you join our waitlist, you can opt in to receive our newsletter. This is entirely optional and your choice will not affect your access to our services.

Post-Launch: You can subscribe directly to our newsletter to receive updates about e-invoicing compliance, product features, and industry news.

We use an in-house newsletter system powered by AWS SES. You can unsubscribe at any time by:

  • Clicking the "unsubscribe" link in any newsletter email
  • Contacting us at hello@invoro.lu
  • Managing your preferences in your account settings (post-launch)

12. Data Breach Notification

We take data security seriously and have implemented comprehensive measures to protect your personal information. However, in the unlikely event of a data breach that poses a risk to your rights and freedoms, we are committed to transparent and timely communication.

Our Obligations Under GDPR

  • We will notify the Luxembourg National Commission for Data Protection (CNPD) within 72 hours of becoming aware of a data breach
  • We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • We will document all data breaches and the steps taken to address them

What You Can Expect

If we experience a data breach that affects your personal information, we will notify you by email at your registered account email address. Our notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • Measures we have taken or propose to take to address the breach and mitigate potential adverse effects
  • Contact information for our team (hello@invoro.lu) where you can obtain more information
  • Recommendations for steps you can take to protect yourself

Reporting Security Concerns

If you discover a potential security vulnerability or have concerns about the security of our services, please contact us immediately:

Email: hello@invoro.lu

Subject Line: SECURITY INCIDENT or SECURITY CONCERN

We take all security reports seriously and will respond promptly to investigate and address any issues.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email if you have an account with us
  • Post a notice on our website

We encourage you to review this policy periodically to stay informed about how we protect your data.

14. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Email: hello@invoro.lu

Phone: +352 621 664 396

Mail: Procyon Web S.àr.l.-S, 14-16 avenue Pasteur, L-2310 Luxembourg

For technical security questions or to report a security concern, please also contact us at hello@invoro.lu with "SECURITY" in the subject line.

Our Commitment to Your Privacy

We are committed to transparency, data minimization, and giving you control over your personal information. Your trust is essential to our business, and we take our responsibility to protect your data seriously.