SB InvoiceFlow
LoginSign Up Free

Privacy Policy

Last updated: March 2, 2026

1. Introduction

SB InvoiceFlow (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share information when you use our invoice management platform at sbinvoiceflow.com. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

We collect the following categories of information:

Account Information

Name, email address, password (hashed), profile image URL, company name, company logo, address, and phone number provided during registration or in account settings.

Invoice & Business Data

Invoice details (line items, amounts, tax rates, due dates), client names and contact information, payment records, recurring billing settings, and notes you add to invoices.

Payment Information

We do not store your full card details. Payment processing is handled by Stripe. We store only the Stripe customer ID and subscription metadata needed to manage your plan.

Usage & Technical Data

IP address, browser type, device information, pages visited, and session data. This information is used for security, debugging, and improving the Service.

Two-Factor Authentication Data

If you enable 2FA, we store a temporary OTP secret during verification. OTP codes are one-time use and expire after a short window.

API & Webhook Data

On the Business plan, we store API key hashes (not the raw key), webhook endpoint URLs, event subscriptions, and delivery logs including request payloads and server responses.

3. How We Use Your Information

  • To provide and operate the Service (invoicing, payments, client management)
  • To authenticate your identity and protect your account (sessions, 2FA, password reset)
  • To process subscription billing via Stripe
  • To send transactional emails (invoice delivery, payment notifications, reminders)
  • To send account-related communications (password reset, OTP codes, team invitations)
  • To deliver webhook events to your registered endpoints
  • To analyse usage patterns and improve the Service
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Data Storage & Security

Your data is stored in a managed PostgreSQL database (Supabase). All connections use TLS encryption in transit. We implement the following security controls:

  • Passwords are hashed using bcrypt — never stored in plain text
  • Two-factor authentication (OTP) is available on all plans
  • API keys are stored as hashed values — the raw key is shown only once at creation
  • Webhook payloads are HMAC-SHA256 signed so you can verify authenticity
  • Sessions are managed with secure, HTTP-only cookies via NextAuth

5. Third-Party Services

We use the following third-party services to operate the platform:

Stripe

Payment processing and subscription management. Stripe's privacy policy applies to data they collect. We never store raw card numbers.

Supabase / PostgreSQL

Managed database hosting. All invoice, client, and user data is stored here with encrypted connections.

Email Provider

Used to deliver invoice emails, payment reminders, and account notifications on your behalf.

6. Cookies & Sessions

We use session cookies to keep you logged in. These are HTTP-only cookies and cannot be accessed by JavaScript. We do not use tracking cookies or third-party advertising cookies. You can clear cookies at any time through your browser settings, which will log you out of the Service.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, your data will be permanently deleted within 30 days, except where we are required to retain it by law. CSV exports and PDF invoices downloaded by you remain your responsibility once exported.

8. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — update inaccurate data through your account settings
  • Deletion — request deletion of your account and associated data
  • Export — export your invoices and client data as CSV at any time
  • Portability — request your data in a machine-readable format
  • Objection — object to processing of your data in certain circumstances

To exercise any of these rights, contact us at support@sbinvoiceflow.com.

9. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a prominent notice in the Service. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us at:

SB InvoiceFlow

support@sbinvoiceflow.com