GDPR Compliance
We're committed to protecting your privacy rights under the General Data Protection Regulation.
SmartInvoice is fully GDPR compliant and registered with the UK Information Commissioner's Office (ICO).
Our Commitment to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that gives EU/EEA residents control over their personal data. Even though we're based in the UK, we apply GDPR standards to all users globally.
As a data processor handling sensitive financial documents, we take our responsibilities seriously. This page explains how we comply with GDPR and how you can exercise your rights.
Your Data Rights
Under GDPR, you have specific rights regarding your personal data. Here's how to exercise them.
Right to Access
You can request a copy of all personal data we hold about you, including uploaded documents, extracted data, account information, and usage logs.
Right to Rectification
You can correct any inaccurate personal data we hold. Update your profile information directly in your account settings or contact us for assistance.
Right to Erasure
You can request deletion of your personal data. This includes your account, all uploaded documents, extracted data, and associated records.
Right to Restrict Processing
You can request that we limit how we process your data while we verify accuracy or assess our legitimate interests.
Right to Data Portability
You can receive your data in a structured, commonly used format (JSON, CSV) to transfer to another service provider.
Right to Object
You can object to processing based on legitimate interests, direct marketing, or research/statistical purposes.
Data We Collect & Process
Transparency about what data we collect, why, and how long we keep it.
| Category | Data Collected | Purpose | Retention |
|---|---|---|---|
| Account Information | Email address, Name, Password (hashed), Profile settings | Account management and authentication | Until account deletion + 30 days |
| Financial Documents | Uploaded bank statements, Invoices, Receipts | Document processing and data extraction | 30 days after processing (configurable) |
| Extracted Data | Transactions, Account balances, Vendor information | Providing core service functionality | Until account deletion |
| Payment Information | Billing address, Payment method (via Stripe) | Processing payments and subscriptions | 7 years (legal requirement) |
| Usage Data | Features used, Pages viewed, Processing history | Service improvement and analytics | 90 days |
Legal Bases for Processing
Contract Performance (Article 6(1)(b))
Processing your documents and providing our services requires handling your data as part of our contractual obligations to you.
Legitimate Interests (Article 6(1)(f))
We use anonymized analytics to improve our service, detect fraud, and ensure security. We've conducted legitimate interest assessments for these activities.
Consent (Article 6(1)(a))
For optional features like marketing emails and analytics cookies, we obtain your explicit consent. You can withdraw consent at any time.
Legal Obligation (Article 6(1)(c))
We retain certain records (like payment history) to comply with tax, accounting, and anti-money laundering regulations.
Response Times
Data Subject Requests
We respond to all GDPR requests within 30 days. Complex requests may take up to 60 days, and we'll notify you of any extension.
Data Breach Notification
In case of a data breach affecting your rights, we'll notify you and the relevant supervisory authority within 72 hours.
Submit a GDPR Request
To exercise any of your rights, please contact our Data Protection Officer. We may need to verify your identity before processing your request.
You also have the right to lodge a complaint with a supervisory authority (e.g., ICO in the UK, your local DPA in the EU).
Platform developed by AI Makers • 10-12 Snipweg, Willemstad, Curaçao