Legal

Privacy Policy

Effective date: 6 June 2026 · invoices.mt, Malta

This Privacy Policy explains how invoices.mt collects, uses, shares and protects personal data when you use our website and Service. We are based in Malta and comply with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act. Your rights and our handling of personal data under the GDPR are described in more detail in our GDPR notice.

1. Who is responsible for your data

For your account and billing data (your name, email, business details, subscription), invoices.mt is the data controller.

For the data you enter about your own clients and contacts (for example a client's name, address and VAT number on an invoice), you are the controller and invoices.mt acts as your data processor, processing that data only to provide the Service to you. The terms of that processing are set out in our GDPR notice.

2. What we collect

  • Account data: name, email address, password (stored hashed), and authentication details.
  • Business profile: business name, address, VAT number, logo, payment details and defaults you configure.
  • Content you create: invoices, quotes, receipts, expenses, clients, vendors and any files you upload.
  • Payment data: subscription and payout metadata from Stripe. We do not store full card numbers; card details are handled by Stripe.
  • Usage and technical data: log data, device and browser information, IP address, and cookies needed to run the Service.
  • Support data: the content of messages and tickets you send us.

3. How we use your data and our lawful bases

Purpose | Lawful basis
Providing the Service, your account and your documents | Performance of a contract
Processing subscription payments and our application fee | Performance of a contract
Sending service, security and transactional emails | Performance of a contract / legitimate interests
Securing the Service and preventing fraud and abuse | Legitimate interests
Improving and maintaining the Service | Legitimate interests
Complying with tax, accounting and legal obligations | Legal obligation
Optional product updates or marketing emails | Consent (you can opt out at any time)

4. AI processing

When you use AI features, the text or files you submit are sent to a third-party AI provider (by default Google, using the Gemini family of models) to generate a draft. We do not use your private business data to train third-party models, and AI providers process this data only to return a result to you. Do not submit information you are not comfortable having processed in this way.

5. Who we share data with (subprocessors)

We share data only with service providers who help us run invoices.mt, under contracts that require them to protect it. Our main subprocessors are:

Provider | Purpose | Region
Supabase | Database, authentication and file storage | EU (Ireland)
Vercel | Application hosting and delivery | EU (Dublin)
Stripe | Subscription billing and card payments | EU / global
Resend | Transactional and notification email | EU / global
Google | AI generation (Gemini) | EU / global

We do not sell your personal data. We may disclose data where required by law or to protect our rights, users or the public.

6. International transfers

We host data in the EU wherever possible. Where a provider processes data outside the European Economic Area, that transfer is protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.

7. How long we keep data

We keep your account and content for as long as your account is active. After you close your account we delete or anonymise your personal data within a reasonable period, except where we must keep certain records (for example invoicing and tax records) to meet legal retention obligations. You can request earlier deletion as described in our GDPR notice.

8. Security

We protect your data with encryption in transit and at rest, strict tenant isolation and access controls. See our Security overview for details.

9. Your rights

You have the right to access, correct, delete, restrict and port your personal data, to object to certain processing, and to withdraw consent. You also have the right to lodge a complaint with the Maltese Information and Data Protection Commissioner (IDPC) or your local supervisory authority. How to exercise these rights is explained in our GDPR notice.

10. Cookies

We use only the cookies necessary to keep you signed in and to run the Service securely. We do not use advertising cookies. Your browser lets you block or delete cookies, though doing so may stop parts of the Service from working.

11. Children

The Service is intended for businesses and is not directed at anyone under 18. We do not knowingly collect data from children.

12. Changes

We may update this Policy from time to time. We will post the new version here and, where the change is material, give additional notice. The effective date above shows when it was last updated.

13. Contact

For any privacy question or to exercise your rights, contact us at support@invoices.mt.