Privacy Policy
Last updated: July 12, 2026
Space Invoices is operated through two companies. Studio 404 d.o.o. is the contracting company and account-data controller for customers outside the United States. Space Invoices Inc. is the contracting company and account-data controller for United States customers. Space Invoices Inc. owns the platform intellectual property and licenses it to Studio 404 d.o.o.
We are GDPR-compliant where the GDPR applies. Personal data for users in the EU and EEA is stored and processed in the European Union, as described in Section 6.
1. Data Controller
The controller for account, billing, support, and website data depends on the market in which we provide the service:
Outside the United States: Studio 404 d.o.o., Gradišče 15c, 1360 Vrhnika, Slovenia.
United States: Space Invoices Inc., 8 The Green, Suite B, Dover, Delaware 19901, United States.
The two companies provide infrastructure, engineering, administration, and support services to each other. For a particular processing activity, the company acting on the documented instructions of the relevant controller acts as its processor. Each company may also act as an independent controller for its own legal, security, tax, employment, and corporate obligations.
We process personal data in line with the General Data Protection Regulation (GDPR) and applicable EU/EEA law where they apply. For privacy requests, contact us at the address in Section 14; EU-related inquiries are handled through the same channel.
2. Information We Collect
We collect information that you provide directly and information generated through your use of our services:
Account information:
- Name, email address, and company details
- Billing address and VAT/tax identification numbers
- Payment information (processed by Stripe; we do not store card details)
Platform data:
- Invoice, estimate, and credit note data you create through our platform
- Customer records you add to your entities
- API usage logs and request metadata
Your customers on invoices: When you issue invoices, you may enter names, addresses, tax IDs, and similar details about buyers or counterparties. That information is your business data; you are typically the controller for your customers’ personal data, and we process it only to run the invoicing service for you. See Section 7.
Automatically collected:
- IP address, browser type, and device information
- Usage analytics (pages visited, feature usage)
- Cookies and similar tracking technologies (see Section 8)
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data under the following legal bases:
- Contract performance — to provide our invoicing services, process your transactions, and maintain your account
- Legal obligation — to comply with tax, accounting, and regulatory requirements (including fiscalization mandates)
- Legitimate interest — to improve our services, prevent fraud, and ensure platform security
- Consent — for marketing communications and optional analytics (you may withdraw consent at any time)
4. How We Use Your Information
- Provide, maintain, and improve our invoicing platform and API
- Process transactions, generate invoices, and submit fiscalization data to tax authorities where required
- Send transactional communications (account confirmations, billing notices, security alerts)
- Respond to support requests and provide technical assistance
- Monitor and analyze usage to improve performance and reliability
- Comply with legal and regulatory obligations
- Send product updates and marketing communications (with your consent)
5. Data Sharing and Third Parties
We share personal data only as necessary to operate our services:
- Our affiliated company — Studio 404 d.o.o. or Space Invoices Inc., as applicable, for engineering, support, billing administration, and service operations under appropriate intercompany terms
- Stripe — payment processing
- Cloud infrastructure providers — hosting and data storage within the EU
- Tax authorities — where required by law for fiscalization and e-invoicing compliance
- Analytics providers — anonymized usage data for service improvement
We do not sell your personal data to third parties.
6. EU data location and international transfers
Personal data relating to users in the EU and EEA is stored and processed in the European Union—including production hosting, application processing, and day-to-day operations carried out by our Slovenian team and EU-based sub-processors (see Section 5).
A limited set of activities (for example support, billing administration, or security review) may involve access from outside the EEA. Where an EEA transfer requires a safeguard, we use the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures where appropriate. We do not rely on the EU-U.S. Data Privacy Framework unless the relevant recipient is an active participant.
7. Data Processing Role
When you use Space Invoices to create and manage invoices for your own customers, we generally act as a processor for the personal data you enter about those customers (buyer names, addresses, tax identifiers, etc.). You remain the controller for that business and invoicing data, including choosing lawful bases and honouring your customers’ rights toward you.
For your Space Invoices account (login, billing, support), the market-specific company identified in Section 1 is the controller. For a formal Data Processing Agreement (DPA) covering customer-content processing, contact privacy@spaceinvoices.com.
8. Cookies and Tracking
We use the following types of cookies:
- Essential cookies — required for authentication and platform functionality
- Analytics cookies — to understand how our services are used (can be opted out)
We do not use advertising or third-party tracking cookies.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security audits, and multi-tenant data isolation ensuring strict separation between entities.
10. Data Retention
We retain your account and platform data for as long as your account is active or as needed to provide the service. Invoices and related financial records often must be kept for years under tax and bookkeeping rules (length depends on your country); we retain those as long as your account exists and as required by law after closure. After deletion, we remove personal data within 30 days unless a longer period is required for legal or tax obligations.
11. Your Rights
Under the GDPR and applicable privacy laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Restrict processing — limit how we use your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at privacy@spaceinvoices.com. We will respond within 30 days.
12. Supervisory Authority
If you are located in the EU and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For Slovenia, this is the Information Commissioner (Informacijski pooblaščenec) at www.ip-rs.si.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a notice on our platform. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries:
Studio 404 d.o.o. / Space Invoices Inc.
Email: privacy@spaceinvoices.com