Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller for your personal data is:
Space Invoices Inc.
A Delaware corporation, United States
Certain development and operational services are performed by Studio 404 d.o.o., a company registered in Slovenia (EU), acting as a data processor under contract with Space Invoices Inc.
2. Information We Collect
We collect information that you provide directly and information generated through your use of our services:
Account information:
- Name, email address, and company details
- Billing address and VAT/tax identification numbers
- Payment information (processed by Stripe; we do not store card details)
Platform data:
- Invoice, estimate, and credit note data you create through our platform
- Customer records you add to your entities
- API usage logs and request metadata
Automatically collected:
- IP address, browser type, and device information
- Usage analytics (pages visited, feature usage)
- Cookies and similar tracking technologies (see Section 8)
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data under the following legal bases:
- Contract performance — to provide our invoicing services, process your transactions, and maintain your account
- Legal obligation — to comply with tax, accounting, and regulatory requirements (including fiscalization mandates)
- Legitimate interest — to improve our services, prevent fraud, and ensure platform security
- Consent — for marketing communications and optional analytics (you may withdraw consent at any time)
4. How We Use Your Information
- Provide, maintain, and improve our invoicing platform and API
- Process transactions, generate invoices, and submit fiscalization data to tax authorities where required
- Send transactional communications (account confirmations, billing notices, security alerts)
- Respond to support requests and provide technical assistance
- Monitor and analyze usage to improve performance and reliability
- Comply with legal and regulatory obligations
- Send product updates and marketing communications (with your consent)
5. Data Sharing and Third Parties
We share personal data only as necessary to operate our services:
- Studio 404 d.o.o. (Slovenia) — contracted development and operational services under a data processing agreement
- Stripe — payment processing
- Cloud infrastructure providers — hosting and data storage within the EU
- Tax authorities — where required by law for fiscalization and e-invoicing compliance
- Analytics providers — anonymized usage data for service improvement
We do not sell your personal data to third parties.
6. International Data Transfers
As Space Invoices Inc. is based in the United States and Studio 404 d.o.o. operates in Slovenia, your data may be transferred between the EU and the US.
For transfers of personal data from the EEA to the United States, we rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection. Primary data storage and processing infrastructure is located within the European Union.
7. Data Processing Role
When you use Space Invoices to create invoices for your customers, we act as a data processor on your behalf. You remain the data controller for your end-customer invoice data.
For platform customers requiring a formal Data Processing Agreement (DPA), please contact us at privacy@spaceinvoices.com.
8. Cookies and Tracking
We use the following types of cookies:
- Essential cookies — required for authentication and platform functionality
- Analytics cookies — to understand how our services are used (can be opted out)
We do not use advertising or third-party tracking cookies.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security audits, and multi-tenant data isolation ensuring strict separation between entities.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. Invoice and financial data may be retained longer as required by applicable tax and accounting regulations (typically 5-10 years depending on jurisdiction). Upon account deletion, we remove personal data within 30 days, except where retention is required by law.
11. Your Rights
Under the GDPR and applicable privacy laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Restrict processing — limit how we use your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at privacy@spaceinvoices.com. We will respond within 30 days.
12. Supervisory Authority
If you are located in the EU and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For Slovenia, this is the Information Commissioner (Informacijski pooblaščenec) at www.ip-rs.si.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a notice on our platform. Continued use of our services after changes constitutes acceptance of the updated policy.