Privacy Policy
Effective date: 6 July 2026 Last updated: 6 July 2026
This Privacy Policy explains how RadianPixelApps SRL ("RadianPixelApps", "we", "us", or "our") collects, uses, and protects your personal data when you use Prime Invoice (the "Service") at primeinvoiceing.com.
We take privacy seriously. This policy is written in plain language wherever possible. If anything is unclear, email us at privacy@primeinvoiceing.com.
1. Who we are
Data controller: RadianPixelApps SRL Registered address: Strada București nr. 32, Ardud, Județul Satu Mare, Romania Email: privacy@primeinvoiceing.com Service: Prime Invoice — primeinvoiceing.com
We are established in Romania and our processing activities are governed primarily by the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and Romanian data protection law (Law 190/2018).
Our supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP), www.dataprotection.ro.
We have not appointed a Data Protection Officer because we are not legally required to do so. Privacy questions go to privacy@primeinvoiceing.com.
2. What this policy covers
This policy covers personal data we process when you:
- visit primeinvoiceing.com (including marketing pages, the blog, and the templates gallery)
- use the free invoice maker at /create without an account
- create an account, log in, or use any feature of Prime Invoice
- contact us by email or any other channel
It does not cover third-party websites you reach through links from our Service. Their privacy practices are their own.
3. The personal data we collect
3.1 Data you provide directly
Account data Name, email address, password (stored as a salted hash — never in plain text), language preference, country, and currency. Collected when you sign up or update your profile.
Business profile data Business name, business address, tax/VAT identification number, phone number, logo, signature image. You enter this into Settings; it appears on the invoices you generate.
Client and invoice content Information you enter about your clients (name, email, address, tax ID, phone) and the contents of invoices, estimates, expenses, products, and time entries you create. This is your business data. We process it on your behalf to provide the Service.
Payment data When you subscribe to a paid plan, you provide payment information (card number, expiry, CVC, billing address) directly to Stripe, our payment processor. We never see or store your full card number. We retain only Stripe's customer ID, subscription status, last 4 digits of the card, and billing country for our records.
Communications Anything you send us by email or write into a support form.
AI Assistant prompts (optional) If you use the AI Assistant or any AI-powered feature, the prompts and document content you submit are sent to our AI processor (Anthropic) for processing.
3.2 Data we collect automatically
Authentication and session data A session token (HTTP-only cookie) so you stay logged in. IP address and browser user-agent for security monitoring.
Usage data Aggregated, non-identifying analytics about how the Service is used (pages visited, features used, performance metrics) collected via Vercel Analytics. We do not use third-party advertising trackers.
Logs Server logs containing IP address, request URL, response status, and timestamp. Used for debugging, abuse prevention, and security investigations.
3.3 Data we receive from third parties
OAuth providers (Google, Apple) If you sign in with Google or Apple, we receive your name, email address, and profile picture URL from those providers — only what's needed to create your account.
Stripe Subscription status, payment status, and billing events.
4. Why we process your data and our legal basis
Under the GDPR, every act of processing personal data requires a lawful basis (Article 6). Here is ours, by purpose:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account | Performance of a contract (Art. 6(1)(b)) |
| Generating invoices, estimates, reports, and other Service outputs | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (password reset, invoice receipts, account notifications) | Performance of a contract (Art. 6(1)(b)) |
| Sending product update emails (only if you opt in) | Consent (Art. 6(1)(a)) — withdrawable at any time |
| Detecting fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) — securing our infrastructure and protecting users |
| Aggregated usage analytics to improve the Service | Legitimate interest (Art. 6(1)(f)) — improving the product, balanced against your privacy by using non-identifying data only |
| Complying with tax, accounting, and legal obligations (invoice records, VAT records) | Legal obligation (Art. 6(1)(c)) — Romanian Accounting Law no. 82/1991 |
| Responding to law enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Defending against legal claims | Legitimate interest (Art. 6(1)(f)) |
| Submitting e-invoices to government systems on your request (Phase 4.5 feature) | Performance of a contract (Art. 6(1)(b)) |
| AI-assisted features (drafting, suggestions, scan/OCR) when you invoke them | Performance of a contract (Art. 6(1)(b)) |
We do not process your data for advertising or sell it to data brokers, ever.
5. Automated decision-making and AI
We do not make automated decisions that produce legal or similarly significant effects about you (GDPR Article 22). Our AI features assist with drafting, categorization, and data extraction — they do not approve loans, screen identity, or take any decision that affects your legal rights.
When you use AI features (the AI Assistant, scan/OCR, AI logo generation, AI-assisted invoice fields), the content you submit is sent to Anthropic, PBC (US) for processing under Anthropic's Data Processing Agreement, which prohibits using customer prompts to train Anthropic's models.
AI outputs are not legal, tax, or accounting advice. Always review AI-generated content before sending invoices, filing taxes, or making business decisions based on it.
6. Who we share your data with (subprocessors)
We use the following processors and subprocessors. Each is bound by a Data Processing Agreement that requires GDPR-equivalent protection.
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Servers in Switzerland (EU-equivalent adequacy) | EU adequacy decision for Switzerland |
| Vercel Inc. | Application hosting and edge delivery | United States (with EU edge nodes) | EU-US Data Privacy Framework |
| Stripe Payments Europe Ltd. / Stripe Inc. | Payment processing, subscription billing | Ireland (EU) and United States | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Twilio SendGrid Inc. | Transactional email delivery | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Anthropic, PBC | AI features (only when you invoke them) | United States | Standard Contractual Clauses |
| Storecove B.V. | E-invoice transmission to government systems (only when you submit an e-invoice) | Netherlands (EU) | Within EEA — no transfer safeguard required |
| Google LLC | Google Sign-In OAuth (only if you choose this login method) | United States | EU-US Data Privacy Framework |
| Apple Inc. | Apple Sign-In OAuth (only if you choose this login method) | United States | Standard Contractual Clauses |
We may also share data with:
- Tax authorities and government bodies when legally required (e.g., for tax audits or court orders).
- Professional advisors (accountants, lawyers) under confidentiality, only when necessary for our own business operations.
- A successor entity if we merge, are acquired, or sell assets — we will notify you and the data will remain protected by an equivalent privacy policy.
We do not share your data with advertisers, data brokers, or analytics resellers.
7. International data transfers
The Service is operated from the EU and your account data is primarily stored in Switzerland (Supabase region: Zurich), which the European Commission has confirmed provides an adequate level of data protection.
Some of our subprocessors are based in the United States. When we transfer data there, we rely on:
- the EU-US Data Privacy Framework (DPF) for processors that are DPF-certified, and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented where necessary by additional technical and organizational measures.
You can request a copy of the SCCs we use by emailing privacy@primeinvoiceing.com.
8. How long we keep your data
| Data category | Retention period |
|---|---|
| Active account data | While your account is open |
| Account data after deletion request | 30 days soft-delete (recoverable), then permanent purge |
| Invoice and billing records | 10 years from the date of issuance (see below) |
| Payment transaction records | 10 years (accounting law) |
| Server logs | 30 days, then deleted |
| Backups | Up to 30 days, encrypted |
| Email correspondence | 3 years from last contact |
| Analytics data (aggregated, non-identifying) | Indefinitely |
| AI prompts sent to Anthropic | Per Anthropic's retention policy (currently up to 30 days for trust & safety, then deleted) |
When the retention period ends, we delete or anonymize the data.
Invoice retention — legal basis and rationale
Invoices issued through the Prime Invoice platform are retained for 10 years from the date of issuance.
Legal basis: Article 25 of the Romanian Accounting Law no. 82/1991, republished, as amended by Law no. 36/2023. The statutory minimum is 5 years calculated from July 1 of the year following the end of the financial year. RadianPixelApps SRL applies a precautionary 10-year retention period to:
- cover the retention requirements of other European Union jurisdictions where the platform is used (Germany, France, Italy: 10 years);
- provide margin for extended tax audits and potential disputes;
- align with Romanian professional accountant best practice.
9. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — get a copy of the data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — delete your account and personal data, subject to legal retention requirements.
- Right to restriction (Art. 18) — limit how we process your data while a dispute is resolved.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (CSV/JSON). You can request an export at any time from Settings → Privacy → Export my data; we email you a download link, usually within an hour.
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7(3)) — for any processing based on consent, withdrawable at any time.
- Right to lodge a complaint with a supervisory authority — in Romania, ANSPDCP (www.dataprotection.ro), or your local data protection authority if you live elsewhere in the EU.
How to exercise these rights: Email privacy@primeinvoiceing.com from the address associated with your account. We respond within 30 days (extendable by 60 days for complex requests, with notice). For account deletion, you can also use the "Delete account" function in Settings.
We may need to verify your identity before responding to certain requests, to prevent unauthorized disclosure.
We do not charge for these requests unless they are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, as permitted by Art. 12(5)).
10. Security
We protect your data with:
- Encryption in transit — TLS 1.2+ on all connections to and from the Service.
- Encryption at rest — database, file storage, and backups are encrypted.
- Access controls — only the two founders have administrative access to production systems, protected by multi-factor authentication.
- Row-level security in our database — your data is isolated from other customers' data at the database level.
- No plaintext passwords — passwords are hashed using industry-standard algorithms (bcrypt).
- Audit logs — administrative actions on production systems are logged.
- Regular dependency updates and security patches.
No system is completely secure. If we ever experience a personal data breach that poses a risk to your rights, we will notify the supervisory authority within 72 hours of becoming aware of it (per GDPR Art. 33), and notify you directly without undue delay if the risk is high (Art. 34).
11. Children
The Service is not directed to anyone under 18 years old. We do not knowingly collect personal data from minors. If we learn we have collected data from someone under 18, we will delete it. If you believe a minor has provided us with personal data, contact privacy@primeinvoiceing.com.
12. Cookies
We use a small number of strictly necessary cookies (authentication session, theme and locale preferences, CSRF protection, Stripe Checkout during payment). We do not use advertising or third-party tracking cookies.
For full details, see our Cookie Policy.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will:
- update the "Last updated" date at the top,
- notify you by email if you have an account, at least 30 days before the change takes effect, and
- post a summary of the change on the policy page.
Continued use of the Service after the effective date means you accept the updated policy.
14. Contact
For any privacy question, request, or complaint:
Email: privacy@primeinvoiceing.com Postal: RadianPixelApps SRL, Strada București nr. 32, Ardud, Județul Satu Mare, Romania
This Privacy Policy is provided in English. If you read a translated version, the English version controls in case of conflict.