Privacy Policy

Last updated: 28 February 2026

1. Information We Collect

Account Information

When you sign up with Google, we receive: your email address, display name, and profile picture. This is stored securely in our database.

Document Content

Information you enter in invoices: business names, addresses, amounts, line items, logos, signatures, and photo attachments.

Payment Information

When you pay via M-Pesa, we receive: your phone number, M-Pesa receipt number, and transaction date. We do not store your M-Pesa PIN or any banking credentials.

Technical Data

IP address (for rate limiting and abuse prevention), browser user agent, and request timestamps.

2. How We Use Your Information

  • Generate and store your documents
  • Process M-Pesa payments
  • Provide dashboard analytics for your account
  • Prevent fraud and abuse
  • Improve the Service

3. Data Sharing

We do not sell, rent, or share your personal information with third parties, except:

  • Safaricom: Phone number and payment amount are shared to process M-Pesa transactions
  • Supabase: Our database and authentication provider (hosted infrastructure)
  • Legal requirements: When required by Kenyan law or court order

4. Data Retention

  • Guest invoices: Unpaid guest invoices are automatically deleted after 90 days
  • Paid invoices: Retained indefinitely (or until you delete your account)
  • Payment records: Retained for 7 years (Kenyan tax compliance)
  • Account data: Deleted within 30 days of account deletion request

5. Data Security

We use industry-standard security measures: HTTPS encryption, Row-Level Security in our database, secure httpOnly cookies, and access controls. However, no system is 100% secure.

6. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (right to be forgotten)
  • Object to processing
  • Data portability

7. Cookies

We use essential cookies only: Supabase authentication session and guest session identifier. No tracking or analytics cookies are used.

8. Children's Privacy

InvoSafi is not intended for users under 18. We do not knowingly collect data from minors.

Contact

For privacy inquiries, contact our Data Protection Officer at [email protected].

© 2026 InvoSafi. All rights reserved.