GDPR & data protection

Effective date: 6 June 2026 · invoices.mt, Malta

invoices.mt is built in Malta and designed to comply with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act. This notice explains the roles we each play, your rights, and the terms on which we process personal data on your behalf. It works together with our Privacy Policy.

1. Controller and processor roles

Under the GDPR there are two roles in how data flows through invoices.mt:

  • invoices.mt as controller. For your account, profile and billing data, we decide how and why the data is processed, so we are the controller.
  • invoices.mt as processor. When you add details about your own clients and contacts (for example to put them on an invoice), you are the controller of that personal data and we process it on your documented instructions, only to provide the Service. Sections 6 to 11 below act as our data-processing terms for that relationship.

2. Your rights

Whenever we hold personal data about you, you have the following rights:

  • Access: a copy of the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"), subject to records we must keep by law.
  • Restriction of processing in certain circumstances.
  • Portability: to receive your data in a structured, commonly used, machine-readable format.
  • Objection to processing based on our legitimate interests, and to direct marketing at any time.
  • Withdrawal of consent where processing is based on consent, without affecting earlier processing.

3. How to exercise your rights

You can manage and export much of your data directly in the app. For anything else, email support@invoices.mt with the subject "GDPR request". We will respond within one month, as required by the GDPR, and may need to verify your identity first. These requests are free unless they are manifestly unfounded or excessive.

4. Supervisory authority

If you believe we have not handled your data properly, you can complain to the Maltese supervisory authority, the Information and Data Protection Commissioner (IDPC, idpc.org.mt), or to the data-protection authority in your own country. We would, however, appreciate the chance to address your concern first.

5. International transfers

We keep personal data in the European Economic Area wherever possible. Where a subprocessor processes data outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision. Our subprocessors are listed in our Privacy Policy.

6. Subject matter and scope of processing

As your processor, we process the personal data contained in the content you put into the Service (such as client names, addresses, email addresses and VAT numbers) for the duration of your subscription, solely to provide the invoicing, payment, reporting and related features you use.

7. Our obligations as processor

  • We process personal data only on your documented instructions, which include your use of the Service and these terms.
  • We ensure that people authorised to process the data are bound by confidentiality.
  • We implement appropriate technical and organisational security measures (see our Security overview).
  • We assist you, so far as reasonably possible, in responding to data-subject requests and in meeting your own security, breach-notification and impact-assessment obligations.
  • We notify you without undue delay if we become aware of a personal-data breach affecting your data.
  • On termination, we delete or return the personal data we process for you, except where retention is required by law.

8. Subprocessors

You authorise us to use the subprocessors listed in our Privacy Policy (currently Supabase, Vercel, Stripe, Resend and Google) to help deliver the Service. We impose data-protection obligations on each of them and remain responsible for their performance. We will give notice of any intended change so you can object.

9. Security and breach notification

We maintain encryption in transit and at rest, strict per-workspace data isolation, and access controls. If a breach affects your data, we will inform you promptly with the information you need to meet your own obligations.

10. Audits

On reasonable written request, we will make available the information necessary to demonstrate our compliance with these processing terms, subject to confidentiality and the security of other customers' data.

11. Deletion and return

You can export your data at any time. When your account is closed, we delete or anonymise personal data within a reasonable period, retaining only what we must keep to meet legal obligations such as tax record-keeping.

12. Contact

For any GDPR or data-protection matter, contact support@invoices.mt.