Last updated: May 2025
The entity responsible for processing your personal data is:
This Privacy Policy applies to personal data collected through the website invoseal.es and the InvoSeal application at app.invoseal.es.
InvoSeal processes personal data in accordance with:
When you register for InvoSeal, we collect: full name, email address, company name, tax identification number (NIF/CIF), and billing address. This data is necessary to provide the service and fulfil our contractual obligations (Art. 6(1)(b) GDPR).
To provide the electronic invoicing service, InvoSeal processes the invoice data you enter: client names, addresses, tax IDs, invoice amounts and line items. This data belongs to you and is processed only to deliver the service (Art. 6(1)(b) GDPR). InvoSeal acts as a data processor with respect to your clients' personal data; you act as the data controller.
Payments are processed by Stripe. We receive only a payment confirmation and a masked card reference. We do not store full card numbers or CVV codes. Stripe's privacy policy is available at stripe.com/privacy.
We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and service improvement. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Logs are retained for a maximum of 90 days.
When you contact us by email or through the application, we retain the content of that communication to handle your request and maintain service quality records. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
To deliver our service, we engage the following sub-processors. All have signed Data Processing Agreements that comply with GDPR requirements:
| Processor | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Invopop S.L. | Spain / EU | Electronic invoice generation and validation (GOBL engine) | Within EU — no transfer |
| Base44 Inc. | United States | Application hosting and backend infrastructure | Standard Contractual Clauses (SCC) |
| Cloudflare Inc. | United States | CDN, DDoS protection, DNS | EU–US Data Privacy Framework (DPF) |
| Stripe Inc. | United States | Payment processing | EU–US Data Privacy Framework (DPF) |
We retain your data for as long as your account is active or as required by law. Specific retention periods:
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, please email [email protected]. We will respond within 30 calendar days.
If you believe your data protection rights have been violated, you may lodge a complaint with a supervisory authority. The competent authority in Spain is:
UK users may also contact the Information Commissioner's Office (ICO) at ico.org.uk. Users in other EU member states may contact their local data protection authority.
InvoSeal uses only strictly necessary cookies required for the operation of the service (session management, authentication). We do not use advertising or tracking cookies. Our website does not embed Google Fonts — all fonts are self-hosted. Full details are available in our Cookie Policy.
InvoSeal implements appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include encrypted connections (HTTPS/TLS), access controls, and regular security reviews. However, no system is completely infallible and we cannot guarantee absolute security.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified by email at least 15 days before they take effect. The date of the latest revision is shown at the top of this page.
For any questions about this Privacy Policy, please contact us at [email protected].