Effective date: May 25, 2026 Last updated: May 25, 2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use the InvoHub service. Please read it carefully. If anything is unclear, contact us at privacy@invohub.eu — we will answer in plain English or Lithuanian.

1. Who we are

InvoHub is a service operated by:

All Digital Group, UAB Company code: 305453299 VAT code: LT100012967017 Registered office: Žalgirio g. 94, LT-09300 Vilnius, Lithuania

For all matters related to your personal data, contact:

Email: privacy@invohub.eu Postal address: Žalgirio g. 94, LT-09300 Vilnius, Lithuania

We are the data controller for the personal data we collect about you as a user of the InvoHub service.

For the personal data contained in invoices you upload or that we collect from your connected mailboxes, we act as your data processor — see Section 2 for the distinction.

2. What this Privacy Policy covers — and what it doesn’t

InvoHub processes two distinct types of personal data, and our role under GDPR differs between them.

Your user account data (we are the controller):

When you sign up and use InvoHub, we collect and process data about you as our user — your email address, name, language preference, login activity, audit log entries, consent records. For this data, we are the data controller and this Privacy Policy applies in full.

Invoice content and mailbox data (we are the processor):

When your business uses InvoHub to collect invoices from a connected mailbox, the invoices typically contain personal data about other people — your suppliers, their employees, sole traders, free-lance workers, your customers. For this data, your business is the data controller and we act as the data processor.

The processing of invoice data is governed by the Data Processing Agreement that forms Appendix A to the Terms of Service. This Privacy Policy describes the security and operational measures we apply, but the legal basis and purpose for processing that data are determined by the business that uses our service, not by us.

3. Personal data we collect

We collect personal data in four categories.

3.1 Account and identity data

When you register and use InvoHub:

• Name and email address — obtained from your Google or Microsoft account through OAuth at sign-up.
• Authentication metadata — Google or Microsoft account identifier, OAuth refresh and access tokens (encrypted at rest with AES-256-GCM).
• Role and permissions — your role within your organisation’s InvoHub workspace, your platform role.

3.2 Processing and usage data

When you use InvoHub:

• Connection settings — which mailboxes you have connected (Gmail or Outlook addresses), which connector types are active.
• Mail rules and export rules — automation rules you have configured.
• Audit log entries — records of significant actions you take in the application (creating connectors, deleting tenants, accepting terms, toggling privacy settings).

3.3 Technical data

Collected automatically when you use InvoHub:

• IP address — recorded at sign-up, login, consent acceptance, and during significant actions for security and audit purposes.
• Browser and device information — User-Agent string recorded at the same points as IP.
• Session metadata — login timestamps, session expiry timestamps, language preference.
• Cookie data — see Section 11.

3.4 Communications data

If you contact us:

• Email correspondence — when you write to privacy@invohub.eu, support@invohub.eu, or hello@invohub.eu, we retain the email content and reply history.

We do not collect:

• Payment card data (we do not currently process payments directly)
• Health data, biometric data, or other special categories of personal data
• Tracking data from third-party advertising networks
• Behavioural profiling data

4. Why we process your personal data

Our processing of your personal data has the following lawful bases under GDPR Article 6.

We do not process your personal data for marketing purposes, profiling, automated decision-making with legal effects, or for training AI models.

5. How we use AI

InvoHub uses an AI service from Anthropic to extract structured data from invoice documents. This is a core part of the service — when an invoice arrives in your connected mailbox, the PDF is sent to Anthropic’s Claude API for text and data extraction, then the extracted data is stored in your InvoHub workspace.

We comply with the Google API Services User Data Policy, specifically the Limited Use requirements. We commit that:

1. We use Gmail and Outlook data only to provide and improve user-facing features that are prominent in the InvoHub interface — that is, invoice collection and structured data extraction.
2. We do not transfer Gmail or Outlook data to others except as necessary to provide and improve the service, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
3. We do not use Gmail or Outlook data for advertising, including retargeting, personalised advertising, or interest-based advertising.
4. We do not allow humans to read Gmail or Outlook data unless we have your explicit consent, we are required to do so for security purposes (such as investigating abuse), to comply with applicable law, or for the limited purpose of providing internal operations on aggregated, anonymised data.

The fourth commitment is enforced technically through our Support Access privacy gate. By default, no employee of All Digital Group, UAB can view your mail metadata (sender, subject, snippet) through our admin tools. You can opt to grant this access through the Privacy settings in your account, and you can revoke it at any time. Every access by support staff is recorded in an audit log.

6. Who we share your personal data with

We share your personal data only with the sub-processors listed below, each of which is contractually bound by a Data Processing Agreement and provides security guarantees at least equivalent to ours.

The full list of sub-processors, with up-to-date contact information and links to each sub-processor’s Data Processing Agreement, is available at https://invohub.eu/legal/sub-processors.

When we add a new sub-processor, we will notify all active users through an in-application banner that remains visible until you acknowledge it. You will have 30 days from the date of your acknowledgment to object to the change by writing to privacy@invohub.eu. If we cannot accommodate your objection, you can terminate your use of the service.

We do not share your personal data with advertising networks, data brokers, or for any commercial purpose unrelated to providing the InvoHub service.

7. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA), specifically in the United States. When your personal data is transferred to a country outside the EEA, we ensure the transfer is protected by appropriate safeguards under GDPR Article 46.

For each sub-processor outside the EEA, our contracts incorporate the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable.

For sub-processors that allow region selection (AWS, Neon), we have selected EU regions, so your data is stored in the European Union.

For sub-processors where data unavoidably crosses borders during processing (Anthropic, Replit, Google, Microsoft), the SCCs in their respective DPAs provide the legal safeguard. The processing scope is minimised — Replit, for example, hosts only the application runtime and does not store persistent customer data, which remains in EU regions.

8. How long we keep your personal data

Our retention periods are designed around the principle of data minimisation (GDPR Article 5(1)(c)).

9. Your rights under GDPR

You have the following rights regarding your personal data:

• Right of access (Article 15) — request a copy of the personal data we hold about you.
• Right to rectification (Article 16) — correct inaccurate personal data through your account settings, or request correction by writing to privacy@invohub.eu.
• Right to erasure (Article 17) — request deletion of your personal data. For your workspace, you can do this self-service through Settings; for your user account separately, write to privacy@invohub.eu.
• Right to restriction of processing (Article 18) — request that we limit processing while a dispute is being resolved.
• Right to data portability (Article 20) — export your invoice data in a structured, commonly used, machine-readable format. The Export feature in your account produces ZIP and XLSX exports for this purpose.
• Right to object (Article 21) — object to processing based on our legitimate interests.
• Right to withdraw consent (Article 7(3)) — withdraw any consent you have previously given. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint — complain to the Lithuanian Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) at vdai.lrv.lt, or to the data protection authority of your country of residence.

We respond to all rights requests within one month of receipt, as required by GDPR Article 12(3). For complex requests, we may extend this period by an additional two months and will notify you of the extension within the first month.

10. How to exercise your rights

Write to privacy@invohub.eu with:

• The right you wish to exercise (you can simply describe what you want — you do not need to cite GDPR articles)
• Your account email address (so we can identify your records)
• Any additional context that helps us understand the request

We may ask for additional information to verify your identity before responding to a request, particularly for sensitive operations like erasure or data export. This protects you from unauthorised access to your data.

We do not charge a fee for rights requests, except where requests are manifestly unfounded or excessive (GDPR Article 12(5)).

11. Cookies and tracking

InvoHub operates two distinct parts with different cookie policies. The application (app.invohub.eu) is where you sign in and use the service. The marketing websites (invohub.eu and invohub.lt) are the public landing pages where we describe the product to prospective customers.

11.1 On the application (app.invohub.eu)

The application uses only strictly necessary cookies required to operate the service.

We do not use any of the following on the application:

• Google Analytics or any other web analytics service
• Facebook Pixel or any advertising or retargeting cookies
• Cross-site tracking cookies
• Behavioural profiling cookies
• Session recording tools (such as Hotjar or FullStory)

This is a deliberate, strict commitment. We operate under the Google API Services User Data Policy (the Limited Use requirements) because we access Gmail and Microsoft 365 mailboxes on your behalf. Limited Use prohibits using mailbox-derived identity for advertising, retargeting, or third-party tracking — and we go further by not running any third-party scripts at all inside the authenticated application.

Because the application uses only strictly necessary cookies, no cookie consent banner is shown when you sign in. Strictly necessary cookies are exempt from the consent requirement under ePrivacy Directive Article 5(3) second sentence.

11.2 On the marketing websites (invohub.eu and invohub.lt)

The marketing websites use additional cookies for analytics and advertising purposes, including:

• Google Analytics for measuring traffic sources, audience size, and content engagement
• Facebook Pixel for measuring the effectiveness of our advertising campaigns and building advertising audiences
• Other marketing or analytics tools as listed in the cookie preferences panel on those websites

These cookies are set only after you provide consent through the cookie banner displayed on your first visit. You can change your preferences at any time through the “Cookie preferences” link in the website footer.

Cookies set on the marketing websites do not follow you into the application. The marketing websites and the application operate with completely separate cookie scopes, and we do not bridge identity between the two — for example, we do not pass a visitor’s Facebook Pixel identifier into the application after sign-up.

11.3 Why the application stays clean

The strict separation between the application and the marketing websites is a security and privacy decision, not an oversight. The application processes sensitive business data (your invoices, your mailbox content) under our agreements with you and under the Google API Services User Data Policy. Adding third-party scripts to the application would broaden the trust boundary of that processing — every third-party script provider would become a de facto sub-processor. By keeping the application clean, we keep the trust boundary narrow.

12. How we keep your data secure

We apply technical and organisational security measures appropriate to the risk, including:

• Encryption in transit — TLS 1.2 or higher on all connections, HTTP Strict Transport Security headers.
• Encryption at rest — invoice PDFs encrypted with AWS KMS envelope encryption; OAuth tokens encrypted at the application layer with AES-256-GCM bound to your workspace identity.
• Tenant isolation — three independent layers prevent one workspace from accessing another’s data: session-level binding, application context propagation, and PostgreSQL Row-Level Security.
• Authentication — OAuth-only sign-in (Google or Microsoft); no passwords stored on our systems.
• Access controls — role-based permissions, audit logging of privileged actions, technical privacy gates limiting support staff access to mail metadata.
• Continuous monitoring — external uptime monitoring, structured worker logs, automated stuck-job recovery.
• Tested incident response — documented incident response playbooks for outage, data exposure, credential leak, and other scenarios.

We undergo periodic security review, including the Google Cloud Application Security Assessment (CASA) Tier 2 process for our restricted-scope OAuth access to Gmail.

In the event of a personal data breach, we will notify the Lithuanian Data Protection Inspectorate (VDAI) within 72 hours of becoming aware, as required by GDPR Article 33, and we will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.

13. Children’s privacy

InvoHub is a business-to-business service intended for use by professionals in the accounting and bookkeeping sector. We do not knowingly collect personal data from children under the age of 16.

If you believe a child has provided personal data to us, please contact privacy@invohub.eu and we will delete the data promptly.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our service, our sub-processors, applicable law, or our security practices.

When we make material changes, we will:

• Update the “Effective date” and “Last updated” fields at the top of this Policy
• Notify you through an in-application banner that remains visible until you acknowledge it
• For changes that materially affect your rights, give you at least 30 days notice before the changes take effect

The current version of this Privacy Policy is always available at https://invohub.eu/legal/privacy-policy. Past versions are archived and available on request to privacy@invohub.eu.

Document history

Contact

For any questions about this Privacy Policy or your personal data:

Email: privacy@invohub.eu Postal address: All Digital Group, UAB · Žalgirio g. 94 · LT-09300 Vilnius · Lithuania Data Protection Authority: Valstybinė duomenų apsaugos inspekcija (VDAI) · vdai.lrv.lt · +370 5 271 2804