PrimeInvo (hereinafter "we", "us" or "our") is committed to protecting and respecting your personal data. This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, and what rights you have in relation to your data. It is drafted in accordance with the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018.
This policy applies to all our services accessible via app.primeinvo.com and www.primeinvo.com, including our web application, API and mobile applications.
1. Data Controller
As the data controller, PrimeInvo Ltd determines the purposes and means of processing your personal data. We are registered in England and Wales and operate under the jurisdiction of the United Kingdom.
2. Data We Collect
2.1 Account Data
- Full name or company/trading name
- Business email address
- Phone number (optional)
- Password (BCrypt hashed — never stored in plain text)
- Country, company registration number (Companies House No.), VAT number and legal entity type
2.2 Billing and Client Data
- Invoices, quotes and credit notes created within the application
- Your clients' data (company name, address, VAT number)
- Bank details — Sort Code/Account Number or IBAN/BIC (encrypted with AES-256-GCM at rest)
- Payment data: we do not store any card numbers — all payments are processed securely by Stripe
2.3 Technical Data
- IP address (connection logs)
- Browser type and operating system
- Pages visited and session duration
- Error and performance logs (Serilog)
2.4 AI Usage Data
If you use our AI assistant feature, the questions you ask and the responses generated are recorded in order to improve the relevance of answers and to ensure the security of the service. This data is strictly isolated per tenant and is never used to train third-party models.
3. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (UK GDPR Art. 6) |
|---|---|
| Providing the invoicing service (invoices, quotes, client management) | Performance of a contract — Art. 6(1)(b) |
| Managing your SaaS subscription and billing | Performance of a contract — Art. 6(1)(b) |
| Retaining accounting and tax records as required by law (HMRC) | Legal obligation — Art. 6(1)(c) |
| Security, fraud detection and access logging | Legitimate interests — Art. 6(1)(f) |
| Sending transactional emails (confirmations, payment reminders, password resets) | Performance of a contract — Art. 6(1)(b) |
| Marketing communications (newsletters, product updates) | Consent — Art. 6(1)(a) (withdrawable at any time) |
| Product improvement and aggregated usage analytics | Legitimate interests — Art. 6(1)(f) |
4. Data Retention
| Data Category | Retention Period |
|---|---|
| Invoices and accounting records | 6 years (HMRC requirement) |
| User account data | Duration of subscription + 2 years |
| Connection logs (IP address, access records) | 12 months |
| Stripe payment data | Stripe legal retention period + 13 months (chargeback window) |
| AI conversations | 12 rolling months |
| Marketing data (consent records) | 3 years after last contact |
When the applicable retention period expires, your data is securely deleted or irreversibly anonymised for statistical purposes.
5. Third-Party Recipients
We never sell your personal data. Data is only shared with the following processors who are strictly necessary for providing the service:
| Provider | Role | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing and subscription management | United States / EU | IDTAs + UK SCCs |
| Scaleway | Server and database hosting | Paris, France (EU) | UK Adequacy Regulations 2021 |
| Resend / Brevo | Transactional email delivery | EU | UK Adequacy Regulations 2021 |
| Groq / Gemini | AI response generation (anonymised queries only) | United States | IDTAs — anonymised data |
Data Processing Agreements (DPAs) compliant with UK GDPR Article 28 are in place with each of these processors.
6. International Data Transfers
6.1 Transfers from the United Kingdom
Transfers from the UK to the European Economic Area (EEA) are permitted under the UK Adequacy Regulations 2021, which recognise the EU's level of data protection as adequate. For transfers to countries outside the EEA (such as the United States for Stripe and Groq), we rely on International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO).
6.2 Transfers from the EU
Our primary hosting is in the European Union (Scaleway, Paris). Transfers to third countries (United States for Stripe, Groq) are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46.
EU to UK transfers are covered by the adequacy decision adopted by the European Commission on 28 June 2021.
7. Cookies and Similar Technologies
We only use cookies that are strictly necessary for the operation of our service:
| Cookie | Purpose | Duration | Consent Required |
|---|---|---|---|
| .MyApp.Session | User session management | 8 hours (sliding) | No — strictly necessary |
| .MyApp.Auth | Secure authentication | 8 hours (sliding) | No — strictly necessary |
| lang (localStorage) | Language preference storage | Persistent (local storage) | No — strictly necessary |
| __stripe_* | Fraud prevention — Stripe (payment processing) | Session | No — strictly necessary |
We do not use tracking cookies, behavioural advertising cookies or third-party analytics. As we only use strictly necessary cookies, no cookie consent banner is required under the Privacy and Electronic Communications Regulations 2003 (PECR) or the UK GDPR.
8. Your Rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access (Art. 15) — You can request a copy of the personal data we hold about you (a "Subject Access Request").
- Right to rectification (Art. 16) — You can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — You can request the deletion of your personal data, subject to any overriding legal obligations to retain it (e.g., HMRC requirements).
- Right to restriction of processing (Art. 18) — You can request that we temporarily restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20) — You can receive your personal data in a structured, commonly used and machine-readable format (e.g., CSV or JSON).
- Right to object (Art. 21) — You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@primeinvo.com. We will respond to your request within one calendar month of receipt. This period may be extended by a further two months where requests are complex or numerous, in accordance with UK GDPR Article 12(3). We may ask you to verify your identity before processing your request.
9. Supervisory Authority
If you are not satisfied with how we handle your personal data or respond to your request, you have the right to lodge a complaint with the relevant supervisory authority:
We encourage you to contact us first at privacy@primeinvo.com so that we may resolve your concern directly and promptly before you escalate to a supervisory authority.
10. Contact and Updates
For any questions about this Privacy Policy or to exercise your data protection rights, please contact our Data Protection Officer:
Data Protection Officer
We reserve the right to update this Privacy Policy at any time. In the event of a material change, we will notify you by email at least 30 days before the updated version takes effect. The "Updated" date displayed at the top of this page indicates the version currently in force.