Privacy Policy
Last updated: 4 May 2026. This policy explains how CHIMISMART LTD collects, uses, and protects your personal data in connection with the Invoicify service.
1. Who We Are
The data controller for personal data collected through Invoicify is:
CHIMISMART LTD (trading as Invoicify)
Company number: 16995660 · Registered in England and Wales
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: info@useinvoicify.com
Phone: +44 7538 299689
References to “we”, “us”, and “our” in this policy mean CHIMISMART LTD. “Service” means the Invoicify web application available at useinvoicify.com.
Where we process personal data on your behalf as part of the Service (e.g. your clients’ details stored in your invoices), we act as a data processor under your instructions. That relationship is governed by our Data Processing Addendum. This Privacy Policy covers our role as a data controller — primarily for account, billing, and support data.
2. What Personal Data We Collect
Account and registration data
Name, email address, password (hashed — never stored in plain text), business name, business address, VAT or tax number (if provided), and phone number. Collected when you create an account or update your profile.
Billing and payment data
Subscription plan, billing cycle, payment history, and billing address. Card details are processed directly by Stripe, Inc. and are not stored on our servers. We receive only a tokenised reference and the last four digits of your card for display purposes.
Invoice and client data
The invoice content you create — including your clients’ names, addresses, email addresses, and amounts — is stored to provide the Service. This data belongs to you; we process it on your instructions as described in the DPA.
Usage and technical data
IP address, browser type and version, operating system, pages visited, time spent on pages, referring URL, and error logs. Collected automatically when you use the Service.
Communications data
Messages you send us via email or the contact form, including the content of support requests and any attachments. Retained for up to 3 years to maintain a record of support history.
Cookie and tracking data
Cookies and similar technologies used for authentication, preferences, and aggregate analytics. See our Cookie Policy for full details.
3. How and Why We Use Your Data
UK GDPR requires us to identify a lawful basis for each processing purpose. The table below sets out our purposes and the basis we rely on.
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing the Service — creating, storing, and delivering invoices | Performance of a contract (Art. 6(1)(b)) |
| Account registration and authentication | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments and managing billing | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, invoices, password resets) | Performance of a contract (Art. 6(1)(b)) |
| Responding to support requests | Legitimate interests — providing customer support (Art. 6(1)(f)) |
| Monitoring service performance, diagnosing errors, and maintaining security | Legitimate interests — operating a reliable and secure service (Art. 6(1)(f)) |
| Aggregated analytics to understand how the Service is used | Legitimate interests — improving the Service (Art. 6(1)(f)) |
| Sending product update and marketing emails to existing customers | Legitimate interests — direct marketing to existing customers; you may opt out at any time (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax records, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, you have the right to object — see Section 7.
4. Who We Share Your Data With
We do not sell your personal data. We share it only with the third-party service providers necessary to operate the Service, each bound by data processing agreements:
| Recipient | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Infrastructure, database, and file storage | EU / UK |
| Stripe, Inc. | Payment processing and subscription billing | USA — SCCs in place |
| Transactional email provider | Sending receipts, invoice delivery, and system emails | EU / UK |
| Analytics provider | Aggregated, anonymised usage analytics | EU |
We may also disclose your data where required by law, court order, or to protect our legal rights, or in connection with a merger or acquisition of CHIMISMART LTD (with advance notice to you where permitted).
5. International Transfers
We are based in the United Kingdom and store data primarily in the EU and UK. Where we transfer personal data to recipients outside the UK or EU/EEA (such as Stripe in the United States), we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (European Commission Decision 2021/914) for transfers from the EEA.
- UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU SCCs for transfers from the UK.
Copies of applicable transfer mechanisms are available on request at info@useinvoicify.com.
6. How Long We Keep Your Data
| Data category | Retention period |
|---|---|
| Account and profile data | For the life of your account, then deleted 30 days after account closure |
| Invoice and client data | For the life of your account; available to export for 30 days after cancellation; deleted from live systems after that, and from backups within 90 days |
| Billing and payment records | 7 years from the date of transaction (UK tax record-keeping requirement) |
| Support communications | 3 years from last contact |
| Usage and technical logs | 90 days, then automatically deleted |
| Marketing preferences (opt-out records) | Indefinitely, to honour your opt-out |
7. Your Rights Under UK GDPR
As a data subject under UK GDPR you have the following rights. To exercise any of them, email info@useinvoicify.com from your registered address. We will respond within one month.
Right of access (Art. 15)
Request a copy of the personal data we hold about you, along with information about how we use it.
Right to rectification (Art. 16)
Ask us to correct personal data that is inaccurate or incomplete.
Right to erasure (Art. 17)
Request deletion of your personal data where there is no overriding legal reason for us to keep it. Note that some data (e.g. billing records) must be retained by law.
Right to restriction of processing (Art. 18)
Ask us to pause processing of your data in certain circumstances — for example, while we verify a rectification request.
Right to data portability (Art. 20)
Receive a copy of the personal data you provided to us in a structured, machine-readable format (CSV or JSON).
Right to object (Art. 21)
Object to processing based on legitimate interests, including direct marketing. We will stop unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent
Where we rely on consent (e.g. optional marketing emails), you may withdraw it at any time via the unsubscribe link in any email or by contacting us.
Right to lodge a complaint
You have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concern first.
8. Security
We implement and maintain appropriate technical and organisational measures to protect your personal data:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is stored in encrypted form.
- Passwords are hashed using a strong one-way algorithm and never stored in plain text.
- Access to production systems is restricted to authorised personnel via authenticated sessions.
- Automatic encrypted daily backups retained for a minimum of 30 days.
- Security patches applied on a risk-prioritised basis.
No transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at info@useinvoicify.com.
9. Cookies
We use cookies for authentication, preferences, and aggregate analytics. For full details of the cookies we set, their purpose, and how to control them, see our Cookie Policy.
10. Children
The Service is intended for use by businesses and adult professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
11. Links to Third-Party Sites
The Service may contain links to third-party websites. This Privacy Policy applies only to Invoicify. We have no control over third-party privacy practices and recommend reviewing their policies before providing personal data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will notify you by email to your registered address at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact and Complaints
For any questions about this Privacy Policy or to exercise your rights, contact us:
CHIMISMART LTD (trading as Invoicify)
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: info@useinvoicify.com
Phone: +44 7538 299689
UK Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) — the UK’s independent data protection regulator. Visit ico.org.uk or call 0303 123 1113. We would appreciate the chance to resolve your concern before you contact the ICO.