Overview

This policy explains what we collect, why we collect it, and how we protect it. We follow the principle of collecting the minimum necessary data to provide and secure the Service and comply with UK GDPR.

Who we are

For the purposes of UK data protection law, Algorithm Invoice is the data controller for the Service. References to “we”, “us”, and “our” are to Algorithm Invoice.

Data we collect

Account data: name, email, password hash, roles, and settings.
Billing data: subscription status, invoices, transactions (handled by payment providers).
Content you provide: clients, products, invoices, files you upload or generate.
Technical data: essential cookies, IP address, browser user-agent, device summary, and (if available from a local GeoIP database) approximate location for sign-in security.
Support: messages you send to us (for example, email or contact forms).

How we use your data (lawful bases)

Provide the Service and features you request (contract).
Process payments and manage subscriptions/credits (contract/legal obligation).
Protect accounts and detect fraud/abuse via security logging and alerts (legitimate interests).
Improve performance and troubleshoot issues (legitimate interests).
Send essential service emails (for example, receipts, 2FA, security notices) (contract/legitimate interests). Any marketing is opt-in (consent) and you can withdraw consent at any time.

Security logging (IP/Device)

When you sign in (including 2FA), we record your IP address, a device summary (derived from your browser’s user-agent) and—where available from a local MaxMind GeoLite2 database—an approximate location (city/region/country). This helps verify it was you, detect unusual activity, and present a one-time “Signed in securely” notice. Private/local IPs (for example, 127.0.0.1, 192.168.x.x) are treated as non-locatable.

We also set a lightweight, non-sensitive fingerprint cookie (IP + user-agent hash) for up to 30 days to avoid repeating the same pop-up on the same device. Clearing cookies or changing networks/devices may show it again.

Sharing & processors

We use service providers (for example, hosting, email, payments) to operate the product. They process data on our behalf under appropriate agreements and safeguards. We do not sell personal data.

Cookies & analytics

We use a small amount of device storage (cookies and/or localStorage) to keep you signed in, protect the Service, process payments, and remember your preferences. We do not sell personal data.

Your choice: Non-essential categories (such as Analytics and Marketing) are off by default unless you opt in. You can change your selection at any time via Cookie settings in the footer.

Cookie categories

Category	What it does	Examples	Typical lifetime
Essential Strictly necessary	Required for core features like authentication, session security, and form protection. These cannot be switched off in our banner because the site won’t work properly without them. Lawful basis: Contract / Legitimate interests (security).	Sign-in/session cookie, CSRF token cookie, antiforgery identifiers.	Session or short-lived
Security & fraud prevention	Helps detect suspicious activity (for example unusual sign-in patterns), protect accounts, and reduce repeated prompts. This may include a lightweight device “fingerprint” (hash) so certain notices are shown only once on a device. Lawful basis: Legitimate interests (fraud prevention & security).	One-time UI notice flag; non-sensitive device hash cookie (IP + user-agent hash).	Up to ~30 days
Preferences	Remembers your choices (such as cookie preferences) so we don’t keep asking every visit. Lawful basis: Legitimate interests / Consent management.	`cookieConsent.v2` stored in `localStorage`.	Until you clear it
Payments (service cookies)	When you make payments, our payment providers may set cookies or use similar technologies needed to process transactions, prevent fraud, and comply with security requirements (for example 3-D Secure flows). Lawful basis: Contract + Legitimate interests (secure payments).	Provider session/security tokens (e.g. Stripe / PayPal checkout flow).	Varies by provider
Analytics (optional)	If you enable analytics in Cookie Settings, we may measure usage patterns (e.g. pages viewed, feature usage) to improve performance and user experience. We aim to use privacy-respecting analytics and minimise data. Lawful basis: Consent (opt-in).	Analytics identifier (only if enabled).	Varies (only if enabled)
Marketing (optional)	If enabled, may be used to measure campaign effectiveness or personalise offers. We keep this off by default unless you opt in. Lawful basis: Consent (opt-in).	Marketing tags/identifiers (only if enabled).	Varies (only if enabled)

How to change your choice: Use Cookie settings in the footer to update your preferences at any time. You can also clear cookies and localStorage in your browser to reset the banner. If you disable non-essential cookies, the Service will still work, but some optional features may be limited.

More detail (for power users)

Your cookie preferences are stored in your browser as localStorage under cookieConsent.v2 (a small JSON object with your choices and a timestamp).
Some cookies are “strictly necessary” for security and sign-in; blocking them may prevent login or break forms.
Payments are handled by third-party processors. Their cookie usage is governed by their own policies, and they may place cookies during checkout to prevent fraud and process payments securely.
If we introduce a new optional cookie category or materially change our usage, we will re-prompt for consent.

How long we keep data

We keep data only as long as needed for the purposes above, legal compliance, or as required by our contracts. You may request deletion where applicable; some records (for example, invoices) may need to be retained for legal reasons.

Your rights

You are in control of your personal data. Depending on your location (including the UK, EU, and similar jurisdictions), you have the following rights in relation to information we hold about you.

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Ask us to correct inaccurate or incomplete information.
Right to erasure (“right to be forgotten”): Request deletion of your account and associated personal data, subject to legal or contractual retention requirements (for example, invoices required for tax or accounting purposes).
Right to data portability: Request a machine-readable export of your data so you can move it to another service.
Right to restrict processing: Ask us to limit how your data is used in certain circumstances.
Right to object: Object to processing based on legitimate interests, including optional analytics or communications.
Right to withdraw consent: Withdraw consent at any time where processing relies on consent (for example analytics or marketing cookies). This does not affect processing already carried out.

Self-service tools (in your account)

You can access privacy tools directly from your account settings:

Download your personal data: Export a copy of personal data associated with your account.
Delete your account: Permanently delete your account (subject to legal retention requirements, such as invoices kept for accounting/tax).

These tools are typically located under Manage Account → Personal Data. If you cannot access your account, contact us and we can help.

Important – account deletion is permanent: Once you confirm deletion, your account and associated personal data are permanently removed and cannot be restored. We strongly recommend downloading your personal data before proceeding.

Please note that certain records cannot be deleted immediately due to legal obligations. For example, invoices and transaction records may be retained for accounting, tax, and anti-fraud requirements.

Where retention is required, data is securely restricted, minimised, and used only for compliance purposes. It is not used for marketing or analytics.

How to exercise your rights: Use the self-service tools under Manage Account → Personal Data, or contact us at privacy@algorithminvoice.com. We may ask you to verify your identity before completing a request to protect your account.

We aim to respond to all valid requests within one month, as required by law. There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive.

Exercising your rights will not result in any discrimination or reduction in service, except where the requested action makes it technically or legally impossible to continue providing the Service.

International transfers

If data is transferred across borders, we use appropriate safeguards (for example, UK International Data Transfer Agreement/standard contractual clauses) where required.

Children’s data

The Service is intended for business use and is not directed to children. If you believe a child has provided personal data, please contact us so we can take appropriate action.

Changes to this policy

We may update this policy to reflect product, legal, or security changes. If changes are material, we’ll provide reasonable notice in-app or by email. Continuing to use the Service means you accept the updates.

Privacy Policy