Privacy Policy
Effective date: April 10, 2026
This policy describes how Free Invoice Maker ("freeinvoicemaker.app"), operated by adpena ("we", "us", "our"), collects, uses, and protects your personal data. We are committed to privacy by design. If you have questions, contact us at contact@adpena.com.
1. Data Controller
The data controller is adpena, reachable at contact@adpena.com. For GDPR purposes, we process personal data as a controller when you use the service, and as a processor when we store your invoice and client data on your behalf.
2. Data We Collect
What we collect depends on how you use the service:
Anonymous users (no account): All data is stored locally in your browser via IndexedDB. We collect nothing. No server contact occurs.
Registered users: When you create an account, we collect your email address for authentication (magic-link login). If you opt in to cloud sync, we store your invoice data, client data, and organization settings on our infrastructure.
Paying users: Stripe collects and processes your payment information. We receive your Stripe customer ID, subscription status, and payment history. We do not store credit card numbers or bank details.
AI features: If you opt in to AI features (OCR, data extraction), the documents or images you submit are processed by Cloudflare Workers AI. Input data is not retained after processing and is not used to train models.
x402 API access: If you use agent API calls via x402 micropayments, we record your wallet address and transaction hashes for billing reconciliation.
3. Lawful Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): To provide the service, process payments, and deliver transactional emails.
- Consent (Art. 6(1)(a) GDPR): For optional features such as cloud sync, AI processing, and email reminders. You may withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f) GDPR): For service security, abuse prevention, and privacy-preserving analytics.
- Legal obligation (Art. 6(1)(c) GDPR): Where required by tax, financial, or regulatory law.
4. Cookies and Analytics
We do not use tracking cookies. We do not use third-party trackers. We load Cloudflare Web Analytics only after you accept analytics. It is privacy-first: it collects no personally identifiable information, sets no cookies, and does not track users across sites. It provides aggregate page-view and performance data only.
5. How We Use Your Data
- To provide and maintain the service, including cloud sync and invoice delivery.
- To authenticate you via magic-link email.
- To process subscription payments through Stripe.
- To send transactional emails via Resend: invoices, magic links, and payment reminders. We do not send marketing email.
- To process documents through AI features when you explicitly opt in.
- To detect and prevent abuse, fraud, and security incidents.
6. Data Storage and Security
Cloud-synced data is stored on Cloudflare D1 (encrypted at rest) and Cloudflare R2 for file storage. Data is transmitted over TLS. We follow the principle of least privilege for infrastructure access. Cloudflare's data centers are located globally; for EU users, data may be processed in the EU or transferred to other regions under Cloudflare's DPA and Standard Contractual Clauses. You may request a copy of Cloudflare's Data Processing Agreement through us.
7. Data Retention
We retain your data only as long as necessary:
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Invoice and client data: Retained while your account is active. Available for export at any time. Deleted within 30 days of account deletion.
- Payment records: Retained for 7 years as required by tax and financial regulations.
- AI processing data: Not retained after processing is complete.
- Security logs: Retained for up to 90 days for incident investigation.
8. Third-Party Processors
We share data with the following processors, strictly to operate the service:
- Cloudflare — Hosting, data storage (D1, R2), AI processing, and analytics.
- Stripe — Payment processing.
- Resend — Transactional email delivery (invoices, magic links, payment reminders).
We do not sell, rent, or share your personal data with advertisers or data brokers. Each processor is bound by a Data Processing Agreement.
9. Your Rights (GDPR and Applicable Law)
If you are located in the EU/EEA, UK, or another jurisdiction with applicable data protection law, you have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict processing under certain conditions.
- Port your data in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email contact@adpena.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
10. International Transfers
The service runs on Cloudflare's global edge network. Your data may be processed in data centers outside your country of residence. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, as incorporated in our processors' DPAs. You may request copies of applicable SCCs by contacting us.
11. Children's Privacy
The service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email (for registered users) or by posting a notice on the service at least 14 days before they take effect. The effective date at the top of this page will be updated accordingly.
13. Contact
For privacy-related questions, data subject requests, or to request DPA documentation, contact us at contact@adpena.com.