Privacy Policy

Last updated: February 6, 2026

InvoiceCave ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our invoicing platform at www.invoicecave.com (the "Service").

By using InvoiceCave, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you register, we collect:

  • Full name
  • Email address
  • Hashed password (we never store plaintext passwords)
  • Organization/company name
  • Profile picture (if provided via Google OAuth)

1.2 Business Data

When you use the Service, you may provide:

  • Customer information (names, emails, phone numbers, addresses)
  • Invoice and payment data
  • Product/service catalog items
  • Accounting records (journal entries, chart of accounts)
  • Organization settings and branding (logos, currency preferences)

1.3 Automatically Collected Information

  • IP address (for rate limiting and security)
  • Browser type and user agent (logged in audit trail)
  • Timestamps of actions performed
  • Usage patterns and feature interactions

1.4 Payment Information

Subscription payments are processed by Stripe. We do not store your credit card numbers, bank account details, or other payment credentials on our servers. Stripe handles all payment data under their own Privacy Policy.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the InvoiceCave platform
  • Process and manage your invoices, payments, and customer records
  • Send transactional emails (email verification, password resets)
  • Process subscription billing via Stripe
  • Enforce rate limits and protect against abuse
  • Maintain audit logs for your organization's compliance
  • Provide AI-powered features (invoice creation, chat assistance)
  • Improve and optimize the Service
  • Respond to customer support requests
  • Comply with legal obligations

3. Data Encryption & Security

We take data security extremely seriously. InvoiceCave implements enterprise-grade security measures:

  • AES-256-GCM encryption for all sensitive customer data (emails, phone numbers, notes)
  • 3-layer key hierarchy: Master Key → Key Encryption Key (KEK) per organization → Data Encryption Key (DEK) per record
  • Bcrypt password hashing with a cost factor of 12
  • Per-organization encryption keys for complete data isolation between organizations
  • Key rotation capabilities without downtime
  • HTTPS/TLS for all data in transit
  • Rate limiting on all API endpoints to prevent brute-force attacks
  • HTTP security headers including CSP, HSTS, X-Frame-Options

4. Data Sharing & Third Parties

We do not sell, trade, or rent your personal information to third parties. We share data only with:

  • Stripe — for payment processing (subscription billing)
  • Moonshot AI — for AI chat features (only message content you send; no customer data is shared)
  • Maileroo/SMTP — for sending transactional emails (verification, password reset)
  • Vercel — for hosting and infrastructure
  • PostgreSQL provider — for database hosting (data is encrypted at rest)

We may also disclose information if required by law, court order, or to protect the safety and rights of our users.

5. MCP Integration & AI Features

InvoiceCave supports the Model Context Protocol (MCP) for connecting external AI tools. When you generate an API key and connect an AI tool:

  • The external tool can access your invoice, customer, and payment data within your organization
  • Access is scoped to the organization linked to the API key
  • You can revoke API keys at any time from your settings
  • All MCP requests are rate-limited and logged

6. Cookies & Tracking

InvoiceCave uses:

  • Session cookies — essential for authentication (NextAuth.js session token)
  • No advertising cookies — we do not use any third-party advertising or tracking cookies
  • No analytics trackers — we do not use Google Analytics or similar services

7. Data Retention

  • Account data is retained for as long as your account is active
  • Invoice and business data is retained until you delete it or delete your account
  • Audit logs are retained for the lifetime of the organization
  • Verification tokens expire after 24 hours (email) or 1 hour (password reset) and are deleted

When you delete your account or organization, all associated data is permanently removed from our systems.

8. Your Rights (GDPR & Global)

You have the right to:

  • Access your personal data at any time through the platform
  • Correct inaccurate data via your organization settings
  • Delete your account and all associated data
  • Export your data (invoices, customer lists, payment records)
  • Restrict processing of your data by contacting us
  • Object to processing for specific purposes
  • Receive your data in a structured format (data portability)

To exercise any of these rights, contact us at privacy@invoicecave.com.

9. Children's Privacy

InvoiceCave is not intended for use by individuals under the age of 16. We do not knowingly collect information from children under 16. If we discover we have collected such information, we will delete it immediately.

10. International Data Transfers

Your data may be processed in countries outside your own. We ensure that any transfer of data complies with applicable data protection laws. Our infrastructure is hosted on Vercel's global network, and our database may be located in the United States or European Union.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us: